Added Independent Finding Execution Behavior #1030
Conversation
drdavella
left a comment
drdavella
left a comment
There was a problem hiding this comment.
Overall this looks good. My comments boil down to two basic issues:
- We should preserve the current hardening behavior as the default for now
- I'm not totally convinced that locations are being handled correctly for the hardening case
src/codemodder/codemodder.py
Outdated
| sast_only: bool = False, | ||
| ai_client: bool = True, | ||
| log_matched_files: bool = False, | ||
| hardening: bool = False, |
There was a problem hiding this comment.
| hardening: bool = False, | |
| hardening: bool = True, |
.github/workflows/codemod_pygoat.yml
Outdated
| path: pygoat | ||
| - name: Run Codemodder | ||
| run: codemodder --dry-run --output output.codetf pygoat | ||
| run: codemodder_hardening --dry-run --output output.codetf pygoat |
There was a problem hiding this comment.
I think we should preserve the existing behavior of the command line for now.
|
|
||
| command = [ | ||
| "codemodder", | ||
| "codemodder_hardening", |
There was a problem hiding this comment.
Let's keep the existing behavior for now.
|
|
||
| command = [ | ||
| "codemodder", | ||
| "codemodder_hardening", |
There was a problem hiding this comment.
Preserve existing behavior for now.
pyproject.toml
Outdated
|
|
||
| [project.scripts] | ||
| codemodder = "codemodder.codemodder:main" | ||
| codemodder_hardening = "codemodder.codemodder:harden" |
There was a problem hiding this comment.
I don't think this is necessary. We expect per-finding mode to be accessed exclusively by client library calls for now and we should preserve the existing codemodder behavior as the default in the near term.
There was a problem hiding this comment.
We do use the new command line script for integration tests.
src/codemodder/codemodder.py
Outdated
|
|
||
|
|
||
| def _run_cli(original_args) -> int: | ||
| def _run_cli(original_args, hardening=False) -> int: |
There was a problem hiding this comment.
| def _run_cli(original_args, hardening=False) -> int: | |
| def _run_cli(original_args, hardening=True) -> int: |
src/codemodder/codemodder.py
Outdated
| return status | ||
|
|
||
|
|
||
| def harden(): |
There was a problem hiding this comment.
I don't think this is necessary; see comments above.
| contexts.extend([process_file(file) for file in files_to_analyze]) | ||
| else: | ||
| # Do each result independently and outputs the diffs | ||
| if not hardening: |
There was a problem hiding this comment.
This if/else feels like each branch should maybe be a separate function. It would probably enable the call to be a one-liner as well.
| singleton = results.__class__() | ||
| singleton.add_result(result) | ||
| result_locations = self.get_files_to_analyze(context, singleton) | ||
| # We do an execution for each location in the result |
There was a problem hiding this comment.
I don't think this is correct. We only need to execute each fix per finding. A finding may report multiple locations, but will still result in only a single fix (which itself may touch multiple locations). I think the distinction is subtle but we still execute each codemod only once per finding.
Let me know whether there's something I'm missing or whether maybe the comment isn't quite right.
There was a problem hiding this comment.
Two things to note: our transformers are file-based, that is, they execute per file. ChangeSet objects only reports changes to a single file.
This particular piece of code mimics the behavior we had before. If you only had one result with multiple locations, you would run the codemod for each location and produce a changeset object for each location.
What changed is that now each changeset is only associated with a single finding.
clavedeluna
left a comment
clavedeluna
left a comment
There was a problem hiding this comment.
a few code comments that seem unnecessarily explaining code (LLM generated likely) that are worth removing
pyproject.toml
Outdated
|
|
||
| [project.scripts] | ||
| codemodder = "codemodder.codemodder:main" | ||
| codemodder_hardening = "codemodder.codemodder:harden" |
There was a problem hiding this comment.
for consistency with other commands, I suggest codemodder-hardening
|
|
||
| path_exclude = [f"{tmp_file_path}:{line}" for line in lines_to_exclude or []] | ||
|
|
||
| print(expected_diff_per_change) |
There was a problem hiding this comment.
| print(expected_diff_per_change) |
andrecsilva
force-pushed
the
independent-execution
branch
from
e943f3c to
5c37c17
Compare
andrecsilva
force-pushed
the
independent-execution
branch
3 times, most recently
from
0ff1b1d to
7585715
Compare
drdavella
left a comment
drdavella
left a comment
There was a problem hiding this comment.
Approved and looks good but please consider making the change to clean up creation of singleton result sets.
| if results: | ||
| for result in results.results_for_rules(rules): | ||
| # this need to be the same type of ResultSet as results | ||
| singleton = results.__class__() |
There was a problem hiding this comment.
Sorry for such late feedback but it feels like this could be done more cleanly by implementing a class method on the ResultSet type:
T = TypeVar("T", bound=Result) # we may already have this somewhere
@classmethod
def from_single_result(cls, result: T) -> Self:
new = cls()
cls.add_result(result)
return newAlternatively there may be a way to make it a method of Result instead, I'm not sure which is cleaner. In either case it avoids the introspection and feels like better encapsulation.
andrecsilva
force-pushed
the
independent-execution
branch
from
7585715 to
bb95515
Compare
|
3 participants
Overview
Adds independent finding behavior for codemods
Description
Independent finding behavior means that codemods will execute once for each finding (i.e. remediation), as opposed to once for all findings (i.e. hardening). Hardening aims to produce a file with all the changes, while remediation will produce diffs for each finding. Remediation is the default behavior accessible with the
codemoddercommand, while hardening is now accessible ascodemodder_hardening.Additional Details