Merge pull request #2 from zph/add-wasm-plugins

Working wasm plugin model

Author: zph

cmd/root.go

@@ -12,7 +12,7 @@ import (
 )
 
 var (
-	version = "v0.0.1"
+	version = "v100.0.1"
 	commit  = ""
 	date    = ""
 )

examples/simple.yaml

@@ -71,3 +71,18 @@ rules:
     scope: path
     name: fn
     body: const fn = (path, _i, _l) => path.includes('print')
+
+- id: no-python-in-path
+  description: Don't use python here
+  recommendation: None
+  severity: low
+  link: https://examples.com/wiki/no-print-js-path-level
+  include_paths: '\.py$'
+  exclude_paths: null
+  fn:
+    type: wasm
+    scope: path
+    name: path_validator
+    body: ./plugins/test-plugin.wasm
+    metadata:
+      sha256: f2880b9d1a2f70f7eddca65c7aa539483c800653669e5a070b8cb3b11a199eca

go.mod

@@ -13,8 +13,10 @@ require (
 
 require (
 	github.com/dlclark/regexp2 v1.7.0 // indirect
+	github.com/extism/go-sdk v1.2.0 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/go-sourcemap/sourcemap v2.1.3+incompatible // indirect
+	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/google/pprof v0.0.0-20230207041349-798e818bf904 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
@@ -30,8 +32,10 @@ require (
 	github.com/spf13/cast v1.6.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
+	github.com/tetratelabs/wazero v1.3.0 // indirect
 	go.uber.org/atomic v1.9.0 // indirect
-	go.uber.org/multierr v1.9.0 // indirect
+	go.uber.org/multierr v1.10.0 // indirect
+	go.uber.org/zap v1.27.0 // indirect
 	golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect
 	golang.org/x/sys v0.17.0 // indirect
 	golang.org/x/text v0.14.0 // indirect

go.sum

@@ -15,12 +15,16 @@ github.com/dop251/goja v0.0.0-20240220182346-e401ed450204 h1:O7I1iuzEA7SG+dK8ocO
 github.com/dop251/goja v0.0.0-20240220182346-e401ed450204/go.mod h1:QMWlm50DNe14hD7t24KEqZuUdC9sOTy8W6XbCU1mlw4=
 github.com/dop251/goja_nodejs v0.0.0-20210225215109-d91c329300e7/go.mod h1:hn7BA7c8pLvoGndExHudxTDKZ84Pyvv+90pbBjbTz0Y=
 github.com/dop251/goja_nodejs v0.0.0-20211022123610-8dd9abb0616d/go.mod h1:DngW8aVqWbuLRMHItjPUyqdj+HWPvnQe8V8y1nDpIbM=
+github.com/extism/go-sdk v1.2.0 h1:A0DnIMthdP8h6K9NbRpRs1PIXHOUlb/t/TZWk5eUzx4=
+github.com/extism/go-sdk v1.2.0/go.mod h1:xUfKSEQndAvHBc1Ohdre0e+UdnRzUpVfbA8QLcx4fbY=
 github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
 github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
 github.com/go-sourcemap/sourcemap v2.1.3+incompatible h1:W1iEw64niKVGogNgBN3ePyLFfuisuzeidWPMPWmECqU=
 github.com/go-sourcemap/sourcemap v2.1.3+incompatible/go.mod h1:F8jJfvm2KbVjc5NqelyYJmf/v5J0dwNLS2mL4sNA1Jg=
+github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
+github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/pprof v0.0.0-20230207041349-798e818bf904 h1:4/hN5RUoecvl+RmJRE2YxKWtnnQls6rQjjW5oV7qg2U=
@@ -84,11 +88,17 @@ github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcU
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8=
 github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU=
+github.com/tetratelabs/wazero v1.3.0 h1:nqw7zCldxE06B8zSZAY0ACrR9OH5QCcPwYmYlwtcwtE=
+github.com/tetratelabs/wazero v1.3.0/go.mod h1:wYx2gNRg8/WihJfSDxA1TIL8H+GkfLYm+bIfbblu9VQ=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 go.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE=
 go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/multierr v1.9.0 h1:7fIwc/ZtS0q++VgcfqFDxSBZVv/Xo49/SYnDFupUwlI=
 go.uber.org/multierr v1.9.0/go.mod h1:X2jQV1h+kxSjClGpnseKVIxpmcjrj7MNnI0bnlfKTVQ=
+go.uber.org/multierr v1.10.0 h1:S0h4aNzvfcFsC3dRF1jLoaov7oRaKqRGC/pUEJ2yvPQ=
+go.uber.org/multierr v1.10.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
+go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
+go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/exp v0.0.0-20230905200255-921286631fa9 h1:GoHiUyI/Tp2nVkLI2mCxVkOjsbSXD66ic0XW0js0R9g=

main_test.go

@@ -40,13 +40,13 @@ func TestProcessFile(t *testing.T) {
 		findingsCount int
 		expectedErr   error
 	}{
-		{"Basic test without ignores", `print("A")`, "example.py", 4, nil},
-		{"Basic test for-file ignore", forFileIgnore, "example.py", 2, nil},
-		{"Basic test next-line ignore", nextLineIgnore, "example.py", 2, nil},
-		{"Basic test next-line ignore shorthand", nextLineIgnoreShorthand, "example.py", 3, nil},
-		{"Basic test next-line ignore doesn't apply", nextLineIgnoreDoesntApply, "example.py", 4, nil},
-		{"Basic test with faulty ignore statement", fileWithFaultyIgnoreStatement, "example.py", 4, nil},
-		{"Basic test with banned filename", nextLineIgnore, "print.py", 3, nil},
+		{"Basic test without ignores", `print("A")`, "example.py", 5, nil},
+		{"Basic test for-file ignore", forFileIgnore, "example.py", 3, nil},
+		{"Basic test next-line ignore", nextLineIgnore, "example.py", 3, nil},
+		{"Basic test next-line ignore shorthand", nextLineIgnoreShorthand, "example.py", 4, nil},
+		{"Basic test next-line ignore doesn't apply", nextLineIgnoreDoesntApply, "example.py", 5, nil},
+		{"Basic test with faulty ignore statement", fileWithFaultyIgnoreStatement, "example.py", 5, nil},
+		{"Basic test with banned filename", nextLineIgnore, "print.py", 4, nil},
 	}
 	for idx, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -86,7 +86,7 @@ func TestConfigFileParsing(t *testing.T) {
 		content           string
 		expectedRuleCount int
 	}{
-		{"basic config file with 1 rule", simpleConfigFile, 6},
+		{"basic config file with 1 rule", simpleConfigFile, 7},
 	}
 	for idx, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

pkg/log.go

@@ -0,0 +1,16 @@
+package polylint
+
+import "go.uber.org/zap"
+
+var logz *zap.SugaredLogger
+
+func init() {
+	logger, _ := zap.NewProductionConfig().Build(
+		zap.WithCaller(true),
+	)
+
+	zap.NewAtomicLevelAt(zap.DebugLevel)
+	defer logger.Sync() // flushes buffer, if any
+	logz = logger.Sugar()
+	logz.Debugw("polylint initialized", "version", "0.0.2")
+}

pkg/processors.go

@@ -1,7 +1,9 @@
 package polylint
 
 import (
+	"context"
 	"crypto/sha256"
+	"encoding/json"
 	"fmt"
 	"io"
 	"log"
@@ -13,6 +15,7 @@ import (
 	"strings"
 
 	"github.com/dop251/goja"
+	extism "github.com/extism/go-sdk"
 	"github.com/spf13/viper"
 	"golang.org/x/mod/semver"
 	"gopkg.in/yaml.v2"
@@ -41,7 +44,7 @@ func extractIgnoresFromLine(line string, lineNo int, f *FileReport) error {
 				f.Ignores = append(f.Ignores, Ignore{Scope: pathScope, SourceLineNo: lineNo, LineNo: 0, Id: ignore})
 			}
 		} else {
-			fmt.Printf("WARNING: directive for polylint not recognized on line %d %s %s\n", lineNo, directive, ignoresStr)
+			logz.Warnf("WARNING: directive for polylint not recognized on line %d %s %s\n", lineNo, directive, ignoresStr)
 			return nil
 		}
 	}
@@ -98,24 +101,27 @@ func LoadConfigFile(content string) (ConfigFile, error) {
 	var config ConfigFile
 	err := yaml.Unmarshal([]byte(content), &rawConfig)
 	if err != nil {
-		fmt.Printf("Error unmarshalling YAML: %v", err)
+		logz.Errorf("Error unmarshalling YAML: %v", err)
 		return ConfigFile{}, err
 	}
 
 	if !strings.HasPrefix(rawConfig.Version, "v") {
-		fmt.Printf("Error: config file version must start with a 'v' but was %s\n", rawConfig.Version)
+		logz.Errorf("Error: config file version must start with a 'v' but was %s\n", rawConfig.Version)
 		panic("Invalid version due to semver incompatibility")
 	}
 
 	if !semver.IsValid(rawConfig.Version) {
-		fmt.Printf("Error: Config version %s is newer than binary version %s\n", rawConfig.Version, viper.GetString("binary_version"))
-		fmt.Println(semver.IsValid(rawConfig.Version))
+		logz.Errorf("Error: Config version %s is newer than binary version %s\n", rawConfig.Version, viper.GetString("binary_version"))
+		logz.Errorln(semver.IsValid(rawConfig.Version))
 		panic("Invalid version due to semver incompatibility")
 	}
 
 	// If version file is too new for binary version
 	if semver.Compare(rawConfig.Version, viper.GetString("binary_version")) == 1 {
-		fmt.Printf("Warning: config file version %s is newer than binary version %s\n", rawConfig.Version, viper.GetString("binary_version"))
+		_ = 1
+		// TODO: determine how to handle version for version check when not set in tests
+		// Ignore for now until we can control the output
+		//logz.Warnf("Warning: config file version %s is newer than binary version %s\n", rawConfig.Version, viper.GetString("binary_version"))
 	}
 
 	config.Version = rawConfig.Version
@@ -285,6 +291,8 @@ func BuildLineFn(f RawFn) RuleFunc {
 		return buildLineFnBuiltin(f)
 	case "js":
 		return buildJsFn(f)
+	case "wasm":
+		return buildWasmFn(f)
 	default:
 		panic(fmt.Sprintf("unknown type %s", f.Type))
 	}
@@ -296,6 +304,8 @@ func BuildFileScopeFn(f RawFn) RuleFunc {
 		return BuildFileFnBuiltin(f)
 	case "js":
 		return BuildFileFnJs(f)
+	case "wasm":
+		return buildWasmFn(f)
 	default:
 		panic(fmt.Sprintf("unknown type %s", f.Type))
 	}
@@ -340,6 +350,8 @@ func BuildPathScopeFn(f RawFn) RuleFunc {
 		return BuildPathFnBuiltin(f)
 	case "js":
 		return BuildPathFnJs(f)
+	case "wasm":
+		return buildWasmFn(f)
 	default:
 		panic(fmt.Sprintf("unknown type %s", f.Type))
 	}
@@ -394,6 +406,80 @@ func buildJsFn(f RawFn) RuleFunc {
 	return fn
 }
 
+func buildWasmFn(f RawFn) RuleFunc {
+	hash, err := f.GetMetadataHash()
+	if err != nil {
+		logz.Warnf("Warning: cannot find metadata hash for %s\n", f.Body)
+	}
+	var content []byte
+
+	// TODO: handle null case of hash
+	if hash != "" {
+		content, err = f.GetWASMFromCache(hash)
+	}
+	if err != nil {
+		if strings.HasPrefix(f.Body, "http") {
+			content, err = f.GetWASMFromUrl(f.Body)
+		} else {
+			content, err = f.GetWASMFromPath(f.Body)
+		}
+	}
+	if err != nil {
+		panic(err)
+	}
+
+	ok := f.CheckWASMHash(content, hash)
+	if !ok && hash != "" {
+		logz.Errorf("hash mismatch for %s", f.Body)
+	}
+	f.WriteWASMToCache(content)
+
+	var location []extism.Wasm
+	location = append(location, extism.WasmData{
+		Data: content,
+		Hash: hash,
+	})
+
+	manifest := extism.Manifest{
+		Wasm: location,
+	}
+
+	ctx := context.Background()
+	config := extism.PluginConfig{
+		EnableWasi: true,
+	}
+
+	plugin, err := extism.NewPlugin(ctx, manifest, config, []extism.HostFunction{})
+	if err != nil {
+		logz.Errorf("Failed to initialize plugin: %v\n", err)
+		os.Exit(1)
+	}
+
+	return func(path string, idx int, line string) bool {
+		args := RuleFuncArgs{path, idx, line}
+		b, err := json.Marshal(&args)
+		if err != nil {
+			panic(err)
+		}
+
+		exit, bytes, err := plugin.CallWithContext(ctx, f.Name, b)
+		if err != nil {
+			logz.Errorln(err)
+			os.Exit(int(exit))
+		}
+		var result RuleFuncResult
+		json.Unmarshal(bytes, &result)
+
+		return result.Value
+	}
+}
+
+type RuleFuncArgs [3]interface{}
+
+type RuleFuncResult struct {
+	Value bool
+}
+
 func ProcessFile(content string, path string, cfg ConfigFile) (FileReport, error) {
 	f := FileReport{
 		Path:     path,
@@ -405,7 +491,7 @@ func ProcessFile(content string, path string, cfg ConfigFile) (FileReport, error
 	for idx, line := range lines {
 		err := processLine(line, idx, &f)
 		if err != nil {
-			fmt.Printf("ERROR: %s\n", err)
+			logz.Errorf("ERROR: %s\n", err)
 			return FileReport{}, err
 		}
 	}