Is it possible to match something that is missing in a file? #668
Comments
I don't think this is something I've tried before, but can you share the sample that worked with match/must-not match? If it passes those tests I think it should be possible to make it work, but it may be that there's a check somewhere in the conversion from match to issue object creation/output creation that is swallowing it. If you share the sample rule I could debug in and see where it might be getting stuck.
A very minimal test for negative lookaheads:

```json
[{
  "name": "Ensure 'xyz' is used",
  "id": "ensure_xyz_is_used",
  "description": "The string 'xyz' must be present.",
  "recommendation": "Ensure that the string 'xyz' is included anywhere.",
  "tags": [
    "test"
  ],
  "confidence": "high",
  "severity": "important",
  "patterns": [{
    "pattern": "^(?!.*xyz).*$",
    "type": "regex",
    "scopes": [
      "code"
    ]
  }],
  "must-match": [
    "abc",
    "dee ghi"
  ],
  "must-not-match": [
    "abc xyz",
    "xyz abc"
  ]
}]
```

```
devskim verify -r ".\xyz.devskim.json"
[21:10:40 INF] 1 of 1 rules have must-match self-tests.
[21:10:40 INF] 1 of 1 rules have must-not-match self-tests.
```

If I use this rule on a simple text file with one line that does not contain or does contain, it works as expected as well. The negative lookahead seems to work in self-test and on one-line files, although I'm having trouble getting it to work when I include newlines and tabs in the must-match and must-not-match tests (such as with yaml). Even with modifier
I just remembered this is possible using conditions. Here I just set the initial pattern to something that matches everything, and then leverage the

```json
[{
  "name": "Ensure 'xyz' is used",
  "id": "ensure_xyz_is_used",
  "description": "The string 'xyz' must be present.",
  "recommendation": "Ensure that the string 'xyz' is included anywhere.",
  "tags": [
    "test"
  ],
  "confidence": "high",
  "severity": "important",
  "patterns": [{
    "pattern": ".*",
    "type": "regex",
    "scopes": [
      "code"
    ]
  }],
  "conditions": [
    {
      "pattern": {
        "pattern": "xyz",
        "type": "string",
        "scopes": [
          "code"
        ],
        "modifiers": [
          "i"
        ]
      },
      "search_in": "same-file",
      "negate_finding": true
    }
  ],
  "must-match": [
    "abc",
    "dee ghi"
  ],
  "must-not-match": [
    "abc xyz",
    "xyz abc"
  ]
}]
```

I believe you can add newlines to the
Thank you. That's great and it works with Yes I can use
You should be able to substitute any pattern you want (including ymlpath etc) in the initial pattern for what you would want highlighted - I just left it very broad for the example. That should then only be identified as an issue in the absence of the condition negating the finding (which could additionally be a different ymlpath query if desired), but functionally you'd need something to hook onto for the original match before being potentially negated.
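The mechanics described in the comment above, as an added example that is not DevSkim's own engine: a small Python evaluator that applies both rule shapes from this thread (the `^(?!.*xyz).*$` lookahead rule and the `.*` pattern with a negated `same-file` condition) to a few constructed inputs. It assumes that regex patterns are evaluated with `re.MULTILINE` so `^` and `$` bind to lines, that `string` patterns are literal, and that a `same-file` condition is checked against the whole file text; the helper names (`compile_pattern`, `conditions_hold`, `evaluate`, `compare`) are this example's, not DevSkim's.

```python
"""Simplified evaluator for the two rule shapes discussed in this issue.

Added example, not DevSkim's code. Assumed semantics: regex patterns run with
re.MULTILINE, 'string' patterns are literal, a 'same-file' condition is searched
in the whole file, and negate_finding inverts the condition's result.
"""
import re

# Constructed rules, reduced to the fields the evaluator needs.
LOOKAHEAD_RULE = {
    "id": "ensure_xyz_is_used_lookahead",
    "patterns": [{"pattern": "^(?!.*xyz).*$", "type": "regex"}],
    "conditions": [],
}

CONDITION_RULE = {
    "id": "ensure_xyz_is_used",
    "patterns": [{"pattern": ".*", "type": "regex"}],
    "conditions": [{
        "pattern": {"pattern": "xyz", "type": "string", "modifiers": ["i"]},
        "search_in": "same-file",
        "negate_finding": True,
    }],
}


def compile_pattern(pat: dict) -> re.Pattern:
    """Turn a rule pattern object into a compiled regex (assumed semantics)."""
    flags = re.MULTILINE
    if "i" in pat.get("modifiers", []):
        flags |= re.IGNORECASE
    if pat["type"] == "string":
        return re.compile(re.escape(pat["pattern"]), flags)
    return re.compile(pat["pattern"], flags)


def conditions_hold(conditions: list, text: str) -> bool:
    """A same-file condition passes when its pattern is found; negate_finding
    inverts that, so a negated condition passes only when the pattern is absent."""
    for cond in conditions:
        found = compile_pattern(cond["pattern"]).search(text) is not None
        if cond.get("negate_finding", False):
            found = not found
        if not found:
            return False
    return True


def evaluate(rule: dict, text: str) -> list:
    """Return [(line_number, matched_text)] findings for one file's contents."""
    findings = []
    if not conditions_hold(rule.get("conditions", []), text):
        return findings                  # a failed (negated) condition suppresses all matches
    for pat in rule["patterns"]:
        for m in compile_pattern(pat).finditer(text):
            if not m.group(0):
                continue                 # '.*' also yields empty matches; ignore them
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append((line_no, m.group(0)))
    return findings


# Constructed sample files: the thread's self-test strings plus two multi-line files.
SAMPLES = {
    "abc": "abc",
    "xyz abc": "xyz abc",
    "two_lines_with_xyz": "abc\nxyz",
    "two_lines_without_xyz": "abc\ndef",
}


def compare(sample_name: str) -> dict:
    """Number of findings each rule shape produces on one sample file."""
    text = SAMPLES[sample_name]
    return {
        "lookahead": len(evaluate(LOOKAHEAD_RULE, text)),
        "condition": len(evaluate(CONDITION_RULE, text)),
    }


if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:24} {compare(name)}")
```

On the one-line self-test strings both rules agree, which is why the self-tests pass. On `abc\nxyz` the line-anchored lookahead still reports line 1, because `.*` inside the lookahead stops at the newline and never sees the `xyz` on line 2; the negated same-file condition searches the whole file and suppresses the finding, which is the behaviour wanted for "option missing from this file" checks.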
Is it possible to match something that is missing in a file? For example if I apply a DevSkim rule on all yaml files or better if possible on all files ending with `.sometool.yaml`, can I then specifically trigger a warning on something that does not exist? For example the file is expected to have a certain option but it doesn't contain it. I tried to achieve it with regex negative lookaheads but it doesn't seem possible, I get the self-tests (must-match / must-not-match) to work but not triggering on the actual content.