Add Homoglyphs detection in Minder #2312
Conversation
|
6k PR daaaaaaaaaaamn |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| } | ||
|
|
||
| // Eval evaluates the mixed scripts rule type | ||
| func (mse *MixedScriptsEvaluator) Eval(ctx context.Context, _ map[string]any, res *engif.Result) error { |
There was a problem hiding this comment.
The Eval method of the these two evaluation strategies seem to share mostly identical code. I suspect it's possible to refactor them to share a common function. From what I can see, the only things which seem to change between the two Eval methods is:
- The type of processor and the method of the processor which carries out the evaluation.
- The message written in the PR comment
- The status/message in the PR review
One solution for this would be to add a common interface for MixedScriptsEvaluator and InvisibleCharactersEvaluator which looks something like this:
type HomoglyphEvaluator interface {
FindViolations(codeLine string) InfoType
GetLineCommentText() string
GetFailedReviewText() string
GetPassedReviewText() string
}
(I am not 100% sure of the types involved here, and there may be better names than the ones in my example)
At which point you could write a common function with a signature such as:
func checkForHomoglyphViolation(ctx context.Context, evaluator HomoglyphEvaluator, res *engif.Result) errror
Which will mostly look like the current code, except that it delegates the methods of the HomoglyphEvaluator struct instead of having hard-coded evaluator-specific references. The Eval methods of both structs simply calls into the common function with the appropriate arguments.
There was a problem hiding this comment.
Thanks for the descriptive suggestion and the discussion that followed in Slack!
I've addressed your comments.
Closes: #2121
Please refer to #2121 for a full description of the work covered in this PR. There will be a second short one for adding the rule types and a profile.
Reference to the PR and repo used for testing the feature: teodor-yanev/a-testrepo#1
A couple of notes here regarding the implementation:
Considering the ongoing work (Create single status comment and correctly dismiss reviews #2171) and the tightly coupled (to the "vulncheck" dependency checks for ecosystems functionality) way of "review" related calls and string constants, I decided to opt-in for an "extract and refactor" approach which can be seen in "reviewer.go" and the related functions and files. After we reach a consensus on generalising these calls, we can come back to this work and address the necessary changes.
Two rule types instead of one with parameters: an entirely subjective decision, this approach gives more flexibility when we want to customise each rule further.
Two evaluators behind one "main" 'Homoglyphs' evaluator: The Homoglyphs evaluator presents a type field which gives us a direction on which functionality we need, that's it. There are two for now but there might be more in the future. While they are still classified under the same type of "Evaluator", they are still two separate logical entities, providing a different set of results, and making decisions based on different parameters.
Please note that the PR size isn't as scary as it looks: the scripts.txt file is ~3k lines alone and we also have proto generations.