ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
602 Commits 329 Branches 2 Tags
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Quentin Jaquier 92c23dd5a0 Modify rule S6291[java]: Add Java examples
2021-09-29 14:12:39 +02:00
.github/workflows
RULEAPI-657: Set up a cron job for rule_coverage/coverage.py (#385)
2021-09-23 10:15:02 +02:00
asciidoctor
Test asciidoctor conversion
2020-06-23 09:16:22 +02:00
ci
Fix the asciidoc validation CI check (#377)
2021-09-21 11:30:38 +02:00
docs
Add documentation about rule deprecation (#257)
2021-08-10 16:59:12 +00:00
frontend
update coverage information
2021-09-29 00:31:31 +00:00
img
RULEAPI-620 Update README
2021-06-02 10:58:42 +02:00
rspec-tools
RULEAPI-687: Migrate legacy keys from Jira RSPEC (#392)
2021-09-24 09:08:46 +02:00
rule_coverage
Improve stability of the checkout for analyzer versions(tags) (#403)
2021-09-28 09:44:33 +00:00
rules
Modify rule S6291[java]: Add Java examples
2021-09-29 14:12:39 +02:00
.cirrus.yml
RULEAPI-646: Speed up the "validate_asciidoc" check by validating only the changed rules
2021-06-09 11:15:47 +02:00
.gitignore
.gitignore IntelliJ IDEA files (#289)
2021-08-31 13:31:58 +02:00
index.html
Only keep display on branch and remove test_request
2020-06-26 09:37:47 +02:00
Pipfile
Check links embeded in adocs files (#32)
2021-02-12 15:18:24 +01:00
Pipfile.lock
Check links embeded in adocs files (#32)
2021-02-12 15:18:24 +01:00
README.adoc
RULEAPI-660: Add an exception to the new-rule workflow (#133)
2021-06-16 13:59:09 +00:00
supported_languages.adoc
RULEAPI-653: Add a new language identifier for secrets detection rules (#154)
2021-07-01 12:26:02 +00:00

README.adoc 

ifdef::env-github[]
:warning-caption: :warning:
:note-caption: :information_source:
endif::[]
= SonarSource Rule Specification repository

This repository contains the specification of every static-analysis rule available in SonarLint, SonarCloud, or SonarQube.

It also contains rules which have been dropped and rules which will one day be implemented.

== Rules directory structure

* https://github.com/SonarSource/rspec/tree/master/rules[rules] directory: contains every specified rule.
** `rules/Sxxxx`: contains every specification for rule `Sxxxx`.
*** `rules/Sxxxx/*.adoc`: Asciidoc files which can be reused by multiple language-specific descriptions.
*** `rules/Sxxxx/metadata.json`: rule metadata shared between language-specific RSPECs. Each language can override fields in its own `metadata.json` file. +
It is thanks to this file that you can add `tags`, `securityStandards` etc... to your rule.
*** `rules/Sxxxx/[LANGUAGE]`: contains the language-specific RSPEC. For every rule, there must be at least one `[LANGUAGE]` subdirectory. +
`[LANGUAGE]` can be any of the following:
include::supported_languages.adoc[]
**** `rules/Sxxxx/[LANGUAGE]/rule.adoc`: asciidoc file used to generate the `Sxxxx` rule description for programming language `[LANGUAGE]`. It can include parts from `*.adoc` files located in the parent directory.
**** `rules/Sxxxx/[LANGUAGE]/metadata.json`: metadatas for the specific language. Each key at the top will completely override the key of the `metadata.json` file of the parent directory.

== Search rules

All specified rules (implemented or not) are listed in the https://sonarsource.github.io/rspec/#/[Search Page].

For each rule, you can find the languages it covers, the descriptions for each language as well as the related open tickets and pull requests. +
There will be a red warning with a link to the rule pull request if the rule has not been implemented yet (i.e. is not present on the main branch yet).

You can use the "Search in unimplemented" link on the Search Page to repeat your search in the PRs.

WARNING: Unlike the Search Page, the GitHub search across the PRs for unimplemented rules considers only the PR summary and title. It does not search the content of the proposed rule (i.e. it does not look into `rule.adoc` nor into `metadata.json`).

== Create or modify a rule

Before, the Languages Team used Jira to host both implemented and unimplemented rules. This is why the `rules` directory contains both too.

However, one of the reasons we are migrating to a git repository is that we want to have a clean process and history for rule creation and modification.

In particular, the main branch aims at representing what will be integrated in the next version of the analyzers, i.e. what will be part of the next releases.

Thus every newly created rule or modification of rule should follow these steps:

. Create a pull request adding or modifying a rule
. Ask for a review
. Create an implementation ticket
. Implement the new rule or the change in the existing rule
. Merge the RSPEC PR as soon as the implementation is ready (unless the implementation needs access to the RSPEC before it is ready, see RULEAPI-660).
 * Here "ready" means it is tested/validated/tuned/discussed and lacks only the rule metadata to be merged into analyzer's main branch.
. Fetch the updated metadata with `rule-api`
. Merge the implementation PR

A <<multi-language-rule-creation>> is somewhat more involved.

=== 1. Create a pull request

==== To create a new rule
. go to the https://github.com/SonarSource/rspec/actions/workflows/create_new_rspec.yml[Create new RSPEC] GitHub action
. click on the grey _Run wokflow_ button (on the right).
. in the field _"Comma-separated list of targeted languages"_ write the list of languages you want to specify this rule for. +
They can be any of the following:
include::supported_languages.adoc[]
. click on the green _Run workflow_ button.

image::img/new-rule-workflow.png[]

You should see https://github.com/pulls/assigned[a new pull request assigned to you]. It might take up to a few minutes to appear.
It contains a scaffolding of files for the new rule. Feel free to modify it as you please.

The title of the PR for a new rule will say only "Create rule Sxxxx", which is not very informative. +
Modify the title to better summarize the nature or the rule, so that it is easier to find when searching through unimplemented rules.
Do preserve the "Create rule Sxxxx" prefix, as it is used by our tooling.
For example:

----
Create rule S7028: All identifiers should be in CamelCase
----

Add the description of the PR to further increase its discoverability
(GitHub PR search does not see the `rule.adoc`).
To do that, click on the three dots (next to the smile) on the first comment (created by github-actions bot) and select "Edit".

The rule must contain subdirectories corresponding to all the languages this rule will be implemented for (by the time the PR is merged).

Each language subdirectory contains the `rule.adoc` that is the root document used to render the specification.
The rule specification in `rule.adoc` can include other `*.adoc` files that are in the language subdirectory or in the parent directory by using the `include::content.adoc[]` syntax.

To reduce the number of turnarounds with the asciidoc edits you can install an asciidoc plugin.
Otherwise, you can use https://asciidoclive.com/[AsciiDocLIVE] and this https://docs.asciidoctor.org/asciidoc/latest/syntax-quick-reference/[cheatsheet].

==== To add language to an existing rule

If the rule exists on the main branch, create a PR named "Create rule Sxxxx[_language_]: _rule title_". For example:
----
Create rule S100[java]: Method names should comply with a naming convention
----

Otherwise, if the rule has not been merged yet (i.e. the rule has not been implemented by any plugin), you can use the already existing PR corresponding to this rule. +

Then,

* Create a subdirectory with the name of the language you want to add. +
It can be any of the following:
include::supported_languages.adoc[]
* Add two files in this subdirectory:

** `rule.adoc`: write down the whole description of the rule. If you want to include already existing parts (that are in the current or the parent directory), use the `include::` syntax.
** `metadata.json`: it automatically inherits from the `metadata.json` of the parent directory so you only need to write the parts that need to be overwritten. +
Please note that in any case this file should at least contain two curly braces (`{ }`)


==== To modify an existing rule
Create a branch for your modifications manually.
Then open a pull request manually.
The subject must start with the following required prefix:
----
Modify rule Sxxxx
----
Add a short summary of the PR after the required prefix. For example:
----
Modify rule S1234: Allow tail recursion for languages supporting TCO
----
Add at least one label corresponding to the language(s) the PR relates to.

==== To deprecate a rule
Create a branch for the deprecation manually.
Then open a pull request manually.
In the subject add the following text:
----
Deprecate rule Sxxxx
----
Add at least one label corresponding to the language(s) the PR relates to.

In the `metadata.json` of the rule you want to deprecate:

* Remove all tags
* Remove all quality profiles
* Change the status to `deprecated`
* Fill in the `replacementRules` field with the rules that deprecate this one, if any

NOTE: use a GitHub hot-key `t` in the source view to navigate to an existing rule specification.

==== To delete a rule
If the rule has never been implemented and is still defined in an open pull request, just close the pull request. +
Otherwise, create a pull request to change the status of the rule to "closed".

=== 2. Ask for a review

Every PR that is creating or modifying a rule should be reviewed.

If it is a new rule, or if it requires the analyzer to change its implementation, do not merge the pull request yet.

If the change does not require an implementation, merge the pull request after the review.

=== 3. Create an implementation ticket

Create an implementation ticket as it is usually done for your plugin (i.e. as a Jira ticket or a Github issue). +
For this ticket to be correcty indexed on the search page of the rules, it has to contain the rule ID (RSPEC-1234 or S1234) either in the ticket title or in the ticket description. +
It is also recommended to add a link to the Github Page of the related rule, to ease the navigation between the ticket and the rule.

In the pull request adding the rule specification, add the following text referencing the implementation ticket:
----
Implementation ticket: CPP-1234 (for a CFamily ticket on Jira)
----
or
----
Implementation ticket: SonarSource/sonar-dotnet/issues/1234 (for a sonar-dotnet issue on Github)
----


=== 4. Implement the rule

Implement the rule or the modification as usual.

Only once the implementation is complete, but before it is merged on the analyzer side, merge the RSPEC PR.
The RSPEC PR has to be merged before the implementation PR to enable `rule-api` to fetch the correct metadata in the analyzer.
The RSPEC PR has to be merged as close as possible to the merge of the implementation PR to shorten the time span of the inconsistency in the rule status
("active" in the RSPEC metadata, and not implemented on the analyzer side).

Finally, merge the rule implementation in your analyzer repository.


==== Generate/Update rule metadata for the analyzer

* Download the last version of https://github.com/SonarSource/sonar-rule-api[rule-api].
* call `generate` if you are adding a rule, or `update` if you just want the last specification version.

Example:
[source,shell]
----
$ java -jar rule-api-1.24.3.jar generate -rule S4328
# or
$ java -jar rule-api-1.24.3.jar update
----

NOTE: If you generate rules in an empty directory,
you have to run `update` immediately after,
because rule-api relies on the files in the directory to determine the covered set of rules
when generating the deprecation notes for superseded rules.

=== Multi-Language Rule Creation
Multi-language rule creation is more involved than the default process because it involves multiple roles that typically do not coincide.
It is infeasible to synchronize the implementation of the rule for all the languages it covers.

The special metadata field `"extra"."coveredLanguages"` enables asynchrous implementation in multiple analyzers.

`"extra"."coveredLanguages"` contains the languages the rule is implemented for.

The workflow below makes sure that all rules on the main branch are implemented for all languages they are specified for or for all languages listed in `"coveredLanguages"`.

. An RSPECator creates a PR and specifies the multi-language rule.
 * The RSPECator asks for a review for the PR.
 * The RSPECator does not merge the PR, even after the review is done.
 * The rule metadata.json contains an empty `"extra": {"coveredLanguages": []}` field.
. The RSPECator opens implementation tickets for all the targeted languages.
. An Ada analyzer developer Alice implements the rule first. Alice prepares the PR with the implementation.
. As soon as the implementation of the rule is ready for Ada analyzer, Alice merges both PRs:
.. Alice adds `"Ada"` to `"coveredLanguages"` in the RSPEC PR (`"extra": {"coveredLanguages": ["Ada"]}`).
.. Alice merges the RSPEC PR.
.. Alice fetches the rule metadata with `rule-api` into Ada analyzer.
.. Alice merges the rule implementation in Ada analyzer.
. A Cobol analyzer developer Bob implements the rule some time later. Bob prepares the PR with the implementation.
. Bob opens a new RSPEC PR "Modify rule S1234: Add Cobol support" to add `"Cobol"` to `"coveredLangauges"` (`"extra": {"coveredLanguages": ["Ada", "Cobol"]}`).
. As soon as the Cobol implementation is ready, Bob merges both PRs:
.. Bob merges his RSPEC PR.
.. Bob fetches the rule metadata with `rule-api` into Cobol analyzer.
.. Bob merges the rule implementation in Cobol analyzer.

== Comment a rule

Comments and links that were created on Jira have been gathered in a `comments-and-links.adoc` file for each concerned rule. +
You can add a comment anywhere in a rule by adding the following lines in the `*.adoc` file:
[source]
----
\ifdef::env-github,rspecator-view[]
John Doe (9 Jun 2021, 15:49): my comment on the rule
\endif::env-github,rspecator-view[]
----
This way, your comment will only be visible in GitHub preview and on the Search Page (and will not be visible for the user).

== Untriaged Pull Requests

Untriaged PRs are the ones without any label. You can easily see all of them with the filter https://github.com/SonarSource/rspec/pulls?q=is%3Aopen+is%3Apr+no%3Alabel[`Label > Unlabeled`]. +
All triaged PRs should have at least one label that corresponds to the bubble(s) the PR is related to. This allows bubbles to easily filter out the PRs they are interested in.

== Tooling
https://github.com/SonarSource/rspec/tree/master/rspec-tools[rspec-tools]::
A python CLI tool for adding and validating rules. It is used by GitHub checks and GitHub actions.
For more information see the README file in the `rspec-tools` directory.
https://github.com/SonarSource/rspec/tree/master/frontend[frontend]::
The GitHub page that enables the search for rules.
For more information see the README file in the `frontend` directory.

== RSPEC dataflow

The following graph shows the path of an RSPEC from its inception in Github RSPEC repository to its consumption in SQ/SC/SL or on rules.sonarsource.com: +
(The part that is grayed out corresponds to what existed before, when RSPECs were hosted in Jira)

image::img/RSPEC-flow-2.png[]

== Help

Tickets related to this RSPEC repository are in Jira, in the https://jira.sonarsource.com/projects/RULEAPI/issues/RULEAPI-324?filter=allopenissues[RULEAPI] project.

You found a bug, something is bothering you or you have an idea of how to improve the project? First, have a look at all the https://jira.sonarsource.com/projects/RULEAPI/issues/RULEAPI-324?filter=allopenissues[open tickets]. If you don't see anything related to your subject, please open a new ticket in the backlog, with `backlog` as the fix version.
Description
Rule Specification
Readme 104 MiB
Languages
TypeScript 34.7%
Python 33.6%
HTML 25.7%
Shell 4.1%
Ruby 1.3%
Other 0.6%