Skip to content

Comments

Refactor scan rule implementation#613

Merged
TharmiganK merged 10 commits intomasterfrom
static-rule
Oct 21, 2025
Merged

Refactor scan rule implementation#613
TharmiganK merged 10 commits intomasterfrom
static-rule

Conversation

@TharmiganK
Copy link
Contributor

@TharmiganK TharmiganK commented Oct 17, 2025
edited
Loading

Purpose

Fixes:
ballerina-platform/ballerina-library#8354

Fixed issues:

  • Previous implementation has the following issues and fixed with the new design,
    • Using complex and duplicated analysis to get argument values with parameter names
    • Does not use semantic information to resolve module name to filter the crypto module function
    • Using semantic model references API to check whether the value is modified. But this is not ideal since if the variable is even used without reassignment or modification, it can be referenced. Ideal solution would be navigate to the references and check the nodes. But this is a very complex process. Hence, used an analysis based on the global and local block scopes to find the modifications or reassignments. Yet, any blocks like if, match, etc. can change the values, so avoided to resolve the variable declaration finding if we encounter any block statements. This is the least intrusive option.
  • With the new implementation, a new interface is introduce to implement any resource level static code rules and a context object is introduced which can contain all the required objects to perform the analysis
  • Fixes several other bugs in the previous implementation
  • Added a section in the specification regarding the static code rules. The section follows the following format: 
    # Static Rule Title

<!-- one line description of the static code rule -->

## Why this is an issue?

## What is the potential impact?

## How can I fix this?

<!-- description -->

**Non-complaint code:**
<!-- code example -->

**Complaint code:**
<!-- code example -->

## Additional Resources
  • Removed the rule 4. Check the comment in the issue for more information. Also IMO suggesting to use a external method call might not looks nice. We should consider this when we can a Ballerina level support for creating secure randoms

Examples

N/A

Checklist

  • Linked to an issue
  • Updated the changelog
  • Added tests
  • Updated the spec
  • Checked native-image compatibility

TharmiganK
TharmiganK commented Oct 17, 2025
View reviewed changes
@codecov
Copy link

codecov bot commented Oct 17, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 78.98305% with 62 lines in your changes missing coverage. Please review.
✅ Project coverage is 82.03%. Comparing base (7210fa2) to head (cbb204b).
⚠️ Report is 1 commits behind head on master.

Files with missing lines Patch % Lines
...mpiler/staticcodeanalyzer/CryptoAnalyzerUtils.java 71.17% 7 Missing and 25 partials ⚠️
...o/compiler/staticcodeanalyzer/FunctionContext.java 79.31% 6 Missing and 6 partials ⚠️
...ctionrules/AvoidReusingCounterModeVectorsRule.java 77.14% 2 Missing and 6 partials ⚠️
...zer/functionrules/AvoidFastHashAlgorithmsRule.java 86.27% 2 Missing and 5 partials ⚠️
...ticcodeanalyzer/CryptoCipherAlgorithmAnalyzer.java 90.00% 0 Missing and 1 partial ⚠️
.../staticcodeanalyzer/CryptoFunctionRulesEngine.java 93.75% 0 Missing and 1 partial ⚠️
...r/functionrules/AvoidWeakCipherAlgorithmsRule.java 92.85% 0 Missing and 1 partial ⚠️
Additional details and impacted files 
@@             Coverage Diff              @@
##             master     #613      +/-   ##
============================================
- Coverage     82.32%   82.03%   -0.30%     
- Complexity      241      369     +128     
============================================
  Files            29       41      +12     
  Lines          1375     1714     +339     
  Branches        191      266      +75     
============================================
+ Hits           1132     1406     +274     
- Misses          196      215      +19     
- Partials         47       93      +46

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

daneshk
daneshk previously approved these changes Oct 17, 2025
View reviewed changes
daneshk
daneshk previously approved these changes Oct 20, 2025
View reviewed changes
@sonarqubecloud
Copy link

sonarqubecloud bot commented Oct 21, 2025

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@TharmiganK TharmiganK merged commit cf1437f into master Oct 21, 2025
6 of 7 checks passed
@TharmiganK TharmiganK deleted the static-rule branch October 21, 2025 03:56
TharmiganK added a commit that referenced this pull request Oct 21, 2025
@TharmiganK
Refactor scan rule implementation (#613)
9d026a9 
* Refactor static code rule implementation

* Update spec with scan rules

* Update changelog

* Address sonar cloud reported issues

* Add enable code coverage report for compiler plugin

* Bump to the next minor version

* [Automated] Update the native jar versions

* Improve code coverage

* Update AES encryption example from CCM to CBC

* Fix reference to SHA256 in password hashing function

(cherry picked from commit cf1437f)
randilt pushed a commit to randilt/module-ballerina-crypto that referenced this pull request Dec 7, 2025
@TharmiganK @randilt
Refactor scan rule implementation (ballerina-platform#613)
609a37f 
* Refactor static code rule implementation

* Update spec with scan rules

* Update changelog

* Address sonar cloud reported issues

* Add enable code coverage report for compiler plugin

* Bump to the next minor version

* [Automated] Update the native jar versions

* Improve code coverage

* Update AES encryption example from CCM to CBC

* Fix reference to SHA256 in password hashing function
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@daneshk daneshk daneshk approved these changes

@ThisaruGuruge ThisaruGuruge Awaiting requested review from ThisaruGuruge ThisaruGuruge is a code owner

@MohamedSabthar MohamedSabthar Awaiting requested review from MohamedSabthar MohamedSabthar is a code owner

@DimuthuMadushan DimuthuMadushan Awaiting requested review from DimuthuMadushan DimuthuMadushan is a code owner

@shafreenAnfar shafreenAnfar Awaiting requested review from shafreenAnfar shafreenAnfar is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@TharmiganK @daneshk