-
-
Notifications
You must be signed in to change notification settings - Fork 241
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ENABLE_ERRORS_LINTERS #3599
Comments
@wesley-dean-flexion good idea :) |
@nvuillam Sure. I'm thinking that when it's invoked, we handle it as the user specified self.disable_errors_linters = list_all_linters().difference (
config.get_list(
self.request_id, "DISABLE_ERRORS_LINTERS", self.disable_errors_linters
)
) I haven't tested that to see if it would work -- I don't even know if the types would align -- but I think that ought to be sufficient to convey the idea. Are my logic and reasoning sound? |
@wesley-dean-flexion like for ENABLE_LINTERS and DISABLE_LINTERS, if ENABLE variable is set, then its value is applied , and DISABLE variable is ignored :) |
This issue has been automatically marked as stale because it has not had recent activity. If you think this issue should stay open, please remove the |
I'll get on it... I swear....... |
@wesley-dean-flexion you do when you can , that's ok :) Note: next major version should happen in the following weeks :) |
@nvuillam Outstanding about the new major version! |
Hey @nvuillam. I thunk another thought this morning. This is fresh and I haven't verified anything yet, so I could be wildly incorrect with anything and everything I'm about to say. Currently, Suppose Suppose this is an excerpt from some project's DISABLE_ERRORS: True
PYTHON_PYLINT_DISABLE_ERRORS: False Currently, this case would cause MegaLinter to return a 0 (success) because HOWEVER, if So, if I wanted to only allow This is different from the current interpretation of I think this would be simpler and less ambiguous than the initial What do you think? |
@wesley-dean-flexion in my opinion errors should not be disabled by default, and it's only during the setup and after checking the blocking errors, that someone can decide to consider some linters unrelevant , and individually disable them But as it seems that your update would not change the current behaviour (that would induce an unwanted breaking change), I'd be ok to validate a PR that "forces enablement of linter errors" if DISABLE_ERRORS is defined to true :) |
Agreed. I generally find acceptable that errors cause a MegaLinter run to fail while warnings do not.
Also agreed. My hope and desire is to not change any existing, default behavior. The only way this new functionality would happen is when
|
The goal is still the same as before: I would like to be able to specify a list of linters where errors affirmatively cause MegaLinter to return a non-zero result code while the other linters do not. It would allow something like this: ---
DISABLE_ERRORS: True
REPOSITORY_TRIVY_DISABLE_ERRORS: False
REPOSITORY_GRYPE_DISABLE_ERRORS: False In that situation, errors detected by any linter, scanner, etc. that MegaLinter provides will show up as warnings except for Grype and Trivy. Errors found by those tools will cause MegaLinter to return a non-zero result code. My vision is that the security-related scanners (so, mostly the That is, MegaLinter as a security tool first and foremost. |
works for me :) |
This issue has been automatically marked as stale because it has not had recent activity. If you think this issue should stay open, please remove the |
activity |
even more activity |
leaving myself a breadcrumb: https://github.com/oxsecurity/megalinter/blob/main/megalinter/Linter.py#L746 |
Another, less invasive approach came to me last night. My motivation is being able to have MegaLinter run security-related tests and have findings there fail builds while non-security findings result in warnings. We can do that already by telling MegaLinter which linters have errors disabled. The challenge is having to disable errors for a large (and growing!) list of linters. If there are 105 linters and I only want 5 of them to have findings result in errors, I need to disable errors for 100 linters. The idea came to me, "just run MegaLinter twice, one that will only run the security-related linters and fail when finding anything and another run with the non-fatal linters and have errors disabled for that entire second run." The two runs would be different from a configuration perspective in that one would use environment variables to configure which linters ran and how to handle findings. Both would use the same
Does this make sense? Are there any obvious problems with this approach? |
My local testing with this approach appears to be working # repository scans
docker run --rm -it -u root -v "${WORKSPACE}:/tmp/lint" -w /tmp/lint -e "ENABLE_LINTERS=REOPSITORY" -e "DISABLE_ERRORS=false" oxsecurity/megalinter-security:latest
# non-repository scans
docker run --rm -it -u root -v "${WORKSPACE}:/tmp/lint" -w /tmp/lint -e "DISABLE_LINTERS=REOPSITORY" -e "DISABLE_ERRORS=true" oxsecurity/megalinter-javascript:latest |
This issue has been automatically marked as stale because it has not had recent activity. If you think this issue should stay open, please remove the |
Is your feature request related to a problem? Please describe.
Right now, we have
DISABLE_ERRORS_LINTERS
as a convenient way to provide a list of linters whose findings will not cause MegaLinter to fail a build.The vision I have is that MegaLinter could run and fail builds if scanners in
REPOSITORY_.*
produce findings but allow MegaLinter to pass builds that have findings in the other linters.So, the security-centric
REPOSITORY_.*
scanners findings' will be errors while everything else has errors disabled. It's the inverse ofDISABLE_ERRORS_LINTERS
.Describe the solution you'd like
Example:
(the first line may or may not be implied by the presence of
ENABLE_ERRORS_LINTERS
)Describe alternatives you've considered
Additional context
This could mirror the behavior of other variables in the activation / deactivation functionality, but that may be more involved than would be required at an early stage.
I looked through the code and the issues on GitHub but I didn't see what I was looking for, but that's not to say there isn't a fancy, super-excellent way to get from here to there without changing a line of code.
Just an idea. Thank you!
The text was updated successfully, but these errors were encountered: