New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add suppression information in the output of ESLint #14784
Comments
Thanks for the issue. Can you list out what information you would expect for each suppression? It’s not very clear from the snippet. |
Hi @nzakas , thanks for the reply. A suppression entry contains a When disabling rules using configuration comments, the description after two or more consecutive /* eslint-disable no-console -- Just for debug. */
/* eslint-disable no-console
-------
Just for debug. */
/* eslint-disable no-console
* -----
* Just for debug.
*/
// eslint-disable-line no-console -- Just for debug.
// eslint-disable-next-line no-console -- Just for debug. Then we may get: {"kind": "inSource", "justification": "Just for debug."} When disabling rules using configuration files, it seems no good places to put a justification. We could have a discussion about it. Currently for example: rules: {"no-console": "off"} Then we may get: {"kind": "external", "justification": ""} If a line is suppressed by multiple rules, a suppression list would be preferred to gather all suppression info: suppressions: [
{"kind": "inSource", "justification": "foo"},
{"kind": "external", "justification": ""}
] We may have a new CLI option such as |
The two cases you mention are handled very differently in ESLint: configuration files and inline comments. When rules are disabled inside of configuration files, we don't do any tracking at all and that information is not returned to a formatter. We never run the rules at all so there are no lint messages to display. When you use I'm still having trouble understanding what a "suppression" actually means. Does it just mean you want to know when a rule was disabled and why? Or does it mean you want the lint message (including location information) but also a reason why it was disabled? |
Here is our Dev Spec, which has a clearer description. ProblemESLint is a famous tool for identifying and reporting on patterns found in ECMAScript/JavaScript code. When codes violating one or more defined rules, ESLint will report warnings or errors: "messages": [
{
"ruleId":"no-undef",
"severity":2,
"message":"'b' is not defined.",
"line":2,
"column":1,
"nodeType":"Identifier",
"messageId":"undef",
"endLine":2,
"endColumn":2
}
] However, in our scenarios, when violations are suppressed, Security Development Lifecycle (SDL) tools, such as ESLint, are expected to export suppression information, including its kind and justification. We could take advantage of this info to generate corresponding signals for auditing purposes. "messages": [
{
"ruleId":"no-undef",
"severity":2,
"message":"'b' is not defined.",
"line":2,
"column":1,
"nodeType":"Identifier",
"messageId":"undef",
"endLine":2,
"endColumn":2,
"suppressions": [
{
"kind":"inSource",
"justification":"Justification example"
}
]
}
] Suppression in ESLintThere are 2 ways to suppress (or disable in ESLint) warnings/errors (violations), according to disabling-rules:
When an error or warning is suppressed, it will not be output. Particularly, an option Currently, ESLint cannot dump these output messages into the SARIF format. A tool ESLint.Formatter can be used to convert the output of ESLint to SARIF format:
Figure Data Flow below is a high-level understanding of the current design.
What we needAs mentioned above, what we need is to allow engineers to provide justification in the suppression and output the suppression information. To minimize changes, we propose to use the More specifically, for inSource suppression (or inline comments in ESLint), the description after two or more consecutive dashes can be treated as the justification. For example: /* eslint-disable no-undef -- Justification example */
a = 1;
/* eslint-enable no-undef */ console.log("foo"); // eslint-disable-line no-console -- Justification example // eslint-disable-next-line no-console -- Justification example
console.log("bar"); Then we may get: {"kind": "inSource", "justification": "Justification example"} For external suppression (or configuration files in ESLint), there are no good places to put a justification. We may put something general as a justification, like “Globally disabled”. For example: {"kind": "external", "justification": "Globally disabled"} If a line is suppressed by multiple rules, a suppression list would be preferred to gather all suppression information: suppressions: [
{"kind": "inSource", "justification": "foo"},
{"kind": "external", "justification": "Globally disabled"}
] Goals
DesignWe are proposing to add a new CLI option Architectural DiagramInput:
Output: Add suppressions attribute in
|
Okay, that’s a lot of information to digest and it’s hard with an issue comment. What I’d like to suggest is that you create a formal RFC so we can review and make inline comments on areas where we need more information. |
Oops! It looks like we lost track of this issue. @eslint/eslint-tsc what do we want to do here? This issue will auto-close in 7 days without an update. |
Keeping this open while we work on the RFC |
The version of ESLint you are using.
v7.29.0
The problem you want to solve.
ESLint is a great and famous tool for identifying and reporting on patterns found in ECMAScript/JavaScript code. It helps a lot in our development. Sometimes we developers have to suppress warnings/errors in the code by adding
eslint-disable
,eslint-disable-line
andeslint-disable-next-line
comments, according to disabling-rules. We can also use.\node_modules\.bin\eslint.cmd 1.js -f @microsoft/eslint-formatter-sarif -o 1.sarif --no-inline-config
to dump all information including suppressed ones into a SARIF file.However in our scenarios, Security Development Lifecycle (SDL) tools, such as ESLint, are expected to export suppression justifications when warnings/errors are disabled. For example, a developer use
eslint-disable-line no-console
to suppress a warning:Then in DevOps, ESLint could record this message and dump it into file:
This suppression info would trigger a signal to our team, and thus we could judge whether the suppression is reasonable by the justification.
Your take on the correct solution to problem.
Since it might be a non-trivial change, I think we could have a discussion first.
Are you willing to submit a pull request to implement this change?
Yes.
The text was updated successfully, but these errors were encountered: