-
Notifications
You must be signed in to change notification settings - Fork 46
/
rule-example.yaml
421 lines (419 loc) · 12.4 KB
/
rule-example.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
- message: all go files
ruleID: file-001
description: "Testing that we can get all the go files in the project"
links:
- title: "Golang"
url: "https://go.dev"
labels:
- "testing"
- "test"
category: potential
effort: 3
when:
builtin.file:
pattern: "*.go"
- message: not any go files
ruleID: file-002
effort: 1
when:
builtin.file:
pattern: "*.go"
not: true
- message: POM XML dependencies - '{{{matchingXML}}}'
ruleID: xml-pom-001
effort: 1
when:
builtin.xml:
xpath: "//dependencies/dependency"
- message: '{{{matchingXML}}}'
ruleID: chain-pom-001
effort: 1
when:
or:
- builtin.xml:
xpath: "//dependencies/dependency"
filepaths: "{{poms.extras.filepaths}}"
from: poms
- builtin.file:
pattern: pom.xml
as: poms
ignore: true
- message: apiextensions/v1beta1/customresourcedefinitions is deprecated, apiextensions/v1/customresourcedefinitions should be used instead
ruleID: lang-ref-001
effort: 1
when:
or:
- java.referenced:
pattern: "*apiextensions.v1beta1.CustomResourceDefinition*"
location: TYPE
- go.referenced:
pattern: "v1beta1.CustomResourceDefinition"
- message: 'golang apiextensions/v1/customresourcedefinitions found {{file}}:{{lineNumber}}'
ruleID: go-lang-ref-001
effort: 1
when:
go.referenced:
pattern: "v1beta1.CustomResourceDefinition"
- message: testing nested conditions
ruleID: lang-ref-002
effort: 1
when:
# This is purposfully failing, the golang reference will not
# find anything. testing that `and` will work correctly
and:
- go.referenced:
pattern: "*CustomResourceDefinition*"
- java.referenced:
pattern: "*CustomResourceDefinition*"
location: TYPE
- message: 'java found apiextensions/v1/customresourcedefinitions found {{file}}:{{lineNumber}}'
ruleID: lang-ref-003
effort: 1
when:
java.referenced:
pattern: "*apiextensions.v1beta1.CustomResourceDefinition*"
location: TYPE
- tag:
- License={{matchingText}}
ruleID: tag-license
when:
builtin.filecontent:
pattern: "Apache"
- tag:
- Language=Golang
ruleID: tag-go-000
when:
builtin.file:
pattern: "go.mod"
- tag:
- Infra=Kubernetes
ruleID: tag-k8s-000
when:
builtin.filecontent:
pattern: ".*k8s.io/.*"
filePattern: ".*go.mod"
- tag:
- Java
ruleID: tag-java-000
when:
or:
- builtin.file:
pattern: "pom.xml"
- builtin.file:
pattern: "*.ear"
- builtin.file:
pattern: "*.jar"
- builtin.file:
pattern: "*.war"
- message: "Tags {{tags}} found"
ruleID: tech-tag-001
when:
or:
- builtin.hasTags:
- Golang
- Kubernetes
- builtin.hasTags:
- Java
- message: "dependency {{name}} with {{version}} is bad and you should feel bad for using it"
ruleID: golang-gomod-dependencies
effort: 1
when:
and:
- go.dependency:
name: golang.org/x/text
upperbound: v0.3.8
- go.dependency:
name: k8s.io/apimachinery
lowerbound: v0.24.3
- go.dependency:
name: sigs.k8s.io/structured-merge-diff/v4
lowerbound: v4.2.0
upperbound: v4.2.2
- message: "dependency {{name}} with {{version}} is bad and you should feel bad for using it"
ruleID: java-pomxml-dependencies
effort: 1
when:
and:
- java.dependency:
name: junit.junit
upperbound: 4.12.2
lowerbound: 4.4.0
- java.dependency:
name: io.fabric8.kubernetes-client
lowerbound: 5.0.100
- message: "found generic call"
ruleID: lang-ref-004
effort: 1
customVariables:
- pattern: '([A-z]+)\.get\(\)'
name: VariableName
when:
java.referenced:
location: METHOD_CALL
pattern: com.example.apps.GenericClass.get
- message: condition entries should evaluate out of order
ruleID: singleton-sessionbean-00001
effort: 1
when:
or:
- as: sessionbean
from: singleton
java.referenced:
location: IMPLEMENTS_TYPE
pattern: javax.ejb.SessionBean
- as: singleton
java.referenced:
location: ANNOTATION
pattern: javax.ejb.Singleton
- message: condition entries should evaluate in order
ruleID: singleton-sessionbean-00002
effort: 1
when:
or:
- as: singleton
java.referenced:
location: ANNOTATION
pattern: javax.ejb.Singleton
- as: sessionbean
from: singleton
java.referenced:
location: IMPLEMENTS_TYPE
pattern: javax.ejb.SessionBean
- message: "error test"
ruleID: error-rule-001
effort: 1
when:
builtin.xml:
xpath:
invalid-query: "test"
- message: "JBoss 5.x EAR descriptor (jboss-app.xml) was found with public-id"
ruleID: jboss-eap5-7-xml-02000
effort: 1
when:
builtin.xmlPublicID:
regex: .*JBoss.+DTD Java EE.+5.*
- message: "Tags {{tags}} found, creating message and new tag both"
ruleID: multiple-actions-001
tag:
- Backend=Golang
when:
builtin.hasTags:
- Golang
- message: "Found usage of openjdk base image"
ruleID: filecontent-codesnip-test
effort: 1
when:
builtin.filecontent:
pattern: "^FROM.*openjdk-11.*"
filePattern: "Dockerfile"
- message: python sample rule 001
ruleID: python-sample-rule-001
effort: 1
when:
python.referenced:
pattern: "hello_world"
- message: python sample rule 002
ruleID: python-sample-rule-002
effort: 1
when:
python.referenced:
pattern: "speak"
- message: python sample rule 003
ruleID: python-sample-rule-003
effort: 1
when:
python.referenced:
pattern: "create_custom_resource_definition"
- message: Deprecated/removed Kubernetes API version 'extensions/v1beta1' is used for 'Deployment'. Consider using 'apps/v1'.
ruleID: k8s-deprecated-api-001
description: "Check for usage of deprecated Kubernetes API versions"
category: potential
effort: 2
when:
yaml.k8sResourceMatched:
apiVersion: "extensions/v1beta1"
kind: "Deployment"
deprecatedIn: "v1.9.0"
removedIn: "v1.16.0"
replacementAPI: "apps/v1"
- message: Deprecated Kubernetes API version 'apps/v1beta1' is used for 'StatefulSet'. Consider using 'apps/v1'.
ruleID: k8s-deprecated-api-002
description: "Check for usage of deprecated Kubernetes API versions"
category: potential
effort: 2
when:
yaml.k8sResourceMatched:
apiVersion: "extensions/v1beta1"
kind: "ReplicaSet"
deprecatedIn: "v1.9.0"
removedIn: "v1.16.0"
replacementAPI: "apps/v1"
- category: potential
description: "Test code snippets when match is a key of a XML node"
message: "The code snippet should point to <beans> in the beans.xml file"
ruleID: xml-test-key-match
effort: 1
when:
builtin.xml:
filepaths:
- beans.xml
namespaces:
b: http://xmlns.jcp.org/xml/ns/javaee
xpath: /b:beans
- category: potential
description: Move to Jakarta EE Maven Artifacts - replace groupId javax.activation
effort: 1
message: If you migrate your application to JBoss EAP 7.3, or later, and want to
ensure its Maven building, running or testing works as expected, use instead the
Jakarta EE dependency with groupId `com.sun.activation`
ruleID: maven-javax-to-jakarta-00002
when:
java.dependency:
lowerbound: 0.0.0
name: javax.activation.activation
- category: mandatory
description: |
This rule tests includedPaths config of the java provider. There should be two instances of this issue in the example app.
We are filtering one of them using includedPaths in provider config.
effort: 3
message: Only incidents in util/FileReader.java should be found
ruleID: java-inclusion-test
when:
java.referenced:
pattern: java.io.File
- category: optional
description: |
This is same as java-io-file-usage but for the builtin providers. There are multiple instances of the same incidents in different directories.
We are filtering some out using includedPaths setting.
message: Only incidents in dir-0/test.json should be found
ruleID: builtin-inclusion-test-json
effort: 1
when:
and:
- builtin.json:
xpath: //inclusionTestNode
- builtin.file:
pattern: inclusion-test.json
- builtin.filecontent:
pattern: "inclusionTestNode"
- category: optional
description: |
This is same as java-io-file-usage but for the builtin providers. There are multiple instances of the same incidents in different directories.
We are filtering some out using includedPaths setting.
message: Only incidents in dir-0/test.xml should be found
ruleID: builtin-inclusion-test-xml
effort: 1
when:
and:
- builtin.xml:
xpath: //inclusionTestNode
- builtin.file:
pattern: inclusion-test.xml
- builtin.filecontent:
pattern: "<inclusionTestNode>"
- category: mandatory
description: |
This rule looks for a class only present in the gradle project
effort: 3
message: Only incidents in gradle project should appear
ruleID: java-gradle-project
when:
java.referenced:
pattern: com.sun.net.httpserver.HttpExchange
- category: mandatory
description: |
This rule tests the application downloaded from maven artifact
tag:
- Java Operator SDK
ruleID: java-downloaded-maven-artifact
when:
java.referenced:
pattern: io.javaoperatorsdk.operator.Operator
- category: mandatory
description: Sample field declaration rule
message: "Field found"
ruleID: field-rule-00001
when:
java.referenced:
pattern: io.konveyor.demo.ordermanagement.repository.CustomerRepository
location: FIELD
- category: mandatory
description: |
This rule looks for a given class annotated with a given annotation
message: "Annotation inspection 01"
ruleID: java-annotation-inspection-01
when:
java.referenced:
pattern: io.konveyor.demo.ordermanagement.config.PersistenceConfig
location: TYPE
annotated:
pattern: org.springframework.data.jpa.repository.config.EnableJpaRepositories
elements:
- name: basePackages
value: "io.konveyor.demo.ordermanagement.repository"
- category: mandatory
description: |
This rule looks for a given method annotated with a given annotation
message: "Annotation inspection 02"
ruleID: java-annotation-inspection-02
when:
java.referenced:
pattern: entityManagerFactory()
location: METHOD_DECLARATION
annotated:
pattern: org.springframework.context.annotation.Bean
- category: mandatory
description: |
This rule looks for a given field annotated with a given annotation
message: "Annotation inspection 03"
ruleID: java-annotation-inspection-03
when:
java.referenced:
pattern: io.konveyor.demo.ordermanagement.service.CustomerService
location: FIELD
annotated:
pattern: org.springframework.beans.factory.annotation.Autowired
- category: mandatory
description: |
This rule looks for a given annotation used with some given properties (elements)
message: "Annotation inspection 04"
ruleID: java-annotation-inspection-04
when:
java.referenced:
pattern: org.springframework.web.bind.annotation.GetMapping
location: ANNOTATION
annotated:
elements:
- name: value
value: "id"
- category: mandatory
description: |
This rule looks for a given annotation used with another annotation
message: "Annotation inspection 05"
ruleID: java-annotation-inspection-05
when:
java.referenced:
pattern: org.springframework.context.annotation.Configuration
location: ANNOTATION
annotated:
pattern: org.springframework.data.jpa.repository.config.EnableJpaRepositories
elements:
- name: basePackages
value: "io.konveyor.demo.ordermanagement.repository"
- ruleID: java-chaining-01
category: mandatory
description: "There should only be one instance of this rule"
message: |
Sample message. This rule checks that the chaining conditions are working. Should only get a single issue.
when:
and:
- java.referenced:
pattern: java.lang.Override
location: ANNOTATION
as: class
ignore: true
- java.referenced:
pattern: org.springframework.web.WebApplicationInitializer
location: IMPLEMENTS_TYPE
filepaths: "{{class.Filepaths}}"
from: class