[lint, LS] Add security analyzers and protocol stringer support#614
Conversation
SupunS
left a comment
Thank you for adding these! 🙏
Overall LGTM! Left a couple of suggestions for improving the coverage for some of the linters. I can also help with getting those in, please let me know.
turbolent
left a comment
Thank you for porting these linters over from the CLI PR and rewriting them from regular expressions to analyzers! 👍
Nice! The improvements look good, just a couple minor things left.
I'm worried CapabilityPublishAnalyzer will be too noisy and will break developers' CI (e.g. FF DeFi repos), as they treat all warnings as errors and require all diagnostics to be addressed. Given the current lack of allowing these diagnostics to be addressed, we need to either provide a way to address them, or maybe exclude this analyzer from this PR and add it in another PR.
Summary
Adds AST-based security lint analyzers and stringer-generated `String()` methods for protocol types, based on feedback from onflow/flow-cli#2306.

New lint analyzers:
- `permissive-access` — flags `access(all) var` (mutable) fields in composites, which allow public write access
- `hardcoded-address` — flags hex integer literals >= 8 digits as potential hardcoded addresses, suggesting named imports for portability
- `capability-publish` — flags `capabilities.publish()` calls as a reminder to verify entitlements guard the capability (type-checked against `Account.Capabilities` to avoid false positives)
- `public-account-param` — flags `access(all)` functions that accept `auth(...) &Account` parameters, exposing broad account access to any caller

Protocol stringer support:
- `go:generate stringer` for `SymbolKind` and `DiagnosticSeverity` in `languageserver/protocol`
- `String()` methods usable by downstream consumers

All analyzers are AST-based (not regex), follow existing analyzer patterns, self-register via `init()`, and include comprehensive tests.

Test plan
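As an added illustration of what the four analyzers described in the summary target (this is a constructed Cadence lint target written for this page, not code from the PR or from cadence-tools), the contract below pairs one pattern each analyzer reports with a form that passes review. The contract name, the `Withdraw` entitlement, the storage and public paths, and the import address `0x0123456789abcdef` are placeholders chosen for the example; the file is meant to be opened under the language server or linter, not deployed as-is.

```cadence
// Constructed lint target (added example, not code from this PR).
// The import address is a placeholder, not a real deployment.

// hardcoded-address: a 16-digit hex literal pins this file to one network.
import FungibleToken from 0x0123456789abcdef

// portable alternative: a named import, resolved per network by the tooling
// import "FungibleToken"

access(all) contract LintExamples {

    access(all) entitlement Withdraw

    access(all) resource Vault {
        // kept private so permissive-access has nothing to report here
        access(self) var balance: UFix64

        init(balance: UFix64) {
            self.balance = balance
        }

        access(all) view fun getBalance(): UFix64 {
            return self.balance
        }

        access(Withdraw) fun withdraw(amount: UFix64): @Vault {
            self.balance = self.balance - amount
            return <- create Vault(balance: amount)
        }
    }

    // permissive-access: public mutable field in a composite.
    access(all) var fee: UFix64

    // passes: private field, reads through a view getter, writes through a
    // function whose access modifier states who may call it.
    access(self) var treasuryFee: UFix64

    access(all) view fun getTreasuryFee(): UFix64 {
        return self.treasuryFee
    }

    access(account) fun setTreasuryFee(_ fee: UFix64) {
        self.treasuryFee = fee
    }

    // hardcoded-address: address literal inside an expression.
    access(all) fun adminFlagged(): Address {
        let admin: Address = 0x0123456789abcdef
        return admin
    }

    // passes: derive the address from the deploying account instead.
    access(all) fun admin(): Address {
        return self.account.address
    }

    // public-account-param: an access(all) function taking an entitled &Account.
    // capability-publish: the reminder matters here, because the capability
    // was issued with the Withdraw entitlement, so anyone who borrows it from
    // the public path can withdraw.
    access(all) fun setupFlagged(acct: auth(Storage, Capabilities) &Account) {
        acct.storage.save(<- create Vault(balance: 0.0), to: /storage/lintVault)
        let cap = acct.capabilities.storage.issue<auth(Withdraw) &Vault>(/storage/lintVault)
        acct.capabilities.publish(cap, at: /public/lintVault)
    }

    // passes review: not a public entry point, and the published capability
    // carries no entitlement, so borrowers can only read the balance.
    // capability-publish still reports this publish call; the check only asks
    // the reviewer to confirm the issued type, which is what was done here.
    access(account) fun setupGuarded(acct: auth(Storage, Capabilities) &Account) {
        acct.storage.save(<- create Vault(balance: 0.0), to: /storage/lintVault)
        let cap = acct.capabilities.storage.issue<&Vault>(/storage/lintVault)
        acct.capabilities.publish(cap, at: /public/lintVault)
    }

    init() {
        self.fee = 0.0
        self.treasuryFee = 0.0
    }
}
```

The two `setup` functions are the pair worth checking in CI: they differ only in the function's access modifier and in the reference type passed to `issue`, which is exactly the distinction `public-account-param` and the `capability-publish` reminder are asking a reviewer to make. Because `capability-publish` fires on the guarded version too, a repository that treats every diagnostic as an error (the concern raised in the review above) needs a way to acknowledge that diagnostic before this analyzer can be enabled by default.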