
Comments (5)

underyx commented on July 30, 2024

My preferred UI for this in CI would be:

html-to-image-injection       [javascript] [wkhtmltoimage] [security] [audit]
     > server/semgrep_app/controllers/registry.py:79

     ╷
   79│   r = wkhtmltoimage(html)
     ╵
     = There's an HTTP request made with requests, but the raise_for_status()
       utility method isn't used. This can result in request errors going
       unnoticed and your code behaving in unexpected ways, such as if your
       authorization API returns a 500 error while you're only checking for a
       401.

And when there's lack of space

                              [javascript] [wkhtmltoimage] [security] [audit]
dlukeomalley:html-to-image-injection

     > server/semgrep_app/controllers/registry.py:79
     ╷
   79│   r = wkhtmltoimage(html)
     ╵
     = There's an HTTP request made with requests, but the raise_for_status()
       utility method isn't used. This can result in request errors going
       unnoticed and your code behaving in unexpected ways, such as if your
       authorization API returns a 500 error while you're only checking for a
       401.

from semgrep-action.

ievans commented on July 30, 2024

@nbrahms how will we empower the user to change the config or the rule from the CI output with just the short check ID? What if rule IDs alias?


dlukeomalley commented on July 30, 2024

@underyx and I have discussed this quite a bit. Our thought was that rule-ids should be unique within a rule pack or be prefixed with the rule pack they've been imported from: dlukeomalley.python:no-exec. Not sure if this is the spirit of this ticket, but in general I'd like to move towards shorter, more friendly rule-ids and rely on our output formatting to highlight their category, language, etc.

From a web UI perspective if we move towards this naming scheme we eliminate the need for ... on rule IDs.

@underyx I think we have a ticket talking about rule ids more broadly? Can't seem to find it.


nbrahms commented on July 30, 2024

@ievans I think the line of thinking that @DrewDennison and I had was to just leave this as an edge case for now. E.g. you just get a warning that you're overwriting a rule, for instance.


dlukeomalley commented on July 30, 2024

Capturing some of the Slack discussion about this feature and adding notes:

I agree with @ievans's point to avoid things like B001 and want to avoid the equally hairy (but perhaps grokkable) javascript.wkhtmltoimage.security.audit.wkhtmltoimage-injection.wkhtmltoimage-injection.

From a UI perspective in CI, CLI, web we do a lot to account for and handle long rule IDs - they are the norm rather than the exception. To clean up output and make rules more discussable and grokkable the suggestion is to use short names.

For example, nobody in discussion says javascript.wkhtmltoimage.security.audit.wkhtmltoimage-injection.wkhtmltoimage-injection, they refer to it as html-to-image-injection.

Instead of adopting a global naming scheme with many constraints, I’d prefer to give semgrep rule authors free rein and associate a rule back to them (Pride is the sin here). So dlukeomalley.bento:no-eval. You know who uniquely controls the pack, what the pack is, and what the rule is.

I don’t think this needs to be a now thing necessarily, but earlier may be better to get this right and make it more like Bento with human-readable short strings than Bandit or what we currently have.

