
sobelow should have better default flags #163

Open
marcandre opened this issue Apr 12, 2024 · 2 comments

Comments

@marcandre

Options --config and --skip should be the default; they should not be necessary.

I know of no other program (none!) that does not take their .some-config into account by default.

Feel free to add --no-config and --no-skip, although I don't see a utility for them.

@houllette
Contributor

Hey @marcandre - while I don't disagree, just wanted to shed some light on why the design of Sobelow is the way it is currently:

Sobelow was originally made as a security tool to aid in evaluating codebases locally (whether that was a security professional or a developer looking to secure their code) - I can't say for certain, but I believe it's because of that specific use case in mind that the architecture of the codebase isn't as natively conducive to the CI/CD use case that having better defaults would allow for.

In #159 you brought up the following point:

The question is: are there any users calling sobelow without the --skip option that would be impacted?

And the problem is, frankly, I have no idea if any users would be impacted, and it's hard to figure out if that would be the case or not. To me that sounds like a potentially breaking change, and while I'm not averse to those (namely Elixir/OTP version bumps), I'm always still hesitant to introduce them given the fact that many abstractions are built on top of Sobelow (GitLab Security Scanning, Paraxial.io, etc.) and I don't know exactly how they're anticipating functionality working beyond how it exists today.

Again, not saying this isn't a worthwhile change or something to pursue (PRs are always welcome from folks besides me) - just wanted to lay out all the context I have and outline my concerns.

@marcandre
Author

Thanks for the reply.

I agree these are breaking changes.

I disagree that this request has anything to do with CI/CD. I'd say it's the contrary. The current setup makes it difficult to set up CI/CD, as I believe no one would think to initially use the --config and --skip options. But that's a one-time thing. Once it is set up, it will work for that project.

But anytime a user calls sobelow locally, they have to type in these options. I don't have a sufficient memory to remember that. So every single time I'm using sobelow outside of CI/CD, it will not give me the correct results and I have to figure out why.

I'll be glad to produce a PR if you greenlight the changes.
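One way to avoid having to remember the flags on every local run, as an added example that is not part of this issue or of Sobelow's own code or documentation: a Mix alias in the project's mix.exs that always passes --config and --skip, so a developer's local run and the CI job invoke the same command. The alias name `sobelow.ci`, the app name and the dependency version line are placeholders I chose; `--exit low` is Sobelow's existing option for returning a non-zero exit status when findings at or above the given confidence level are reported, and is included so the same alias can fail a CI build.

```elixir
# mix.exs (added example; the app name, version and sobelow version are placeholders)
defmodule MyApp.MixProject do
  use Mix.Project

  def project do
    [
      app: :my_app,
      version: "0.1.0",
      elixir: "~> 1.15",
      deps: deps(),
      aliases: aliases()
    ]
  end

  # Sobelow is a dev/test-only dependency; the version constraint is assumed.
  defp deps do
    [
      {:sobelow, "~> 0.13", only: [:dev, :test], runtime: false}
    ]
  end

  # `mix sobelow.ci` always reads .sobelow-conf (--config) and honours the
  # skip markers (--skip), so nobody has to type the flags by hand and a
  # local run reports the same findings as CI. `--exit low` makes the task
  # return non-zero on any reported finding, which is what a CI step wants.
  defp aliases do
    [
      "sobelow.ci": ["sobelow --config --skip --exit low"]
    ]
  end
end
```

Developers run `mix sobelow.ci` locally and the CI pipeline runs the identical alias, so the "works in CI but not on my machine" mismatch described in the comment above goes away; if the defaults ever change upstream, only the alias needs updating.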
