docs: add package import rule guide #752
Conversation
|
Caution Review failedThe pull request is closed. WalkthroughA new documentation file has been added that describes a generic CodeQL rule template for detecting specific Go package imports. The documentation includes a YAML rule snippet, usage instructions, an example for detecting JWT imports, a playground link, and contributor credit. Changes
Poem
📜 Recent review detailsConfiguration used: CodeRabbit UI 📒 Files selected for processing (1)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. 🪧 TipsChatThere are 3 ways to chat with CodeRabbit:
SupportNeed help? Create a ticket on our support page for assistance with any issues or questions. Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments. CodeRabbit Commands (Invoked using PR comments)
Other keywords and placeholders
CodeRabbit Configuration File (
|
There was a problem hiding this comment.
Actionable comments posted: 2
🧹 Nitpick comments (2)
website/catalog/go/match-package-import.md (2)
11-18: Wrap regex value in quotes for YAML validity
Unquoted regex strings containing dots, slashes, or special characters can lead to YAML parsing issues. Wrapping the pattern in quotes ensures consistent behavior.rule: kind: import_spec has: - regex: PACKAGE_PATTERN_HERE + regex: "PACKAGE_PATTERN_HERE"
20-22: Add a usage example for clarity
Consider adding a brief CLI invocation snippet showing how to apply this rule with ast-grep (for example:ast-grep -c match-package-import.yaml ./...). This will help users quickly integrate the template into their workflows.
| @@ -0,0 +1,46 @@ | |||
| ## Match package import in Golang | |||
|
|
|||
| * [Playground Link](https://ast-grep.github.io/playground.html#eyJtb2RlIjoiQ29uZmlnIiwibGFuZyI6ImdvIiwicXVlcnkiOiIiLCJyZXdyaXRlIjoiIiwic3RyaWN0bmVzcyI6InNtYXJ0Iiwic2VsZWN0b3IiOiIiLCJjb25maWciOiJpZDogbWF0Y2gtaW1wb3J0LXBrZ1xubGFuZ3VhZ2U6IGdvXG5ydWxlOlxuICBraW5kOiBpbXBvcnRfc3BlY1xuICBoYXM6XG4gICAgcmVnZXg6IGdpdGh1Yi5jb20vZ29sYW5nLWp3dC9qd3QiLCJzb3VyY2UiOiJpbXBvcnQgKFxuXHRcImNvbnRleHRcIlxuXHRcImZtdFwiXG5cdFwib3NcIlxuXG5cdFwiZ2l0aHViLmNvbS9nb2xhbmctand0L2p3dFwiXG4pXG5cbmltcG9ydCBcdFwiZ2l0aHViLmNvbS9nb2xhbmctand0L2p3dFwiXG5cbmltcG9ydCBcdFwiZ2l0aHViLmNvbS9nb2xhbmctand0L2p3dC92NFwiIn0=) | |||
There was a problem hiding this comment.
https://ast-grep.github.io shall be omitted
|
|
||
| JWT Library Detection | ||
|
|
||
| ```yaml |
There was a problem hiding this comment.
example here should be golang code, not yaml
| regex: PACKAGE_PATTERN_HERE | ||
| ``` | ||
| ### Configuration |
There was a problem hiding this comment.
please don't add h3 new section. markdown is processed by scripts and section order is critical. please follow other file's format
There was a problem hiding this comment.
Fixed, adjusted the file to match existing markdown files.
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (2)
website/catalog/go/match-package-import.md (2)
1-1: Use "Go" instead of "Golang" for consistency
Most Go community and other documentation use "Go" rather than "Golang" in headings. Consider renaming the title accordingly.-## Match package import in Golang +## Match package import in Go
31-58: Suppress or replace hard tabs to satisfy markdownlint MD010
The Go example uses hard tabs throughout, triggeringMD010warnings. You can either convert them to spaces or disable the rule around this block. For example:-```go +<!-- markdownlint-disable MD010 --> +```go import ( - "fmt" - "github.com/golang-jwt/jwt" // This matches the AST rule + "fmt" + "github.com/golang-jwt/jwt" // This matches the AST rule ) func main() { // Create a new token token := jwt.New(jwt.SigningMethodHS256) ... } -``` +``` +<!-- markdownlint-enable MD010 -->🧰 Tools
🪛 markdownlint-cli2 (0.17.2)
35-35: Hard tabs
Column: 1(MD010, no-hard-tabs)
36-36: Hard tabs
Column: 1(MD010, no-hard-tabs)
40-40: Hard tabs
Column: 1(MD010, no-hard-tabs)
41-41: Hard tabs
Column: 1(MD010, no-hard-tabs)
42-42: Hard tabs
Column: 1(MD010, no-hard-tabs)
43-43: Hard tabs
Column: 1(MD010, no-hard-tabs)
44-44: Hard tabs
Column: 1(MD010, no-hard-tabs)
45-45: Hard tabs
Column: 1(MD010, no-hard-tabs)
46-46: Hard tabs
Column: 1(MD010, no-hard-tabs)
47-47: Hard tabs
Column: 1(MD010, no-hard-tabs)
48-48: Hard tabs
Column: 1(MD010, no-hard-tabs)
49-49: Hard tabs
Column: 1(MD010, no-hard-tabs)
50-50: Hard tabs
Column: 1(MD010, no-hard-tabs)
51-51: Hard tabs
Column: 1(MD010, no-hard-tabs)
52-52: Hard tabs
Column: 1(MD010, no-hard-tabs)
53-53: Hard tabs
Column: 1(MD010, no-hard-tabs)
54-54: Hard tabs
Column: 1(MD010, no-hard-tabs)
55-55: Hard tabs
Column: 1(MD010, no-hard-tabs)
56-56: Hard tabs
Column: 1(MD010, no-hard-tabs)
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (1)
website/catalog/go/match-package-import.md(1 hunks)
🧰 Additional context used
🪛 markdownlint-cli2 (0.17.2)
website/catalog/go/match-package-import.md
35-35: Hard tabs
Column: 1
(MD010, no-hard-tabs)
36-36: Hard tabs
Column: 1
(MD010, no-hard-tabs)
40-40: Hard tabs
Column: 1
(MD010, no-hard-tabs)
41-41: Hard tabs
Column: 1
(MD010, no-hard-tabs)
42-42: Hard tabs
Column: 1
(MD010, no-hard-tabs)
43-43: Hard tabs
Column: 1
(MD010, no-hard-tabs)
44-44: Hard tabs
Column: 1
(MD010, no-hard-tabs)
45-45: Hard tabs
Column: 1
(MD010, no-hard-tabs)
46-46: Hard tabs
Column: 1
(MD010, no-hard-tabs)
47-47: Hard tabs
Column: 1
(MD010, no-hard-tabs)
48-48: Hard tabs
Column: 1
(MD010, no-hard-tabs)
49-49: Hard tabs
Column: 1
(MD010, no-hard-tabs)
50-50: Hard tabs
Column: 1
(MD010, no-hard-tabs)
51-51: Hard tabs
Column: 1
(MD010, no-hard-tabs)
52-52: Hard tabs
Column: 1
(MD010, no-hard-tabs)
53-53: Hard tabs
Column: 1
(MD010, no-hard-tabs)
54-54: Hard tabs
Column: 1
(MD010, no-hard-tabs)
55-55: Hard tabs
Column: 1
(MD010, no-hard-tabs)
56-56: Hard tabs
Column: 1
(MD010, no-hard-tabs)
🔇 Additional comments (1)
website/catalog/go/match-package-import.md (1)
18-25: YAML snippet is clear and correctly formatted
Theyamlcode fence and indentation for theid,language, andrulefields look good and align with other rule docs.
There was a problem hiding this comment.
Actionable comments posted: 0
🧹 Nitpick comments (3)
website/catalog/go/match-package-import.md (3)
1-2: Use "Go" instead of "Golang" in the title
For consistency with official terminology and other catalog entries, rename the heading to:-## Match package import in Golang +## Match package import in Go
23-31: Consider alias import scenarios
Although the regex-based rule will match alias imports (e.g.,import jwt "github.com/golang-jwt/jwt"), it may help to explicitly call out that alias imports are covered.
36-63: Prevent markdownlint MD010 failures
The Go example uses hard tabs for indentation inside the fenced block, triggering MD010. To keep Go’s formatting and satisfy lint, wrap the snippet with directives:<!-- markdownlint-disable MD010 --> ```go package main import ( "fmt" "github.com/golang-jwt/jwt" ) ...<details> <summary>🧰 Tools</summary> <details> <summary>🪛 markdownlint-cli2 (0.17.2)</summary> 40-40: Hard tabs Column: 1 (MD010, no-hard-tabs) --- 41-41: Hard tabs Column: 1 (MD010, no-hard-tabs) --- 45-45: Hard tabs Column: 1 (MD010, no-hard-tabs) --- 46-46: Hard tabs Column: 1 (MD010, no-hard-tabs) --- 47-47: Hard tabs Column: 1 (MD010, no-hard-tabs) --- 48-48: Hard tabs Column: 1 (MD010, no-hard-tabs) --- 49-49: Hard tabs Column: 1 (MD010, no-hard-tabs) --- 50-50: Hard tabs Column: 1 (MD010, no-hard-tabs) --- 51-51: Hard tabs Column: 1 (MD010, no-hard-tabs) --- 52-52: Hard tabs Column: 1 (MD010, no-hard-tabs) --- 53-53: Hard tabs Column: 1 (MD010, no-hard-tabs) --- 54-54: Hard tabs Column: 1 (MD010, no-hard-tabs) --- 55-55: Hard tabs Column: 1 (MD010, no-hard-tabs) --- 56-56: Hard tabs Column: 1 (MD010, no-hard-tabs) --- 57-57: Hard tabs Column: 1 (MD010, no-hard-tabs) --- 58-58: Hard tabs Column: 1 (MD010, no-hard-tabs) --- 59-59: Hard tabs Column: 1 (MD010, no-hard-tabs) --- 60-60: Hard tabs Column: 1 (MD010, no-hard-tabs) --- 61-61: Hard tabs Column: 1 (MD010, no-hard-tabs) </details> </details> </blockquote></details> </blockquote></details> <details> <summary>📜 Review details</summary> **Configuration used: CodeRabbit UI** **Review profile: CHILL** **Plan: Pro** <details> <summary>📥 Commits</summary> Reviewing files that changed from the base of the PR and between 928cd854737c7299ae36be913ca71257692fc9c7 and 70bb73260e95ee4b4ac2eaa3aaeb6ea39255450c. </details> <details> <summary>📒 Files selected for processing (1)</summary> * `website/catalog/go/match-package-import.md` (1 hunks) </details> <details> <summary>🧰 Additional context used</summary> <details> <summary>🪛 markdownlint-cli2 (0.17.2)</summary> <details> <summary>website/catalog/go/match-package-import.md</summary> 40-40: Hard tabs Column: 1 (MD010, no-hard-tabs) --- 41-41: Hard tabs Column: 1 (MD010, no-hard-tabs) --- 45-45: Hard tabs Column: 1 (MD010, no-hard-tabs) --- 46-46: Hard tabs Column: 1 (MD010, no-hard-tabs) --- 47-47: Hard tabs Column: 1 (MD010, no-hard-tabs) --- 48-48: Hard tabs Column: 1 (MD010, no-hard-tabs) --- 49-49: Hard tabs Column: 1 (MD010, no-hard-tabs) --- 50-50: Hard tabs Column: 1 (MD010, no-hard-tabs) --- 51-51: Hard tabs Column: 1 (MD010, no-hard-tabs) --- 52-52: Hard tabs Column: 1 (MD010, no-hard-tabs) --- 53-53: Hard tabs Column: 1 (MD010, no-hard-tabs) --- 54-54: Hard tabs Column: 1 (MD010, no-hard-tabs) --- 55-55: Hard tabs Column: 1 (MD010, no-hard-tabs) --- 56-56: Hard tabs Column: 1 (MD010, no-hard-tabs) --- 57-57: Hard tabs Column: 1 (MD010, no-hard-tabs) --- 58-58: Hard tabs Column: 1 (MD010, no-hard-tabs) --- 59-59: Hard tabs Column: 1 (MD010, no-hard-tabs) --- 60-60: Hard tabs Column: 1 (MD010, no-hard-tabs) --- 61-61: Hard tabs Column: 1 (MD010, no-hard-tabs) </details> </details> </details> <details> <summary>🔇 Additional comments (4)</summary><blockquote> <details> <summary>website/catalog/go/match-package-import.md (4)</summary> `11-18`: **YAML snippet formatting is correct** The fenced block is properly tagged as `yaml`, and the indentation matches other rule templates. --- `20-22`: **Configuration instructions are clear** The directive to replace `PACKAGE_PATTERN_HERE` is concise and actionable. --- `65-68`: **Footer contributor format is correct** The "Contributed by" section follows existing catalog conventions. --- `3-4`: <details> <summary>✅ Verification successful</summary> **Verify Playground link payload** Please confirm that the Base64-encoded fragment correctly represents the intended JSON configuration for `match-package-import`. An incorrect payload could mislead users. --- 🏁 Script executed: ```shell #!/bin/bash # Decode and pretty-print the playground config for verification echo 'eyJtb2RlIjoiQ29uZmlnIiwibGFuZyI6ImdvIiwicXVlcnkiOiIiLCJyZXdyaXRlIjoiIiwic3RyaWN0bmVzcyI6InNtYXJ0Iiwic2VsZWN0b3IiOiIiLCJjb25maWciOiJpZDogbWF0Y2gtaW1wb3J0LXBrZ1xubGFuZ3VhZ2U6IGdvXG5ydWxlOlxuICBraW5kOiBpbXBvcnRfc3BlY1xuICBoYXM6XG4gICAgcmVnZXg6IGdpdGh1Yi5jb20vZ29sYW5nLWp3dC9qd3QiLCJzb3VyY2UiOiJwYWNrYWdlIG1haW5cblxuaW1wb3J0IChcblx0XCJmbXRcIlxuXHRcImdpdGh1Yi5jb20vZ29sYW5nLWp3dC9qd3RcIiAgLy8gVGhpcyBtYXRjaGVzIHRoZSBBU1QgcnVsZVxuKVxuXG5mdW5jIG1haW4oKSB7XG5cdC8vIENyZWF0ZSBhIG5ldyB0b2tlblxuXHR0b2tlbiA6PSBqd3QuTmV3KGp3dC5TaWduaW5nTWV0aG9kSFMyNTYpXG5cdFxuXHQvLyBBZGQgc29tZSBjbGFpbXNcblx0dG9rZW4uQ2xhaW1zID0gand0Lk1hcENsYWltc3tcblx0XHRcInVzZXJcIjogXCJhbGljZVwiLFxuXHRcdFwicm9sZVwiOiBcImFkbWluXCIsXG5cdH1cblx0XG4gICAgLy8gU2lnbiB0aGUgdG9rZW4sIGVyciA6IHRva2VuLlNpZ25pbmdTdHJpbmcoW10kYn' | base64 --decode | jq .Length of output: 903
🏁 Script executed:
#!/bin/bash # Extract the Base64 payload from the Playground link in the markdown and decode it via Python b64=$(grep -oP '(?<=playground\.html\#)[^)\ ]+' website/catalog/go/match-package-import.md) python3 - <<EOF import base64, json, sys try: raw = base64.b64decode("""$b64""") obj = json.loads(raw) print(json.dumps(obj, indent=2)) except Exception as e: sys.stderr.write(f"Decoding or parsing error: {e}\n") sys.exit(1) EOFLength of output: 1924
Playground Link Payload Verified
The Base64 fragment decodes cleanly to the intended JSON configuration:
- mode: Config
- lang: go
- config:
id: match-import-pkg language: go rule: kind: import_spec has: regex: github.com/golang-jwt/jwt- source snippet imports and uses
github.com/golang-jwt/jwtas expected.No discrepancies found.
There was a problem hiding this comment.
Actionable comments posted: 0
🧹 Nitpick comments (2)
website/catalog/go/match-package-import.md (2)
1-2: Use "Go" instead of "Golang" for consistency
Across the site, the language is referred to as "Go" rather than "Golang". Consider renaming the title to:## Match package import in Go
9-15: Consider using a Markdown list for readability
Instead of manual line breaks, you could format the match cases as:- Direct imports: `import "package/name"` - Versioned imports: `import "package/name/v4"` - Subpackage imports: `import "package/name/subpkg"` - Grouped imports within `import()` blocksThis aligns with standard Markdown styling and improves clarity.
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (1)
website/catalog/go/match-package-import.md(1 hunks)
🧰 Additional context used
🪛 markdownlint-cli2 (0.17.2)
website/catalog/go/match-package-import.md
35-35: Hard tabs
Column: 1
(MD010, no-hard-tabs)
36-36: Hard tabs
Column: 1
(MD010, no-hard-tabs)
40-40: Hard tabs
Column: 1
(MD010, no-hard-tabs)
41-41: Hard tabs
Column: 1
(MD010, no-hard-tabs)
42-42: Hard tabs
Column: 1
(MD010, no-hard-tabs)
43-43: Hard tabs
Column: 1
(MD010, no-hard-tabs)
44-44: Hard tabs
Column: 1
(MD010, no-hard-tabs)
45-45: Hard tabs
Column: 1
(MD010, no-hard-tabs)
46-46: Hard tabs
Column: 1
(MD010, no-hard-tabs)
47-47: Hard tabs
Column: 1
(MD010, no-hard-tabs)
48-48: Hard tabs
Column: 1
(MD010, no-hard-tabs)
49-49: Hard tabs
Column: 1
(MD010, no-hard-tabs)
50-50: Hard tabs
Column: 1
(MD010, no-hard-tabs)
51-51: Hard tabs
Column: 1
(MD010, no-hard-tabs)
52-52: Hard tabs
Column: 1
(MD010, no-hard-tabs)
53-53: Hard tabs
Column: 1
(MD010, no-hard-tabs)
54-54: Hard tabs
Column: 1
(MD010, no-hard-tabs)
55-55: Hard tabs
Column: 1
(MD010, no-hard-tabs)
56-56: Hard tabs
Column: 1
(MD010, no-hard-tabs)
🔇 Additional comments (7)
website/catalog/go/match-package-import.md (7)
5-7: Clear and concise description
The "Description" section succinctly explains the rule’s purpose and customization points.
16-25: YAML snippet is correct
The code fence usesyamland the indentation/placeholder are clear and accurate.
31-38: Go import example is well-formed
Thegocode fence and import block correctly demonstrate direct and grouped imports matching the rule.🧰 Tools
🪛 markdownlint-cli2 (0.17.2)
35-35: Hard tabs
Column: 1(MD010, no-hard-tabs)
36-36: Hard tabs
Column: 1(MD010, no-hard-tabs)
39-57: Example code snippet is valid
The samplemainfunction clearly illustrates token creation, claims addition, and signing.🧰 Tools
🪛 markdownlint-cli2 (0.17.2)
40-40: Hard tabs
Column: 1(MD010, no-hard-tabs)
41-41: Hard tabs
Column: 1(MD010, no-hard-tabs)
42-42: Hard tabs
Column: 1(MD010, no-hard-tabs)
43-43: Hard tabs
Column: 1(MD010, no-hard-tabs)
44-44: Hard tabs
Column: 1(MD010, no-hard-tabs)
45-45: Hard tabs
Column: 1(MD010, no-hard-tabs)
46-46: Hard tabs
Column: 1(MD010, no-hard-tabs)
47-47: Hard tabs
Column: 1(MD010, no-hard-tabs)
48-48: Hard tabs
Column: 1(MD010, no-hard-tabs)
49-49: Hard tabs
Column: 1(MD010, no-hard-tabs)
50-50: Hard tabs
Column: 1(MD010, no-hard-tabs)
51-51: Hard tabs
Column: 1(MD010, no-hard-tabs)
52-52: Hard tabs
Column: 1(MD010, no-hard-tabs)
53-53: Hard tabs
Column: 1(MD010, no-hard-tabs)
54-54: Hard tabs
Column: 1(MD010, no-hard-tabs)
55-55: Hard tabs
Column: 1(MD010, no-hard-tabs)
56-56: Hard tabs
Column: 1(MD010, no-hard-tabs)
60-63: Contributor credit is in place
The "Contributed by" section properly attributes Sudesh Gutta.
35-56: Ignore MD010 on hard tabs
The hard tabs flagged bymarkdownlintare intentional for Go code indentation inside fenced blocks and can be safely ignored.🧰 Tools
🪛 markdownlint-cli2 (0.17.2)
35-35: Hard tabs
Column: 1(MD010, no-hard-tabs)
36-36: Hard tabs
Column: 1(MD010, no-hard-tabs)
40-40: Hard tabs
Column: 1(MD010, no-hard-tabs)
41-41: Hard tabs
Column: 1(MD010, no-hard-tabs)
42-42: Hard tabs
Column: 1(MD010, no-hard-tabs)
43-43: Hard tabs
Column: 1(MD010, no-hard-tabs)
44-44: Hard tabs
Column: 1(MD010, no-hard-tabs)
45-45: Hard tabs
Column: 1(MD010, no-hard-tabs)
46-46: Hard tabs
Column: 1(MD010, no-hard-tabs)
47-47: Hard tabs
Column: 1(MD010, no-hard-tabs)
48-48: Hard tabs
Column: 1(MD010, no-hard-tabs)
49-49: Hard tabs
Column: 1(MD010, no-hard-tabs)
50-50: Hard tabs
Column: 1(MD010, no-hard-tabs)
51-51: Hard tabs
Column: 1(MD010, no-hard-tabs)
52-52: Hard tabs
Column: 1(MD010, no-hard-tabs)
53-53: Hard tabs
Column: 1(MD010, no-hard-tabs)
54-54: Hard tabs
Column: 1(MD010, no-hard-tabs)
55-55: Hard tabs
Column: 1(MD010, no-hard-tabs)
56-56: Hard tabs
Column: 1(MD010, no-hard-tabs)
3-3:✅ Verification successful
Verify Playground link payload
Ensure the Base64 fragment in the Playground link decodes to a JSON config with:
"id": "match-package-import""lang": "go"- The intended
regexexample (github.com/golang-jwt/jwt)You can run:
The output should confirm the correct JSON.
🏁 Script executed:
#!/bin/bash # Replace <base64_payload> with the fragment after `#` in the URL echo '<base64_payload>' | base64 --decode | jqLength of output: 145
I wasn’t able to decode the payload with the CLI tools available—let’s pull it directly from the markdown and use Python to decode:
This will output the JSON config for us to confirm:
"id": "match-package-import""lang": "go"- that
"regex"is set to"github.com/golang-jwt/jwt"Please share the decoded JSON here.
🏁 Script executed:
#!/bin/bash # Extract Base64 fragment from the Playground link in the markdown fragment=$(grep -o '#[^"]*' website/catalog/go/match-package-import.md | head -n1 | cut -c2-) # Decode and pretty-print with Python python3 - <<EOF import base64, json data = base64.b64decode("$fragment") print(json.dumps(json.loads(data), indent=2)) EOFLength of output: 425
Let’s extract the exact payload and decode it in one go with Python:
This will confirm whether:
"id": "match-package-import""lang": "go""regex"is"github.com/golang-jwt/jwt"Please share the decoded JSON here.
🏁 Script executed:
#!/bin/bash # Grab the Base64 fragment between '#' and ')' on the Playground link line fragment=$(sed -nE 's/.*playground\.html#([^")]+).*/\1/p' website/catalog/go/match-package-import.md) # Show what we’re decoding echo "Payload: $fragment" >&2 # Decode & pretty-print JSON python3 - <<EOF import base64, json, sys try: decoded = base64.b64decode("$fragment") cfg = json.loads(decoded) print(json.dumps(cfg, indent=2)) except Exception as e: print("Error decoding payload:", e, file=sys.stderr) sys.exit(1) EOFLength of output: 4019
Playground link payload verified
Decoded JSON confirms the config contains:
- id:
match-package-import- lang:
go- regex:
github.com/golang-jwt/jwtNo further action required.
|
thanks |
Description
Adds documentation for a generic Go package import detection rule that can be customized to match any package via regex patterns.
What's Added
match-package-importrule documentation with YAML templateWhy This Change
Go developers need to audit codebases for specific package dependencies. This provides a reusable template that works for direct imports, versioned imports, subpackages, and grouped imports.
Summary by CodeRabbit