Here is my yaml file named test.yaml as below:

name: create an app with full permission

file:
  path: /app
  owner: foo
  group: foo
  mode: "777"

And I ran the command to generate the report this way glitch --tech ansible --csv test.yaml

The output below seems not correct:

+-------------------------------------+-------------+----------------------------+---------------------------+
| Smell                               | Occurrences | Smell density (Smell/KLoC) | Proportion of scripts (%) |
+-------------------------------------+-------------+----------------------------+---------------------------+
| Admin by default                    |           0 |                        0.0 |                       0.0 |
| Avoid comments                      |           0 |                        0.0 |                       0.0 |
| Duplicate block                     |           0 |                        0.0 |                       0.0 |
| Empty password                      |           0 |                        0.0 |                       0.0 |
| Full permission to the filesystem   |           0 |                        0.0 |                       0.0 |
| Hard-coded password                 |           0 |                        0.0 |                       0.0 |
| Hard-coded secret                   |           0 |                        0.0 |                       0.0 |
| Hard-coded user                     |           0 |                        0.0 |                       0.0 |
| Imperative abstraction              |           0 |                        0.0 |                       0.0 |
| Improper alignment                  |           0 |                        0.0 |                       0.0 |
| Invalid IP address binding          |           0 |                        0.0 |                       0.0 |
| Long Resource                       |           0 |                        0.0 |                       0.0 |
| Long statement                      |           0 |                        0.0 |                       0.0 |
| Misplaced attribute                 |           0 |                        0.0 |                       0.0 |
| Missing default case statement      |           0 |                        0.0 |                       0.0 |
| Multifaceted Abstraction            |           0 |                        0.0 |                       0.0 |
| No integrity check                  |           0 |                        0.0 |                       0.0 |
| Suspicious comment                  |           0 |                        0.0 |                       0.0 |
| Too many variables                  |           0 |                        0.0 |                       0.0 |
| Unguarded variable                  |           0 |                        0.0 |                       0.0 |
| Unnecessary abstraction             |           0 |                        0.0 |                       0.0 |
| Use of HTTP without TLS             |           0 |                        0.0 |                       0.0 |
| Use of obsolete command or function |           0 |                        0.0 |                       0.0 |
| Weak Crypto Algorithm               |           0 |                        0.0 |                       0.0 |
+-------------------------------------+-------------+----------------------------+---------------------------+
| Combined                            |           0 |                        0.0 |                       0.0 |
+-------------------------------------+-------------+----------------------------+---------------------------+
+-----------------+---------------+
| Total IaC files | Lines of Code |
+-----------------+---------------+
|               1 |             7 |
+-----------------+---------------+

You see Full permission to the filesystem it should contain occurrences 1. everything shows zero. Did I miss anything? I really appreciate your help.

This smell can be detected in two different ways for Puppet:

1. More than one resource is defined in the declaration of a file, service or package. We are not currently able to support this because of #7.
2. Calculation of the LCOM. LCOM is related to the intersection of parameters between components. We should be able to support this easily if we implement #6.

Currently doing checksums with md5 will trigger weak crypt smell, eg:

# Docker
RUN md5sum foo.sh

In this case md5sum is being used to verify the integrity of the file and it will trigger the weak crypt smell. md5sum and other checksums commands (shasum, sha1sum, etc..) should be whitelisted.

          This is fine, but it might be a good idea to include versions (perhaps the best is to create a separate issue for that). Otherwise, we might have issues in a near future related to incompatible versions.

Originally posted by @jff in #19 (comment)

Describe the solution you'd like
It would be nice to have an automated test that checks if the number of true/false positives and true/false negatives remains the same for the oracle datasets used in GLITCH's studies.

Describe the solution you'd like
Add docstrings to all public methods and add a check in CI for this.

Describe the solution you'd like
It would be interesting to have support in the intermediate representation for the management of nodes, i.e., for instance the inventory in Ansible and the node construct in Puppet.

Since autodetect was removed, the extension has to be updated.

Describe the solution you'd like
It would be nice to have black in the CI. This would enforce the usage of black.

We ignored the point "Right-to-left chaining arrows should not be used", since we are not able to support this Puppet operation yet.

Describe the bug
The tests are creating a Dockerfile that is not deleted

Expected behavior
The file is deleted.

We should parse the values in the intermediate representation allowing to differ, for instance, types (booleans, strings, numbers...) and expressions (ands, ors ...). This parsing would allow to define other type of smells in a more accurate way. For instance, imagine the smell "Hard-coded secret". We have something like: $test | "hello". Although a variable is present, there is still a chance that the secret is hard-coded.

AttributeError: 'str' object has no attribute '__name__'

Describe the solution you'd like
Right now some CLI options are not very clear. For instance, the --includeall and --dataset are not very clear and should be replaced with simpler options or even removed. The --linterand --csv option could also be replaced with a format option.

1. git clone [email protected]:sr-lab/GLITCH.git
2. cd GLITCH
3. python -m pip install -e .

Successfully built glitch
Installing collected packages: glitch
Attempting uninstall: glitch
Found existing installation: glitch 1.0.1
Uninstalling glitch-1.0.1:
Successfully uninstalled glitch-1.0.1
Successfully installed glitch-1.0.1

Then running the glitch command shows error as of below:
abdul@Abduls-MacBook-Pro GLITCH % glitch --help
Traceback (most recent call last):
File "/Users/abdul/Library/Caches/pypoetry/virtualenvs/glitch-5uPBzSuZ-py3.12/bin/glitch", line 5, in
from glitch.main import main
File "/Users/abdul/projects/uwf/GLITCH/glitch/main.py", line 15, in
from glitch.parsers.chef import ChefParser
File "/Users/abdul/projects/uwf/GLITCH/glitch/parsers/chef.py", line 8, in
from pkg_resources import resource_filename
ModuleNotFoundError: No module named 'pkg_resources'

If anybody please helps?

Describe the bug
setuptools is required since we use the module pkg_resources

Following the discussion here, we should decide if hashes are handled as hierarchical attributes and variables in Chef and Puppet, or should be handled as regular values.

(#17)

(or we should adapt the current ones)
Some technologies have blocks of structures that do not make sense in every technology. For instance, Puppet allows to group resources inside the same declaration

Puppet

• Collect dataset (Rahman)
• Compute and validate dataset statistics
• Collect Oracle (Our own)
• Compute and validate oracle statistics
• Run SLIC: collect results and execution time
  • Oracle
  • Compute precision and accuracy
  • Rahman's dataset (7 smells) 🎯
• Run GLITCH: collect results and execution time
  • Oracle
  • Compute precision and accuracy
  • Rahman's dataset (7 smells) 🎯
  • Rahman's dataset (all of GLITCH's supported smells) 🎯

Ansible

• Collect dataset (our own, following same criteria as Rahman and Rahman Openstack Dataset)
• Compute and validate dataset statistics
• Collect Oracle (Rahman)
• Compute and validate oracle statistics
• Review Oracle and add code line to each smell
• Run SLAC: collect results and execution time
  • Oracle 🎯
  • Compute precision and accuracy 🎯
  • Rahman's dataset (8 smells)
• Run GLITCH: collect results and execution time
  • Oracle 🎯
  • Compute precision and accuracy 🎯
  • Rahman's dataset (8 smells)
  • Rahman's dataset (all of GLITCH's supported smells)

Chef

• Collect dataset (our own, following same criteria as Rahman)
• Compute dataset statistics
• Collect Oracle (Our own)
• Compute and validate oracle statistics
• Run SLAC: collect results and execution time
  • Oracle
  • Compute precision and accuracy
  • Run on dataset (9 smells) 🎯
• Run GLITCH: collect results and execution time
  • Oracle
  • Compute precision and accuracy
  • Run on dataset (9 smells) 🎯
  • Run on dataset (all of GLITCH's supported smells; same as above?) 🎯

Describe the bug
Long statement is being detected when we have 140 characters + '\n'.

To Reproduce
Run GLITCH on script with a line with 140 characters + '\n'.

Expected behavior
It shouldn't detect the smell

Describe the enhancement
Currently, the Docker parser has some problems such as:

• command parsing
• multi-line commands

The translation of a Dockerfile to our intermediate representation is also not very intuitive. It would be better to invest some time in identifying a new mapping between Dockerfiles and the IR.

Describe the solution you'd like
The CLI should have a command that allows to print the intermediate representation for a certain script.

Is your feature request related to a problem? Please describe.
Right now the condition statement and its conditions are represented with the same construct ConditionStatement. However, this doesn't allow the distinction between them and sometimes the conditions are used as being the condition statement itself.
For instance:

$php_prefix = $::osfamily ? {
    'debian' => 'php5-',
    'redhat' => 'php-',
}

Only has a ConditionStatement for the first condition and one for the second condition, but it doesn't have a construct for the actual switch statement.

Describe the solution you'd like
We should create a new construct either for the conditions or the switch/if statements.

Describe the solution you'd like
Right now, the UnitBlock has an attribute for each type of element. However, this does not scale well, does not adhere to good practices of object-oriented programming and it is not intuitive when generic statements are in the mix. For instance, let's imagine a conditional statement has a atomic unit in its blocks. Should the atomic unit also be added to the atomic_units attribute? It doesn't make sense.

Describe alternatives you've considered
The UnitBlock should have a single attribute for statements.

The print should be recursive and follow the same patterns as the other components, otherwise it becomes hard to understand what is going on.

Instead of this:

roles[0]->None attributes: [name:'Install dependencies']

We want something like this:

roles[0]->None:
  attributes:
    name->Install dependencies

It would be interesting if there was a better way to define the type of an Ansible script (vars, tasks or script)

In Ansible, Chef and Puppet, there are files that exist only to define variables. In those files, the smell should not be triggered.

Is your feature request related to a problem? Please describe.
Currently GLITCH does not support attributes defined as in the example below (aka Ansible-specific syntax):

- name: Create web root
  file: path="{{ www_root }}"
        owner="{{ web_user }}"
        group="{{ web_group }}"
        mode=0755
        state=directory
  with_dict: sites

This is mentioned in the work by Opdebeeck et al. (2023).

Describe the solution you'd like
We shoud use the ansible-core package instead of the yaml package..

Describe the bug
The regex for the missing integrity check isn't triggered on values as such:
https://storage.googleapis.com/cri-containerd-release/cri-containerd-{{ containerd_version }}.linux-amd64.tar.gz
This happens because of the space before and after the variable.

To Reproduce
Run GLITCH on this script:
https://github.com/starlingx/ansible-playbooks/blob/7983841637966089106bb80f28d7b701ec6b6323/playbookconfig/src/playbooks/roles/provision-edgeworker/prepare-edgeworker/kubernetes/tasks/install-ubuntu-packages.yml#L31

Expected behavior
Detecting a Missing integrity check smell.

Describe the solution you'd like
Add a mode that outputs a LaTeX (or a PDF) diagram for the intermediate representation.

Describe the solution you'd like
Change the usage of the package click to the package fire for the CLI.

We only consider duplicate blocks inside the same file instead of inside the same cookbook (as Schwarz et al.)

https://github.com/Nfsaavedra/GLITCH/blob/5162cd1168e2ccfb28373a51ef0fff9a9423667f/glitch/analysis/rules.py#L279

Describe the solution you'd like
Configuration files that do not have a certain key should use the value in the default.ini file. This is useful, for instance, to specify a Terraform-specific configuration with only the necessary keys.

Describe the solution you'd like
We should migrate the VSCode extension to the Python tools template (https://github.com/microsoft/vscode-python-tools-extension-template#readme). This would allow GLITCH to be bundled in the extension.

The parsers for the intermediate representation should have unit tests.

Describe the solution you'd like
Unit tests.

Describe the solution you'd like
Refactor the tests to use pytest instead of unittest.