nccgroup/sobelow

sobelow should not accept `# sobelow_skip` that are not needed

Open

#159 opened on Apr 3, 2024

View on GitHub
 (4 comments) (0 reactions) (0 assignees)Elixir (1,780 stars) (119 forks)batch import
backlogfeaturegood first issue

Description

I notice in our code an instance of

  # sobelow_skip ["XSS.Raw"]
  def a_function(arg) do
    that_does_not_call_raw()
  end

I believe sobelow should raise an error on these. They do not reflect the code / current intention. Although unlikely, they could allow someone to add raw without it being super apparent in the diff of the resulting PR.

Thanks for sobelow

Contributor guide

Tech stack
elixir
Domain
securitytooling
Issue type
feature
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
half day
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
fresh
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
Elixir knowledgesobelow tool usagestatic analysis basics
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
60
Research direction
Investigate how `sobelow skip` is currently processed, likely in the main analysis module (e.g., `lib/sobelow/analyzer.ex`). Look for existing tests related to skip functionality and consider adding validation in the parsing stage. Ensure the error message clearly indicates the unnecessary skip comment.