Include enforcement date in warnings for future effective_on violations#3412
Include enforcement date in warnings for future effective_on violations#3412Acepresso wants to merge 1 commit into
Conversation
|
Important Review skippedDraft detected. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Enterprise Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
🤖 Review · |
…olations When the CLI demotes a deny result to a warning due to a future effective_on date, the warning message is now enhanced to indicate when enforcement begins. Before: "The required 'cpe' label is missing" After: "The required 'cpe' label is missing. This will become a failure starting on 2025-01-01T00:00:00Z" This applies to both sources of effective_on: rule annotations and rule_data items. The effective_on date is included as-is (RFC3339 format). Ref: https://redhat.atlassian.net/browse/EC-1901 Assisted-by: Claude Opus 4.6
|
🤖 Finished Review · ✅ Success · Started 3:26 PM UTC · Completed 3:31 PM UTC |
Review — ApprovePR: #3412 — Include enforcement date in warnings for future effective_on violations SummaryWhen the CLI demotes a deny/failure result to a warning because its The change introduces a helper function FindingsAll findings are low severity — none are blocking. 1.
|
| effectiveOnStr, ok := result.Metadata[metadataEffectiveOn].(string) | ||
| if !ok || effectiveOnStr == "" { | ||
| return originalMessage | ||
| } |
There was a problem hiding this comment.
[low] correctness
strings.TrimRight(originalMessage, ".") removes all trailing characters in the cutset, not just a single trailing period. If a message ends with "..." (ellipsis), all three dots are stripped. strings.TrimSuffix would be more precise.
Suggested fix: Replace strings.TrimRight(originalMessage, ".") with strings.TrimSuffix(originalMessage, ".") to remove exactly one trailing period.
| case "failure": | ||
| if getSeverity(result) == severityWarning || !isResultEffective(result, effectiveTime) { | ||
| warnings = append(warnings, result) | ||
| // If being demoted due to future effective_on, enhance the message |
There was a problem hiding this comment.
[low] maintainability
The same 7-line enhancement block is duplicated in both LegacyPostEvaluationFilter.CategorizeResults and UnifiedPostEvaluationFilter.CategorizeResults. Changes to message format or guards require updating both sites.
Suggested fix: Extract a small helper function (e.g., appendWithEnhancement) to eliminate the duplication.
| case "failure": | ||
| if getSeverity(result) == severityWarning || !isResultEffective(result, effectiveTime) { | ||
| warnings = append(warnings, result) | ||
| // If being demoted due to future effective_on, enhance the message |
There was a problem hiding this comment.
[low] correctness
When a deny result has both severity:warning AND a future effective_on, the message claims it will become a failure, but the severity annotation keeps it as a warning even after the date passes. This is misleading for contradictory rule configurations.
Suggested fix: Consider guarding the enhancement to only fire when the demotion reason is exclusively the future effective_on (i.e., getSeverity != severityWarning), or add a code comment noting this edge case.
When the CLI demotes a deny result to a warning due to a future effective_on date, the warning message is now enhanced to indicate when enforcement begins.
Before: "The required 'cpe' label is missing"
After: "The required 'cpe' label is missing. This will become a failure starting on 2025-01-01T00:00:00Z"
This applies to both sources of effective_on: rule annotations and rule_data items. The effective_on date is included as-is (RFC3339 format), matching the pattern used by trusted_task's future_deny_rule warnings.
No duplicate warnings for trusted_task rules. The enhancement only applies to failures being demoted, not to existing warning rules like
future_deny_rule.Test plan
formatFutureEnforcementMessagecovering: valid effective_on, missing metadata, non-string value, empty string, nil metadataTestConftestEvaluatorEvaluateSeverityupdated and passingec validateagainst a policy with a futureeffective_ondate and verify the warning message includes the enforcement dateRef: https://redhat.atlassian.net/browse/EC-1901
Assisted-by: Claude Opus 4.6