Skip to content

tests: check: ast-grep: add static analysis rules #545

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
pzmarzly wants to merge 17 commits into
base: main
Choose a base branch
from
Open

tests: check: ast-grep: add static analysis rules #545

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
be54032
tests: check: ast-grep: integrate with build and CI
pzmarzly Apr 21, 2026
9b9adde
tests: check: ast-grep: add assert-pointer-params rule
pzmarzly Apr 21, 2026
ed87540
tests: check: ast-grep: add bf-prefix-public-functions rule
pzmarzly Apr 21, 2026
f83d855
tests: check: ast-grep: add double-pointer-output rule
pzmarzly Apr 21, 2026
aa60e80
tests: check: ast-grep: add doxygen-prefer-backticks rule
pzmarzly Apr 21, 2026
fef0071
tests: check: ast-grep: add doxygen-public-functions rule
pzmarzly Apr 21, 2026
1d12817
tests: check: ast-grep: add enum-bf-prefix rule
pzmarzly Apr 21, 2026
07397a2
tests: check: ast-grep: add enum-sentinel-format rule
pzmarzly Apr 21, 2026
eafcf52
tests: check: ast-grep: add fd-init-minus-one rule
pzmarzly Apr 21, 2026
8fb423d
tests: check: ast-grep: add free-function-pattern rule
pzmarzly Apr 21, 2026
f722aa8
tests: check: ast-grep: add negative-errno-returns rule
pzmarzly Apr 21, 2026
9efbdd3
tests: check: ast-grep: add no-direct-free rule
pzmarzly Apr 21, 2026
1939157
tests: check: ast-grep: add no-fprintf-stderr rule
pzmarzly Apr 21, 2026
bd69105
tests: check: ast-grep: add no-ifndef-guards rule
pzmarzly Apr 21, 2026
96edf73
tests: check: ast-grep: add single-line-comment-style rule
pzmarzly Apr 21, 2026
54a0e2d
tests: check: ast-grep: add spdx-license-header rule
pzmarzly Apr 21, 2026
0b9abfb
tests: check: ast-grep: add struct-bf-prefix rule
pzmarzly Apr 21, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions .github/fedora-42.Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@ RUN dnf --disablerepo=* --enablerepo=fedora,updates --nodocs --setopt=install_we
libcmocka-devel \
libgit2-devel \
libtool \
pipx \
procps-ng \
python3-breathe \
python3-dateutil \
Expand All @@ -36,3 +37,6 @@ RUN dnf --disablerepo=* --enablerepo=fedora,updates --nodocs --setopt=install_we
sed \
xxd && \
dnf clean all -y

Copy link
Copy Markdown

@github-actions github-actions Bot May 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Claude: suggestion: ast-grep-cli is installed without a version pin (pipx install --global ast-grep-cli). A breaking change in ast-grep's rule syntax or --off flag behavior could cause CI failures across all branches simultaneously. Consider pinning to a specific version (e.g. pipx install --global ast-grep-cli==0.38.0) and updating periodically via a dedicated PR. Same applies to all other Dockerfiles (Fedora via pipx, Ubuntu via pip).

Copy link
Copy Markdown
Contributor Author

@pzmarzly pzmarzly May 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On the other hand, it'd be nice to see failures introduced in new version immediately, not "whenever we remember to bump hardcoded versions". I think fetching the latest version should be fine.

RUN pipx install --global ast-grep-cli && \
ast-grep --version
4 changes: 4 additions & 0 deletions .github/fedora-43.Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@ RUN dnf --disablerepo=* --enablerepo=fedora,updates --nodocs --setopt=install_we
libcmocka-devel \
libgit2-devel \
libtool \
pipx \
procps-ng \
python3-breathe \
python3-dateutil \
Expand All @@ -36,3 +37,6 @@ RUN dnf --disablerepo=* --enablerepo=fedora,updates --nodocs --setopt=install_we
sed \
xxd && \
dnf clean all -y

RUN pipx install --global ast-grep-cli && \
ast-grep --version
4 changes: 4 additions & 0 deletions .github/fedora-44.Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@ RUN dnf --disablerepo=* --enablerepo=fedora,updates --nodocs --setopt=install_we
libgit2-devel \
libpfm-devel \
libtool \
pipx \
procps-ng \
python3-breathe \
python3-dateutil \
Expand All @@ -37,3 +38,6 @@ RUN dnf --disablerepo=* --enablerepo=fedora,updates --nodocs --setopt=install_we
sed \
xxd && \
dnf clean all -y

RUN pipx install --global ast-grep-cli && \
Copy link
Copy Markdown
Contributor

@qdeslandes qdeslandes May 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We already use pip for Ubuntu containers, why not using it too here?

ast-grep --version
4 changes: 4 additions & 0 deletions .github/fedora-rawhide.Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@ RUN dnf --disablerepo=* --enablerepo=fedora --nodocs --setopt=install_weak_deps=
libgit2-devel \
libpfm-devel \
libtool \
pipx \
procps-ng \
python3-breathe \
python3-dateutil \
Expand All @@ -39,3 +40,6 @@ RUN dnf --disablerepo=* --enablerepo=fedora --nodocs --setopt=install_weak_deps=
sed \
xxd && \
dnf clean all -y

RUN pipx install --global ast-grep-cli && \
ast-grep --version
3 changes: 2 additions & 1 deletion .github/ubuntu-24.04.Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,4 +39,5 @@ RUN apt-get update && apt-get install --no-install-recommends -y \
xxd && \
rm -rf /var/lib/apt/lists/*

RUN pip install --break-system-packages linuxdoc
RUN pip install --break-system-packages linuxdoc ast-grep-cli && \
ast-grep --version
3 changes: 2 additions & 1 deletion .github/ubuntu-25.04.Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,4 +39,5 @@ RUN apt-get update && apt-get install --no-install-recommends -y \
xxd && \
rm -rf /var/lib/apt/lists/*

RUN pip install --break-system-packages linuxdoc
RUN pip install --break-system-packages linuxdoc ast-grep-cli && \
ast-grep --version
3 changes: 2 additions & 1 deletion .github/ubuntu-25.10.Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,4 +39,5 @@ RUN apt-get update && apt-get install --no-install-recommends -y \
xxd && \
rm -rf /var/lib/apt/lists/*

RUN pip install --break-system-packages linuxdoc
RUN pip install --break-system-packages linuxdoc ast-grep-cli && \
ast-grep --version
25 changes: 25 additions & 0 deletions tests/check/CMakeLists.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,31 @@ set_tests_properties("check.checkstyle" PROPERTIES
LABELS "check"
)

find_program(SG_BIN NAMES ast-grep)

if(SG_BIN)
set(SG_CONFIG ${CMAKE_SOURCE_DIR}/tests/check/ast-grep/sgconfig.yml)

add_test(NAME "check.astgrep.test"
COMMAND ${SG_BIN} test --config ${SG_CONFIG}
)

add_test(NAME "check.astgrep"
COMMAND ${SG_BIN} scan --config ${SG_CONFIG}
${CMAKE_SOURCE_DIR}/src/libbpfilter
${CMAKE_SOURCE_DIR}/src/bfcli
--off=assert-pointer-params
--off=doxygen-prefer-backticks
--off=doxygen-public-functions
--off=no-direct-free
--off=single-line-comment-style
)

set_tests_properties("check.astgrep.test" "check.astgrep" PROPERTIES
LABELS "check"
)
endif()

add_custom_target(fixstyle
COMMAND
${CLANG_FORMAT_BIN}
Expand Down
Empty file added tests/check/ast-grep/rule-tests/.gitkeep
View file
Open in desktop
Empty file.
62 changes: 62 additions & 0 deletions tests/check/ast-grep/rule-tests/__snapshots__/assert-pointer-params-snapshot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,62 @@
id: assert-pointer-params
snapshots:
? |
int bf_chain_add_rule(struct bf_chain *chain, struct bf_rule *rule)
{
return 0;
}
: labels:
- source: |-
int bf_chain_add_rule(struct bf_chain *chain, struct bf_rule *rule)
{
return 0;
}
style: primary
start: 0
end: 85
- source: '*chain'
style: secondary
start: 38
end: 44
- source: struct bf_chain *chain
style: secondary
start: 22
end: 44
- source: (struct bf_chain *chain, struct bf_rule *rule)
style: secondary
start: 21
end: 67
- source: bf_chain_add_rule(struct bf_chain *chain, struct bf_rule *rule)
style: secondary
start: 4
end: 67
? |
void bf_rule_free(struct bf_rule **rule)
{
return;
}
: labels:
- source: |-
void bf_rule_free(struct bf_rule **rule)
{
return;
}
style: primary
start: 0
end: 56
- source: '**rule'
style: secondary
start: 33
end: 39
- source: struct bf_rule **rule
style: secondary
start: 18
end: 39
- source: (struct bf_rule **rule)
style: secondary
start: 17
end: 40
- source: bf_rule_free(struct bf_rule **rule)
style: secondary
start: 5
end: 40
30 changes: 30 additions & 0 deletions tests/check/ast-grep/rule-tests/__snapshots__/bf-prefix-public-functions-snapshot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
id: bf-prefix-public-functions
snapshots:
? |
int my_func(void)
{
return 0;
}
: labels:
- source: |-
int my_func(void)
{
return 0;
}
style: primary
start: 0
end: 35
? |
void process_packet(struct pkt *p)
{
return;
}
: labels:
- source: |-
void process_packet(struct pkt *p)
{
return;
}
style: primary
start: 0
end: 50
24 changes: 24 additions & 0 deletions tests/check/ast-grep/rule-tests/__snapshots__/double-pointer-output-snapshot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
id: double-pointer-output
snapshots:
? |
int bf_chain_new(struct bf_chain *chain)
{
return 0;
}
: labels:
- source: |-
int bf_chain_new(struct bf_chain *chain)
{
return 0;
}
style: primary
start: 0
end: 58
- source: bf_chain_new
style: secondary
start: 4
end: 16
- source: bf_chain_new(struct bf_chain *chain)
style: secondary
start: 4
end: 40
36 changes: 36 additions & 0 deletions tests/check/ast-grep/rule-tests/__snapshots__/doxygen-prefer-backticks-snapshot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
id: doxygen-prefer-backticks
snapshots:
? |
/**
* @brief Free a map object.
*
* @param map @ref bf_map object to free.
*/
void bf_map_free(struct bf_map **map);
: labels:
- source: |-
/**
* @brief Free a map object.
*
* @param map @ref bf_map object to free.
*/
style: primary
start: 0
end: 81
? |
/**
* @brief Manage BPF object references.
*
* @ref bf_handle is used to manage references.
*/
int bf_handle_new(void);
: labels:
- source: |-
/**
* @brief Manage BPF object references.
*
* @ref bf_handle is used to manage references.
*/
style: primary
start: 0
end: 98
17 changes: 17 additions & 0 deletions tests/check/ast-grep/rule-tests/__snapshots__/doxygen-public-functions-snapshot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
id: doxygen-public-functions
snapshots:
? |
// This is not a Doxygen comment
int bf_set_add(struct bf_set *set, int value);
: labels:
- source: int bf_set_add(struct bf_set *set, int value);
style: primary
start: 33
end: 79
? |
int bf_rule_free(void);
: labels:
- source: int bf_rule_free(void);
style: primary
start: 0
end: 23
42 changes: 42 additions & 0 deletions tests/check/ast-grep/rule-tests/__snapshots__/enum-bf-prefix-snapshot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
id: enum-bf-prefix
snapshots:
? |
enum filter_type
{
FILTER_ACCEPT,
_FILTER_MAX,
};
: labels:
- source: |-
enum filter_type
{
FILTER_ACCEPT,
_FILTER_MAX,
}
style: primary
start: 0
end: 56
- source: filter_type
style: secondary
start: 5
end: 16
? |
enum hook
{
HOOK_XDP,
_HOOK_MAX,
};
: labels:
- source: |-
enum hook
{
HOOK_XDP,
_HOOK_MAX,
}
style: primary
start: 0
end: 42
- source: hook
style: secondary
start: 5
end: 9
58 changes: 58 additions & 0 deletions tests/check/ast-grep/rule-tests/__snapshots__/enum-sentinel-format-snapshot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
id: enum-sentinel-format
snapshots:
? |
enum bf_chain_type
{
BF_CHAIN_TYPE_FILTER,
BF_CHAIN_TYPE_NAT,
};
: labels:
- source: |-
enum bf_chain_type
{
BF_CHAIN_TYPE_FILTER,
BF_CHAIN_TYPE_NAT,
}
style: primary
start: 0
end: 71
- source: bf_chain_type
style: secondary
start: 5
end: 18
- source: |-
{
BF_CHAIN_TYPE_FILTER,
BF_CHAIN_TYPE_NAT,
}
style: secondary
start: 19
end: 71
? |
enum bf_hook
{
BF_HOOK_XDP,
BF_HOOK_TC_INGRESS,
};
: labels:
- source: |-
enum bf_hook
{
BF_HOOK_XDP,
BF_HOOK_TC_INGRESS,
}
style: primary
start: 0
end: 57
- source: bf_hook
style: secondary
start: 5
end: 12
- source: |-
{
BF_HOOK_XDP,
BF_HOOK_TC_INGRESS,
}
style: secondary
start: 13
end: 57
Loading
Loading