FP S1848: Incorrect detection for CDK constructs

Rules and Languages Report False-positive / False-negative...
, ,
1

Make sure to read this post before raising a thread here:

Then tell us:

  • What language is this for?

    • Typescript with cdk8s framework.

  • Which rule?

  • Why do you believe it’s a false-positive/false-negative?

    • The cdk constructs require to declare constructors for the resources being created in the code without being any assignment.

  • Are you using

    • SonarCloud

  • How can we reproduce the problem? Give us a self-contained snippet of code (formatted text, no screenshots)

  • Setup a cdk8s project and try to create any resource. Example:

import { KubeIngress } from "../../imports/k8s";
import { Chart, ChartProps } from "cdk8s";
import { HttpIngressPathType } from "cdk8s-plus-29";
import { Construct } from "constructs";
export type LocalKongIngressProps = ChartProps & {};
export class LocalKongIngressChart extends Chart {
  constructor(scope: Construct, id: string, props: LocalKongIngressProps) {
    const { namespace } = props;
    super(scope, id, props);
    /**
     * Create ingress
     */
    new KubeIngress(this, "kong-ingress", {
Either remove this useless object instantiation of "KubeIngress" or use it.

      metadata: {
        namespace,
        name: "kong-ingress",
      },
      spec: {
        ingressClassName: "loc00-nginx",
        rules: [
          {
            host: "school.bettermarks.loc",
            http: {
              paths: [
                {
                  path: "/",
                  pathType: HttpIngressPathType.PREFIX,
                  backend: {
                    service: {
                      name: "kong-authx",
                      port: {
                        number: 8000,
                      },
                    },
                  },
                },
              ],
            },
          },
        ],
      },
    });
  }
}

Screenshot 2024-11-05 at 14.34.49
Screenshot 2024-11-05 at 14.34.491638×1388 270 KB

4

Hello Saurabh,

Thank you for the feedback. As you have noticed, our rule raises for all constructor calls that are not assigned to a variable. In general, it is a bad pattern to perform an action inside the constructor, but a few high-profile libraries do this, so we have extended the rule to accommodate these exceptions. We could consider doing it for this case as well, and I would need more information about your use case.
What is that folder ../../imports/k8s from which you import the KubeIngress class?
Is it somewhere you re-export a specific library like cdk8s?

Best,
Ilia

5

Hi Ilia,
Thanks for your answer.
I think broadly it is the case for every Infrastructure as Code libraries. Currently we use three of them:

  • CDKTF
    • In this case, things are imported from generated providers as well.
  • CDK8S
    • This is the example I shared, and imports can happen from the generated imports or cdk8-plus libraries.
  • AWS-CDK

Probably, it is even less about exceptions for specific libraries but more about either guiding us to ignore specific constructors and infrastructure as code frameworks,

With Regards
Saurabh

7

Hi, I haven’t heard back on this topic for a while. Today I met Berkay Bektas and made him aware of the issue.
He requested to ping you again to remind about the topic.
Can you please let me know if Sonarqube has plans to handle rules for Infrastructure as Code frameworks outlined above?

With Regards,
Saurabh

8

Hi, I’m also seeing a similar false negative when using the AWS CDK (JS) library. We build up custom constructs that extend classes from AWS CDK, but these are being highlighted by SonarCloud Qube (Cloud), such as:

image
image606×114 6.2 KB

Is there a way to suppress these from being detected, similar to ESLint’s ignore? Such as:
// sonar-disable-next-line

Cheers,
Reece

9

Hi,

Here is the ticket tracking this request: Jira