Slang kotlin more insights


(Josef Procházka) #1

Hello SonarQube ,

Because we need support for the Kotlin language, I came across the slang and kotlin-plugin projects. It looks very interesting, but I am missing more documentation and some future plans for slang and Kotlin.
If I am not wrong, this plugin uses its own slang parser (which is not language dependent) + imports reports from detekt.
I wonder if the slang AST tree is suitable to detect language dependent issues such as SQL injection, or if it is meant mostly for “language independent issues”.

Thank you

Josef Prochazka

(Jonathan Cornaz) #2

Same for me. I’m keen to write rules for Kotlin, but the lack of documentation makes it very hard.

(Alban Auzeill) #3

Hi Josef & Jonathan,

(glossary: AST, abstract syntax tree)

This is how sonar-kotlin-plugin works to analyse one Kotlin file:
Step 1) Read the input file
Step 2) Parse the file using Jetbrains kotlin-compiler to produce an AST with org.jetbrains.kotlin.psi.* nodes
Step 3) Convert kotlin AST to slang AST with org.sonarsource.slang.api.* nodes
Step 4) Apply the slang rules and metrics on the slang AST

Some clarifications:

  • Rules at “Step 4” focus only on “language independent issues”
  • There’s no entry point after “Step 2” to apply rules on kotlin AST. It would be a nice place to write “language dependent rules”, but it’s not yet possible.
  • I agree about the lack of documentation, we are at the very beginning of the “slang” adventure and we will for sure improve it.



(Jonathan Cornaz) #4

Thanks for your reply @alban.auzeill.

Is there documentation about how to create slang rules already?

There’s a bunch of rules that I’m sure I could write for Kotlin even on a “language independent” level.

(Alban Auzeill) #5

Jonathan, currently there’s no documentation about how to create slang rules.
Meanwhile, it would be great if you can contribute by starting to describe your rules here: suggestions/rules.

(Jonathan Cornaz) #6

Ok, thanks @alban.auzeill

I did propose 3 rules which are very important for our team and I also reported one false-positive about Kotlin.

I’m eager to read more documentation about how to create slang rules :wink:

(Josef Procházka) #7

Just a little update. I have found Slang very handy. We needed to update the jproperties plugin to be compatible with the latest version of SonarQube.
We are already using a custom fork of the jproperties plugin, so I got the idea to use the Slang framework to accomplish that instead of simply updating the plugin. I used the SSLR grammar part from the original plugin and the slang API to produce the tree and checks.
I think it was rather easy, and the Slang framework provides a lot of features that were handled “manually” in the original plugin.
If somebody is interested, the Slang properties plugin is placed here
Please keep in mind that it is at an early stage and no rules, except one dummy rule, are implemented at the moment.

(Alban Auzeill) #8

Hi Josef, be aware that currently Slang is designed to address programming languages and not structured data (like json files). So, you will probably benefit from none of the existing generic rules.

It seems to be a challenging approach. If you succeed or fail, in any case, I would be interested to look at the successful result or to learn why you have failed. This could influence how Slang will evolve.

May the force be with you.

(Josef Procházka) #9

Hello Alban,

thank you for your encouraging post :slight_smile: .

The plugin is almost ready and most of the rules are re-implemented or replaced with generic slang rules. I need to solve properties encoding handling, add more tests, clean up the code, licenses, etc.

I know that Slang is not developed for structured text (but after all, all text files can be considered as trees, and for these Slang is a good match); surprisingly, I could use generic rules for almost half of the properties rules.

I have made only a tiny change in the original Slang sensor, as I need to run checks across the whole project (similar to CpdVisitor).

We would need to rewrite the properties plugin anyway, because we are using it to check security related settings. We can have perfectly tested and analysed all working source code, but then we forget hardcoded credentials in a config file or switch off some security framework feature.

With Regards

Josef Prochazka
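The two checks Josef mentions at the end of the thread (hardcoded credentials in a config file, and a security feature switched off in it) are easy to picture as tree-based checks: parse the .properties file into a list of key/value entries first, then run rules over that structure rather than over raw lines. The following is an added illustration written for this page, in Python rather than as a Slang or SonarQube plugin; it is not code from the Slang project or from the properties plugin discussed above. The parser follows java.util.Properties conventions for separators, comments and backslash line continuation, while the credential key patterns, the placeholder prefixes, the security-toggle pattern and the sample file are all assumptions chosen for the example.

```python
"""Parse a .properties file into entries, then run two checks over them.
Added example for this thread; not Slang or plugin code.  Key patterns,
placeholder list and the sample file are assumptions."""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass
class Entry:
    key: str
    value: str
    line: int          # line where the (possibly continued) entry starts


@dataclass
class Issue:
    line: int
    rule: str
    message: str


# Assumed patterns: keys that usually hold secrets, and keys that toggle a security feature.
CREDENTIAL_KEY = re.compile(r"(password|passwd|pwd|secret|api[_.-]?key|token)$", re.IGNORECASE)
SECURITY_TOGGLE = re.compile(r"(ssl|tls|csrf|https|verify|auth)([._-]?(enabled|enable|required))?$",
                             re.IGNORECASE)
# Values that are placeholders, not real secrets (assumed list).
PLACEHOLDER_PREFIXES = ("${", "changeme", "todo", "<")
DISABLED_VALUES = {"false", "no", "off", "0"}


def split_key_value(logical: str) -> tuple[str, str]:
    """Key ends at the first unescaped '=', ':' or whitespace; one separator may follow."""
    i, key = 0, []
    while i < len(logical):
        c = logical[i]
        if c == "\\" and i + 1 < len(logical):   # escaped char inside the key
            key.append(logical[i + 1])
            i += 2
            continue
        if c in "=: \t":
            break
        key.append(c)
        i += 1
    rest = logical[i:].lstrip(" \t")
    if rest[:1] in ("=", ":"):
        rest = rest[1:].lstrip(" \t")
    return "".join(key), rest


def parse_properties(text: str) -> list[Entry]:
    """Build the entry list; comments ('#', '!') and blank lines are skipped."""
    entries: list[Entry] = []
    logical, start = "", 0
    for lineno, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.lstrip()
        if not logical:
            if not stripped or stripped[0] in "#!":
                continue
            start = lineno
        # An odd number of trailing backslashes continues the logical line.
        trailing = len(stripped) - len(stripped.rstrip("\\"))
        if trailing % 2 == 1:
            logical += stripped[:-1]
            continue
        logical += stripped
        key, value = split_key_value(logical)
        entries.append(Entry(key, value, start))
        logical = ""
    return entries


def check_entries(entries: list[Entry]) -> list[Issue]:
    """Rule 1: hardcoded credential.  Rule 2: security feature disabled."""
    issues: list[Issue] = []
    for e in entries:
        low = e.value.strip().lower()
        if CREDENTIAL_KEY.search(e.key) and low and not low.startswith(PLACEHOLDER_PREFIXES):
            issues.append(Issue(e.line, "hardcoded-credential",
                                f"'{e.key}' holds a literal value; use a placeholder or a vault"))
        if SECURITY_TOGGLE.search(e.key) and low in DISABLED_VALUES:
            issues.append(Issue(e.line, "security-feature-disabled",
                                f"'{e.key}' is set to '{e.value}'"))
    return issues


# Constructed sample file (not a real configuration); line 8 continues onto line 9.
SAMPLE = """\
# constructed sample, not a real configuration
db.url = jdbc:postgresql://localhost/app
db.user : app
db.password=hunter2-example
api.key = ${API_KEY}
server.ssl.enabled=false
security.csrf-enabled = true
long.secret = abc\\
   def
"""

if __name__ == "__main__":
    for issue in check_entries(parse_properties(SAMPLE)):
        print(f"line {issue.line}: [{issue.rule}] {issue.message}")
```

Running it on the constructed sample reports `db.password` and the continued `long.secret` as hardcoded credentials and `server.ssl.enabled=false` as a disabled security feature, while `api.key = ${API_KEY}` is left alone because the value is a placeholder. Separating the parse step from the checks is what makes the checks reusable: each rule sees keys, values and the starting line of an entry, not raw text, which is the same division of labour the thread describes for Slang (parse to a tree, then apply rules to the tree).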