-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Java: add support for alert location restrictions #17190
Conversation
e087562
to
cf44894
Compare
cf44894
to
3c68245
Compare
3c68245
to
29ca5c3
Compare
Generally looks reasonable, but I do have several stylistic and algorithmic comments. |
29ca5c3
to
3f4f18e
Compare
I will give that a try. The right way to apply alert restrictions on a query depends on what goes into the alert. For a dataflow query, that means whether the alert contains only the sources, the sinks, both the sources and the sinks, or with additional locations in addition to sources or sinks. That context is available only in the I was originally also concerned about alert-restricted predicates and flow configurations from
I am not sure I understand. Can you say more?
Sounds interesting! Where can I find out more? |
This is done. Notes:
For now I am keeping it a separate commit in case we want to further refine the approach. I will fold it into the previous commit before merge. |
I am able to reproduce the |
The
Have you noticed any performance issue if you simply drop the 1000 limit? It might be completely fine without it. If not then there are tricks to apply. The one thing that I alluded to was that we can skip the materialisation of irrelevant line numbers if we replace the If we do somehow run into performance issues dealing with all |
1b0c1d6
to
888db84
Compare
The problem was due to
What I am hearing is that we should not spend too much effort on premature optimization right now. Instead, we can defer improvements until we do observe poor performance, at which point we will have concrete data on exactly what needs to be optimized. That sounds like a good approach. Also, thanks for the edit suggestions! I have incorporated them in the latest push. |
That seems too brittle - and also not very nice to have all those pass-throughs. Perhaps filtering should merely be a flag on the existing configuration instead of a configuration-transforming module. I.e. something like:
|
Thanks for the suggestion! Yes, this approach would be cleaner. I will try to restructure the PR using this new approach in the next few weeks. |
888db84
to
93ba79a
Compare
93ba79a
to
30bbd12
Compare
Hi @aschackmull — the switch for dataflow source+sink filtering is now done via a flag as suggested. Please take another look. Thanks! |
30bbd12
to
2e6f34d
Compare
I had a lot of comments about things to tweak and simplify, so I ended up just pushing a commit. |
a999980
to
2970da0
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM now, provided that this passes the usual performance testing in dca.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should limit ourselves to filtering that affects data flow, as the other query result filtering cannot be expected to improve performance.
Dca looks fine, although there is a slight indication that something might be up with |
2970da0
to
75ec8ce
Compare
I have updated the PR accordingly, with a little bit of commit cleanup in the latest force push. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
This PR modifies Java queries in the Code Scanning suite to support restricting alerts based on source location, with the restrictions configured through extensible predicates.