Should Script Analyzer deal with binary modules? #447
Comments
|
Looping in @JKeithB here. I agree this seems like a bit of a hole in our moderation strategy. There's a couple approaches that we could take here, with one leveraging FxCop to do static analysis and the other simply analyzing the manifest and Get-Command output of the module after it's imported. I believe @raghushantha will be following with some thoughts on the benefits of each. |
|
Have to agree with y'all, it's a hole in our story. Not as easy to deal with binary modules purely within PSSA, but some of the things you are mentioning appear to be feasible. @raghushantha - we should discuss figure out what options exist that we can use on the Gallery. |
|
When it comes to "moderation" ... at a minimum you should be able to validate the command names and existence of help content 😬 |
|
Anything related to command metadata should be candidates for evaluation on binary modules. Parameter attributes (ensuring that parameters of type PSCredential have a matching Credential type conversion attribute on them, for example), cmdlet attributes, OutputType, verb, noun, SupportsShouldProcess, etc. |
|
Next step here is to enumerate all rules which can be analyzed without source (i.e. via only reflection/Get-Command). |
|
From the community call:
Not today -- it's not quite the same use-case as PSScriptAnalyzer today, since the analysis must be mostly of C# and due to the compilation step there's an added question of what do you run the analysis on; the C# source or the built module asset. There are possible advantages to the latter, but there's more established tooling for the former. We've discussed using Roslyn analysers to improve the module authoring experience, but just in a theoretical "wouldn't it be nice if" way. Certainly since that issue [this issue] (which predates my joining the PS team) I haven't heard much in the way of requests for it, but I'd love to have the discussion about:
|
I want it, because14 years into this PowerShell adventure I'm still policing others, including Microsoft partner teams, about it. I think you're breaking it up wrong though. There is cmdlet linting/analysis, which looks at cmdlet metadata, checks for the obvious things: pluralized nouns, And then there is module analysis, which isn't about binary modules specifically but includes binary modules, and checks the manifest for improper use of wildcards in exports, looks at verb pairings, looks for manual
Post build. Leverage PowerShell's natural ability to inspect and interrogate itself.
Either evolve PSScriptingAnalyzer into just PSAnalyzer, or create a PSModuleAnalyzer. Either would work. The point is for there to be a tool, not for that tool to be a multi-functional tool. |
|
Interestingly the discussion in PowerShell/PowerShell-RFC#263 has evolved in the opposite direction, suggesting:
I think those points make a lot of sense, although I'd also like to be able to check for things beyond the C# like the module layout and the manifest, and in a way that we could apply it to script modules as well. |
|
Another benefit to the roslyn analyzer approach is method body analysis. While it's definitely possible to disassemble the IL after the fact, it becomes a lot more complicated. The use cases I have in mind off the top of my head are:
Both of those should be fairly simple to implement as well. |
|
If the Roslyn analyzers are easy, then implementing those should absolutely be considered. They will bring a lot of value to the community. That said, binary modules are more often created by C# developers than PowerShell scripters. Developers get programming, and (often) know how to read/learn an SDK, but the PowerShell cmdlet design, as well as how to properly set up a module using a manifest, those are things that are very clearly not obvious to them. Without a module analyzer or well written documentation that provides the proper guidance, neither of which have ever been provided, well, you end up with community policing after the fact to try and bring modules in line. If I were to look at where there have been more problems historically, and consider whether those problems lie in improperly configured (binary) cmdlets, in improper module design, or in incorrect implementation details binary cmdlets, while considering the impact to those issues on the community and how they can be corrected, the cmdlet configuration problems as well as improper module design have been more common and their impact has been greater due to common usage scenarios not working as they should, and complexity in correcting those problems due to public interface changes. The internal issues are also important, but I'm 100% sure that the pool of developers who do not know PowerShell very well at all but whose job requires them to create binary modules needs much more help on the design (public interface) of cmdlets and the modules that export those cmdlets more than they need help on the internals. Once something is in place that helps them get the public interfaces correct, then I think going further and helping them with internal code analysis is the right thing to do. |
Easier I should say. The API seems pretty simple, but I haven't made one so I can't vouch for it.
Absolutely. I think a combination of roslyn analyzers and the A default
Yeah I'm with ya, we're trying to solve the same problems. Is there a scenario you're thinking of where a roslyn analyzer wouldn't work but a custom tool would? |
Not that I can think of, no. The details of how this is implemented are far less important to me than the functionality that is made available to guide all module authors in the right direction, with priority given towards where guidance is needed the most. |
|
A roslyn analyser would be great to warn e.g. in the case when a binary cmdlet declares that it implements supportsshouldprocess (because someone probably copy pasted from the web) but never calls the API to check for that, meaning, it definitely does not implement it. With that embarrassing bugs like this one could be avoided: Azure/azure-powershell#13231 (comment) |
Here's a thought that just came to mind while discussing pluralized nouns in more Azure cmdlets with another MVP:
If a module author creates a binary module with cmdlets that have pluralized nouns, I think (haven't specifically tested these scenarios myself) they can package that up in a module in one of two lazy ways:
In both of these scenarios, there is nothing that PSScriptAnalyzer can do to flag issues like pluralized nouns or non-standard verbs, is there? Does PSScriptAnalyzer even check a manifest for pluralized nouns in the exported command names, if they are listed?
I started thinking about this because I was wondering how/why so many pluralized nouns were getting included in released modules from the AzureRM group, and if they use binary cmdlets, this may be one of the reasons why. I'm looking forward to PSScriptAnalyzer evolving into simply PSAnalyzer or perhaps adopting a PSModuleAnalyzer sibling that can check for these types of issues, either by loading modules as part of the inspection or, preferably, by inspecting with reflection or other means the contents of binary modules for issues with command naming and attribute use.
The text was updated successfully, but these errors were encountered: