Red Hat SummitChapter 5. Logical conditions, condition chaining, and custom variables
You can create complex conditions in rules by using the following:
- Logical conditions inform the provider how to handle more than one condition in a when block. You can aggregate or filter conditions using logical operations.
- Condition chaining uses the output of one condition as the input in another condition of the when block. Assign the output to a variable in one condition and reuse it in other conditions in the when block.
- Nested conditions to create conditions that depend on the evaluation of other conditions.
- Custom variables to capture specific information from the code that is evaluated by a rule. You can use the custom variable in the message displayed for the code if it contains a violation defined by the rule.
5.1. Logical conditions
The analyzer provides two basic logical conditions, and and or, which you can use to aggregate results of other conditions.
5.2. AND condition
The and condition performs a logical AND operation on the results of an array of conditions.
The and condition matches when all of its child conditions match, for example:
when:
and:
- <condition1>
- <condition2>Example
when:
and:
- java.dependency:
name: junit.junit
upperbound: 4.12.2
lowerbound: 4.4.0
- java.referenced:
location: IMPORT
pattern: junit.junit5.3. OR condition
The or condition performs a logical OR operation on the results of an array of conditions.
The or condition matches when any of its child conditions match, for example:
when:
or:
- <condition1>
- <condition2>Example
when:
or:
- java.dependency:
name: junit.junit
upperbound: 4.12.2
lowerbound: 4.4.0
- java.referenced:
location: IMPORT
pattern: junit.junit5.4. Chaining Condition Variables
You can use the output of one condition as the input for filtering another one in the and and or conditions. This is called condition chaining.
when:
or:
- builtin.xml:
xpath: "//dependencies/dependency"
filepaths: "{{poms.filepaths}}"
from: poms
- builtin.file:
pattern: pom.xml
as: poms
ignore: true
In the above example, the output of the builtin.file condition is saved as poms:
[...]
as: poms
[...]
The variables of builtin.file can then be used in the builtin.xml condition, by writing from and then using mustache templates in the provider_ condition block.
This is how this particular condition knows how to use the variable set to the name poms.
[...]
from: poms
[...]Then you can use the variables by setting them as mustached templates in any of the inputs to the provider condition.
[...]
filepaths: "{{poms.filepaths}}"
[...]
If you only want to use the values of a condition as a chain, you can set ignore: true.
This will tell the engine not to use this condition to determine whether the rule has been violated or not:
[...]
ignore: true
[...]5.5. Chaining in the Java provider
In the java provider, the filepaths variable must be uppercased, for example:
when:
and:
- java.referenced:
pattern: org.springframework.web.bind.annotation.RequestMapping
location: ANNOTATION
as: annotation
- java.referenced:
pattern: org.springframework.stereotype.Controller
location: ANNOTATION
filepaths: "{{annotation.Filepaths}}"5.6. Nested conditions
Conditions can also be nested within other conditions.
when:
and:
- and:
- go.referenced: "*CustomResourceDefinition*"
- java.referenced:
pattern: "*CustomResourceDefinition*"
- go.referenced: "*CustomResourceDefinition*"5.7. Custom variables
Provider conditions can have associated custom variables. You can use custom variables to capture relevant information from the matched line in the source code. The values of these variables are interpolated with data matched in the source code. These values can be used to generate detailed template messages in a rule’s action (see Message actions). They can be added to a rule in the customVariables field:
- ruleID: lang-ref-004
customVariables:
- pattern: '([A-z]+)\.get\(\)'
name: VariableName
message: "Found generic call - {{ VariableName }}"
when:
java.referenced:
location: METHOD_CALL
pattern: com.example.apps.GenericClass.getwhere:
pattern- A regular expression pattern that is matched on the source code line when a match is found.
name- The name of the variable that can be used in templates.
message- A template for a message by using a custom variable.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}