20070921

Groovy Monkey and Syntax Checking


Groovy Monkey is an Eclipse plugin that lets you script Eclipse quickly, without building a full plugin. I'm not that interested in writing a whole bunch of Eclipse plugins, but I can see how it is useful, and so far I've found it very handy for quick syntax checks on code. The better static analysis tools out there do data-flow analysis to reduce false positives (er, non-exploitables), but I like to be a lot stricter. Some constructs almost always end up being dangerous, yet a data-flow-based analysis won't report them unless it can trace tainted input into them. If you're trying to convince people to always use <c:out />, which escapes what it prints, then <%= shouldn't be used at all, because it writes the expression straight into the response unescaped. Just tweaking the example script gives me the ability to add that little check.

Next I'll add checks for potentially bad data access mechanisms (createStatement, executeQuery(String), and the like: the JDBC calls that take SQL as a string and so invite concatenation), just to flag them for the developer to keep an eye on. The beauty of this is that the results end up in My Tasks instead of in some separate perspective.

And yes, for anything but the <%= check I could just write a semantic rule, but this way the result lands in my task list, and it is generally far quicker.
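The checks described above, written out as an added example rather than the post's own Groovy Monkey script: a standalone Python scanner that flags <%= in JSP files and createStatement / execute*(String) in Java or JSP scriptlets, reporting (path, line, message) tuples where the Eclipse script would create task markers. The file-extension mapping, the message texts, and the sample JSP and Java it scans are assumptions constructed for this example.

```python
"""Standalone version of the two "strict" checks described in the post.

Added example, not the post's Groovy Monkey script: the same checks as a
plain Python scanner that runs over a source tree (or the constructed
samples below) without Eclipse. Each hit is a (path, line, message) tuple;
in Groovy Monkey these would become task markers on the file.
"""
import os
import re
import sys
from typing import List, Tuple

Finding = Tuple[str, int, str]

# JSP expression scriptlet: writes straight to the response with no
# escaping, unlike <c:out/>, which HTML-escapes by default.
JSP_EXPRESSION = re.compile(r"<%=")
# JSP comments are never rendered, so their contents are blanked first.
JSP_COMMENT = re.compile(r"<%--.*?--%>", re.DOTALL)

# JDBC: createStatement() and the execute*(String) overloads take SQL text,
# which in practice means string concatenation. PreparedStatement's
# execute*() overloads take no argument, so requiring something between the
# parentheses separates the two. Deliberately no data flow: a constant
# query is flagged as well, which is the strictness argued for in the post.
CREATE_STATEMENT = re.compile(r"\bcreateStatement\s*\(")
EXECUTE_WITH_SQL = re.compile(r"\bexecute(?:Query|Update|LargeUpdate)?\s*\(\s*[^)\s]")

# Java string literals are kept and block/line comments blanked, so a
# commented-out executeQuery() is not reported. Char literals such as '"'
# are not handled by this deliberately simple tokenizer.
JAVA_STRING_OR_COMMENT = re.compile(r'"(?:\\.|[^"\\\n])*"|/\*.*?\*/|//[^\n]*', re.DOTALL)


def _blank(match) -> str:
    """Replace a match with spaces, keeping newlines so line numbers hold."""
    return re.sub(r"[^\n]", " ", match.group(0))


def strip_java_comments(text: str) -> str:
    return JAVA_STRING_OR_COMMENT.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else _blank(m), text)


def _line_of(text: str, offset: int) -> int:
    return text.count("\n", 0, offset) + 1


def _jdbc_findings(path: str, cleaned: str) -> List[Finding]:
    hits = [(path, _line_of(cleaned, m.start()),
             "createStatement(): prefer prepareStatement() with bound parameters")
            for m in CREATE_STATEMENT.finditer(cleaned)]
    hits += [(path, _line_of(cleaned, m.start()),
              "execute*(String) runs SQL text; bind parameters with a PreparedStatement")
             for m in EXECUTE_WITH_SQL.finditer(cleaned)]
    return hits


def scan(path: str, text: str) -> List[Finding]:
    """Findings for one file, ordered by line. The extension mapping is an assumption."""
    if path.endswith((".jsp", ".jspf", ".tag")):
        cleaned = JSP_COMMENT.sub(_blank, text)
        hits = [(path, _line_of(cleaned, m.start()),
                 "<%= writes unescaped output; use <c:out value=\"...\"/> instead")
                for m in JSP_EXPRESSION.finditer(cleaned)]
        # Scriptlets can hold JDBC calls too, so the same JDBC checks run here.
        return sorted(hits + _jdbc_findings(path, cleaned), key=lambda f: f[1])
    if path.endswith(".java"):
        return sorted(_jdbc_findings(path, strip_java_comments(text)), key=lambda f: f[1])
    return []


def scan_tree(root: str) -> List[Finding]:
    """Walk a directory and scan every file scan() knows about."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                findings += scan(full, fh.read())
    return findings


# Constructed samples: an unescaped output beside its <c:out/> replacement,
# and a Statement-based query beside its PreparedStatement replacement.
SAMPLE_JSP = """\
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<%-- legacy: <%= request.getParameter("name") %> --%>
<p>Hello, <%= request.getParameter("name") %></p>
<p>Hello, <c:out value="${param.name}"/></p>
"""

SAMPLE_JAVA = """\
package example;
import java.sql.*;
class UserDao {
    // ResultSet old = stmt.executeQuery("SELECT 1"); commented out, not flagged
    ResultSet find(Connection c, String user) throws SQLException {
        Statement stmt = c.createStatement();
        ResultSet rs = stmt.executeQuery(
            "SELECT * FROM users WHERE name = '" + user + "'");
        PreparedStatement ps = c.prepareStatement("SELECT * FROM users WHERE name = ?");
        ps.setString(1, user);
        return ps.executeQuery();
    }
}
"""

if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else (
        scan("index.jsp", SAMPLE_JSP) + scan("UserDao.java", SAMPLE_JAVA))
    for path, line, message in results:
        print(f"{path}:{line}: {message}")
```

Run it with a directory argument to scan a tree; with no argument it scans the embedded samples and reports line 3 of the JSP and lines 6 and 7 of the Java. The prepared statement's executeQuery() is not flagged because its parentheses are empty, and the commented-out call is blanked before matching, but a constant query passed to executeQuery(String) would still be reported: that is the strictness argued for above, not a false positive the tool tries to suppress.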

2 comments:

  1. Can you make it a little more clear why you would want to do this instead of using PMD with an XPath expression? For example, you could give an example. Ciao!

  2. @dre - certainly PMD has been around a lot longer, and is certainly well suited to doing static analysis. The post was more about the fact that GroovyMonkey was there and was handy for quick-check sorts of things.

    In the very example I gave, it wouldn't be parsed by PMD (http://pmd.sourceforge.net/jspsupport.html), because <%= tags, the very things you want to get rid of, won't be processed. Yes, you can write a regex to check for those.

    My apologies for presenting another half-baked idea.
