Noqa comments above tasks should be skipped or treated differently
Consider this playbook (I intentionally put all the noqa
comments above the tasks instead of within them):
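---
- name: Sample playbook
  hosts: localhost
  tasks:
    - name: Create a new Sensu Go user
      sensu.sensu_go.user:
        password: "{{ lookup('env', 'SENSU_USER_PASSWORD') }}"
      when: true

    # noqa: W003, E903
    - name: Get the payload from the API
      uri:
        url: "/some-url"
        method: GET
        user: "username1"

    # noqa: E601[fqcn=community.crypto.x509_certificate]
    - name: Ensure that the server certificate belongs to the specified private key
      community.crypto.x509_certificate:
        path: "{{ config_path }}/certificates/server.crt"
        privatekey_path: "{{ config_path }}/certificates/server.key"
        provider: assertonly

# Reviewer note: nesting and blank lines were restored from the line, column
# and mark-index values in the scan payload (tasks at lines 5, 11 and 18,
# column 7); those offsets refer to the file without this trailing note.
# Each noqa comment sits directly above the task it was written for, yet the
# payload records it on the task before it.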
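In this case, our current noqa parsing mechanism attaches each noqa comment to the task before it rather than to the task below it, for which it was written (this is because ruamel attaches those comments to the last element of the previous task). This means that none of the intended suppressions take effect. The scan payload shows the misattribution: W003 and E903 are recorded on the first task, the E601 entry is recorded on the `uri` task, and the `community.crypto.x509_certificate` task has an empty `spotter_noqa` list. If one of those codes happened to apply to the earlier task, the misplaced comment could also silence a finding there that the author never meant to suppress.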
Click to expand for scan payload
{
"environment": {
"python_version": "3.10.6",
"ansible_version": {
"ansible_core": "2.15.0",
"ansible_base": null,
"ansible": "[core 2.15.0]"
},
"installed_collections": [
{
"fqcn": "amazon.aws",
"version": "6.1.0"
},
{
"fqcn": "community.docker",
"version": "3.4.0"
}
],
"ansible_config": {
"ANSIBLE_FORCE_COLOR(env: ANSIBLE_FORCE_COLOR)": "False",
"CONFIG_FILE()": "None"
},
"galaxy_yml": {},
"collection_requirements": {},
"cli_scan_args": {
"parse_values": false,
"include_values": false,
"include_metadata": true,
"rewrite": false,
"display_level": "hint",
"profile": "default",
"skip_checks": [],
"enforce_checks": []
}
},
"tasks": [
{
"task_id": "4a407819-b6c6-41d3-8859-ac38fe77a4de",
"task_args": {
"name": null,
"sensu.sensu_go.user": {
"password": null
},
"when": null
},
"spotter_metadata": {
"file": "/home/user/spotter-cli/playbook.yml",
"line": 5,
"column": 7,
"start_mark_index": 62,
"end_mark_index": 230
},
"spotter_obfuscated": [],
"spotter_noqa": [
{
"event": "W003",
"subevent_code": null,
"fqcn": null
},
{
"event": "E903",
"subevent_code": null,
"fqcn": null
}
]
},
{
"task_id": "85792a81-f2cf-4667-a0ca-065dce75766b",
"task_args": {
"name": null,
"uri": {
"url": null,
"method": null,
"user": null
}
},
"spotter_metadata": {
"file": "/home/user/spotter-cli/playbook.yml",
"line": 11,
"column": 7,
"start_mark_index": 232,
"end_mark_index": 411
},
"spotter_obfuscated": [],
"spotter_noqa": [
{
"event": "E601",
"subevent_code": null,
"fqcn": "community.crypto.x509_certificate"
}
]
},
{
"task_id": "fc371294-7f17-49f7-ae4f-dfde39cc98ce",
"task_args": {
"name": null,
"community.crypto.x509_certificate": {
"path": null,
"privatekey_path": null,
"provider": null
}
},
"spotter_metadata": {
"file": "/home/user/spotter-cli/playbook.yml",
"line": 18,
"column": 7,
"start_mark_index": 413,
"end_mark_index": 688
},
"spotter_obfuscated": [],
"spotter_noqa": []
}
],
"playbooks": [
{
"playbook_id": "16d1b0a8-606d-4d98-95a1-b93ef0858d54",
"plays": [
{
"play_id": "98245ae4-151b-4492-9c00-8effa03bd1f0",
"play_args": {
"name": null,
"hosts": null
},
"spotter_metadata": {
"file": "/home/user/spotter-cli/playbook.yml",
"line": 2,
"column": 3,
"start_mark_index": 6,
"end_mark_index": 688
},
"spotter_obfuscated": []
}
]
}
]
}
Ideally, we would support both syntaxes, but since that brings a lot of trouble, we might just ignore noqa comments placed above tasks and warn the user about the correct usage, so that a misplaced comment is never silently attached to the wrong task.