NumericBounds Linter #176
NumericBounds Linter #176
Conversation
k8s-ci-robot
added
the
do-not-merge/work-in-progress
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: krishagarwal278 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
cncf-cla: yes
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
|
/label tide/merge-method-squash |
k8s-ci-robot
added
the
tide/merge-method-squash
docs/linters.md
Outdated
|
|
||
| ## NumericBounds | ||
|
|
||
| The `numericbounds` linter checks that numeric fields (`int32` and `int64`) have appropriate bounds validation markers. |
There was a problem hiding this comment.
What about floats? We discourage them, but people can/do still use them
docs/linters.md
Outdated
| According to Kubernetes API conventions, numeric fields should have bounds checking to prevent values that are too small, negative (when not intended), or too large. | ||
|
|
||
| This linter ensures that: | ||
| - `int32` and `int64` fields have both `+kubebuilder:validation:Minimum` and `+kubebuilder:validation:Maximum` markers |
There was a problem hiding this comment.
We should check for declarative validation markers too if they are in beta at this point
There was a problem hiding this comment.
i didn't add it earlier as i only found +k8s:maximum in the k8s documentation. On exploring further i saw that the markers package does mention it. So i incorporated it 👍🏻
docs/linters.md
Outdated
|
|
||
| This linter ensures that: | ||
| - `int32` and `int64` fields have both `+kubebuilder:validation:Minimum` and `+kubebuilder:validation:Maximum` markers | ||
| - `int64` fields with bounds outside the JavaScript safe integer range are flagged |
There was a problem hiding this comment.
We should also check if an int32 bound is beyond the limits of an int32
docs/linters.md
Outdated
| ### Examples | ||
|
|
||
| **Valid:** Numeric field with proper bounds markers | ||
| ```go | ||
| type Example struct { | ||
| // +kubebuilder:validation:Minimum=0 | ||
| // +kubebuilder:validation:Maximum=100 | ||
| Count int32 | ||
| } | ||
| ``` | ||
|
|
||
| **Valid:** Int64 field with JavaScript-safe bounds | ||
| ```go | ||
| type Example struct { | ||
| // +kubebuilder:validation:Minimum=-9007199254740991 | ||
| // +kubebuilder:validation:Maximum=9007199254740991 | ||
| Timestamp int64 | ||
| } | ||
| ``` | ||
|
|
||
| **Invalid:** Missing bounds markers | ||
| ```go | ||
| type Example struct { | ||
| Count int32 // want: should have minimum and maximum bounds validation markers | ||
| } | ||
| ``` | ||
|
|
||
| **Invalid:** Only one bound specified | ||
| ```go | ||
| type Example struct { | ||
| // +kubebuilder:validation:Minimum=0 | ||
| Count int32 // want: has minimum but is missing maximum bounds validation marker | ||
| } | ||
| ``` | ||
|
|
||
| **Invalid:** Int64 with bounds exceeding JavaScript safe range | ||
| ```go | ||
| type Example struct { | ||
| // +kubebuilder:validation:Minimum=-10000000000000000 | ||
| // +kubebuilder:validation:Maximum=10000000000000000 | ||
| LargeNumber int64 // want: bounds exceed JavaScript safe integer range | ||
| } | ||
| ``` | ||
|
|
There was a problem hiding this comment.
This is probably too much detail for the docs here, we can have this in the package level docs I think
pkg/analysis/numericbounds/doc.go
Outdated
| // +kubebuilder:validation:Maximum=100 | ||
| Count int32 | ||
| } | ||
There was a problem hiding this comment.
Maybe copy the more complex examples you added in the docs to here
There was a problem hiding this comment.
moved it to docs in numericbounds package 👍🏻
| maxSafeInt = 9007199254740991 // 2^53 - 1 | ||
| minSafeInt = -9007199254740991 // -(2^53 - 1) |
There was a problem hiding this comment.
Rename these to Int64 and also add versions for Int32 to check?
| // Report any invalid marker values (e.g., non-numeric values) | ||
| if minErr != nil && !minMissing { | ||
| pass.Reportf(field.Pos(), "field %s has an invalid minimum marker: %v", fieldName, minErr) | ||
| return | ||
| } | ||
| if maxErr != nil && !maxMissing { | ||
| pass.Reportf(field.Pos(), "field %s has an invalid maximum marker: %v", fieldName, maxErr) | ||
| return | ||
| } | ||
|
|
||
| // Report if both markers are missing | ||
| if minMissing && maxMissing { | ||
| pass.Reportf(field.Pos(), "field %s of type %s should have minimum and maximum bounds validation markers", fieldName, ident.Name) | ||
| return | ||
| } | ||
|
|
||
| // Report if only one marker is present | ||
| if minMissing { | ||
| pass.Reportf(field.Pos(), "field %s of type %s has maximum but is missing minimum bounds validation marker", fieldName, ident.Name) | ||
| return | ||
| } | ||
| if maxMissing { | ||
| pass.Reportf(field.Pos(), "field %s of type %s has minimum but is missing maximum bounds validation marker", fieldName, ident.Name) | ||
| return | ||
| } |
There was a problem hiding this comment.
It is ok to report two different messages, one for missing Max, one for missing Min. I don't think we need the complexity of this both missing vs one missing logic you have here
There was a problem hiding this comment.
agreed. This logic is duplicating messages. Now reporting only missing markers 👍🏻
| // Check if it's a slice and unwrap (e.g., []int32) | ||
| if arrayType, ok := expr.(*ast.ArrayType); ok { | ||
| isSlice = true | ||
| expr = arrayType.Elt | ||
|
|
||
| // Handle pointer inside slice (e.g., []*int32) | ||
| if starExpr, ok := expr.(*ast.StarExpr); ok { | ||
| expr = starExpr.X | ||
| } | ||
| } | ||
|
|
||
| return expr, isSlice |
There was a problem hiding this comment.
When we unwrap array element types, we should explain that it is the array element type we are reporting the issue on
| name, | ||
| newAnalyzer(), | ||
| Analyzer, | ||
| true, |
There was a problem hiding this comment.
At the moment, this is only for CRDs (since it's only looking at kubebuilder markers). So cannot be on by default
| // getMarkerNumericValue extracts the numeric value from the first instance of the marker with the given name. | ||
| func getMarkerNumericValue(markerSet markershelper.MarkerSet, markerName string) (float64, error) { | ||
| markerList := markerSet.Get(markerName) | ||
| if len(markerList) == 0 { | ||
| return 0, errMarkerMissingValue | ||
| } | ||
|
|
||
| marker := markerList[0] | ||
| rawValue, ok := marker.Expressions[""] | ||
| if !ok { | ||
| return 0, errMarkerMissingValue | ||
| } | ||
|
|
||
| // Parse as float64 using strconv for better error handling | ||
| value, err := strconv.ParseFloat(rawValue, 64) | ||
| if err != nil { | ||
| return 0, fmt.Errorf("error converting value to number: %w", err) | ||
| } | ||
|
|
||
| return value, nil | ||
| } |
There was a problem hiding this comment.
Check the utils library, I'm sure we have some existing helpers for this
krishagarwal278
force-pushed
the
numericbounds
branch
2 times, most recently
from
16a7234 to
2dd6445
Compare
| // Unwrap pointers and slices to get the underlying type | ||
| fieldType, isSlice := unwrapType(field.Type) | ||
|
|
||
| // Get the underlying numeric type identifier (int32, int64, float32, float64) | ||
| ident := getNumericTypeIdent(pass, fieldType) | ||
| if ident == nil { | ||
| return | ||
| } |
There was a problem hiding this comment.
I wonder if we can reuse
kube-api-linter/pkg/analysis/utils/type_check.go
Lines 33 to 38 in 5fca1e8
There was a problem hiding this comment.
If we need to determine if the field is also a slice, we could also use:
kube-api-linter/pkg/analysis/utils/utils.go
Lines 216 to 232 in 5fca1e8
There was a problem hiding this comment.
Using TypeChecker sounds like a good idea
| // Get minimum and maximum marker values | ||
| minimum, minErr := getMarkerNumericValue(fieldMarkers, minMarkers) | ||
| maximum, maxErr := getMarkerNumericValue(fieldMarkers, maxMarkers) |
There was a problem hiding this comment.
Maybe a good opportunity to export and re-use
kube-api-linter/pkg/analysis/utils/zero_value.go
Lines 290 to 304 in 5fca1e8
| // Extract the actual type name from typeDesc (e.g., "array element type of int32" -> "int32") | ||
| typeName := extractTypeName(typeDesc) | ||
|
|
||
| switch typeName { |
There was a problem hiding this comment.
missing int64 and float64?
| if minimum < minInt32 || minimum > maxInt32 { | ||
| pass.Reportf(field.Pos(), "field %s %s has minimum bound %v that is outside the valid int32 range [%d, %d]", fieldName, typeDesc, minimum, minInt32, maxInt32) | ||
| } | ||
| if maximum < minInt32 || maximum > maxInt32 { | ||
| pass.Reportf(field.Pos(), "field %s %s has maximum bound %v that is outside the valid int32 range [%d, %d]", fieldName, typeDesc, maximum, minInt32, maxInt32) | ||
| } |
There was a problem hiding this comment.
This looks like you might be comparing float64 values to int64 values here? Is that what we want?
There was a problem hiding this comment.
adding cases for int64 and float64 would prevent comparing values of float64 values to int64 right?
| } | ||
|
|
||
| // checkJavaScriptSafeBounds checks if int64 bounds are within JavaScript safe integer range. | ||
| func checkJavaScriptSafeBounds(pass *analysis.Pass, field *ast.Field, fieldName, typeDesc string, minimum, maximum float64) { |
There was a problem hiding this comment.
Do we actually care about "JavaScript safe bounds"? In my eyes, this is just the bounds Kubernetes API conventions are enforcing - not sure why we need 2 separate functions for doing the bound checks?
There was a problem hiding this comment.
The javascript safe bounds is a limitation of JSON. If you go outside of the 2^53 then you have to change the value to a string. So we do care about limiting the bounds here, code layout is a different question
docs/linters.md
Outdated
| ### Configuration | ||
|
|
||
| This linter is **not enabled by default** as it is primarily focused on CRD validation with kubebuilder markers. It can be enabled in your configuration. | ||
|
|
||
| To enable in `.golangci.yml`: | ||
| ```yaml | ||
| linters-settings: | ||
| custom: | ||
| kubeapilinter: | ||
| settings: | ||
| linters: | ||
| enable: | ||
| - numericbounds | ||
| ``` | ||
|
|
||
| See the [package documentation](https://pkg.go.dev/sigs.k8s.io/kube-api-linter/pkg/analysis/numericbounds) for detailed examples and usage. |
There was a problem hiding this comment.
We don't have this for other linters so can probably skip unless there is any specific configuration for this rule
| } | ||
|
|
||
| // checkJavaScriptSafeBounds checks if int64 bounds are within JavaScript safe integer range. | ||
| func checkJavaScriptSafeBounds(pass *analysis.Pass, field *ast.Field, fieldName, typeDesc string, minimum, maximum float64) { |
There was a problem hiding this comment.
The javascript safe bounds is a limitation of JSON. If you go outside of the 2^53 then you have to change the value to a string. So we do care about limiting the bounds here, code layout is a different question
| maxSafeInt32 = 2147483647 // 2^31 - 1 (fits in JS Number) | ||
| minSafeInt32 = -2147483648 // -2^31 (fits in JS Number) |
There was a problem hiding this comment.
These are the same as maxInt32/minInt32, not sure why we would duplicate?
| maxFloat32 = 3.40282346638528859811704183484516925440e+38 // max float32 | ||
| minFloat32 = -3.40282346638528859811704183484516925440e+38 // min float32 |
There was a problem hiding this comment.
Hadn't committed changes for float64 and int64. It's now incorporated in the latest commit
| // Unwrap pointers and slices to get the underlying type | ||
| fieldType, isSlice := unwrapType(field.Type) | ||
|
|
||
| // Get the underlying numeric type identifier (int32, int64, float32, float64) | ||
| ident := getNumericTypeIdent(pass, fieldType) | ||
| if ident == nil { | ||
| return | ||
| } |
There was a problem hiding this comment.
Using TypeChecker sounds like a good idea
| // Validate bounds are within the type's range | ||
| checkBoundsWithinTypeRange(pass, field, fieldName, typeDesc, minimum, maximum) | ||
|
|
||
| // For int64 fields, check if bounds are within JavaScript safe integer range | ||
| checkJavaScriptSafeBounds(pass, field, fieldName, typeDesc, minimum, maximum) |
There was a problem hiding this comment.
We can probably combine bounds within range type checks
k8s-ci-robot
added
the
needs-rebase
krishagarwal278
force-pushed
the
numericbounds
branch
from
8f148c2 to
a68ca3b
Compare
k8s-ci-robot
removed
the
needs-rebase
| const ( | ||
| maxInt32 = 2147483647 // 2^31 - 1 | ||
| minInt32 = -2147483648 // -2^31 | ||
| maxInt64 = 9223372036854775807 // 2^63 - 1 |
There was a problem hiding this comment.
maxInt64 and minInt64 are not used anywhere, so let's remove it.
There was a problem hiding this comment.
good catch. Removed, since we already have maxSafeInt64 and minSafeInt64 👍🏻
|
|
||
| // containsArrayElement checks if the prefix string contains "array element" | ||
| // which indicates we're checking a slice element type. | ||
| func containsArrayElement(prefix string) bool { |
There was a problem hiding this comment.
You can use utilis.IsArrayType which is better than checking whether the prefix has specific strings.
There was a problem hiding this comment.
used IsArrayTypeOrAlias() as it's already exported 👍🏻
krishagarwal278
force-pushed
the
numericbounds
branch
from
a68ca3b to
8260a81
Compare
krishagarwal278
force-pushed
the
numericbounds
branch
from
8260a81 to
9487576
Compare
| - Bounds values are within the type's valid range: | ||
| - int32: full int32 range (±2^31-1) | ||
| - int64: JavaScript-safe range (±2^53-1) per Kubernetes API conventions | ||
| - float32/float64: within their respective ranges |
There was a problem hiding this comment.
Is there any limitation in JSON for the size of a float64?
|
|
||
| // InvalidInt32NoBounds should have bounds markers | ||
| type InvalidInt32NoBounds struct { | ||
| NoBounds int32 // want "field NoBounds is missing minimum bounds validation marker" "field NoBounds is missing maximum bounds validation marker" |
There was a problem hiding this comment.
Nit, probably minimum bound and maximum bound. i.e removing the s (I think this is appropriate english at least)
| // Get minimum and maximum marker values | ||
| minimum, minErr := getMarkerNumericValue(fieldMarkers, minMarkers) | ||
| maximum, maxErr := getMarkerNumericValue(fieldMarkers, maxMarkers) |
|
|
||
| // getMarkerNumericValue extracts the numeric value from the first instance of any of the given marker names. | ||
| // Checks multiple marker names to support both kubebuilder and k8s declarative validation markers. | ||
| func getMarkerNumericValue(markerSet markershelper.MarkerSet, markerNames []string) (float64, error) { |
There was a problem hiding this comment.
Does this define a set precedence for the order of markers that is preferred here? If so, what do we prefer?
Do we care about the value, or just presence of at least one marker?
| // compatibility with JavaScript clients. | ||
| // | ||
| //nolint:cyclop | ||
| func checkBoundsWithinTypeRange(pass *analysis.Pass, field *ast.Field, prefix, typeName string, minimum, maximum float64) { |
There was a problem hiding this comment.
If you were to use generics for these bounds checks, you might be able to avoid int to float to int conversions on the integer bounds checks
I suspect a bounds checking function that takes a boundary, a message, an upper and lower boundary could be leveraged here
5 participants
Numericbounds Linter
Adds a new analyzer that ensures
int32, int64, float32, float64fields have both minimum and maximum bounds validation markers, following Kubernetes API conventions.What it checks
MinimumandMaximummarkers are present on numeric fieldsitems:Minimumanditems:Maximumfor slice elementsFixes #18