In companies and open-source projects, FOSS 3PP license compliance and "correct" use of cryptography are two examples of concerning types of software defects that can have costly consequences, but that are hard to prevent or catch. Sure, there exist CLI scanning tools that can help find potential problems, but when used at all it tends to be late in the cycle, where changing a incompatibly-licensed 3PP can be expensive but necessary.
What if the scanner was run automatically any time the code changes and the result was provided to the developer immediately, right in the editor where they're coding, like syntax or linting errors?
Lucky for us, there is no need to reinvent the wheel. LSP has something called diagnostics that's supported by Eclipse Theia and others, that can provide exactly this in the client. All we need is a language server to provide the diagnostics. A simple one can be created that monitors files opened in editors and runs the CLI tool against them when one has changed. Any violations reported in the tool's output are converted to diagnostics and sent to the client, to be displayed right in the code editor.
In this presentation, we will go over the benefits of using LSP to integrate with tools beyond compilers and present an example of such an integration, done as a proof-of-concept, with an open-source tool called crypto-detector. The key is to create a simple language server that uses the CLI scanning tool on files opened in editors, whenever they change.
Comments Sign in to post comments
Submitted by Marc Dumais on Mon, 2020-06-15 23:51
Vincent Fugnitto, Eclipse Theia committer, will present this with me. I could not add him as a second speaker, he was not found in the tool.