NumericBounds Linter #176
NumericBounds Linter #176
Conversation
k8s-ci-robot
added
the
do-not-merge/work-in-progress
k8s-ci-robot
added
cncf-cla: yes
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
|
/label tide/merge-method-squash |
k8s-ci-robot
added
the
tide/merge-method-squash
docs/linters.md
Outdated
|
|
||
| ## NumericBounds | ||
|
|
||
| The `numericbounds` linter checks that numeric fields (`int32` and `int64`) have appropriate bounds validation markers. |
There was a problem hiding this comment.
What about floats? We discourage them, but people can/do still use them
docs/linters.md
Outdated
| According to Kubernetes API conventions, numeric fields should have bounds checking to prevent values that are too small, negative (when not intended), or too large. | ||
|
|
||
| This linter ensures that: | ||
| - `int32` and `int64` fields have both `+kubebuilder:validation:Minimum` and `+kubebuilder:validation:Maximum` markers |
There was a problem hiding this comment.
We should check for declarative validation markers too if they are in beta at this point
There was a problem hiding this comment.
i didn't add it earlier as i only found +k8s:maximum in the k8s documentation. On exploring further i saw that the markers package does mention it. So i incorporated it 👍🏻
docs/linters.md
Outdated
|
|
||
| This linter ensures that: | ||
| - `int32` and `int64` fields have both `+kubebuilder:validation:Minimum` and `+kubebuilder:validation:Maximum` markers | ||
| - `int64` fields with bounds outside the JavaScript safe integer range are flagged |
There was a problem hiding this comment.
We should also check if an int32 bound is beyond the limits of an int32
docs/linters.md
Outdated
| ### Examples | ||
|
|
||
| **Valid:** Numeric field with proper bounds markers | ||
| ```go | ||
| type Example struct { | ||
| // +kubebuilder:validation:Minimum=0 | ||
| // +kubebuilder:validation:Maximum=100 | ||
| Count int32 | ||
| } | ||
| ``` | ||
|
|
||
| **Valid:** Int64 field with JavaScript-safe bounds | ||
| ```go | ||
| type Example struct { | ||
| // +kubebuilder:validation:Minimum=-9007199254740991 | ||
| // +kubebuilder:validation:Maximum=9007199254740991 | ||
| Timestamp int64 | ||
| } | ||
| ``` | ||
|
|
||
| **Invalid:** Missing bounds markers | ||
| ```go | ||
| type Example struct { | ||
| Count int32 // want: should have minimum and maximum bounds validation markers | ||
| } | ||
| ``` | ||
|
|
||
| **Invalid:** Only one bound specified | ||
| ```go | ||
| type Example struct { | ||
| // +kubebuilder:validation:Minimum=0 | ||
| Count int32 // want: has minimum but is missing maximum bounds validation marker | ||
| } | ||
| ``` | ||
|
|
||
| **Invalid:** Int64 with bounds exceeding JavaScript safe range | ||
| ```go | ||
| type Example struct { | ||
| // +kubebuilder:validation:Minimum=-10000000000000000 | ||
| // +kubebuilder:validation:Maximum=10000000000000000 | ||
| LargeNumber int64 // want: bounds exceed JavaScript safe integer range | ||
| } | ||
| ``` | ||
|
|
There was a problem hiding this comment.
This is probably too much detail for the docs here, we can have this in the package level docs I think
pkg/analysis/numericbounds/doc.go
Outdated
| // +kubebuilder:validation:Maximum=100 | ||
| Count int32 | ||
| } | ||
There was a problem hiding this comment.
Maybe copy the more complex examples you added in the docs to here
There was a problem hiding this comment.
moved it to docs in numericbounds package 👍🏻
| maxSafeInt = 9007199254740991 // 2^53 - 1 | ||
| minSafeInt = -9007199254740991 // -(2^53 - 1) |
There was a problem hiding this comment.
Rename these to Int64 and also add versions for Int32 to check?
| // Check if it's a slice and unwrap (e.g., []int32) | ||
| if arrayType, ok := expr.(*ast.ArrayType); ok { | ||
| isSlice = true | ||
| expr = arrayType.Elt | ||
|
|
||
| // Handle pointer inside slice (e.g., []*int32) | ||
| if starExpr, ok := expr.(*ast.StarExpr); ok { | ||
| expr = starExpr.X | ||
| } | ||
| } | ||
|
|
||
| return expr, isSlice |
There was a problem hiding this comment.
When we unwrap array element types, we should explain that it is the array element type we are reporting the issue on
| name, | ||
| newAnalyzer(), | ||
| Analyzer, | ||
| true, |
There was a problem hiding this comment.
At the moment, this is only for CRDs (since it's only looking at kubebuilder markers). So cannot be on by default
| // getMarkerNumericValue extracts the numeric value from the first instance of the marker with the given name. | ||
| func getMarkerNumericValue(markerSet markershelper.MarkerSet, markerName string) (float64, error) { | ||
| markerList := markerSet.Get(markerName) | ||
| if len(markerList) == 0 { | ||
| return 0, errMarkerMissingValue | ||
| } | ||
|
|
||
| marker := markerList[0] | ||
| rawValue, ok := marker.Expressions[""] | ||
| if !ok { | ||
| return 0, errMarkerMissingValue | ||
| } | ||
|
|
||
| // Parse as float64 using strconv for better error handling | ||
| value, err := strconv.ParseFloat(rawValue, 64) | ||
| if err != nil { | ||
| return 0, fmt.Errorf("error converting value to number: %w", err) | ||
| } | ||
|
|
||
| return value, nil | ||
| } |
There was a problem hiding this comment.
Check the utils library, I'm sure we have some existing helpers for this
krishagarwal278
force-pushed
the
numericbounds
branch
2 times, most recently
from
16a7234 to
2dd6445
Compare
| // Unwrap pointers and slices to get the underlying type | ||
| fieldType, isSlice := unwrapType(field.Type) | ||
|
|
||
| // Get the underlying numeric type identifier (int32, int64, float32, float64) | ||
| ident := getNumericTypeIdent(pass, fieldType) | ||
| if ident == nil { | ||
| return | ||
| } |
There was a problem hiding this comment.
I wonder if we can reuse
kube-api-linter/pkg/analysis/utils/type_check.go
Lines 33 to 38 in 5fca1e8
There was a problem hiding this comment.
If we need to determine if the field is also a slice, we could also use:
kube-api-linter/pkg/analysis/utils/utils.go
Lines 216 to 232 in 5fca1e8
There was a problem hiding this comment.
Using TypeChecker sounds like a good idea
| // Extract the actual type name from typeDesc (e.g., "array element type of int32" -> "int32") | ||
| typeName := extractTypeName(typeDesc) | ||
|
|
||
| switch typeName { |
There was a problem hiding this comment.
missing int64 and float64?
| if minimum < minInt32 || minimum > maxInt32 { | ||
| pass.Reportf(field.Pos(), "field %s %s has minimum bound %v that is outside the valid int32 range [%d, %d]", fieldName, typeDesc, minimum, minInt32, maxInt32) | ||
| } | ||
| if maximum < minInt32 || maximum > maxInt32 { | ||
| pass.Reportf(field.Pos(), "field %s %s has maximum bound %v that is outside the valid int32 range [%d, %d]", fieldName, typeDesc, maximum, minInt32, maxInt32) | ||
| } |
There was a problem hiding this comment.
This looks like you might be comparing float64 values to int64 values here? Is that what we want?
There was a problem hiding this comment.
adding cases for int64 and float64 would prevent comparing values of float64 values to int64 right?
| } | ||
|
|
||
| // checkJavaScriptSafeBounds checks if int64 bounds are within JavaScript safe integer range. | ||
| func checkJavaScriptSafeBounds(pass *analysis.Pass, field *ast.Field, fieldName, typeDesc string, minimum, maximum float64) { |
There was a problem hiding this comment.
Do we actually care about "JavaScript safe bounds"? In my eyes, this is just the bounds Kubernetes API conventions are enforcing - not sure why we need 2 separate functions for doing the bound checks?
There was a problem hiding this comment.
The javascript safe bounds is a limitation of JSON. If you go outside of the 2^53 then you have to change the value to a string. So we do care about limiting the bounds here, code layout is a different question
docs/linters.md
Outdated
| ### Configuration | ||
|
|
||
| This linter is **not enabled by default** as it is primarily focused on CRD validation with kubebuilder markers. It can be enabled in your configuration. | ||
|
|
||
| To enable in `.golangci.yml`: | ||
| ```yaml | ||
| linters-settings: | ||
| custom: | ||
| kubeapilinter: | ||
| settings: | ||
| linters: | ||
| enable: | ||
| - numericbounds | ||
| ``` | ||
|
|
||
| See the [package documentation](https://pkg.go.dev/sigs.k8s.io/kube-api-linter/pkg/analysis/numericbounds) for detailed examples and usage. |
There was a problem hiding this comment.
We don't have this for other linters so can probably skip unless there is any specific configuration for this rule
| } | ||
|
|
||
| // checkJavaScriptSafeBounds checks if int64 bounds are within JavaScript safe integer range. | ||
| func checkJavaScriptSafeBounds(pass *analysis.Pass, field *ast.Field, fieldName, typeDesc string, minimum, maximum float64) { |
There was a problem hiding this comment.
The javascript safe bounds is a limitation of JSON. If you go outside of the 2^53 then you have to change the value to a string. So we do care about limiting the bounds here, code layout is a different question
| maxSafeInt32 = 2147483647 // 2^31 - 1 (fits in JS Number) | ||
| minSafeInt32 = -2147483648 // -2^31 (fits in JS Number) |
There was a problem hiding this comment.
These are the same as maxInt32/minInt32, not sure why we would duplicate?
| maxFloat32 = 3.40282346638528859811704183484516925440e+38 // max float32 | ||
| minFloat32 = -3.40282346638528859811704183484516925440e+38 // min float32 |
There was a problem hiding this comment.
Hadn't committed changes for float64 and int64. It's now incorporated in the latest commit
| // Unwrap pointers and slices to get the underlying type | ||
| fieldType, isSlice := unwrapType(field.Type) | ||
|
|
||
| // Get the underlying numeric type identifier (int32, int64, float32, float64) | ||
| ident := getNumericTypeIdent(pass, fieldType) | ||
| if ident == nil { | ||
| return | ||
| } |
There was a problem hiding this comment.
Using TypeChecker sounds like a good idea
| // Validate bounds are within the type's range | ||
| checkBoundsWithinTypeRange(pass, field, fieldName, typeDesc, minimum, maximum) | ||
|
|
||
| // For int64 fields, check if bounds are within JavaScript safe integer range | ||
| checkJavaScriptSafeBounds(pass, field, fieldName, typeDesc, minimum, maximum) |
There was a problem hiding this comment.
We can probably combine bounds within range type checks
k8s-ci-robot
added
the
needs-rebase
krishagarwal278
force-pushed
the
numericbounds
branch
from
8f148c2 to
a68ca3b
Compare
k8s-ci-robot
removed
the
needs-rebase
| const ( | ||
| maxInt32 = 2147483647 // 2^31 - 1 | ||
| minInt32 = -2147483648 // -2^31 | ||
| maxInt64 = 9223372036854775807 // 2^63 - 1 |
There was a problem hiding this comment.
maxInt64 and minInt64 are not used anywhere, so let's remove it.
There was a problem hiding this comment.
good catch. Removed, since we already have maxSafeInt64 and minSafeInt64 👍🏻
|
|
||
| // containsArrayElement checks if the prefix string contains "array element" | ||
| // which indicates we're checking a slice element type. | ||
| func containsArrayElement(prefix string) bool { |
There was a problem hiding this comment.
You can use utilis.IsArrayType which is better than checking whether the prefix has specific strings.
There was a problem hiding this comment.
used IsArrayTypeOrAlias() as it's already exported 👍🏻
krishagarwal278
force-pushed
the
numericbounds
branch
2 times, most recently
from
8260a81 to
9487576
Compare
docs/linters.md
Outdated
| - Bounds values are within the type's valid range: | ||
| - int32: full int32 range (±2^31-1) | ||
| - int64: JavaScript-safe range (±2^53-1) per Kubernetes API conventions | ||
| - float32/float64: within their respective ranges |
There was a problem hiding this comment.
Is there any limitation in JSON for the size of a float64?
There was a problem hiding this comment.
no, we don't have limitation in json for float64. however, i'm still validating bounds to enforce k8s convention to have numeric fields bounded
|
|
||
| // InvalidInt32NoBounds should have bounds markers | ||
| type InvalidInt32NoBounds struct { | ||
| NoBounds int32 // want "field NoBounds is missing minimum bounds validation marker" "field NoBounds is missing maximum bounds validation marker" |
There was a problem hiding this comment.
Nit, probably minimum bound and maximum bound. i.e removing the s (I think this is appropriate english at least)
| // compatibility with JavaScript clients. | ||
| // | ||
| //nolint:cyclop | ||
| func checkBoundsWithinTypeRange(pass *analysis.Pass, field *ast.Field, prefix, typeName string, minimum, maximum float64) { |
There was a problem hiding this comment.
If you were to use generics for these bounds checks, you might be able to avoid int to float to int conversions on the integer bounds checks
I suspect a bounds checking function that takes a boundary, a message, an upper and lower boundary could be leveraged here
krishagarwal278
force-pushed
the
numericbounds
branch
2 times, most recently
from
2aa9995 to
36f5a50
Compare
krishagarwal278
force-pushed
the
numericbounds
branch
from
36f5a50 to
68d9c70
Compare
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: krishagarwal278 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
docs/linters.md
Outdated
| - Numeric fields have both `+kubebuilder:validation:Minimum` and `+kubebuilder:validation:Maximum` markers | ||
| - K8s declarative validation markers (`+k8s:minimum` and `+k8s:maximum`) are also supported |
There was a problem hiding this comment.
I would swap the way we talk about these as we expect the k8s versions to take precedence in the long term
|
|
||
| **Note:** While `+k8s:minimum` is documented in the official Kubernetes declarative validation spec, `+k8s:maximum` is not yet officially documented but is supported by this linter for forward compatibility and consistency. | ||
|
|
||
| This linter is **not enabled by default** as it is primarily focused on CRD validation with kubebuilder markers. |
There was a problem hiding this comment.
This is fine for now, I expect we will flip this in the future
| return nil, kalerrors.ErrCouldNotGetInspector | ||
| } | ||
|
|
||
| inspect.InspectFields(func(field *ast.Field, _ extractjsontags.FieldTagInfo, markersAccess markershelper.Markers, _ string) { |
There was a problem hiding this comment.
The final argument in this function is called qualifiedName. Please use this argument instead of working out your own field names here. This provides consistent naming across all linters
Or is there an issue making this work with the typechecker?
There was a problem hiding this comment.
using qualifiedFieldName just like it's being used in arrayofstruct, commentstart, conflictingmarkers, and other linters 👍🏻
| // For array elements, update prefix to include type information | ||
| // e.g., "field Ports array element pointer" -> "field Ports array element type of int32" | ||
| if isSlice { | ||
| prefix = buildArrayElementPrefix(prefix, ident.Name) | ||
| } |
There was a problem hiding this comment.
I thought at least some of this was handled by the type checker 🤔
There was a problem hiding this comment.
Removed buildArrayElementPrefix entirely 👍🏻
now using qualifiedFieldName directly from inspector and utils.IsArrayTypeOrAlias() to detect arrays
| // buildArrayElementPrefix updates the prefix for array elements to include type information. | ||
| // Replaces TypeChecker's suffix (like "pointer" or "type X") with "type of {typeName}". | ||
| // Example: "field Ports array element pointer" -> "field Ports array element type of int32". | ||
| func buildArrayElementPrefix(prefix, typeName string) string { | ||
| idx := strings.Index(prefix, "array element") | ||
| if idx == -1 { | ||
| return prefix | ||
| } | ||
|
|
||
| return prefix[:idx+len("array element")] + " type of " + typeName | ||
| } |
…ames, and other reviews
krishagarwal278
force-pushed
the
numericbounds
branch
from
68d9c70 to
a6609de
Compare
JoelSpeed
left a comment
JoelSpeed
left a comment
There was a problem hiding this comment.
One suggestion for a generics improvement, but then I think this is good to go, thanks @krishagarwal278
| // checkBoundInRange checks if an integer bound value is within the valid range. | ||
| // Uses generics to avoid type conversions. | ||
| func checkBoundInRange[T constraints.Integer](pass *analysis.Pass, field *ast.Field, prefix string, value float64, minBound, maxBound T, boundType, typeName string, extraMsg ...string) { | ||
| if value < float64(minBound) || value > float64(maxBound) { | ||
| msg := fmt.Sprintf("%s has %s bound %%v that is outside the %s range [%%d, %%d]", prefix, boundType, typeName) | ||
| if len(extraMsg) > 0 { | ||
| msg += ". " + extraMsg[0] | ||
| } | ||
|
|
||
| pass.Reportf(field.Pos(), msg, value, minBound, maxBound) | ||
| } | ||
| } | ||
|
|
||
| // checkFloatBoundInRange checks if a float bound value is within the valid range. | ||
| func checkFloatBoundInRange[T constraints.Float](pass *analysis.Pass, field *ast.Field, prefix string, value float64, minBound, maxBound T, boundType, typeName string) { | ||
| if value < float64(minBound) || value > float64(maxBound) { | ||
| pass.Reportf(field.Pos(), "%s has %s bound %v that is outside the valid %s range", prefix, boundType, value, typeName) | ||
| } | ||
| } |
There was a problem hiding this comment.
Check how we did the GetMarkerNumericValue function implementation to work for both floats and integers, we should unify these using the same pattern (a shared number interface that accepts both floats and integers)
There was a problem hiding this comment.
agreed. Latest commit now has the same pattern 👍🏻 i.e. one function for both int and float bounds
5 participants
Numericbounds Linter
Adds a new analyzer that ensures
int32, int64, float32, float64fields have both minimum and maximum bounds validation markers, following Kubernetes API conventions.What it checks
MinimumandMaximummarkers are present on numeric fieldsitems:Minimumanditems:Maximumfor slice elementsFixes #18