Include enforcement date in warnings for future effective_on violations#3412
Include enforcement date in warnings for future effective_on violations#3412Acepresso wants to merge 2 commits into
Conversation
|
Important Review skippedDraft detected. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Enterprise Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
🤖 Review · |
|
🤖 Finished Review · ✅ Success · Started 3:26 PM UTC · Completed 3:31 PM UTC |
Review — ⚠ Changes RequestedPR: #3412 — Include enforcement date in warnings for future effective_on violations OverviewThe production code changes are well-structured. Splitting the However, two of the three acceptance test snapshot changes are incorrect and will cause test failures. Findings🔴 Incorrect snapshot expectations for violation test casesSeverity: high | File: The snapshot updates for "using attestation time as effective time" (line ~1410) and "future failure is a deny when using effective-date flag" (line ~2014) are incorrect. Both snapshots are under Why this is wrong: In both test scenarios, the effective time is set to 2100 (via Only the first snapshot change — "future failure is converted to a warning" (line ~360, under Code trace: // In CategorizeResults (both Legacy and Unified):
case "failure":
if getSeverity(result) == severityWarning {
// not taken (no severity metadata)
} else if !isResultEffective(result, effectiveTime) {
// NOT taken when effectiveTime=2100, effective_on=2099
// because isResultEffective returns true (2099 < 2100)
result.Message = formatFutureEnforcementMessage(result)
warnings = append(warnings, result)
} else {
failures = append(failures, result) // ← THIS branch is taken
}Remediation: Revert the snapshot changes for the two violation test cases. Only the "future failure is converted to a warning" snapshot (under 🟡 Missing test for severity=warning + future effective_on interactionSeverity: low | File: The refactoring splits What looks good
Previous runReview of #3412 — Include enforcement date in warnings for future effective_on violationsVerdict: comment · 1 medium finding SummaryThis PR enhances the warning messages for policy violations that have future The implementation is clean and well-structured:
No security concerns — the Findings1. Acceptance test snapshot not updated —
|
| Severity | medium |
| Category | test-adequacy |
| File | features/__snapshots__/validate_image.snap |
| Line | 360 |
The acceptance test scenario "future failure is converted to a warning" (features/validate_image.feature:310) uses the future_deny.rego example policy, which emits a denial with msg: "Fails in 2099" and effective_on: "2099-01-01T00:00:00Z". Since no --effective-time flag is passed, the current time is used, and the failure is demoted to a warning.
After this PR, the warning message will be enhanced to:
Fails in 2099. This will become a failure starting on 2099-01-01T00:00:00Z
The snapshot framework's timestampRegex replaces RFC 3339 timestamps, so the stored snapshot would become:
"msg": "Fails in 2099. This will become a failure starting on ${TIMESTAMP}"But the current snapshot still expects:
"msg": "Fails in 2099"This will cause the acceptance test to fail. The two other scenarios using this policy ("future failure is a deny when using effective-date flag" and "using attestation time as effective time") are unaffected because they set the effective time to 2100, making the rule effective — so the failure is not demoted and the message is not enhanced.
Remediation: Update the snapshot by running UPDATE_SNAPS=true make acceptance (or the relevant subset), or manually update line 360 of features/__snapshots__/validate_image.snap to reflect the new message format.
Labels: PR modifies evaluator warning message formatting
Previous run (2)
Review of PR #3412 — Include enforcement date in warnings for future effective_on violations
Verdict: Request changes
Summary
This PR enhances warning messages when the CLI demotes a deny result to a warning due to a future effective_on date. The new formatFutureEnforcementMessage helper appends the enforcement date to the message text (e.g., ". This will become a failure starting on 2025-01-01T00:00:00Z"). Both LegacyPostEvaluationFilter.CategorizeResults and UnifiedPostEvaluationFilter.CategorizeResults are updated with the same logic. Unit tests for the new function are well-structured and cover edge cases (nil metadata, non-string values, empty strings, trailing periods).
Findings
🔴 High: Acceptance test snapshot not updated
File: features/__snapshots__/validate_image.snap, line 360
The acceptance test scenario "future failure is converted to a warning" (features/validate_image.feature:310) uses the future_deny.rego example policy, which produces a deny result with effective_on: "2099-01-01T00:00:00Z". This result gets demoted from failure to warning by CategorizeResults.
With this PR's changes, the demoted warning message will change from:
"Fails in 2099"
to:
"Fails in 2099. This will become a failure starting on 2099-01-01T00:00:00Z"
After the snapshot framework's timestamp normalization (via timestampRegex in acceptance/snaps/snaps.go), the actual output would be "Fails in 2099. This will become a failure starting on ${TIMESTAMP}", but the snapshot still expects "msg": "Fails in 2099". This will cause the acceptance test to fail.
Remediation: Update the snapshot entry at features/__snapshots__/validate_image.snap line 360 to:
"msg": "Fails in 2099. This will become a failure starting on ${TIMESTAMP}",Alternatively, run the acceptance tests with snapshot update mode enabled to regenerate the snapshot automatically.
🟡 Low: Shallow copy shares underlying Metadata map
File: internal/evaluator/filters.go, lines 1001–1002 and 1129–1130
The pattern enhancedResult := result creates a struct-level shallow copy. Since Result.Metadata is a map[string]interface{}, both the original and the copy share the same map reference. This is currently safe because only the Message field (a string) is modified on the copy. However, if future changes also modify metadata on the enhanced result, the mutation would silently affect the original. Consider documenting this constraint in a comment, or performing a deep copy of the map if metadata modifications are ever needed.
What looks good
- The
formatFutureEnforcementMessagefunction is clean and handles edge cases well (nil metadata, non-string effective_on, empty string). - The
strings.TrimSuffix(originalMessage, ".")approach avoids double periods when messages already end with.. - Splitting the
ifcondition (getSeverity == severityWarning || !isResultEffective) into two branches is a clear and readable refactor. - The unit test in
TestConftestEvaluatorEvaluateSeveritywas correctly updated to expect the enhanced message. - The enhancement only applies to failures being demoted (not to existing warning rules), avoiding duplicate annotations.
- Test coverage for
formatFutureEnforcementMessageis thorough with 6 test cases.
This review was performed against commit b822c50.
Previous run (3)
Review — Approve
PR: #3412 — Include enforcement date in warnings for future effective_on violations
Author: Acepresso · Status: Draft · Files changed: 3 · Diff: +111 / −3
Summary
When the CLI demotes a deny/failure result to a warning because its effective_on date is in the future, the warning message is now enhanced to indicate when enforcement begins (e.g., "The required 'cpe' label is missing. This will become a failure starting on 2025-01-01T00:00:00Z").
The change introduces a helper function formatFutureEnforcementMessage and applies it in both LegacyPostEvaluationFilter.CategorizeResults and UnifiedPostEvaluationFilter.CategorizeResults. The helper is well-guarded: it returns the original message unchanged when metadata is nil, the effective_on key is missing, or the value is non-string or empty. Implicitly, the isResultEffective gate in the calling code ensures only validly-parseable future dates reach the enhancement path.
Findings
All findings are low severity — none are blocking.
1. strings.TrimRight vs strings.TrimSuffix — subtle behavior difference
Severity: low · File: internal/evaluator/filters.go · Line: ~1233
strings.TrimRight(originalMessage, ".") removes all trailing characters in the cutset, not just a single trailing period. If a message ever ends with "..." (e.g., an ellipsis), all three dots are stripped. strings.TrimSuffix(originalMessage, ".") would remove exactly one trailing period, which is the likely intent.
In practice, policy violation messages rarely end with ellipses, so the risk is cosmetic only.
Suggested fix:
return fmt.Sprintf("%s. This will become a failure starting on %s",
strings.TrimSuffix(originalMessage, "."), effectiveOnStr)2. Duplicated logic across Legacy and Unified filter implementations
Severity: low · File: internal/evaluator/filters.go · Lines: ~1000–1008, ~1125–1133
The same 7-line block (inner if !isResultEffective → create enhancedResult → append) is copy-pasted into both LegacyPostEvaluationFilter.CategorizeResults and UnifiedPostEvaluationFilter.CategorizeResults. If this logic changes in the future (e.g., message format update, additional guards), both sites must be updated in lockstep.
Consider extracting a small helper like:
func appendWithEnhancement(result Result, effectiveTime time.Time, warnings *[]Result) {
if !isResultEffective(result, effectiveTime) {
result.Message = formatFutureEnforcementMessage(result)
}
*warnings = append(*warnings, result)
}This would eliminate the duplication and make future changes single-site.
3. Edge case: severity: warning + future effective_on produces misleading message
Severity: low · File: internal/evaluator/filters.go · Lines: ~1000, ~1125
When a deny result carries both severity: warning (demotes it to a warning by annotation) and a future effective_on date, the outer condition getSeverity(result) == severityWarning || !isResultEffective(result, effectiveTime) is satisfied by both disjuncts. The inner if !isResultEffective(...) then fires, appending "This will become a failure starting on ." However, after that date passes, the severity: warning annotation still keeps the result as a warning — it never actually becomes a failure. The message is technically misleading.
This requires contradictory rule configuration (severity: warning plus a future enforcement date is unusual), so real-world impact is negligible. No fix needed now, but worth a comment in the code if the team agrees.
Verification
- ✅ The
formatFutureEnforcementMessagehelper is thoroughly unit-tested (6 cases: valid date, missing metadata, non-string value, empty string, nil metadata, trailing period) - ✅ The existing
TestConftestEvaluatorEvaluateSeverityintegration test correctly updated expected output - ✅
isResultEffectivereturnstruefor unparseable dates, preventing the enhancement branch from executing with invalid date strings — good implicit validation - ✅ No cross-repo contract changes —
Result.Messageis user-facing text, not an API boundary - ✅ No security concerns
- ⚠ No test coverage for the
UnifiedPostEvaluationFilter.CategorizeResultspath (the duplicated logic), though the implementation is identical
|
🤖 Finished Review · ✅ Success · Started 1:46 PM UTC · Completed 1:56 PM UTC |
…olations When the CLI demotes a deny result to a warning due to a future effective_on date, the warning message is now enhanced to indicate when enforcement begins. Before: "The required 'cpe' label is missing" After: "The required 'cpe' label is missing. This will become a failure starting on 2025-01-01T00:00:00Z" This applies to both sources of effective_on: rule annotations and rule_data items. The effective_on date is included as-is (RFC3339 format). Ref: https://redhat.atlassian.net/browse/EC-1901 Assisted-by: Claude Opus 4.6
|
🤖 Finished Review · ✅ Success · Started 2:30 PM UTC · Completed 2:39 PM UTC |
Superseded by updated review
|
🤖 Finished Review · ✅ Success · Started 2:55 PM UTC · Completed 3:14 PM UTC |
When the CLI demotes a deny result to a warning due to a future effective_on date, the warning message is now enhanced to indicate when enforcement begins.
Before: "The required 'cpe' label is missing"
After: "The required 'cpe' label is missing. This will become a failure starting on 2025-01-01T00:00:00Z"
This applies to both sources of effective_on: rule annotations and rule_data items. The effective_on date is included as-is (RFC3339 format), matching the pattern used by trusted_task's future_deny_rule warnings.
No duplicate warnings for trusted_task rules. The enhancement only applies to failures being demoted, not to existing warning rules like
future_deny_rule.Test plan
formatFutureEnforcementMessagecovering: valid effective_on, missing metadata, non-string value, empty string, nil metadataTestConftestEvaluatorEvaluateSeverityupdated and passingec validateagainst a policy with a futureeffective_ondate and verify the warning message includes the enforcement dateRef: https://redhat.atlassian.net/browse/EC-1901
Assisted-by: Claude Opus 4.6