Add java rule EC24 : Optimize Database SQL Queries (Clause LIMIT) #20
Conversation
dedece35
changed the title
…hange EC80 to EC24
…pdate CHANGELOG.md
| @@ -67,7 +67,7 @@ | |||
| <google.re2j>1.7</google.re2j> | |||
|
|
|||
| <!-- temporary version waiting for real automatic release in ecocode repository --> | |||
| <ecocode-rules-specifications.version>1.5.0</ecocode-rules-specifications.version> | |||
| <ecocode-rules-specifications.version>1.5.1-SNAPSHOT</ecocode-rules-specifications.version> | |||
There was a problem hiding this comment.
Maybe we can wait for the next version of the artifact instead of using a snapshot here?
There was a problem hiding this comment.
waiting for approvement of this implementation before releasing ecocode-rules-specifications
| dummyCall("SELECT user FROM myTable LIMIT 50"); // Compliant | ||
| } | ||
|
|
||
| @Query("select t from Todo t where t.status != 'COMPLETED'") // Noncompliant {{Optimize Database SQL Queries (Clause LIMIT)}} |
There was a problem hiding this comment.
In the JavaScript plugin, I added the WHERE keyword in the list of limiting keywords so as not to be too strict either. We could consider that this query already performs a stricter selection than all the data in the table. I don't know what your opinion is on this? maybe it lacks measure too :p
|
This rule is going to be very low quality, I don't think it should be merged at all. |
|
This PR has been automatically marked as stale because it has no activity for 30 days. |
HI @Djoums, I'm ok with you with this rule hasn't an optimal quality, but ... to be homogenous with JS language that already has implemented this rule (check "where" and "limit" clauses), I think we can integrate the implementation in Java language and maybe in python, and php language. What do you think ? |
dedece35
added
🗃️ rule
|
Hi @dedece35 , it's a product choice really : is a low quality rule better than nothing ? IMO not in this case, because it is so limited that I don't see a use case for it, on top of being very prone to false positives/true negatives. This rule may be helpful when developers build quick models, because they tend to quickly hard code sql queries to save time. But that's precisely when they don't need rules like this enforced. When it comes to actual production code that requires quality (which is what we're targeting really) :
|
|
Hi @Djoums and @utarwyn (@jhertout), If we aren't all ok with this rule integration, if we are all ok with NO integration, next we flag this rule in our rule array to study more the implementation. But, the consequence are (I have no problem with it) :
Do we deal with only one use case ? or do we delete this rule for study it later ? |
|
I think that any rule dealing with sql query content shouldn't be handled by a static analyzer (Sonar, Roslyn or any other), this is also the case for the "select *" rule. I'm fine with going for the simplest case, but it's probably not going to be very helpful, especially for production level code. |
|
Hello! I agree that the implementation of this rule is very basic currently. However I find you a little bit though with what has been done. I think this rule is important and it would be a shame not to include it in our plugins. We should have in mind that we will not be able to cover 100% of use cases, but it will always be better than 0%. As long as we don’t get false positives.
I don't understand the idea behind this: how can we deal with SQL queries if this not through a static analyzer? Do not handle them at all? I think it’s possible to do basic static analysis like we have done here.
I think it's possible to check if a variable or string is passed in a
I don't understand? You can perform prepared statements with variables but this rule reads the selection part of the query. So it shouldn’t change anything.
I agree with you that nowadays we often do not use basic SQL queries but an ORM instead. So it could be an improvement to support some famous ORM tools in our implementations. I already have some ideas to do it in JavaScript. I leave you the final choice, but I think we should keep this rule and continue to iterate on it to improve our implementations. |
|
All I'm saying is that it will be closer to 5% rather than 100%. And given that it will be very simplistic, that it has the potential for many false positives/true negatives, and that the poor quality will possibly hurt our plugin image, I don't think it's worth it. But I'm not trying to block it, just giving my opinion.
Static analyzers can analyze static queries, by definition, but many are dynamic (constructed in several steps, with conditionals, function calls, etc). If what the rule does is just scan all the code base for strings that contain "select *", that is really poor imo and prone to errors. And for "LIMIT X" this is even worse, how do you identify strings that should/shouldn't have it appended ? If I write : string myStr = "SELECT myField FROM myTable"; // Are you going to warn here ?
myStr += " LIMIT 30";The only way I see to properly analyze any query is at runtime, in the DAL or the DB engine, because they are fully formed at that point. |
|
This PR has been automatically marked as stale because it has no activity for 30 days. |
implement issue green-code-initiative/ecoCode#239
old PR : green-code-initiative/ecoCode#221 (duplicated because of stale state and no come back from original developer, thus I copied and corrected the code with review feddbacks)