
Warn on unnecessary shell commands in non-shell scripts

Open mcandre opened this issue 7 years ago • 0 comments

As a developer, I want to be warned earlier when application code (not shell scripts) tries to shell out for common behaviors that are already provided by libraries, so that I can build faster, leaner, more secure, more cross-platform applications.

Warn on common shell commands that should probably be replaced with pure application code, when referenced in source files that are neither shell scripts nor documentation text files.

Common shell commands ripe for replacement:

  • jq
  • jq.exe
  • wget
  • wget.exe
  • curl
  • curl.exe
  • awk/gawk/nawk
  • awk.exe/gawk.exe/nawk.exe

Stank will use very primitive, exact name matching to perform this check. I don't want to see curl mentioned anywhere in my Python scripts!

One side effect of using exact matching is that we reject library calls to libraries named jq (case sensitive). Some of these libraries are pure application code (too bad, you can probably just use the standard library!), others are native libraries (gross, C/C++ dependencies in my scripting language!), and still others are dirt simple wrappers around, you guessed it, shell calls (yuck, bleugh, nasty, oh the humanity!).

On the other hand, there are plenty of ways to get around this check. That's okay. If we want to profile the behavior at runtime for opened processes, we can do that too! For now, we want a decent ROC curve, and an exact match of a small list of common programs + the Windows executable editions is a good start.

mcandre, Nov 20 '18 21:11
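An added illustration (not stank's own code) of the exact, case-sensitive, whole-word check the issue proposes: the listed command names plus their `.exe` editions are matched in any file that is not a shell script or documentation file, with file type approximated here by extension only (an assumption; the sample Python source is constructed).

```go
package main

import (
	"bufio"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Finding records one suspicious shell command reference in a source file.
type Finding struct {
	Path    string
	Line    int
	Command string
}

// commandNames is the list from the issue; the Windows .exe editions are
// derived in the pattern below rather than listed twice.
var commandNames = []string{"jq", "wget", "curl", "awk", "gawk", "nawk"}

// commandPattern matches the exact, case-sensitive command name as a whole
// word, optionally followed by ".exe". No attempt is made to tell a library
// import named jq from a shell call: that is the accepted side effect.
var commandPattern = regexp.MustCompile(
	`\b(` + strings.Join(commandNames, "|") + `)(\.exe)?\b`)

// skippedExtensions approximates "shell scripts and documentation text files"
// (assumption: extension-based detection only, no shebang sniffing).
var skippedExtensions = map[string]bool{
	".sh": true, ".bash": true, ".zsh": true, ".ksh": true,
	".md": true, ".txt": true, ".rst": true,
}

// ShouldScan reports whether the check applies to the given path.
func ShouldScan(path string) bool {
	return !skippedExtensions[strings.ToLower(filepath.Ext(path))]
}

// ScanSource returns one Finding per matching command reference in content.
func ScanSource(path, content string) []Finding {
	var findings []Finding
	if !ShouldScan(path) {
		return findings
	}
	scanner := bufio.NewScanner(strings.NewReader(content))
	for n := 1; scanner.Scan(); n++ {
		for _, m := range commandPattern.FindAllString(scanner.Text(), -1) {
			findings = append(findings, Finding{Path: path, Line: n, Command: m})
		}
	}
	return findings
}

func main() {
	// Constructed sample: Python that shells out for an HTTP fetch and JSON parsing.
	src := "import subprocess\nsubprocess.run(['curl', '-s', url])\nos.system('jq.exe . data.json')\n"
	for _, f := range ScanSource("fetch.py", src) {
		fmt.Printf("%s:%d: replace shell command %q with library code\n", f.Path, f.Line, f.Command)
	}
}
```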