Update check for use of GlideRecordSecure on Client Callable Script Includes

Question

Update check for use of GlideRecordSecure on Client Callable Script Includes

niamccash opened this issue a year ago · 9 comments

Create new Linter Check type Instance Scan for use of GlideRecord Secure on Client Callable Script Includes

As per https://docs.servicenow.com/bundle/utah-api-reference/page/script/server-scripting/concept/c_ScriptIncludes.html#title_client-callable-script-includes

Note: there is already an existing Table Check for this. This issue is for a Linter type check.

Answer 1 · 2023-10-11T19:14:17.000Z

Hi @niamccash I just had a chat with a friend who is deep into the instance scan and he recommended to do this with Scritp only check, rather than Linter check.
His arguments are:

Linter Check is not specifically Script Include, it will run on all scripts.
we can add a condition to check only the script include table, but it will still run all of the time, which is bad practioce.

let me know if you still insist to have a Linter check or I can take it over and create a Script only check.
Thank you

Answer 2 · 2023-10-11T19:51:26.000Z

@MartinStoyanoff That's good to know. Thanks for sharing.
Could the Script only check catch instances where GlideRecord use is commented out?

I like Linter checks because it does check for actual code use and ignores things like

// var gr = new GlideRecord('incident');

Where devs may have commented out old code instead of removing.

Answer 3 · 2023-10-13T13:52:49.000Z

Hi @niamccash
Should I start with the linter check then?

Answer 4 · 2023-10-13T14:57:26.000Z

Hi @aman2519.

I'm waiting for @MartinStoyanoff's input but I don't see the harm in having multiple checks. If you want to create the Linter check and submit a PR, I will happily accept.

As there will be multiple check types that scan for the same thing, it would be nice to have some comments in the code to help explain how the Linter check is different than the Table check and a Script Only check.

As an added challenge, see if you can add a condition to your Linter check to only check the script include table.

Answer 5 · 2023-10-16T13:17:31.000Z

@aman2519 you can take it and implement the linter check.
@niamccash to your question, it will check commented code as well. What I pointed out in my previous comment is an input from Mark Roethof. I am not an instance scan expert at all.

Answer 6 · 2023-10-20T18:59:54.000Z

@MartinStoyanoff @niamccash For checking commented code, there are some out-of-the-box checks which look to be something like that... I haven't validated it myself. See for example:
https://your-instance.service-now.com/nav_to.do?uri=scan_column_type_check.do?sys_id=dfd6ccb8db796510dd95b7e8f49619eb

Answer 7 · 2023-10-20T19:02:57.000Z

@niamccash Linter Check could still work fine if its for a specific table, then you need to start the check with something like engine.current.getTableName() == 'lalala' else return. Downside... the Linter Check will run for several minutes, while the Script Only Check or Table Check will run only for a few seconds.

Answer 8 · 2024-09-29T16:32:42.000Z

@niamccash wanna keep this issue open? What are the latest requirements? :)

Answer 9 · 2024-09-30T13:15:34.000Z

@Lacah The table check is done but there's still opportunity for someone to do a Linter check if they wanted to. But perhaps a new Issue would be easier and more appropriate, so I'll close this one for now.