You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The reason will be displayed to describe this comment to others. Learn more.
Pull Request Overview
The PR updates Opengrep to 1.17.0 and introduces new i18n rules, but several issues should prevent merging in its current state. The static analysis patterns for Python number formatting and C++ std::setprecision are overly broad and will likely cause high false-positive rates in non-user-facing code like logs or data serialization. Additionally, the PR is missing a required test source file (Order.cpp), lacks a description, and contains a potential credential exposure in the Dockerfile. These implementation gaps undermine the reliability of the new rules.
About this PR
The source file 'Order.cpp' referenced in the expected test results (results.xml) is missing from the PR diff. This prevents full validation of the new C++ i18n rules.
The Dockerfile contains a redacted secret token ([REDACTED:AWS_SECRET]) in a curl command. This indicates a hardcoded credential pattern in the build process which should be replaced with build secrets or environment variables.
The PR lacks a description, providing no context for the added i18n rules or the dependency update. Please provide a summary of the changes and the rationale for the specific rule configurations.
Test suggestions
Detect hardcoded string concatenation in Python print() calls\n- [x] Detect hardcoded date format strings in Python strftime()\n- [x] Detect fixed-point number formatting specifiers in Python f-strings\n- [x] Detect hardcoded string literals in C++ std::cout streams\n- [x] Detect hardcoded date format strings in C++ strftime()\n- [x] Detect usage of std::setprecision for number formatting in C++
The reason will be displayed to describe this comment to others. Learn more.
🟡 MEDIUM RISK
The global regex :\.[0-9]+f is too generic and will flag matches in comments, documentation, or technical strings (like other regexes). Update the rule codacy.python.i18n.no-hardcoded-number-format to use structural Semgrep patterns for f-strings and .format() calls instead of a global pattern-regex.
The reason will be displayed to describe this comment to others. Learn more.
🟡 MEDIUM RISK
Suggestion: This fallback error message is hardcoded and won't be translated, which is inconsistent with the i18n practices being established. Since the new 'no-hardcoded-print-concat' rule only flags concatenation, this f-string is missed. Use a translation wrapper: print(_("Language {lang} not supported").format(lang=lang)).
The reason will be displayed to describe this comment to others. Learn more.
🟡 MEDIUM RISK
Suggestion: This rule will flag technical formatting that doesn't require localization (e.g., logging or data serialization). Narrow the codacy.cpp.i18n.no-hardcoded-number-format rule to only flag std::setprecision when it's part of a stream expression involving std::cout or similar user-facing streams.
The reason will be displayed to describe this comment to others. Learn more.
⚪ LOW RISK
Suggestion: The rationale for flagging hardcoded number formatting is that decimal separators (period vs. comma) are locale-dependent. Using :.Nf forces a period, which is incorrect for many locales. Consider adding this context to the rule description to help users understand the i18n impact.
The reason will be displayed to describe this comment to others. Learn more.
locale.setlocale(locale.LC_ALL, current_locale) is passed values like "en"/"fr", which are not valid locale identifiers on many systems (commonly raises locale.Error: unsupported locale setting). Consider mapping language codes to concrete locales (e.g., "en_US.UTF-8", "fr_FR.UTF-8") and setting the locale once when switching languages (with a safe fallback) rather than inside the per-order loop.
The reason will be displayed to describe this comment to others. Learn more.
summary() calls locale.currency(total, grouping=True) without ensuring a usable locale has been set. If the process locale is the default "C" locale (or if list_orders() hasn’t run yet / setlocale fails), this can raise ValueError: Currency formatting is not possible using the 'C' locale. Set the locale before currency formatting (or handle failures) to keep this sample runnable.
The reason will be displayed to describe this comment to others. Learn more.
CI/README build examples pass --build-arg TOOL_VERSION=$(cat .tool_version), but this Dockerfile only defines/uses OPENGREP_VERSION. As a result, the build arg has no effect and .tool_version can drift from the opengrep binary version. Consider renaming the ARG to TOOL_VERSION (or updating CI/docs to pass OPENGREP_VERSION) and wiring it through consistently.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
![codacy-production[bot]](https://avatars.githubusercontent.com/in/56611?s=60&v=4){kind=small}
No description provided.