Page MenuHomePhabricator
Create Task
Maniphest T4348

Provide a workflow for "auditing a codebase" via Nuance or some new tool
Open, WishlistPublic
Actions

Assigned To
None
Authored By
epriestley
Jan 27 2014, 5:27 PM
Tags
Referenced Files
None
Subscribers
amckinley
asherkin
avivey
benjamin.cohen-solal
btrahan
cspeckmim
eadler
View All 19 Subscribers
Tokens
"Like" token, awarded by siepkes."Like" token, awarded by ralph.van.etten."Like" token, awarded by cspeckmim.

Description

An occasional request is roughly:

I have an existing codebase, and want to audit the whole thing. How can I do this / create an audit for every commit?

I'm not sure this is really ever an especially valuable thing to do, but we don't have any answer right now, beyond "you probably don't actually want to do that". One issue with this approach is that it's almost certainly not the best one, even if auditing is desirable: a file-oriented approach is much better than a commit-oreinted approach, because you have no way to tell if a bug you spot was fixed later when auditing commit-by-commit.

Facebook had a tool for doing manual file operations against the codebase ("Mochi", I think?), where it would make a small task for every file and had some tools to track progress, assign files, mark them completed, etc. This was used to translate the codebase, and I think a few other times for other tasks. My sense was that it was not hugely popular/effective, but did seem like a reasonable solution to the i18n issue, at least.

Building a similar tool might make sense, and it could be used to express "audit a codebase" (this audit wouldn't be very good, but it would make most of the people who want this happy). It might also make sense to try to plug most of this workflow into Nuance, since the actual mechanical work (human processing of a big queue of stuff, locking items, etc.) is a good fit.

This request is rare and I question how useful it ever really is. It seems like the kind of thing that sounds good on paper but is probably not ever actually effective. The number of hours required to seriously audit a codebase in a comprehensive way is just enormous, and I think looking at a codebase commit-by-commit or file-by-file isn't an effective way to audit it comprehensively: it's fine for stuff like i18n, where the task was "find all untranslated strings and mark them for translation", but the most important things to catch in audit are large ideas which span across commits and files (e.g., "the security model makes unsafe assumptions in its core, which are violated at the edges"). I would guess very few engineers can identify broad problems like that by examining a codebase file-by-file.

Related Objects

Event Timeline

epriestley created this task.Jan 27 2014, 5:27 PM
epriestley raised the priority of this task from to Wishlist.
epriestley updated the task description. (Show Details)
epriestley added a project: Diffusion.
epriestley added subscribers: epriestley, btrahan, asherkin.
benjamin.cohen-solal closed this task as a duplicate.Mar 5 2014, 10:55 AM

✘ Merged into T4555.

epriestley reopened this task as Open.Mar 5 2014, 2:42 PM
epriestley added a subscriber: benjamin.cohen-solal.

◀ Merged tasks: T4555.

avivey added a subscriber: avivey.Oct 31 2014, 9:30 PM
epriestley mentioned this in T5722: Support meta-audit of arbitrary baskets of nonadjacent commits.Dec 8 2014, 7:23 PM

T5722 mentions a use case for this related to regulatory compliance (roughly, period audit if segments of a codebase). This is similar to the Mochi/i18n use cases.

cspeckmim awarded a token.Dec 8 2014, 7:29 PM
cspeckmim added a subscriber: cspeckmim.
liuxinyu970226 added a subscriber: liuxinyu970226.Feb 5 2015, 12:22 PM
ralph.van.etten added a subscriber: ralph.van.etten.Feb 9 2015, 12:14 PM
chad mentioned this in T7264: In differential, it would be interesting to know which commit affected a given line.Feb 14 2015, 2:49 AM
avivey mentioned this in T8273: Discussion about existing source code.May 20 2015, 9:23 PM
avivey merged a task: T8273: Discussion about existing source code.
avivey added subscribers: fabe, joshuaspence, timor.
eadler added a subscriber: eadler.Jun 9 2015, 1:58 AM
jrioux added a subscriber: jrioux.Sep 3 2015, 12:19 PM
epriestley merged a task: T5744: Create obvious way to create an audit from Diffusion.Jan 5 2016, 9:17 PM
epriestley added a subscriber: wotte.
epriestley added a comment.Jan 5 2016, 9:19 PM

T5744 mentions another narrower and more reasonable use case (get specific badness which matches some pattern fixed), which is similar to the Mochi/i18n stuff.

ralph.van.etten awarded a token.Jan 8 2016, 3:59 PM
epriestley mentioned this in T8612: Improve handling of "large" changesets.Jan 8 2016, 11:16 PM
chad mentioned this in Q323: Audit history of file.Feb 26 2016, 4:06 AM
kaidowei added a subscriber: kaidowei.Apr 7 2016, 11:00 AM
mjklaim added a subscriber: mjklaim.Aug 24 2016, 6:11 PM
epriestley mentioned this in T11676: For task with many dependencies, cannot scroll horizontally in Task Graph for certain widths (overflow is clipped).Sep 21 2016, 2:37 PM
epriestley moved this task from Backlog to Far Future on the Diffusion board.Feb 2 2017, 3:57 PM
avivey mentioned this in Z1336: General Chat.Apr 4 2017, 10:35 PM
chad mentioned this in Q618: Open audit for whole branch.May 16 2017, 10:44 PM
avivey added a comment.Sep 23 2017, 8:38 PM

For record-keeping, this was asked again in https://discourse.phabricator-community.org/t/469

hskiba added a subscriber: hskiba.Jun 27 2018, 12:37 PM
siepkes awarded a token.Oct 28 2019, 12:40 PM
Herald added a subscriber: amckinley. · View Herald TranscriptOct 28 2019, 12:40 PM
siepkes added a subscriber: siepkes.Oct 28 2019, 12:42 PM
Phabricator · Built by Phacility