Status: Closed
Labels: enhancement (New feature or request)
Description
#233 highlights a source of user confusion: zizmor currently operates at the level of YAML element spans, so many findings appear to have "identical" spans when what they actually flag is a substring (such as an expression) within a single YAML string.
For example, these two findings look like duplicates, but are really slightly different spans within the same parent span:
```
info[template-injection]: code injection via template expansion
  --> /Users/wtan/Projects/zizmor/docs.yml:55:9
   |
55 |       - name: Update Docs Reference Section and Push Changes
   |         ---------------------------------------------------- info: this step
56 |         continue-on-error: true
57 |         run: |
   |  _________-
58 | |         python docs/build_reference.py
...  |
66 | |         echo "No changes to commit"
67 | |         fi
   | |____________- info: github.head_ref may expand into attacker-controllable code
   |
   = note: audit confidence → Low
info[template-injection]: code injection via template expansion
  --> /Users/wtan/Projects/zizmor/docs.yml:55:9
   |
55 |       - name: Update Docs Reference Section and Push Changes
   |         ---------------------------------------------------- info: this step
56 |         continue-on-error: true
57 |         run: |
   |  _________-
58 | |         python docs/build_reference.py
...  |
66 | |         echo "No changes to commit"
67 | |         fi
   | |____________- info: github.ref may expand into attacker-controllable code
   |
   = note: audit confidence → Low
```
I need to figure out a good way to represent and highlight these.
h/t @Ninja3047
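As an added illustration (not zizmor's code), here is one way to give each `${{ ... }}` expression its own sub-span inside the parent `run:` block, so the two findings above would report distinct locations instead of sharing the whole block's span. The script contents and the block's starting position (line 58, column 11) are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample: a literal block scalar (`run: |`) whose first content
# character sits at line 58, column 11 of the workflow file (assumed position).
RUN_BLOCK_START = (58, 11)
RUN_BLOCK = (
    "python docs/build_reference.py\n"
    'git checkout -b "update-docs-${{ github.head_ref }}"\n'
    "git push origin HEAD:${{ github.ref }}\n"
    'echo "No changes to commit"\n'
)

# GitHub Actions expressions are written as ${{ ... }}.
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")

@dataclass(frozen=True)
class Finding:
    expr: str
    start: tuple  # (line, col), 1-based, in the enclosing workflow file
    end: tuple    # exclusive end, same coordinates

def offset_to_pos(text, offset, origin):
    """Map a character offset inside `text` to a (line, col) in the file.
    `origin` is the (line, col) of text[0]. Assumes a literal block scalar
    whose continuation lines share the first line's indentation (YAML strips
    that indent from the value), so the same column offset applies per line."""
    line0, col0 = origin
    before = text[:offset]
    newlines = before.count("\n")
    if newlines == 0:
        return (line0, col0 + len(before))
    return (line0 + newlines, col0 + len(before) - before.rfind("\n") - 1)

def sub_span_findings(text, origin):
    """One finding per expression, each with its own sub-span instead of the
    whole-block span that makes the two findings above look identical."""
    return [
        Finding(m.group(1),
                offset_to_pos(text, m.start(), origin),
                offset_to_pos(text, m.end(), origin))
        for m in EXPR_RE.finditer(text)
    ]

if __name__ == "__main__":
    for f in sub_span_findings(RUN_BLOCK, RUN_BLOCK_START):
        print(f"{f.expr}: {f.start[0]}:{f.start[1]}..{f.end[1]}")
```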