False positive: style/external-reference about regal HOT 2 CLOSED

Briefly looked into this now, and it's really the use of the unification operator (=) that's the culprit here. Unification is neat, but really hard to work with when using the AST alone. It is so because we'll need to determine whether a var is an input var or an output var, and if it's defined anywhere else in the scope, and not necessarily in order.

To provide an example, this would be a valid rule:

weird if {
    x == 5
    y == 1
    
    y = 1
    x = 5
}

While this is a compile time error:

weird if {
    x == 5
    y == 1
    
    y := 1
    x := 5
}

So rather than doing some unverified_header, unverified_payload, I'd recommend using the assignment operator (:=) to avoid this.

[unverified_header, unverified_payload] = decode_jwt(jwt)

->

[unverified_header, unverified_payload] := decode_jwt(jwt)

That will come with the additional benefit of having strict mode flag unverified_payload as unused:

1 error occurred: policy.rego:26: rego_compile_error: assigned var unverified_payload unused

I'd like to one day make a larger effort to have Regal deal with unification, in whatever way that may be... and that's even one of the first issues created in #4

But that'll be something much larger, and I don't think we can do this as a bugfix. So I'll close this for now provided there's a good workaround, and we'll tackle this in #4 when we get there. Perhaps a custom (and optional) rule to avoid the unification operator altogether could be an interesting first step towards something more nuanced 🙂

Either way, thanks for reporting this! And keep filing issues when you encounter them. Much appreciated!

from regal.

Thanks @Od1nB 👍 I'll try to get a fix in for the next release.

from regal.