GLITCH 2.0.0 #73

Open
Nfsaavedra wants to merge 322 commits into main from interactive_repair

Conversation

@Nfsaavedra (Member)

GLITCH 2.0.0 Release Notes

This major release introduces significant new features, including an interactive repair system (Infrafix), a Rego policy engine for smell detection, and extensive improvements to all parsers and the intermediate representation.


Highlights

  • Interactive Repair System (Infrafix): Automatically generate and apply patches to fix IaC issues
  • Rego Policy Engine: Design and security smells can now be analyzed via Rego queries
  • Enhanced Parsers: Major improvements to Ansible, Chef, Puppet, Terraform, and GitHub Actions parsers
  • Richer Intermediate Representation: Extended IR with better position tracking and new expression types

New Features

Interactive Repair (Infrafix)

A new CLI subcommand glitch infrafix enables interactive repair of IaC scripts using constraint solving with Z3.

Usage:

glitch infrafix --tech <tech> --pid <process_id> <path_to_file>

Components:

  • glitch/repair/interactive/main.py - Orchestration layer for the repair workflow
  • glitch/repair/interactive/solver.py - Z3-based constraint solver for patch generation
  • glitch/repair/interactive/compiler/ - DeltaP compiler for translating IR to constraints
  • glitch/repair/interactive/tracer/ - System call tracer for runtime analysis
  • glitch/repair/interactive/llm_solver.py - LLM integration for repair suggestions

Capabilities:

  • Trace running processes to identify affected filesystem paths
  • Compile IaC scripts to DeltaP constraints
  • Generate candidate patches using Z3 solver
  • Present unified diffs for review
  • Apply selected patches to source files
  • Support for packages, services, users, and file resources
  • Memory limits and timeouts for solver execution

Rego Policy Engine Integration

Smell detection can now be performed using Rego queries, enabling declarative policy-based analysis.

New Components:

  • glitch/rego/engine.py - Bridge between Rego engine and GLITCH analysis pipeline
  • glitch/rego/rego_python/ - Python wrapper for the Go-based Rego library
  • glitch/rego/queries/ - Rego query files for smell detection

Design Smell Queries (6):

| Query file | Smell |
| --- | --- |
| design_avoid_comments.rego | Excessive comments |
| design_imperative_abstraction.rego | Imperative abstraction patterns |
| design_long_resource.rego | Long resource definitions |
| design_misplaced_attribute.rego | Misplaced attributes |
| design_multifaceted_abstraction.rego | Multifaceted abstractions |
| implementation_too_many_variables.rego | Too many variables |

Security Smell Queries (13):

| Query file | Smell |
| --- | --- |
| sec_def_admin.rego | Admin by default |
| sec_empty_pass.rego | Empty password |
| sec_full_permission_filesystem.rego | Full filesystem permissions |
| sec_hard_pass.rego | Hardcoded password |
| sec_hard_secr.rego | Hardcoded secrets |
| sec_hard_user.rego | Hardcoded username |
| sec_https.rego | HTTP without TLS |
| sec_invalid_bind.rego | Invalid IP binding |
| sec_no_default_switch.rego | Missing default in switch |
| sec_no_int_check.rego | No integrity check |
| sec_obsolete_command.rego | Obsolete commands |
| sec_susp_comm.rego | Suspicious comments |
| sec_weak_crypt.rego | Weak cryptography |

Rego Library:

  • glitch/rego/queries/library/glitch_lib.rego - Shared helper functions for Rego queries

Installation:
Pre-built binaries are available for Linux, macOS, and Windows. See README.md for download links and build instructions.


Parser Improvements

Ansible Parser (glitch/parsers/ansible.py)

  • Support for become directive
  • Improved Jinja2 expression handling (filters, pow operator, expressions without quotes)
  • Better hierarchical variable support
  • Support for set_fact module
  • Enhanced node position tracking (line, column, end_line, end_column)

Chef Parser (glitch/parsers/chef.py)

  • Support for brace_block and method_add_block constructs
  • Improved handling of do blocks inside atomic units
  • Better case statement parsing with proper line tracking
  • Support for AddArgs construct
  • Enhanced handling of classes, methods, and modules
  • Improved string parsing (heredocs, interpolation)

Puppet Parser (glitch/parsers/puppet.py)

  • Temporary handling of chaining operators
  • Improved conditional statement handling
  • Better support for strings without quotes
  • Enhanced case statement line tracking
  • Consistent $ prefix for variable references
  • Improved selector expression support

Terraform Parser (glitch/parsers/terraform.py)

  • Complete refactoring for better maintainability
  • Support for function calls (with and without arguments)
  • Support for conditional expressions (ternary operator)
  • Support for operations (arithmetic, comparison, logical)
  • Support for locals blocks
  • Fixed string interpolation parsing
  • Better handling of dynamic blocks

GitHub Actions Parser (glitch/parsers/gha.py)

  • Enhanced position tracking for all elements
  • Improved handling of workflow structures

Intermediate Representation Enhancements

New Expression Types

  • Undef - Represents undefined values
  • AddArgs - Ruby additional arguments construct
  • BlockExpr - Block expressions

Enhanced ElementInfo

All IR elements now include comprehensive position information:

  • line - Starting line number
  • column - Starting column number
  • end_line - Ending line number
  • end_column - Ending column number

UnitBlock Improvements

  • Added num_lines field to track file line counts (needed for Rego analysis)
  • Improved as_dict() serialization for Rego compatibility
  • Enhanced __repr__ for atomic units

New Constructs

  • ConditionalStatement now includes is_top flag
  • Better support for KeyValue pairs in hash structures
  • Enhanced FunctionCall with anonymous function support

Test Suite Reorganization

Tests have been moved from glitch/tests/ to project root tests/:

tests/
├── base_test.py           # Shared test utilities
├── cli/                   # CLI tests
├── design/                # Design smell tests
│   ├── ansible/
│   ├── chef/
│   ├── gha/
│   ├── puppet/
│   └── terraform/
├── hierarchical/          # Hierarchical variable tests
├── parser/                # Parser unit tests
│   ├── ansible/
│   ├── chef/
│   ├── gha/
│   ├── puppet/
│   └── terraform/
├── repair/                # Interactive repair tests
│   └── interactive/
└── security/              # Security smell tests
    ├── ansible/
    ├── chef/
    ├── puppet/
    └── terraform/

CI/CD Improvements

New Workflows

  • Rego Python Build (.github/workflows/rego_python.yml)
    • Cross-platform binary compilation (Linux, macOS, Windows)
    • Multi-architecture support (amd64, arm64)
    • Automated artifact packaging

Updated Workflows

  • Lint (.github/workflows/lint.yml)
    • Updated Python version handling

Breaking Changes

Configuration Changes

  • Added glitch/configs/default.json for Rego configuration
  • Updated glitch/configs/terraform.ini with new smell definitions
  • INI to JSON conversion happens automatically at runtime

API Changes

  • CLI now uses subcommands: glitch lint, glitch repr, glitch infrafix
  • Security analysis visitor moved to package structure
  • Test imports changed due to test directory relocation

Dependencies

New Dependencies

  • z3-solver (^4.12.4.0) - Constraint solver for interactive repair
  • typing-extensions (^4.12.2) - Extended typing support
  • pyright (1.1.408) - Static type checking

Updated Dependencies

  • pandas updated to 2.3.3
  • puppetparser updated to 0.2.14
  • Various dependency version bumps

Custom Dependencies

  • Jinja2 - Using fork with token location support
  • python-hcl2 - Using branch with HCL2 reverse transformer

Configuration

Type Checking

Strict type checking is now enforced via pyright:

[tool.pyright]
typeCheckingMode = "strict"
stubPath = "stubs"

New Stubs

  • Updated stubs/z3.pyi for Z3 solver
  • Updated stubs/ruamel/yaml/nodes.pyi

Migration Guide

For CLI Users

# Old (1.x)
glitch --tech ansible path/to/file

# New (2.0)
glitch lint --tech ansible path/to/file

For Rego Users

  1. Download the appropriate Rego binary for your platform
  2. Place it in glitch/rego/rego_python/src/rego_python/bin/
  3. Verify installation: python -c "from glitch.rego.rego_python.src.rego_python import run_rego; print('OK')"

Contributors

Thanks to all contributors who made this release possible.


Full Changelog

For the complete list of changes, see the commit history.
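The release notes above list the security-smell queries (sec_hard_pass, sec_empty_pass, sec_full_permission_filesystem, sec_invalid_bind, sec_https, sec_weak_crypt, and others) and the richer per-element position information in the IR, but do not show what such a check looks like end to end. The following is an added example, not GLITCH's own code and not its Rego queries: it implements six of the listed checks in plain Python over a small, constructed IR-like input and reports each finding with the file, line and column a reviewer would jump to. The IR shape used here (atomic units holding key/value attributes with line/column/end_line/end_column), the attribute-name heuristics, the `is_reference` rule for telling a variable reference from a literal, and the sample manifest are all assumptions made for the example; GLITCH's real IR classes and the schema its Rego queries consume are not reproduced.

```python
"""Added illustration of several security-smell checks named in the GLITCH 2.0.0
release notes. Example code only: not GLITCH's own analysis code or Rego queries.
The IR shape, key heuristics and sample input below are assumptions for the example."""
from dataclasses import dataclass, field
import re


@dataclass
class Attribute:
    """A key/value pair with the start/end position an editor can jump to."""
    name: str
    value: str
    line: int
    column: int
    end_line: int
    end_column: int


@dataclass
class AtomicUnit:
    """A resource (package, file, service, ...) and its attributes."""
    name: str
    type: str
    attributes: list[Attribute] = field(default_factory=list)


@dataclass
class Smell:
    smell: str    # name of the query that would have fired
    path: str
    line: int
    column: int
    detail: str


# Heuristics (assumed for the example): which keys carry passwords, permissions, bind addresses.
PASSWORD_KEY = re.compile(r"(pass(word|wd)?|pwd)$", re.I)
WEAK_CRYPTO = re.compile(r"\b(md5|sha1|des|rc4)\b", re.I)
FULL_PERMS = {"777", "0777", "0o777", "a+rwx", "ugo+rwx"}
INVALID_BIND = {"0.0.0.0", "::", "*"}
BIND_KEYS = {"bind", "bind_address", "listen", "listen_address", "host"}
PERM_KEYS = {"mode", "permissions", "file_mode"}


def is_reference(value: str) -> bool:
    """True when the value refers to a variable rather than being a literal
    (Puppet $var, Ansible {{ var }}, Terraform var./local./data./${...})."""
    v = value.strip()
    return v.startswith(("$", "{{", "${", "var.", "local.", "data."))


def check_unit(path: str, unit: AtomicUnit) -> list[Smell]:
    """Run the six checks over one atomic unit and return positioned findings."""
    findings: list[Smell] = []
    for a in unit.attributes:
        key = a.name.lower()
        val = a.value.strip().strip("'\"")   # drop surrounding quotes of the literal
        where = (path, a.line, a.column)
        if PASSWORD_KEY.search(key):
            if val == "":
                findings.append(Smell("sec_empty_pass", *where, f"{a.name} is empty"))
            elif not is_reference(val):
                findings.append(Smell("sec_hard_pass", *where, f"{a.name} is a literal"))
        if key in PERM_KEYS and val in FULL_PERMS:
            findings.append(Smell("sec_full_permission_filesystem", *where, f"{a.name}={val}"))
        if key in BIND_KEYS and val in INVALID_BIND:
            findings.append(Smell("sec_invalid_bind", *where, f"{a.name}={val}"))
        if re.search(r"\bhttp://", val, re.I):
            findings.append(Smell("sec_https", *where, f"{a.name} uses plain HTTP"))
        if WEAK_CRYPTO.search(val):
            findings.append(Smell("sec_weak_crypt", *where, f"{a.name}={val}"))
    return findings


def analyze(path: str, units: list[AtomicUnit]) -> list[Smell]:
    return [s for u in units for s in check_unit(path, u)]


# Constructed sample input, loosely shaped like a Puppet manifest; positions are made up.
SAMPLE_UNITS = [
    AtomicUnit("db", "mysql::server", [
        Attribute("root_password", "'hunter2'", 3, 5, 3, 29),
        Attribute("bind_address", "'0.0.0.0'", 4, 5, 4, 27),
        Attribute("backup_password", "$backup_pw", 5, 5, 5, 30),   # reference: no smell
    ]),
    AtomicUnit("/etc/app/web.conf", "file", [
        Attribute("mode", "'0777'", 9, 5, 9, 17),
    ]),
    AtomicUnit("app", "service", [
        Attribute("api_url", "'http://api.internal/v1'", 14, 5, 14, 38),
        Attribute("digest", "'md5'", 15, 5, 15, 18),
        Attribute("admin_password", "''", 16, 5, 16, 22),
    ]),
]


def run_sample() -> list[Smell]:
    return analyze("manifests/app.pp", SAMPLE_UNITS)


if __name__ == "__main__":
    for s in run_sample():
        print(f"{s.path}:{s.line}:{s.column}: {s.smell} ({s.detail})")
```

Running the file prints six findings, one per smell, with the line and column of the offending attribute; the `$backup_pw` reference is deliberately not reported, which is the distinction a hardcoded-password check has to make to avoid flagging every variable lookup.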

@Nfsaavedra Nfsaavedra requested a review from jff February 5, 2026 20:56