[go: nahoru, domu]
Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

tests(snyk): assert upper bounds #9308

Merged
merged 9 commits into from
Jul 20, 2019
Merged

tests(snyk): assert upper bounds #9308

Changes from 8 commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
eafb5f9
deps(snyk): do not allow * in semver
connorjclark Jun 28, 2019
a24a38e
assert upper bounds
connorjclark Jun 28, 2019
a006050
update test name
connorjclark Jun 28, 2019
ba9bc7c
add comment
connorjclark Jul 8, 2019
e01212b
Update lighthouse-core/test/audits/dobetterweb/no-vulnerable-librarie…
connorjclark Jul 9, 2019
6ec1ae1
semver.Range
connorjclark Jul 9, 2019
441d4f8
merge
connorjclark Jul 9, 2019
55bf357
comments
connorjclark Jul 9, 2019
4653ba1
update
connorjclark Jul 10, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
39 changes: 39 additions & 0 deletions lighthouse-core/test/audits/dobetterweb/no-vulnerable-libraries-test.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@
const NoVulnerableLibrariesAudit =
require('../../../audits/dobetterweb/no-vulnerable-libraries.js');
const assert = require('assert');
const semver = require('semver');

/* eslint-env jest */
describe('Avoids front-end JavaScript libraries with known vulnerabilities', () => {
Expand Down Expand Up @@ -99,3 +100,41 @@ describe('Avoids front-end JavaScript libraries with known vulnerabilities', ()
assert.equal(auditResult.score, 1);
});
});

// https://github.com/npm/node-semver/issues/166#issuecomment-245990039
function hasUpperBound(rangeString) {
const range = new semver.Range(rangeString);
if (!range) return false;

// For every subset ...
for (const subset of range.set) {
// Upperbound exists if...

// < or <= is in one of the subset's clauses (= gets normalized to >= and <).
if (subset.some(comparator => comparator.operator.match(/^</))) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure this entirely works. A rangeString of '*' ends up throwing here, for instance.

We have an untested homegrown solution vs a tested (by semver) but ugly gtr solution...

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A rangeString of '*' ends up throwing here, for instance.

Isn't that kinda desired behavior? :)

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure this entirely works. A rangeString of '*' ends up throwing here, for instance.

Fixed.

We have an untested homegrown solution vs a tested (by semver) but ugly gtr solution...

Added tests.

continue;
}

// Subset has a prerelease tag (operator will be empty).
if (subset.length === 1 && subset[0].operator === '') {
continue;
}

// No upperbound for this subset.
return false;
}

return true;
}

describe('every snyk vulnerability has an upper bound', () => {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

needs an it() or changed to it and nested in a describe() above, otherwise on failures you end up with

Screen Shot 2019-07-10 at 11 52 18

for (const vulns of Object.values(NoVulnerableLibrariesAudit.snykDB.npm)) {
for (const vuln of vulns) {
for (const semver of vuln.semver.vulnerable) {
if (!hasUpperBound(semver)) {
assert.fail(`invalid semver: ${semver}. Must contain an upper bound`);
}
}
}
}
});