tests(snyk): assert upper bounds #9308
Conversation
|
Yeah I think we need to be stronger than no |
|
We'll need a process for anything more than just When snyk does its updating (the PR it auto-magically opens), is there a way for us to hook into it and make our changes on top? |
|
Yes, there's a script in our repo they run to trim it down, would be a good place for this. |
Every entry has an upper bound - good. is a hard one to grok (and luckily each clause is already given an upperbound) I actually thought there would be some entries with no upperbound, but I didn't see any. So let's just add the assertion that there isn't one, and address it if it ever gets triggered. |
|
|
||
| const clauses = semver.split('||'); | ||
| for (const clause of clauses) { | ||
| if (!clause.trim().startsWith('=') && !clause.includes('<')) { |
There was a problem hiding this comment.
maybe give a few examples here for easier parsing? I had to go checkout the snapshot to see why it's includes('<') but .trim().startsWith('=')
There was a problem hiding this comment.
I had to go checkout the snapshot to see why it's
includes('<')but.trim().startsWith('=')
hmm, I still don't understand why that's the case :).
Isn't something like '=5.0 >=10' valid with no upper bound? But it wouldn't fail this check. Or '<5.0 >=10'? Maybe I just don't understand what we're checking here :)
There was a problem hiding this comment.
well those aren't real ranges :)
I suppose it's a meta question of if we should be checking to see that they're valid ranges at all
There was a problem hiding this comment.
well those aren't real ranges :)
why aren't they? Isn't '=5.0 >=10' just saying 5.x or anything over 10 is vulnerable?
There was a problem hiding this comment.
well those aren't real ranges :)
this
valid ranges at all
doesn't make sense to validate snyk like that imo
There was a problem hiding this comment.
a space is an AND
OR is either || or a separate entry in the vulnerable array
so while it might technically be valid, nothing will ever satisfy the range '=5 >=10'
There was a problem hiding this comment.
semver package's validRange just verifies the string conforms to the grammar defined here: https://github.com/npm/node-semver/blob/ce6190e2b681700dcc5d7309fe8eda99941f712d/range.bnf not that the range is satisfiable.
There was a problem hiding this comment.
so while it might technically be valid, nothing will ever satisfy the range '=5 >=10'
Ah, I see your point, but it could also be '=11 >= 10'. I assume most of these are auto generated, so it doesn't seem out of the realm of possibility. See my other comment for one possibility rather than getting clever and hoping these ranges always make sense :)
There was a problem hiding this comment.
Ah, I see your point, but it could also be '=11 >= 10'
oh, no, wait, that's wrong. So I'll have to fall back to hand waving about invalid ranges :)
There was a problem hiding this comment.
doesn't make sense to validate snyk like that imo
didnt realize how easy it'd be to use semver to validate the ranges, sooo nvm. it's done indirectly with this test now.
lighthouse-core/test/audits/dobetterweb/no-vulnerable-libraries-test.js
Outdated
Show resolved
Hide resolved
|
|
||
| const clauses = semver.split('||'); | ||
| for (const clause of clauses) { | ||
| if (!clause.trim().startsWith('=') && !clause.includes('<')) { |
There was a problem hiding this comment.
I had to go checkout the snapshot to see why it's
includes('<')but.trim().startsWith('=')
hmm, I still don't understand why that's the case :).
Isn't something like '=5.0 >=10' valid with no upper bound? But it wouldn't fail this check. Or '<5.0 >=10'? Maybe I just don't understand what we're checking here :)
…s-test.js Co-Authored-By: Brendan Kenny <bckenny@gmail.com>
|
We found a Contributor License Agreement for you (the sender of this pull request), but were unable to find agreements for all the commit author(s) or Co-authors. If you authored these, maybe you used a different email address in the git commits than was used to sign the CLA (login here to double check)? If these were authored by someone else, then they will need to sign a CLA as well, and confirm that they're okay with these being contributed to Google. ℹ️ Googlers: Go here for more info. |
|
A Googler has manually verified that the CLAs look good. (Googler, please make sure the reason for overriding the CLA status is clearly documented in these comments.) ℹ️ Googlers: Go here for more info. |
|
I guess one question would be do we strictly require an upper bound? If there's an earlier valid version, should that be sufficient? If not, and we want to stick with requiring an upper bound, we could just use |
@connorjclark points out they use |
|
(I was hoping for |
|
kind of like what I was doing, but normalizes the ranges w/ |
|
We found a Contributor License Agreement for you (the sender of this pull request), but were unable to find agreements for all the commit author(s) or Co-authors. If you authored these, maybe you used a different email address in the git commits than was used to sign the CLA (login here to double check)? If these were authored by someone else, then they will need to sign a CLA as well, and confirm that they're okay with these being contributed to Google. ℹ️ Googlers: Go here for more info. |
|
A Googler has manually verified that the CLAs look good. (Googler, please make sure the reason for overriding the CLA status is clearly documented in these comments.) ℹ️ Googlers: Go here for more info. |
| // Upperbound exists if... | ||
|
|
||
| // < or <= is in one of the subset's clauses (= gets normalized to >= and <). | ||
| if (subset.some(comparator => comparator.operator.match(/^</))) { |
There was a problem hiding this comment.
I'm not sure this entirely works. A rangeString of '*' ends up throwing here, for instance.
We have an untested homegrown solution vs a tested (by semver) but ugly gtr solution...
There was a problem hiding this comment.
A rangeString of '*' ends up throwing here, for instance.
Isn't that kinda desired behavior? :)
There was a problem hiding this comment.
I'm not sure this entirely works. A rangeString of '*' ends up throwing here, for instance.
Fixed.
We have an untested homegrown solution vs a tested (by semver) but ugly gtr solution...
Added tests.
| return true; | ||
| } | ||
|
|
||
| describe('every snyk vulnerability has an upper bound', () => { |
There was a problem hiding this comment.
needs an it() or changed to it and nested in a describe() above, otherwise on failures you end up with
|
We found a Contributor License Agreement for you (the sender of this pull request), but were unable to find agreements for all the commit author(s) or Co-authors. If you authored these, maybe you used a different email address in the git commits than was used to sign the CLA (login here to double check)? If these were authored by someone else, then they will need to sign a CLA as well, and confirm that they're okay with these being contributed to Google. ℹ️ Googlers: Go here for more info. |
|
A Googler has manually verified that the CLAs look good. (Googler, please make sure the reason for overriding the CLA status is clearly documented in these comments.) ℹ️ Googlers: Go here for more info. |
see #8409 (comment)
Should
<=Xbe added to the end of everysemver.vulnerable, where X = the latest release within that major version?