test: add test that check project generation using snapshot testing #103

Merged
merged 6 commits into from
Dec 2, 2021


derberg
Member

@derberg derberg commented Dec 2, 2021

This PR is the best example that shows how to add to template tests based on snapshot testing. All files in the PR are needed for any other project except for:

@derberg derberg marked this pull request as ready for review December 2, 2021 15:35
@derberg derberg requested a review from fmvilas December 2, 2021 15:38
test/integration.test.js Outdated
test/integration.test.js Outdated
@derberg derberg requested a review from fmvilas December 2, 2021 16:04
fmvilas
fmvilas previously approved these changes Dec 2, 2021
@derberg
Member Author

derberg commented Dec 2, 2021

@fmvilas now I know why I did not use Math.random as then I would have to ask sonar cloud to ignore security in tests... Are you very strongly opinionated about not using crypto? I think it is better really

@derberg derberg requested a review from fmvilas December 2, 2021 17:05
@fmvilas
Member

fmvilas commented Dec 2, 2021

I'm not opinionated but Sonar Cloud says:

When software generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that will be generated, and use this guess to impersonate another user or access sensitive information.

As the Math.random() function relies on a weak pseudorandom number generator, this function should not be used for security-critical applications or for protecting sensitive data. In such context, a cryptographically strong pseudorandom number generator (CSPRNG) should be used instead.

I don't think it's our case here. We should be fine with random. If an attacker guesses the next random number, good for them! 😂

@derberg
Member Author

derberg commented Dec 2, 2021

@fmvilas I'm not afraid of real security issues, these are tests. Just that there are 2 options:

  • we use crypto and do not add any sonar cloud config file
  • we use Math and add sonar cloud config file where we tell it to ignore security checks in tests

I prefer first option as it means one less file 😄

@fmvilas
Member

fmvilas commented Dec 2, 2021

Isn't there a way to ignore SonarCloud on that line only? Like eslint-disable or similar? If that's not possible then yeah, let's go for crypto.

Another option is not to use Math.random but to use Date.now(), which gives you a timestamp and would do the trick as well.

@derberg
Member Author

derberg commented Dec 2, 2021

@fmvilas love it, added Date.now().toString() instead!
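
Added example, not part of the PR or the project's code: the three options weighed in this thread (crypto, Math.random, Date.now) side by side for Node.js, with a collision counter that shows the practical difference when the value only has to be unique. A timestamp repeats when requested twice in the same millisecond and is predictable, which matters only if something depends on the value being unguessable. The function names and the test-output-folder use case are assumptions.

```javascript
// Added example, not code from the PR. Using the suffix for a test output
// folder is an assumption; all function names here are hypothetical.
const { randomBytes } = require('crypto');

// CSPRNG-backed suffix: 8 random bytes rendered as 16 hex characters.
function cryptoSuffix() {
  return randomBytes(8).toString('hex');
}

// Math.random() is the call SonarCloud flags: fine for uniqueness in tests,
// never for tokens, passwords or anything an attacker must not guess.
function mathRandomSuffix() {
  return Math.random().toString(36).slice(2);
}

// Millisecond timestamp, as merged in the PR. `now` is injectable so the
// behaviour can be checked with a fixed clock.
function timestampSuffix(now = Date.now) {
  return now().toString();
}

// Timestamp plus a per-generator counter: unique within one process even when
// several values are requested in the same millisecond. Still predictable.
function makeCounterSuffix(now = Date.now) {
  let counter = 0;
  return () => `${now()}-${counter++}`;
}

// Call a generator n times back to back and count repeated values.
function countCollisions(generate, n) {
  const seen = new Set();
  let collisions = 0;
  for (let i = 0; i < n; i++) {
    const value = generate();
    if (seen.has(value)) collisions++;
    seen.add(value);
  }
  return collisions;
}

console.log({
  crypto: countCollisions(cryptoSuffix, 1000),
  mathRandom: countCollisions(mathRandomSuffix, 1000),
  timestamp: countCollisions(() => timestampSuffix(), 1000),
  timestampCounter: countCollisions(makeCounterSuffix(), 1000),
});
```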

@sonarqubecloud

sonarqubecloud bot commented Dec 2, 2021

Kudos, SonarCloud Quality Gate passed!

  • Bug: A (0 Bugs)
  • Vulnerability: A (0 Vulnerabilities)
  • Security Hotspot: A (0 Security Hotspots)
  • Code Smell: A (0 Code Smells)
  • Coverage: No Coverage information
  • Duplication: 0.0%

Member

@fmvilas fmvilas left a comment

:shipit:

@derberg derberg merged commit 4ad438a into asyncapi:master Dec 2, 2021
@derberg derberg deleted the addsnapshottests branch December 2, 2021 17:23
@asyncapi-bot
Contributor

🎉 This PR is included in version 0.11.3 🎉

The release is available on:

Your semantic-release bot 📦🚀
