-
Notifications
You must be signed in to change notification settings - Fork 9.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
tests(snyk): assert upper bounds #9308
Conversation
Yeah I think we need to be stronger than no |
We'll need a process for anything more than just When snyk does its updating (the PR it auto-magically opens), is there a way for us to hook into it and make our changes on top? |
Yes, there's a script in our repo they run to trim it down, would be a good place for this. |
Every entry has an upper bound - good.
is a hard one to grok (and luckily each clause is already given an upperbound) I actually thought there would be some entries with no upperbound, but I didn't see any. So let's just add the assertion that there isn't one, and address it if it ever gets triggered. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
|
||
const clauses = semver.split('||'); | ||
for (const clause of clauses) { | ||
if (!clause.trim().startsWith('=') && !clause.includes('<')) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
maybe give a few examples here for easier parsing? I had to go checkout the snapshot to see why it's includes('<')
but .trim().startsWith('=')
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I had to go checkout the snapshot to see why it's
includes('<')
but.trim().startsWith('=')
hmm, I still don't understand why that's the case :).
Isn't something like '=5.0 >=10'
valid with no upper bound? But it wouldn't fail this check. Or '<5.0 >=10'
? Maybe I just don't understand what we're checking here :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
well those aren't real ranges :)
I suppose it's a meta question of if we should be checking to see that they're valid ranges at all
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
well those aren't real ranges :)
why aren't they? Isn't '=5.0 >=10'
just saying 5.x or anything over 10 is vulnerable?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
well those aren't real ranges :)
this
valid ranges at all
doesn't make sense to validate snyk like that imo
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
a space is an AND
OR
is either ||
or a separate entry in the vulnerable
array
so while it might technically be valid, nothing will ever satisfy the range '=5 >=10'
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
semver package's validRange
just verifies the string conforms to the grammar defined here: https://github.com/npm/node-semver/blob/ce6190e2b681700dcc5d7309fe8eda99941f712d/range.bnf not that the range is satisfiable.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
so while it might technically be valid, nothing will ever satisfy the range '=5 >=10'
Ah, I see your point, but it could also be '=11 >= 10'
. I assume most of these are auto generated, so it doesn't seem out of the realm of possibility. See my other comment for one possibility rather than getting clever and hoping these ranges always make sense :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, I see your point, but it could also be '=11 >= 10'
oh, no, wait, that's wrong. So I'll have to fall back to hand waving about invalid ranges :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
doesn't make sense to validate snyk like that imo
didnt realize how easy it'd be to use semver
to validate the ranges, sooo nvm. it's done indirectly with this test now.
lighthouse-core/test/audits/dobetterweb/no-vulnerable-libraries-test.js
Outdated
Show resolved
Hide resolved
|
||
const clauses = semver.split('||'); | ||
for (const clause of clauses) { | ||
if (!clause.trim().startsWith('=') && !clause.includes('<')) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I had to go checkout the snapshot to see why it's
includes('<')
but.trim().startsWith('=')
hmm, I still don't understand why that's the case :).
Isn't something like '=5.0 >=10'
valid with no upper bound? But it wouldn't fail this check. Or '<5.0 >=10'
? Maybe I just don't understand what we're checking here :)
…s-test.js Co-Authored-By: Brendan Kenny <[email protected]>
We found a Contributor License Agreement for you (the sender of this pull request), but were unable to find agreements for all the commit author(s) or Co-authors. If you authored these, maybe you used a different email address in the git commits than was used to sign the CLA (login here to double check)? If these were authored by someone else, then they will need to sign a CLA as well, and confirm that they're okay with these being contributed to Google. ℹ️ Googlers: Go here for more info. |
A Googler has manually verified that the CLAs look good. (Googler, please make sure the reason for overriding the CLA status is clearly documented in these comments.) ℹ️ Googlers: Go here for more info. |
I guess one question would be do we strictly require an upper bound? If there's an earlier valid version, should that be sufficient? If not, and we want to stick with requiring an upper bound, we could just use |
@connorjclark points out they use |
(I was hoping for |
kind of like what I was doing, but normalizes the ranges w/ |
We found a Contributor License Agreement for you (the sender of this pull request), but were unable to find agreements for all the commit author(s) or Co-authors. If you authored these, maybe you used a different email address in the git commits than was used to sign the CLA (login here to double check)? If these were authored by someone else, then they will need to sign a CLA as well, and confirm that they're okay with these being contributed to Google. ℹ️ Googlers: Go here for more info. |
A Googler has manually verified that the CLAs look good. (Googler, please make sure the reason for overriding the CLA status is clearly documented in these comments.) ℹ️ Googlers: Go here for more info. |
// Upperbound exists if... | ||
|
||
// < or <= is in one of the subset's clauses (= gets normalized to >= and <). | ||
if (subset.some(comparator => comparator.operator.match(/^</))) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure this entirely works. A rangeString
of '*'
ends up throwing here, for instance.
We have an untested homegrown solution vs a tested (by semver) but ugly gtr
solution...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A rangeString of '*' ends up throwing here, for instance.
Isn't that kinda desired behavior? :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure this entirely works. A rangeString of '*' ends up throwing here, for instance.
Fixed.
We have an untested homegrown solution vs a tested (by semver) but ugly gtr solution...
Added tests.
return true; | ||
} | ||
|
||
describe('every snyk vulnerability has an upper bound', () => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We found a Contributor License Agreement for you (the sender of this pull request), but were unable to find agreements for all the commit author(s) or Co-authors. If you authored these, maybe you used a different email address in the git commits than was used to sign the CLA (login here to double check)? If these were authored by someone else, then they will need to sign a CLA as well, and confirm that they're okay with these being contributed to Google. ℹ️ Googlers: Go here for more info. |
A Googler has manually verified that the CLAs look good. (Googler, please make sure the reason for overriding the CLA status is clearly documented in these comments.) ℹ️ Googlers: Go here for more info. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is a net positive, even if about 27 lines longer than my really good gazillions idea :)
let's land
see #8409 (comment)
Should
<=X
be added to the end of everysemver.vulnerable
, where X = the latest release within that major version?