[NSP] badge with tests #1156
[NSP] badge with tests #1156
Conversation
paulmelnikow
added
the
service-badge
|
Hi! Thanks for this. Could you review the CI logs? The new service tests didn't run in the first CI pass, though I added brackets around |
|
I can't get the test to run locally via |
|
Does |
|
Got it! The local testing issue was a timing problem (the tests timeout if it takes more than 5 seconds to start - not sure why it takes so long on my machine). As for the badge generator it was a minor match-related bug. |
service-tests/nsp.js
Outdated
|
|
||
| t.create('get a package that does not exist') | ||
| .get('/npm/some-unknown-package.json') | ||
| .expectJSONTypes(Joi.object().keys({name: 'nsp', value: 'n/a'})) |
There was a problem hiding this comment.
Is it possible to distinguish between package not found and a server error? In the first case, it would be good to provide a more helpful error message. In the second case, would you please use invalid, which is consistent with the other badges?
There was a problem hiding this comment.
That's fair. Any preferred colorscheme for each? How would you recommend catching server errors?
There was a problem hiding this comment.
I'd suggest figuring out what a response looks like for a non-existent package, and testing for that specifically. Once you've identified and excluded that case, if available === false I'd say that's a server error.
Most of the other badges use the default color for errors.
service-tests/nsp.js
Outdated
|
|
||
| t.create('get a package without vulnerabilities') | ||
| .get('/npm/bronze.json') | ||
| .expectJSONTypes(Joi.object().keys({name: 'nsp', value: 'no known vulnerabilities'})) |
There was a problem hiding this comment.
Since these are both literals, you can write this a bit more concisely:
.expectJSON({ name: 'nsp', value: 'no known vulnerabilities' })
server.js
Outdated
| if (response !== null && response.statusCode === 404) { | ||
| badgeData.text[1] = 'invalid'; | ||
| } else if (error !== null || jsonResults === undefined) { | ||
| badgeData.text[1] = 'error'; |
There was a problem hiding this comment.
Though error might be more descriptive, for consistency, this one should be invalid. The one before should be something like package not found.
By the way, does NSP support scoped packages like @cycle/core? If so could you add a test to make sure it works for that too? It might require different quoting or a different regex.
There was a problem hiding this comment.
It looks like NSP supports scoped packages. I'll update the implementation to support them.
There was a problem hiding this comment.
I'll also add support for specific package versions - perhaps /nsp/npm/l/:package.:format for the latest version and /nsp/npm/v/:package/:version.:format for a specific version?
There was a problem hiding this comment.
To be consistent with the other badges, /nsp/npm/:package.:format for latest and /nsp/npm/:package/:version.:format for specific.
/l/ usually means license and /v/ means version. The equivalent here would be something like /nsp/count/npm/, if you thought there might be badges for other kinds of nsp data in the future.
|
I'm not sure why this latest build failed - I'm not using any escape characters where it claims I am [actual line], but I was able to add support for both version and scoped package in this latest commit. Locally I'm not getting the error at all. |
|
Travis tests on a commit created by merging your branch into master, which explains line number discrepancies with the branch (and tooling discrepancies). If you merge latest master into your dev branch and push that, you'll have parity locally with CI. Don't forget to |
server.js
Outdated
|
|
||
| sendBadge(format, badgeData); | ||
| } else { | ||
| nspRequestOptions.body.package.version = body.version; |
There was a problem hiding this comment.
Perhaps this would be easier to reason about if it passed the version into getNspResults as a parameter.
|
|
||
| const t = new ServiceTester({id: 'nsp', title: 'Node Security Platform'}) | ||
|
|
||
| const formats = { |
There was a problem hiding this comment.
I love the idea of generating a bunch of tests!
service-tests/nsp.js
Outdated
|
|
||
| const formatsKeys = Object.keys(formats) | ||
|
|
||
| for (let i = 0, len = formatsKeys.length; i < len; i++) { |
There was a problem hiding this comment.
You could write it like this:
Object.keys(formats).forEach(format => {
});
server.js
Outdated
| const pieces = match.input.split('/'); | ||
| let badgeData = getBadgeData('nsp', data); | ||
| let format = ''; | ||
| let nspRequestOptions = { |
There was a problem hiding this comment.
Since these identifiers are not reassigned, they can all be const.
templates/flat-square-template.svg
Outdated
| <text x="{{=((it.widths[0]+it.logoWidth+it.logoPadding)/2)*10}}" y="140" transform="scale(0.1)">{{=it.escapeXml(it.text[0])}}</text> | ||
| <text x="{{=(it.widths[0]+it.widths[1]/2-1)*10}}" y="140" transform="scale(0.1)">{{=it.escapeXml(it.text[1])}}</text> | ||
| <text x="{{=(((it.widths[0]+it.logoWidth+it.logoPadding)/2)+1)*10}}" y="140" transform="scale(0.1)" textLength="{{=(it.widths[0]-(10+it.logoWidth+it.logoPadding))*10}}" lengthAdjust="spacing">{{=it.escapeXml(it.text[0])}}</text> | ||
| <text x="{{=(it.widths[0]+it.widths[1]/2-1)*10}}" y="140" transform="scale(0.1)" textLength="{{=(it.widths[1]-10)*10}}" lengthAdjust="spacing">{{=it.escapeXml(it.text[1])}}</text> |
There was a problem hiding this comment.
Could you reset these files? e.g. git checkout master templates/flat-square-template.svg, and then commit, should do it.
server.js
Outdated
|
|
||
| request(npmURL, npmRequestOptions, (error, response, body) => { | ||
| if (response !== null && response.statusCode === 404) { | ||
| // NOTE: in POST requests nsp does not distinguish between 'package not found' and 'no known vulnerabilities'. To keep consistency in the use case where a version is provided (which skips `getNpmVersionThenNspResults()` altogether) we'll say 'no known vulnerabilities' since it is technically true in both cases |
There was a problem hiding this comment.
Could you break this comment around 80 characters for legibility?
server.js
Outdated
| // D: /nsp/npm/@:scope/:package/:version.:format | ||
| const pieces = match.input.split('/'); | ||
| const badgeData = getBadgeData('nsp', data); | ||
| const nspRequestOptions = { |
There was a problem hiding this comment.
It's difficult to understand how data is flowing between the main body of this badge provider and the local functions. To make this clearer, could you declare this nspRequestOptions structure inside getNspResults instead? You could pass in the package name as a parameter, like you're doing with the package version.
server.js
Outdated
| }); | ||
| } | ||
|
|
||
| function separateAndSetFormat (str = '') { |
There was a problem hiding this comment.
This is confusing. Could you pull the format out of the regex match and assign it right up top? That way this can be a pure function / would not need to set format. It's the way all the other badges handle it.
|
Much clearer, thank you! |
A continuation of #803. Scoped to
nsp/npm/:package:formatfor future-proofing.