-
-
Notifications
You must be signed in to change notification settings - Fork 5.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[NSP] badge with tests #1156
[NSP] badge with tests #1156
Conversation
Hi! Thanks for this. Could you review the CI logs? The new service tests didn't run in the first CI pass, though I added brackets around |
I can't get the test to run locally via |
Does |
Got it! The local testing issue was a timing problem (the tests timeout if it takes more than 5 seconds to start - not sure why it takes so long on my machine). As for the badge generator it was a minor match-related bug. |
service-tests/nsp.js
Outdated
|
||
t.create('get a package that does not exist') | ||
.get('/npm/some-unknown-package.json') | ||
.expectJSONTypes(Joi.object().keys({name: 'nsp', value: 'n/a'})) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it possible to distinguish between package not found and a server error? In the first case, it would be good to provide a more helpful error message. In the second case, would you please use invalid, which is consistent with the other badges?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's fair. Any preferred colorscheme
for each? How would you recommend catching server errors?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd suggest figuring out what a response looks like for a non-existent package, and testing for that specifically. Once you've identified and excluded that case, if available === false
I'd say that's a server error.
Most of the other badges use the default color for errors.
service-tests/nsp.js
Outdated
|
||
t.create('get a package without vulnerabilities') | ||
.get('/npm/bronze.json') | ||
.expectJSONTypes(Joi.object().keys({name: 'nsp', value: 'no known vulnerabilities'})) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since these are both literals, you can write this a bit more concisely:
.expectJSON({ name: 'nsp', value: 'no known vulnerabilities' })
server.js
Outdated
if (response !== null && response.statusCode === 404) { | ||
badgeData.text[1] = 'invalid'; | ||
} else if (error !== null || jsonResults === undefined) { | ||
badgeData.text[1] = 'error'; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Though error might be more descriptive, for consistency, this one should be invalid. The one before should be something like package not found.
By the way, does NSP support scoped packages like @cycle/core? If so could you add a test to make sure it works for that too? It might require different quoting or a different regex.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It looks like NSP supports scoped packages. I'll update the implementation to support them.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll also add support for specific package versions - perhaps /nsp/npm/l/:package.:format
for the latest version and /nsp/npm/v/:package/:version.:format
for a specific version?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To be consistent with the other badges, /nsp/npm/:package.:format
for latest and /nsp/npm/:package/:version.:format
for specific.
/l/
usually means license and /v/
means version. The equivalent here would be something like /nsp/count/npm/
, if you thought there might be badges for other kinds of nsp data in the future.
I'm not sure why this latest build failed - I'm not using any escape characters where it claims I am [actual line], but I was able to add support for both version and scoped package in this latest commit. Locally I'm not getting the error at all. |
Travis tests on a commit created by merging your branch into master, which explains line number discrepancies with the branch (and tooling discrepancies). If you merge latest master into your dev branch and push that, you'll have parity locally with CI. Don't forget to |
server.js
Outdated
|
||
sendBadge(format, badgeData); | ||
} else { | ||
nspRequestOptions.body.package.version = body.version; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Perhaps this would be easier to reason about if it passed the version into getNspResults
as a parameter.
|
||
const t = new ServiceTester({id: 'nsp', title: 'Node Security Platform'}) | ||
|
||
const formats = { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I love the idea of generating a bunch of tests!
service-tests/nsp.js
Outdated
|
||
const formatsKeys = Object.keys(formats) | ||
|
||
for (let i = 0, len = formatsKeys.length; i < len; i++) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You could write it like this:
Object.keys(formats).forEach(format => {
});
server.js
Outdated
const pieces = match.input.split('/'); | ||
let badgeData = getBadgeData('nsp', data); | ||
let format = ''; | ||
let nspRequestOptions = { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since these identifiers are not reassigned, they can all be const
.
templates/flat-square-template.svg
Outdated
<text x="{{=((it.widths[0]+it.logoWidth+it.logoPadding)/2)*10}}" y="140" transform="scale(0.1)">{{=it.escapeXml(it.text[0])}}</text> | ||
<text x="{{=(it.widths[0]+it.widths[1]/2-1)*10}}" y="140" transform="scale(0.1)">{{=it.escapeXml(it.text[1])}}</text> | ||
<text x="{{=(((it.widths[0]+it.logoWidth+it.logoPadding)/2)+1)*10}}" y="140" transform="scale(0.1)" textLength="{{=(it.widths[0]-(10+it.logoWidth+it.logoPadding))*10}}" lengthAdjust="spacing">{{=it.escapeXml(it.text[0])}}</text> | ||
<text x="{{=(it.widths[0]+it.widths[1]/2-1)*10}}" y="140" transform="scale(0.1)" textLength="{{=(it.widths[1]-10)*10}}" lengthAdjust="spacing">{{=it.escapeXml(it.text[1])}}</text> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you reset these files? e.g. git checkout master templates/flat-square-template.svg
, and then commit, should do it.
server.js
Outdated
|
||
request(npmURL, npmRequestOptions, (error, response, body) => { | ||
if (response !== null && response.statusCode === 404) { | ||
// NOTE: in POST requests nsp does not distinguish between 'package not found' and 'no known vulnerabilities'. To keep consistency in the use case where a version is provided (which skips `getNpmVersionThenNspResults()` altogether) we'll say 'no known vulnerabilities' since it is technically true in both cases |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you break this comment around 80 characters for legibility?
server.js
Outdated
// D: /nsp/npm/@:scope/:package/:version.:format | ||
const pieces = match.input.split('/'); | ||
const badgeData = getBadgeData('nsp', data); | ||
const nspRequestOptions = { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's difficult to understand how data is flowing between the main body of this badge provider and the local functions. To make this clearer, could you declare this nspRequestOptions
structure inside getNspResults
instead? You could pass in the package name as a parameter, like you're doing with the package version.
server.js
Outdated
}); | ||
} | ||
|
||
function separateAndSetFormat (str = '') { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is confusing. Could you pull the format out of the regex match and assign it right up top? That way this can be a pure function / would not need to set format
. It's the way all the other badges handle it.
Much clearer, thank you! |
A continuation of #803. Scoped to
nsp/npm/:package:format
for future-proofing.