@W-11267235@: violation messages use a semicolon instead of a line break in json format #723
Conversation
| export class RuleResultRecombinator { | ||
|
|
||
| public static async recombineAndReformatResults(results: RuleResult[], format: OUTPUT_FORMAT, executedEngines: Set<string>): Promise<RecombinedRuleResults> { | ||
| public static async recombineAndReformatResults(results: RuleResult[], format: OUTPUT_FORMAT, executedEngines: Set<string>, verboseViolations = false): Promise<RecombinedRuleResults> { |
There was a problem hiding this comment.
Is it okay to use a default param like this to avoid affecting the method signature everywhere else?
| export class RuleResultRecombinator { | ||
|
|
||
| public static async recombineAndReformatResults(results: RuleResult[], format: OUTPUT_FORMAT, executedEngines: Set<string>): Promise<RecombinedRuleResults> { | ||
| public static async recombineAndReformatResults(results: RuleResult[], format: OUTPUT_FORMAT, executedEngines: Set<string>, verboseViolations = false): Promise<RecombinedRuleResults> { |
| // in the json format we need to replace new lines in the message | ||
| // for the first line (ending with a colon) we will replace it with a space | ||
| // for following lines, we will replace it with a semicolon and a space | ||
| violation.message = violation.message.replace(/:\n/g, ': ').replace(/\n/g, '; '); |
There was a problem hiding this comment.
You may wish to check what that does to non-RetireJS violations. I.e., scan something with both retirejs and eslint violations, and use verbose violations to see what the output looks like.
It's unlikely to cause any problems, but it's still probably worth taking a quick check.
There was a problem hiding this comment.
Good point, I am going to add a check so this only happens when the engine is retire-js, just to be safe.
|
|
||
| if (verboseViolations) { | ||
| for (const result of results) { | ||
| if (result.engine === 'retire-js') { |
There was a problem hiding this comment.
Don't use retire-js as a hardcoded string.
Add this import:
import {ENGINE} from '../../Constants'; and then change this line to if (result.engine === ENGINE.RETIRE_JS) {`
gkjung
force-pushed
the
d/W-11267235
branch
2 times, most recently
from
0ee1c9b to
5ec6b5a
Compare
…eak in json format
How to message originally looked:
jquery 3.1.0 has known vulnerabilities:\nseverity: medium; summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution; CVE: CVE-2019-11358; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358 https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b\nseverity: medium; summary: Regex in its jQuery.htmlPrefilter sometimes may introduce XSS; CVE: CVE-2020-11022; https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/\nseverity: medium; summary: Regex in its jQuery.htmlPrefilter sometimes may introduce XSS; CVE: CVE-2020-11023; https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/New format to remove \n:
jquery 3.1.0 has known vulnerabilities: severity: medium; summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution; CVE: CVE-2019-11358; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358 https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b; severity: medium; summary: Regex in its jQuery.htmlPrefilter sometimes may introduce XSS; CVE: CVE-2020-11022; https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/; severity: medium; summary: Regex in its jQuery.htmlPrefilter sometimes may introduce XSS; CVE: CVE-2020-11023; https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/