test: use go-vcr to mock osv.dev bulk query calls#2200
Conversation
b304d09 to
8a43656
Compare
869d0fd to
6b3c1df
Compare
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## main #2200 +/- ##
==========================================
- Coverage 67.83% 67.68% -0.16%
==========================================
Files 171 172 +1
Lines 13019 13147 +128
==========================================
+ Hits 8831 8898 +67
- Misses 3503 3551 +48
- Partials 685 698 +13 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
b08f834 to
8777f4f
Compare
1d5beb7 to
41df179
Compare
Hopefully the readme explains most of this, but at a high-level this introduces a new tool based off `osv-scanner` to make it easy to test API changes. Tests are provided as "cassettes" which we use `go-vcr` to load since that has the bonus benefit of being [compatible with cassettes we'll be using in `osv-scanner`](google/osv-scanner#2200), though we do format the `request.body` to be multi-line so it's easier to understand what the query under test is. --------- Co-authored-by: Rex P <106129829+another-rex@users.noreply.github.com>
another-rex
left a comment
There was a problem hiding this comment.
It works!
@G-Rath PTAL, and I think we might need to move update script to a bot or similar so we can update the snapshots without having to run windows.
G-Rath
left a comment
There was a problem hiding this comment.
(I can't approve this since it's my own PR)
looks good, lets get this landed before the snapshots change again 😅 (which I think they already have...)
|
One thing I want to do before merging is to do the formatting similar to how it's done on osv.dev. Right now it's really hard to see the diff when updating cassettes. |



This is an attempt to make our CI easier to work with day-to-day by introducing
go-vcras a proxy to record and replay certain HTTP requests, with our "update snapshots" workflow being updated to also update these records.The idea is this will let us continue effectively testing against real external APIs but let us decide when those external APIs change by way of updating the HTTP records (terms cassettes, in keeping with the VCR metaphor).
For now I've just focused on the osv.dev client, setting up
go-vcrto record interactions with any endpoint aside from/v1/vulns/<id>since those requests have huge responses making the cassettes easily balloon beyond 5mb per file - while these do somewhat frequently change, I'm hoping that their day-to-day changes won't be as noisy and especially considering its the response of the bulk query endpoint that leads to the specific vuln lookups so since they're being recorded things should be a lot more predictable.I've structured things so that a recording client is created per top-level test so that a single cassette is used for any subtests, and a
X-Test-Nameheader is included in each request via a secondhttp.Clientwith a customRoundTripperthat gets created in each subtest wrapping the recording client, which allows us to sort the interactions afterwards giving us a stable diff when regenerating.I have also included a custom hook to remove unneeded headers to both further reduce the noise in diffs and the size of the cassettes overall; the only header I'm on the fence about is the
Dateheader since that relates to caching and its technically possible for code to check that for determining if data should be re-fetched, but I think it's best to omit it for now given its present in every single request (ideally I'd like to have it be updated only when something else changes, but that doesn't seem possible without a lot more work).Finally, one notable downside for us to keep an eye on is with keeping the cassettes up to date: the nature of this functionality means its inherently hard for such a library to determine if a particular record is obsolete or needs to be generated as (among other things) that would most likely require making the request in the first place e.g. if we change what headers are excluded but don't explicitly regenerate everything, I don't think CI will complain - thankfully, the worse case is that this should get caught by our "update snapshots" workflow