fix(tests): use CVE-free fixture packages so clean-scan e2e tests don't depend on the advisory DB#727
Open
SAY-5 wants to merge 1 commit into
…'t depend on the advisory DB Signed-off-by: Sai Asish Y <say.apm35@gmail.com>
Summary

Several e2e fixtures resolve real npm packages (lodash, express) and assert a clean exit, so a newly published CVE for the pinned version flips the scan exit code and breaks unrelated tests. This swaps those resolved packages for fixture-only names that no advisory can match.

Why this change

CI syncs the live advisory DB before the e2e suite, then runs scans with --offline. A fixture that pins lodash@4.17.21 / express@4.18.2 and expects exit 0 only stays green while no matching critical CVE exists in the DB. When one lands, the "clean" scan exits 1, which is what caused the 28 failures in the v1.25.0 release run (issue #726).

What changed

- Add SAFE_PKG / SAFE_PLATFORM_PARENT / SAFE_PLATFORM_BINARY constants to the e2e harness for fixture-only package names.
- Replace lodash / express entries in clean-exit fixtures with those names (the override target 'gone' and OA001 behaviour are unchanged; the orphan still fires because it is absent from the tree).
- looksLikePlatformBinary() matches on the linux token, not the package identity, so OA006 still fires.

Validation

npm run build and npm test pass (851 tests). To confirm DB-independence I copied the synced advisory DB, injected a synthetic critical advisory for lodash and express, and scanned both old and new fixtures with --offline-db: the old fixtures exit 1, the new fixtures stay exit 0.

User-facing impact

Test-only change; no runtime behaviour is affected.

Notes

Follows option 1 from the issue (fixtures use packages that cannot acquire advisories).

Closes #726
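The failure mode this PR describes (a clean-exit fixture that is only clean until an advisory is published for its pinned version) and the guard it introduces (fixture-only package names) can be modelled in a few lines. The block below is an added example written for this page, not the project's harness, its real looksLikePlatformBinary(), or the values of its SAFE_* constants; the advisory DB, package names, versions, advisory ids and the '@e2e-fixture' scope are all constructed. It reproduces the author's validation step (inject a synthetic critical advisory, scan the old and new fixture shapes) and adds a harness-side check that fixture-only names can never collide with the DB.

```javascript
// Added example, not the project's code: a minimal model of why clean-exit e2e
// fixtures must use package names that no advisory can match. Every name,
// version and advisory below is constructed for illustration.

// Synthetic advisory DB keyed by package name. The entries mimic what a newly
// published critical advisory for a pinned version looks like to the scanner.
const SYNTHETIC_ADVISORY_DB = {
  lodash: [{ id: 'SYN-0001', severity: 'critical', vulnerableAtOrBelow: '4.17.21' }],
  express: [{ id: 'SYN-0002', severity: 'critical', vulnerableAtOrBelow: '4.18.2' }],
};

// Scope reserved for fixture-only packages (hypothetical value; the real
// harness has its own SAFE_PKG / SAFE_PLATFORM_* constants, not shown here).
const FIXTURE_SCOPE = '@e2e-fixture';

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Compare two dotted numeric versions: returns -1, 0 or 1.
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Scan a flat dependency list against the DB and return the matching findings.
function scan(packages, db) {
  const findings = [];
  for (const { name, version } of packages) {
    const advisories = hasOwn(db, name) ? db[name] : [];
    for (const adv of advisories) {
      if (cmpVersion(version, adv.vulnerableAtOrBelow) <= 0) {
        findings.push({ name, version, id: adv.id, severity: adv.severity });
      }
    }
  }
  return findings;
}

// Exit-code policy modelled here: any critical finding fails the scan.
function exitCode(findings) {
  return findings.some((f) => f.severity === 'critical') ? 1 : 0;
}

// Harness guard: a fixture-only name must carry the reserved scope and must
// not appear in the advisory DB. Returns a list of violations (empty = OK).
function fixtureNameViolations(names, db) {
  const violations = [];
  for (const name of names) {
    if (!name.startsWith(`${FIXTURE_SCOPE}/`)) violations.push(`${name}: not in ${FIXTURE_SCOPE} scope`);
    if (hasOwn(db, name)) violations.push(`${name}: present in advisory DB`);
  }
  return violations;
}

// The "old" fixture shape: real registry names pinned to versions a future advisory can match.
const OLD_FIXTURE = [
  { name: 'lodash', version: '4.17.21' },
  { name: 'express', version: '4.18.2' },
];

// The "new" fixture shape: same structure, but names no registry advisory can ever match.
const NEW_FIXTURE = [
  { name: `${FIXTURE_SCOPE}/safe-pkg`, version: '4.17.21' },
  { name: `${FIXTURE_SCOPE}/safe-platform-parent`, version: '4.18.2' },
];

function oldFixtureExitCode() { return exitCode(scan(OLD_FIXTURE, SYNTHETIC_ADVISORY_DB)); }
function newFixtureExitCode() { return exitCode(scan(NEW_FIXTURE, SYNTHETIC_ADVISORY_DB)); }

console.log('old fixture exit:', oldFixtureExitCode()); // 1 once the synthetic advisory is in the DB
console.log('new fixture exit:', newFixtureExitCode()); // 0 regardless of DB contents
console.log('guard violations:', fixtureNameViolations(NEW_FIXTURE.map((p) => p.name), SYNTHETIC_ADVISORY_DB));
```

Run it with node. The fixtureNameViolations() guard is the piece worth carrying into a real harness: wired into the test setup, it makes a fixture that drifts back to a registry name fail immediately with a clear message, instead of failing weeks later when an advisory happens to land for that version.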