cve-bin-tool
cve-bin-tool copied to clipboard
ci: autoupdate JS libraries
This PR adds cron workflow that attempts to update bootstrap and plotly.js libraries. After updating it then runs test_output_html
test, generates mock HTML report and uploads it as workflow run artifact. Opened PR contains the link to the workflow run.
For further discussion see #1402, this probably shouldn't be merged until we have better tests (the only one right now seems to be always passing).
Codecov Report
Merging #1410 (f8e8923) into main (fb695cb) will increase coverage by
10.61%
. The diff coverage isn/a
.
@@ Coverage Diff @@
## main #1410 +/- ##
===========================================
+ Coverage 77.76% 88.38% +10.61%
===========================================
Files 323 325 +2
Lines 7565 7575 +10
Branches 1237 1238 +1
===========================================
+ Hits 5883 6695 +812
+ Misses 1418 613 -805
- Partials 264 267 +3
Flag | Coverage Δ | |
---|---|---|
longtests | 77.80% <ø> (+0.04%) |
:arrow_up: |
win-longtests | 87.38% <ø> (?) |
Flags with carried forward coverage won't be shown. Click here to find out more.
Impacted Files | Coverage Δ | |
---|---|---|
cve_bin_tool/checkers/__init__.py | 95.45% <0.00%> (ø) |
|
test/test_data/dhcpcd.py | 100.00% <0.00%> (ø) |
|
cve_bin_tool/checkers/dhcpcd.py | 100.00% <0.00%> (ø) |
|
cve_bin_tool/version_scanner.py | 85.13% <0.00%> (+0.67%) |
:arrow_up: |
cve_bin_tool/merge.py | 80.32% <0.00%> (+0.81%) |
:arrow_up: |
cve_bin_tool/helper_script.py | 85.58% <0.00%> (+0.90%) |
:arrow_up: |
cve_bin_tool/parsers/java.py | 74.24% <0.00%> (+1.51%) |
:arrow_up: |
test/test_checkers.py | 95.16% <0.00%> (+1.61%) |
:arrow_up: |
test/test_extractor.py | 95.97% <0.00%> (+2.01%) |
:arrow_up: |
cve_bin_tool/output_engine/util.py | 88.15% <0.00%> (+2.63%) |
:arrow_up: |
... and 24 more |
:mega: We’re building smart automated test selection to slash your CI/CD build times. Learn more
Flagging as this as blocked due to the test problem, but if you don't mind leaving it open it should be very useful later.
@terriko, is it something you are still interested in? I have synced my fork and now getting failures on cache updates every day which is annoying. If this PR is no longer desirable I would just delete my fork (and maybe later reforked without enabling scheduled Actions).
Blocker to this PR was the lack of sufficient HTML tests.
Can we switch it so the job either doesn't run or the scheduling runs once per year? I think the code is still useful and we're getting further with the html tests, but I don't think we're ready to merge it yet unless it runs less frequently.
Also, I highly recommend disabling the cache jobs on forks. I did file a bug #1950 to see if we can fix that particular job, but you should be able to disable it yourself in github actions. https://docs.github.com/en/actions/managing-workflow-runs/disabling-and-enabling-a-workflow (and that actually says scheduled jobs should be disabled automatically so... i guess I need to look into what's happening here more carefully)
I highly recommend disabling the cache jobs on forks
Oh, I didn't know it's possible to disable specific workflows, thank you!
that actually says scheduled jobs should be disabled automatically so... i guess I need to look into what's happening here more carefully
That's correct but I have enabled it in my fork previously when crafting some scheduled workflows (including this PR actually 😄).
Can we switch it so the job either doesn't run or the scheduling runs once per year?
Sure, I can do it tomorrow. Is 00:00 UTC on the 2nd January of every year okay? It's the cron used in SPDX workflow.
Works for me! Thanks for this; keeping a PR open for a full year is definitely next-level contribution and I really appreciate it!
@terriko, I have updated the schedule
A couple of issues:
- Bandit doesn't like calling urllib: should I just
# nosec
these calls? - I have triggered the workflow manually in my fork but it failed when testing HTML with
sqlite3.OperationalError: unable to open database file
. Log here. This worked last year.
Yeah, bandit lists anything that might need periodic code review.
The only thing that looks maybe problematic is the tagname construction in the last one, but the json parser should catch most potential problems in the url construction. We might be able to defang it a bit more just to avoid a malicious tag from having "../" in it or something, but if someone's man-in-the-middle'ing the whole plotly website to make impossible tags we probably have bigger problems.
Go ahead and # nosec
them for now. I review everything marked as nosec as part of my release prep anyhow so it won't get forgotten.
As for the sql error: let's get this PR merged even if it's broken, and we'll resolve when we're ready to run the code regularly. @BreadGenie has encountered some really weird errors while updating the HTML tests so we may have to do some re-working anyhow.
Go ahead and
# nosec
them for now.
@terriko, done