Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

API refactor module to be more independent #34

Merged

Conversation

NightJar
Copy link
Contributor

@NightJar NightJar commented May 25, 2018

As part of a greater piece of work with site summaries (cf.
bringyourownideas/silverstripe-maintenance#39). This commit tidies class
definitions and makes the import slightly more efficient. Abstractions are
added to relate to the Package object from the aforementioned module.
Unit tests have been added to ensure tidy standards in future maintenance.

resolves #1 (although technically it was already resolved).

@NightJar NightJar mentioned this pull request May 25, 2018
As part of a greater piece of work with site summaries (cf.
bringyourownideas/silverstripe-maintenance). This commit tidies class
definitions and makes the import slightly more efficient. Abstractions are
added to relate to the Package object from the aforementioned module.
Unit tests have been added to ensure tidy standards in future maintenance.
@NightJar NightJar force-pushed the pulls/1/refactor branch from 0abbe4a to 5701642 Compare May 28, 2018 04:05
Copy link
Contributor

@robbieaverill robbieaverill left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good overall! I've left some specific comments, but also there's generally a huge lack of PHPDocs on methods and classes

composer.json Outdated
},
"replace": {
"spekulatius/silverstripe-composer-security-checker": "self.version"
},
"suggest": {
"friendsofsilverstripe/silverstripe-maintenance": "Display advisory information via Site Summary Report",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The package name has changed =)

composer.json Outdated
"sensiolabs/security-checker": "^3.0",
"symbiote/silverstripe-queuedjobs": "^2.8",
"friendsofsilverstripe/silverstripe-maintenance": "^0.3"
"silverstripe/framework": "^3",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's introduce ^3.2 which matches bringyourownideas/silverstripe-maintenance

/**
* @return CVECheckTask
*/
public function getCVECheckTask()
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you please name the getters/setters the same as the property? I.e. setCheckTask(CheckTask $checkTask)

}

/**
* @param CVECheckTask
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing variable name - can you please type hint the class in the argument too?

* @param SecurityChecker $securityChecker
* @return CVECheckTask $this
*/
public function setSecurityChecker($securityChecker)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please type hint SecurityChecker


// use the security checker of
$checker = $this->getSecurityChecker();
$alerts = $checker->check(BASE_PATH . DIRECTORY_SEPARATOR . 'composer.lock');
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I feel like we should use the ComposerLoader from silverstripe-maintenance for something here, at the least to remove the reliance on the physical path of composer.lock from this code (and leave it to ComposerLoader)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. This library has it's own logic for reading and parsing the lock file, and only requires the path in the check method.
  2. ComposerLoader requires a base path, which means either specifying manually still, or relying on BASE_PATH as it is here.
  3. There is no way at current to extract the lock path from ComposerLoader (only the parsed contents).
  4. This modules does not require silverstripe-maintenance, nor is it intended to.
  5. This task is for checking the main installation only, not another at some arbitrary location, nor does it provide the ability to upload and check random lock files.

Conclusion:
ComposerLoader should not be used for this. Although I could add a setter/getter for a lock path, defaulting to what is currently set, I feel it is unnecessary.


// Is this vulnerability known? No, lets add it.
if ((int) $vulnerability->count() === 0) {
$vulnerability = new CVE();
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CVE::create()

}

// remove all entries which are resolved (no longer $validEntries)
$removeOldCVEs = SQLDelete::create('CVE');
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please quote the table name to ensure that this works across DB drivers

$removable = CVE::get()->exclude(array('ID' => $validEntries));
if ($removable->exists()) {
// Be careful not to remove all CVEs on the case that entry is valid
$removeOldCVEs = $removeOldCVEs->addWhere('ID', $removable->column('ID'));
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Quotes for columns

$checkTask->setSecurityChecker($securityCheckerMock);

$preCheck = CVE::get();
$this->assertEquals(0, $preCheck->count(), 'database is empty to begin with');
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

$this->assertCount(0, $preCheck, '...

Show the information in summary to users looking at the SiteSummary report
on screen. This includes the ability to see a tag notifying which modules
have alerts issued for them, a form level warning alerting users that some
modules have alerts (as they may not display on the first page), and the
ability to expand an individual module's information to display the alerts
that have been issued (in a summary of title, ID number and externa link)
@NightJar NightJar force-pushed the pulls/1/refactor branch from 23028c8 to 079a9d5 Compare May 29, 2018 09:58
For screen rendering devices - as per design team feedback. The text
denoting an action is present is removed, and the toggle switch for
revealing that information is shifted to the badge itself.
@NightJar
Copy link
Contributor Author

Design review is done, this is ready for final review :)

@NightJar NightJar mentioned this pull request May 29, 2018
1 task
.editorconfig Outdated
@@ -10,6 +10,13 @@ indent_style = space
insert_final_newline = true
trim_trailing_whitespace = true

[*.md]
trim_trailing_whitespace = false
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👎

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

😮

Copy link
Contributor

@robbieaverill robbieaverill left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great, nice work! I've left a couple of comments to add translations, but otherwise looks good

public function updateBadges(&$badges)
{
if ($this->owner->SecurityAlerts()->exists()) {
$badges['RISK: Security'] = 'warning security-alerts__toggler';
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you please make this label translatable?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh whoops, yep :>

@@ -0,0 +1,4 @@
<p>
<strong>Security alert</strong><br />
<% if Count > 1 %>Notices have<% else %>A notice has<% end_if %> been issued for <strong>$Count</strong> of your modules. Review and updating is recommended.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add translations

@robbieaverill
Copy link
Contributor

Can you add a branch alias (1.x-dev) to composer.json while you're at it?

@robbieaverill robbieaverill changed the base branch from master to 1 May 30, 2018 04:59
*
* @param array $badges in the format of [title => type]
*/
public function updateBadges(&$badges)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm hoping this will change in the other PR so will expect this to change

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ooh, good call; derp.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep needs updating now to use an ArrayList

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is done :>

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PHPDoc still needs updating

<% if Count > 1 %>
<%t SecuirtyAlertSummary.NOTICES_HAVE "Notices have" %>
<% else %>
<%t SecuirtyAlertSummary.NOTICE_HAS "A notice has" %>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On reflection I don’t like how these translations are split up. It provides no context to translators and they might get confused about it. Also typos in the key :-)

/**
* Describes a known security issue of an installed Composer package
*/
class CVE extends DataObject
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Last thing- the vulnerabilities are not always assigned CVEs (ours aren’t for example), so maybe the original name or something like PackageVulnerability would be better- what do you think?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Question: Should the SS security ID then be put in place of the CVE ID?
i.e. SS-2015-014 when accessing ->CVE?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, because this module can work for any PHP packages not just SilverStripe packages. Maybe choose something generic like "Identifier"

@NightJar NightJar force-pushed the pulls/1/refactor branch from af35d4a to dce1f04 Compare May 30, 2018 21:07
Switch away from hard coded English.
@NightJar NightJar force-pushed the pulls/1/refactor branch from dce1f04 to 0196327 Compare May 31, 2018 04:27
Use sensible names, and also fix a few bug discovered by altering the
tests with more data and cases (such as the SQLDelete statement). CVE
DataObject is now SecurityAlerts, as not all alerts are assigned CVE
identifiers. To that end if there is another identifier (such as the one
SilverStripe use as a title prefix) then this is set instead. As such the
property is renamed 'Identifier' as opposed to 'CVE'.
@NightJar NightJar force-pushed the pulls/1/refactor branch from 0196327 to fd37c29 Compare May 31, 2018 04:40
Copy link
Contributor

@robbieaverill robbieaverill left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Awesome!


/**
* @param SecurityAlertCheckTask $checkTask
* @return SecurityAlertCheckJob
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Prefer return $this, but this is also true

@robbieaverill robbieaverill merged commit b37a6dd into bringyourownideas:1 May 31, 2018
@robbieaverill robbieaverill deleted the pulls/1/refactor branch May 31, 2018 05:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants