-
Notifications
You must be signed in to change notification settings - Fork 6
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
API refactor module to be more independent #34
API refactor module to be more independent #34
Conversation
As part of a greater piece of work with site summaries (cf. bringyourownideas/silverstripe-maintenance). This commit tidies class definitions and makes the import slightly more efficient. Abstractions are added to relate to the Package object from the aforementioned module. Unit tests have been added to ensure tidy standards in future maintenance.
0abbe4a
to
5701642
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good overall! I've left some specific comments, but also there's generally a huge lack of PHPDocs on methods and classes
composer.json
Outdated
}, | ||
"replace": { | ||
"spekulatius/silverstripe-composer-security-checker": "self.version" | ||
}, | ||
"suggest": { | ||
"friendsofsilverstripe/silverstripe-maintenance": "Display advisory information via Site Summary Report", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The package name has changed =)
composer.json
Outdated
"sensiolabs/security-checker": "^3.0", | ||
"symbiote/silverstripe-queuedjobs": "^2.8", | ||
"friendsofsilverstripe/silverstripe-maintenance": "^0.3" | ||
"silverstripe/framework": "^3", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's introduce ^3.2
which matches bringyourownideas/silverstripe-maintenance
src/Jobs/CVECheckJob.php
Outdated
/** | ||
* @return CVECheckTask | ||
*/ | ||
public function getCVECheckTask() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you please name the getters/setters the same as the property? I.e. setCheckTask(CheckTask $checkTask)
src/Jobs/CVECheckJob.php
Outdated
} | ||
|
||
/** | ||
* @param CVECheckTask |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Missing variable name - can you please type hint the class in the argument too?
src/Tasks/CVECheckTask.php
Outdated
* @param SecurityChecker $securityChecker | ||
* @return CVECheckTask $this | ||
*/ | ||
public function setSecurityChecker($securityChecker) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please type hint SecurityChecker
src/Tasks/CVECheckTask.php
Outdated
|
||
// use the security checker of | ||
$checker = $this->getSecurityChecker(); | ||
$alerts = $checker->check(BASE_PATH . DIRECTORY_SEPARATOR . 'composer.lock'); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I feel like we should use the ComposerLoader from silverstripe-maintenance for something here, at the least to remove the reliance on the physical path of composer.lock from this code (and leave it to ComposerLoader)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- This library has it's own logic for reading and parsing the lock file, and only requires the path in the check method.
- ComposerLoader requires a base path, which means either specifying manually still, or relying on
BASE_PATH
as it is here. - There is no way at current to extract the lock path from ComposerLoader (only the parsed contents).
- This modules does not require silverstripe-maintenance, nor is it intended to.
- This task is for checking the main installation only, not another at some arbitrary location, nor does it provide the ability to upload and check random lock files.
Conclusion:
ComposerLoader should not be used for this. Although I could add a setter/getter for a lock path, defaulting to what is currently set, I feel it is unnecessary.
src/Tasks/CVECheckTask.php
Outdated
|
||
// Is this vulnerability known? No, lets add it. | ||
if ((int) $vulnerability->count() === 0) { | ||
$vulnerability = new CVE(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
CVE::create()
src/Tasks/CVECheckTask.php
Outdated
} | ||
|
||
// remove all entries which are resolved (no longer $validEntries) | ||
$removeOldCVEs = SQLDelete::create('CVE'); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please quote the table name to ensure that this works across DB drivers
src/Tasks/CVECheckTask.php
Outdated
$removable = CVE::get()->exclude(array('ID' => $validEntries)); | ||
if ($removable->exists()) { | ||
// Be careful not to remove all CVEs on the case that entry is valid | ||
$removeOldCVEs = $removeOldCVEs->addWhere('ID', $removable->column('ID')); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Quotes for columns
tests/CVECheckTaskTest.php
Outdated
$checkTask->setSecurityChecker($securityCheckerMock); | ||
|
||
$preCheck = CVE::get(); | ||
$this->assertEquals(0, $preCheck->count(), 'database is empty to begin with'); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
$this->assertCount(0, $preCheck, '...
9b283ce
to
7746d57
Compare
857de7d
to
23028c8
Compare
Show the information in summary to users looking at the SiteSummary report on screen. This includes the ability to see a tag notifying which modules have alerts issued for them, a form level warning alerting users that some modules have alerts (as they may not display on the first page), and the ability to expand an individual module's information to display the alerts that have been issued (in a summary of title, ID number and externa link)
23028c8
to
079a9d5
Compare
For screen rendering devices - as per design team feedback. The text denoting an action is present is removed, and the toggle switch for revealing that information is shifted to the badge itself.
Design review is done, this is ready for final review :) |
.editorconfig
Outdated
@@ -10,6 +10,13 @@ indent_style = space | |||
insert_final_newline = true | |||
trim_trailing_whitespace = true | |||
|
|||
[*.md] | |||
trim_trailing_whitespace = false |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👎
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
😮
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks great, nice work! I've left a couple of comments to add translations, but otherwise looks good
public function updateBadges(&$badges) | ||
{ | ||
if ($this->owner->SecurityAlerts()->exists()) { | ||
$badges['RISK: Security'] = 'warning security-alerts__toggler'; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you please make this label translatable?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh whoops, yep :>
templates/SecurityAlertSummary.ss
Outdated
@@ -0,0 +1,4 @@ | |||
<p> | |||
<strong>Security alert</strong><br /> | |||
<% if Count > 1 %>Notices have<% else %>A notice has<% end_if %> been issued for <strong>$Count</strong> of your modules. Review and updating is recommended. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please add translations
Can you add a branch alias (1.x-dev) to composer.json while you're at it? |
* | ||
* @param array $badges in the format of [title => type] | ||
*/ | ||
public function updateBadges(&$badges) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm hoping this will change in the other PR so will expect this to change
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ooh, good call; derp.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep needs updating now to use an ArrayList
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is done :>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
PHPDoc still needs updating
templates/SecurityAlertSummary.ss
Outdated
<% if Count > 1 %> | ||
<%t SecuirtyAlertSummary.NOTICES_HAVE "Notices have" %> | ||
<% else %> | ||
<%t SecuirtyAlertSummary.NOTICE_HAS "A notice has" %> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
On reflection I don’t like how these translations are split up. It provides no context to translators and they might get confused about it. Also typos in the key :-)
src/Models/CVE.php
Outdated
/** | ||
* Describes a known security issue of an installed Composer package | ||
*/ | ||
class CVE extends DataObject |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Last thing- the vulnerabilities are not always assigned CVEs (ours aren’t for example), so maybe the original name or something like PackageVulnerability would be better- what do you think?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Question: Should the SS security ID then be put in place of the CVE ID?
i.e. SS-2015-014
when accessing ->CVE
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, because this module can work for any PHP packages not just SilverStripe packages. Maybe choose something generic like "Identifier"
af35d4a
to
dce1f04
Compare
Switch away from hard coded English.
dce1f04
to
0196327
Compare
Use sensible names, and also fix a few bug discovered by altering the tests with more data and cases (such as the SQLDelete statement). CVE DataObject is now SecurityAlerts, as not all alerts are assigned CVE identifiers. To that end if there is another identifier (such as the one SilverStripe use as a title prefix) then this is set instead. As such the property is renamed 'Identifier' as opposed to 'CVE'.
0196327
to
fd37c29
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome!
|
||
/** | ||
* @param SecurityAlertCheckTask $checkTask | ||
* @return SecurityAlertCheckJob |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Prefer return $this
, but this is also true
As part of a greater piece of work with site summaries (cf.
bringyourownideas/silverstripe-maintenance#39). This commit tidies class
definitions and makes the import slightly more efficient. Abstractions are
added to relate to the Package object from the aforementioned module.
Unit tests have been added to ensure tidy standards in future maintenance.
resolves #1 (although technically it was already resolved).