Add test_emu_security.py covering:
- requirements.txt: CVE warning comment for pyminizip dependency
- hook.py: parseable by ast.parse, defines enable() and name variable
- YAML validation: conf/ files are parseable, data/ files checked if present (skipped when data is not yet populated)
Pull request overview
Adds a new security-focused pytest module for the emu plugin to prevent common packaging/configuration regressions (dependency risk documentation, plugin entrypoint sanity, and YAML validity).
Changes:
- Add tests to enforce a CVE/vulnerability warning comment near the pyminizip requirement.
- Add tests to ensure hook.py is parseable and declares expected plugin entrypoint fields (async def enable, name).
- Add tests to validate YAML files under conf/ and (optionally) data/.
Comment on lines +70 to +98
| def test_hook_defines_enable_function(self): | ||
| """hook.py must define an async 'enable' function.""" | ||
| with open(HOOK_PATH, 'r') as f: | ||
| source = f.read() | ||
| tree = ast.parse(source) | ||
| enable_funcs = [ | ||
| node for node in ast.walk(tree) | ||
| if isinstance(node, ast.AsyncFunctionDef) and node.name == 'enable' | ||
| ] | ||
| assert len(enable_funcs) > 0, ( | ||
| "hook.py must define an 'async def enable(...)' function" | ||
| ) | ||
|
|
||
| def test_hook_defines_plugin_name(self): | ||
| """hook.py should define a 'name' variable.""" | ||
| with open(HOOK_PATH, 'r') as f: | ||
| source = f.read() | ||
| tree = ast.parse(source) | ||
| name_assignments = [ | ||
| node for node in ast.walk(tree) | ||
| if isinstance(node, ast.Assign) | ||
| and any( | ||
| isinstance(target, ast.Name) and target.id == 'name' | ||
| for target in node.targets | ||
| ) | ||
| ] | ||
| assert len(name_assignments) > 0, ( | ||
| "hook.py should define a 'name' variable for the plugin" | ||
| ) |
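Review bot: test_hook_defines_plugin_name only matches ast.Assign, so an annotated module-level assignment such as `name: str = 'emu'` (ast.AnnAssign) fails the test even though the plugin is correctly named; and because both tests use ast.walk, an `async def enable` or `name = ...` nested inside another function or class also satisfies them, which is not the module-level entrypoint the plugin loader reads. Suggest iterating `tree.body` instead of `ast.walk(tree)` and accepting both node types, e.g. `isinstance(node, (ast.Assign, ast.AnnAssign))` with `targets = node.targets if isinstance(node, ast.Assign) else [node.target]`. Minor: both `open(HOOK_PATH, 'r')` calls should pass `encoding='utf-8'` so the parse does not depend on the locale default.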
Comment on lines +24 to +48
| with open(REQUIREMENTS_PATH, 'r') as f: | ||
| content = f.read() | ||
|
|
||
| # Verify pyminizip is listed | ||
| assert 'pyminizip' in content, ( | ||
| "pyminizip not found in requirements.txt" | ||
| ) | ||
|
|
||
| # Check for a CVE-related comment near the pyminizip line | ||
| lines = content.splitlines() | ||
| found_cve_comment = False | ||
| for i, line in enumerate(lines): | ||
| if 'pyminizip' in line.lower(): | ||
| # Check this line and surrounding lines for CVE warning | ||
| context_start = max(0, i - 2) | ||
| context_end = min(len(lines), i + 3) | ||
| context = '\n'.join(lines[context_start:context_end]) | ||
| if 'cve' in context.lower() or 'vulnerab' in context.lower(): | ||
| found_cve_comment = True | ||
| break | ||
| assert found_cve_comment, ( | ||
| "requirements.txt should have a comment warning about known " | ||
| "CVEs for pyminizip (e.g., '# WARNING: pyminizip has known " | ||
| "CVE vulnerabilities')" | ||
| ) |
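Review bot: the CVE-comment check is looser than its assertion message suggests. `'cve' in context.lower()` is a substring match over a five-line window that includes non-comment lines, so a warning written for a neighbouring requirement, or the letters "cve" inside any other token in that window, satisfies it, while a comment placed three lines above pyminizip does not. Suggest requiring the matching line to be a comment, e.g. `if line.lstrip().startswith('#') and ('cve' in line.lower() or 'vulnerab' in line.lower())` evaluated over `lines[context_start:context_end]`. The presence check `assert 'pyminizip' in content` has the same weakness: it also passes when the requirement is commented out, so anchoring on a non-comment line containing pyminizip keeps both assertions honest. Minor: `open(REQUIREMENTS_PATH, 'r')` should pass `encoding='utf-8'`.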
Summary
- tests/test_emu_security.py with security-focused tests for the emu plugin
- requirements.txt includes a CVE warning comment for the pyminizip dependency
- hook.py is parseable, defines async def enable(), and sets a plugin name
- conf/ YAML files are valid; data/ YAML checked when present (skipped otherwise)

Test plan
- pytest plugins/emu/tests/test_emu_security.py -v from caldera root