Skip to content

Optimize tests for v3 #1007

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
eyalk007 wants to merge 2 commits into
base: v3_er
Choose a base branch
from
Open

Optimize tests for v3 #1007

eyalk007 wants to merge 2 commits into from

Conversation

@eyalk007
Copy link
Collaborator

@eyalk007 eyalk007 commented Dec 23, 2025

  • All tests passed. If this feature is not already covered by the tests, I added new tests.
  • This pull request is on the dev branch.
  • I used gofmt for formatting the code before submitting the pull request.
  • Update documentation about new features / new supported technologies

We dont need to install the package managers anymore
we only need them for the fix part meaning only for hte package manager suite

@eyalk007
Optimize test workflow by removing unnecessary package manager instal…
8c06d3a 
…lations

Only Package Handlers tests need all package managers installed since they test the fix functionality.
Other test suites (Unit, Scan Repository, Scan Pull Request) don't need npm, Python, pipenv, poetry, Mono, dotnet, NuGet, Pnpm, Java, or Conan installations.

This will significantly speed up test execution for non-Package Handler test suites.
@eyalk007 eyalk007 self-assigned this Dec 23, 2025
@eyalk007 eyalk007 added the ignore for release Automatically generated release notes label Dec 23, 2025
@eyalk007 eyalk007 added the safe to test Approve running integration tests on a pull request label Dec 23, 2025
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Dec 23, 2025
@eyalk007
Add Go module caching to integration tests
0c32df9 
Added Go module cache (~/go/pkg/mod) to all integration test jobs:
- github-integration
- azure-integration (ubuntu, windows, macos)
- gitlab-integration (ubuntu, windows, macos)
- bitbucket-server-integration (macos)

This matches the caching already used in the main tests and Pretest jobs.
Subsequent test runs will restore cached Go modules (~5s) instead of
re-downloading them (~30-60s).
@eyalk007 eyalk007 added the safe to test Approve running integration tests on a pull request label Dec 23, 2025
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Dec 23, 2025
@eyalk007 eyalk007 added the safe to test Approve running integration tests on a pull request label Dec 23, 2025
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Dec 23, 2025
eranturgeman
eranturgeman reviewed Dec 24, 2025
View reviewed changes
eranturgeman
eranturgeman reviewed Dec 24, 2025
View reviewed changes
.github/workflows/test.yml
${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}-
${{ runner.os }}-go-
# Package managers are only needed for Package Handlers tests (fix functionality)
Copy link
Contributor

@eranturgeman eranturgeman Dec 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what about integration tests that run Scan-pr and Scan-repo commands and require to perform actual upgrades and dependencies resolutions?

eranturgeman
eranturgeman reviewed Dec 24, 2025
View reviewed changes
Copy link
Contributor

@eranturgeman eranturgeman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

workflows changes in Frogbot only applied after merge, therefore the changes you've made cannot be validated in the tests execution of this PR (running agains the old yml files)
please validate all tests are passing in your fork

@github-actions
Copy link
Contributor

github-actions bot commented Jan 13, 2026

🚨 Frogbot scanned this pull request and found the below:

📗 Scan Summary

  • Frogbot scanned for vulnerabilities and found 8 issues
Scan Category Status Security Issues
Software Composition Analysis ✅ Done Not Found
Contextual Analysis ✅ Done -
Static Application Security Testing (SAST) ✅ Done
8 Issues Found 1 High
7 Medium
Secrets ✅ Done -
Infrastructure as Code (IaC) ✅ Done Not Found

@github-actions
Copy link
Contributor

github-actions bot commented Jan 13, 2026 

body

at utils/testsutils.go (line 250)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity Finding
high
High		 Deserializing untrusted data without validation
Full description

Vulnerability Details
Rule ID: go-unsafe-deserialization

Overview

Unsafe deserialization in Go occurs when a program deserializes untrusted
data with a potentially dangerous deserializer. Deserialization is the
process of converting serialized data (data that has been converted into a
format that can be easily transmitted or stored) back into its original
form. In some ("unsafe") serialization protocols, if an attacker is able
to manipulate the serialized data, they may be able to execute arbitrary
code or perform other malicious actions when the data is deserialized.

Vulnerable example

import (
    "github.com/go-yaml/yaml"
    "net/http"
)

func storeHandler(w http.ResponseWriter, r *http.Request) {
    var data map[string]interface{}
    yaml.Unmarshal([]byte(r.URL.Query().Get("data")), &data) // NOT OK
}

This code uses yaml.Unmarshal to deserialize untrusted data from the
user, with a potentially dangerous deserializer.

Remediation

import (
    "github.com/go-yaml/yaml"
    "net/http"
)

func storeHandler(w http.ResponseWriter, r *http.Request) {
    var data map[string]interface{}
    yaml.UnmarshalStrict([]byte(r.URL.Query().Get("data")), &data) // SAFE
}

Using yaml.UnmarshalStrict solves the problem by ensuring a safe
serialization protocol.

Code Flows
Vulnerable data flow analysis result

↘️ r.Body (at utils/testsutils.go line 243)

↘️ io.ReadAll(r.Body) (at utils/testsutils.go line 243)

↘️ body (at utils/testsutils.go line 243)

↘️ body (at utils/testsutils.go line 250)

@github-actions
Copy link
Contributor

github-actions bot commented Jan 13, 2026 

content

at utils/testsutils.go (line 196)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity Finding
medium
Medium		 Untrusted stored value is included in web page content
Full description

Vulnerability Details
Rule ID: go-stored-xss

Overview

Stored Cross-Site Scripting (XSS) is a type of vulnerability where malicious
scripts are injected into a web application and stored in a persistent state,
such as a database. When other users access the affected page, the stored
scripts are executed in their browsers, leading to various attacks.

Vulnerable example

func serveMessage(w http.ResponseWriter, r *http.Request) {
    db, _ := sql.Open("sqlite3", "test.db")
    message := db.QueryRow("SELECT message FROM messages WHERE id = 1")
    fmt.Fprintf(w, "<h1>%s</h1>", message)
}

In this example, the serveMessage function retrieves a message from the
database and directly embeds it into an HTML response without proper escaping.
If the message contains malicious scripts, it can lead to Stored XSS attacks
when other users view the page.

Remediation

To mitigate Stored XSS vulnerabilities, always sanitize and encode user
input before storing it in a persistent state and before displaying it
to other users:

func serveMessage(w http.ResponseWriter, r *http.Request) {
    db, _ := sql.Open("sqlite3", "test.db")
    message := db.QueryRow("SELECT message FROM messages WHERE id = 1")
-   fmt.Fprintf(w, "<h1>%s</h1>", message)
+   fmt.Fprintf(w, "<h1>%s</h1>", html.EscapeString(message))
}

In the remediation, we've used the html.EscapeString function to escape
the message before embedding it into the HTML response. This helps prevent
the execution of malicious scripts and mitigates the Stored XSS vulnerability.

Code Flows
Vulnerable data flow analysis result

↘️ os.ReadFile("../testdata/configprofile/configProfileExample.json") (at utils/testsutils.go line 176)

↘️ content (at utils/testsutils.go line 176)

↘️ content (at utils/testsutils.go line 196)

@github-actions
Copy link
Contributor

github-actions bot commented Jan 13, 2026 

content

at utils/testsutils.go (line 205)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity Finding
medium
Medium		 Untrusted stored value is included in web page content
Full description

Vulnerability Details
Rule ID: go-stored-xss

Overview

Stored Cross-Site Scripting (XSS) is a type of vulnerability where malicious
scripts are injected into a web application and stored in a persistent state,
such as a database. When other users access the affected page, the stored
scripts are executed in their browsers, leading to various attacks.

Vulnerable example

func serveMessage(w http.ResponseWriter, r *http.Request) {
    db, _ := sql.Open("sqlite3", "test.db")
    message := db.QueryRow("SELECT message FROM messages WHERE id = 1")
    fmt.Fprintf(w, "<h1>%s</h1>", message)
}

In this example, the serveMessage function retrieves a message from the
database and directly embeds it into an HTML response without proper escaping.
If the message contains malicious scripts, it can lead to Stored XSS attacks
when other users view the page.

Remediation

To mitigate Stored XSS vulnerabilities, always sanitize and encode user
input before storing it in a persistent state and before displaying it
to other users:

func serveMessage(w http.ResponseWriter, r *http.Request) {
    db, _ := sql.Open("sqlite3", "test.db")
    message := db.QueryRow("SELECT message FROM messages WHERE id = 1")
-   fmt.Fprintf(w, "<h1>%s</h1>", message)
+   fmt.Fprintf(w, "<h1>%s</h1>", html.EscapeString(message))
}

In the remediation, we've used the html.EscapeString function to escape
the message before embedding it into the HTML response. This helps prevent
the execution of malicious scripts and mitigates the Stored XSS vulnerability.

Code Flows
Vulnerable data flow analysis result

↘️ os.ReadFile("../testdata/configprofile/configProfileExample.json") (at utils/testsutils.go line 202)

↘️ content (at utils/testsutils.go line 202)

↘️ content (at utils/testsutils.go line 205)

@github-actions
Copy link
Contributor

github-actions bot commented Jan 13, 2026 

file

at scanrepository/scanrepository_test.go (line 781)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity Finding
medium
Medium		 Untrusted stored value is included in web page content
Full description

Vulnerability Details
Rule ID: go-stored-xss

Overview

Stored Cross-Site Scripting (XSS) is a type of vulnerability where malicious
scripts are injected into a web application and stored in a persistent state,
such as a database. When other users access the affected page, the stored
scripts are executed in their browsers, leading to various attacks.

Vulnerable example

func serveMessage(w http.ResponseWriter, r *http.Request) {
    db, _ := sql.Open("sqlite3", "test.db")
    message := db.QueryRow("SELECT message FROM messages WHERE id = 1")
    fmt.Fprintf(w, "<h1>%s</h1>", message)
}

In this example, the serveMessage function retrieves a message from the
database and directly embeds it into an HTML response without proper escaping.
If the message contains malicious scripts, it can lead to Stored XSS attacks
when other users view the page.

Remediation

To mitigate Stored XSS vulnerabilities, always sanitize and encode user
input before storing it in a persistent state and before displaying it
to other users:

func serveMessage(w http.ResponseWriter, r *http.Request) {
    db, _ := sql.Open("sqlite3", "test.db")
    message := db.QueryRow("SELECT message FROM messages WHERE id = 1")
-   fmt.Fprintf(w, "<h1>%s</h1>", message)
+   fmt.Fprintf(w, "<h1>%s</h1>", html.EscapeString(message))
}

In the remediation, we've used the html.EscapeString function to escape
the message before embedding it into the HTML response. This helps prevent
the execution of malicious scripts and mitigates the Stored XSS vulnerability.

Code Flows
Vulnerable data flow analysis result

↘️ os.ReadFile(fmt.Sprintf("%s.tar.gz", projectName)) (at scanrepository/scanrepository_test.go line 779)

↘️ file (at scanrepository/scanrepository_test.go line 779)

↘️ file (at scanrepository/scanrepository_test.go line 781)

@github-actions
Copy link
Contributor

github-actions bot commented Jan 13, 2026 

discussions

at scanpullrequest/scanpullrequest_test.go (line 1085)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity Finding
medium
Medium		 Untrusted stored value is included in web page content
Full description

Vulnerability Details
Rule ID: go-stored-xss

Overview

Stored Cross-Site Scripting (XSS) is a type of vulnerability where malicious
scripts are injected into a web application and stored in a persistent state,
such as a database. When other users access the affected page, the stored
scripts are executed in their browsers, leading to various attacks.

Vulnerable example

func serveMessage(w http.ResponseWriter, r *http.Request) {
    db, _ := sql.Open("sqlite3", "test.db")
    message := db.QueryRow("SELECT message FROM messages WHERE id = 1")
    fmt.Fprintf(w, "<h1>%s</h1>", message)
}

In this example, the serveMessage function retrieves a message from the
database and directly embeds it into an HTML response without proper escaping.
If the message contains malicious scripts, it can lead to Stored XSS attacks
when other users view the page.

Remediation

To mitigate Stored XSS vulnerabilities, always sanitize and encode user
input before storing it in a persistent state and before displaying it
to other users:

func serveMessage(w http.ResponseWriter, r *http.Request) {
    db, _ := sql.Open("sqlite3", "test.db")
    message := db.QueryRow("SELECT message FROM messages WHERE id = 1")
-   fmt.Fprintf(w, "<h1>%s</h1>", message)
+   fmt.Fprintf(w, "<h1>%s</h1>", html.EscapeString(message))
}

In the remediation, we've used the html.EscapeString function to escape
the message before embedding it into the HTML response. This helps prevent
the execution of malicious scripts and mitigates the Stored XSS vulnerability.

Code Flows
Vulnerable data flow analysis result

↘️ os.ReadFile(filepath.Join("..", "list_merge_request_discussion_items.json")) (at scanpullrequest/scanpullrequest_test.go line 1083)

↘️ discussions (at scanpullrequest/scanpullrequest_test.go line 1083)

↘️ discussions (at scanpullrequest/scanpullrequest_test.go line 1085)

@github-actions
Copy link
Contributor

github-actions bot commented Jan 13, 2026 

repoFile

at scanpullrequest/scanpullrequest_test.go (line 1036)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity Finding
medium
Medium		 Untrusted stored value is included in web page content
Full description

Vulnerability Details
Rule ID: go-stored-xss

Overview

Stored Cross-Site Scripting (XSS) is a type of vulnerability where malicious
scripts are injected into a web application and stored in a persistent state,
such as a database. When other users access the affected page, the stored
scripts are executed in their browsers, leading to various attacks.

Vulnerable example

func serveMessage(w http.ResponseWriter, r *http.Request) {
    db, _ := sql.Open("sqlite3", "test.db")
    message := db.QueryRow("SELECT message FROM messages WHERE id = 1")
    fmt.Fprintf(w, "<h1>%s</h1>", message)
}

In this example, the serveMessage function retrieves a message from the
database and directly embeds it into an HTML response without proper escaping.
If the message contains malicious scripts, it can lead to Stored XSS attacks
when other users view the page.

Remediation

To mitigate Stored XSS vulnerabilities, always sanitize and encode user
input before storing it in a persistent state and before displaying it
to other users:

func serveMessage(w http.ResponseWriter, r *http.Request) {
    db, _ := sql.Open("sqlite3", "test.db")
    message := db.QueryRow("SELECT message FROM messages WHERE id = 1")
-   fmt.Fprintf(w, "<h1>%s</h1>", message)
+   fmt.Fprintf(w, "<h1>%s</h1>", html.EscapeString(message))
}

In the remediation, we've used the html.EscapeString function to escape
the message before embedding it into the HTML response. This helps prevent
the execution of malicious scripts and mitigates the Stored XSS vulnerability.

Code Flows
Vulnerable data flow analysis result

↘️ os.ReadFile(filepath.Join("..", params.RepoName, "sourceBranch.gz")) (at scanpullrequest/scanpullrequest_test.go line 1034)

↘️ repoFile (at scanpullrequest/scanpullrequest_test.go line 1034)

↘️ repoFile (at scanpullrequest/scanpullrequest_test.go line 1036)

@github-actions
Copy link
Contributor

github-actions bot commented Jan 13, 2026 

repoFile

at scanpullrequest/scanpullrequest_test.go (line 1043)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity Finding
medium
Medium		 Untrusted stored value is included in web page content
Full description

Vulnerability Details
Rule ID: go-stored-xss

Overview

Stored Cross-Site Scripting (XSS) is a type of vulnerability where malicious
scripts are injected into a web application and stored in a persistent state,
such as a database. When other users access the affected page, the stored
scripts are executed in their browsers, leading to various attacks.

Vulnerable example

func serveMessage(w http.ResponseWriter, r *http.Request) {
    db, _ := sql.Open("sqlite3", "test.db")
    message := db.QueryRow("SELECT message FROM messages WHERE id = 1")
    fmt.Fprintf(w, "<h1>%s</h1>", message)
}

In this example, the serveMessage function retrieves a message from the
database and directly embeds it into an HTML response without proper escaping.
If the message contains malicious scripts, it can lead to Stored XSS attacks
when other users view the page.

Remediation

To mitigate Stored XSS vulnerabilities, always sanitize and encode user
input before storing it in a persistent state and before displaying it
to other users:

func serveMessage(w http.ResponseWriter, r *http.Request) {
    db, _ := sql.Open("sqlite3", "test.db")
    message := db.QueryRow("SELECT message FROM messages WHERE id = 1")
-   fmt.Fprintf(w, "<h1>%s</h1>", message)
+   fmt.Fprintf(w, "<h1>%s</h1>", html.EscapeString(message))
}

In the remediation, we've used the html.EscapeString function to escape
the message before embedding it into the HTML response. This helps prevent
the execution of malicious scripts and mitigates the Stored XSS vulnerability.

Code Flows
Vulnerable data flow analysis result

↘️ os.ReadFile(filepath.Join("..", params.RepoName, "targetBranch.gz")) (at scanpullrequest/scanpullrequest_test.go line 1041)

↘️ repoFile (at scanpullrequest/scanpullrequest_test.go line 1041)

↘️ repoFile (at scanpullrequest/scanpullrequest_test.go line 1043)

@github-actions
Copy link
Contributor

github-actions bot commented Jan 13, 2026 

comments

at scanpullrequest/scanpullrequest_test.go (line 1050)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity Finding
medium
Medium		 Untrusted stored value is included in web page content
Full description

Vulnerability Details
Rule ID: go-stored-xss

Overview

Stored Cross-Site Scripting (XSS) is a type of vulnerability where malicious
scripts are injected into a web application and stored in a persistent state,
such as a database. When other users access the affected page, the stored
scripts are executed in their browsers, leading to various attacks.

Vulnerable example

func serveMessage(w http.ResponseWriter, r *http.Request) {
    db, _ := sql.Open("sqlite3", "test.db")
    message := db.QueryRow("SELECT message FROM messages WHERE id = 1")
    fmt.Fprintf(w, "<h1>%s</h1>", message)
}

In this example, the serveMessage function retrieves a message from the
database and directly embeds it into an HTML response without proper escaping.
If the message contains malicious scripts, it can lead to Stored XSS attacks
when other users view the page.

Remediation

To mitigate Stored XSS vulnerabilities, always sanitize and encode user
input before storing it in a persistent state and before displaying it
to other users:

func serveMessage(w http.ResponseWriter, r *http.Request) {
    db, _ := sql.Open("sqlite3", "test.db")
    message := db.QueryRow("SELECT message FROM messages WHERE id = 1")
-   fmt.Fprintf(w, "<h1>%s</h1>", message)
+   fmt.Fprintf(w, "<h1>%s</h1>", html.EscapeString(message))
}

In the remediation, we've used the html.EscapeString function to escape
the message before embedding it into the HTML response. This helps prevent
the execution of malicious scripts and mitigates the Stored XSS vulnerability.

Code Flows
Vulnerable data flow analysis result

↘️ os.ReadFile(filepath.Join("..", "commits.json")) (at scanpullrequest/scanpullrequest_test.go line 1048)

↘️ comments (at scanpullrequest/scanpullrequest_test.go line 1048)

↘️ comments (at scanpullrequest/scanpullrequest_test.go line 1050)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@eranturgeman eranturgeman eranturgeman approved these changes

@orto17 orto17 orto17 approved these changes

Assignees

@eyalk007 eyalk007

Labels

ignore for release Automatically generated release notes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@eyalk007 @eranturgeman @orto17