akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 16 Packages Projects Releases Wiki Activity
Files
11e575d6ccc7da8bb309f8f0b6e4f3e2a15830d2
Charon/docs/reports/qa_report.md
GitHub Actions 11e575d6cc fix: stabilize e2e test suite and auth configuration 
- Standardized E2E base URL to 127.0.0.1 to resolve cookie domain 401 errors
- Updated playwright config to strictly exclude security tests from main shards
- Refactored waitForModal helper to prevent strict mode violations on complex modals
- Fixed leak of crowdsec diagnostics tests into standard chromium project
2026-02-06 07:43:26 +00:00

8.1 KiB
Raw Blame History

QA Report - Phase 6 Audit (Playwright Config Update)

Date: February 6, 2026 Trigger: Update of playwright.config.js to separate and sequence security tests. Auditor: QA Security Engineer (Gemini 3 Pro)

1. Executive Summary

The Phase 6 Audit was performed to validate the new Playwright configuration which splits security tests into a separate project that runs prior to standard browser tests.

Status: 🔴 FAILED

While the configuration successfully enforced the execution order (security tests ran first), the security tests themselves failed due to authentication issues in the test environment. This failure, combined with the new dependency structure, caused the majority of the standard E2E suite (1964 tests) to be skipped.

Security scans identified 1 High-severity misconfiguration in the Dockerfile and 2 High-severity vulnerabilities in the container base image.

2. E2E Test Execution Analysis

Execution Order Verification

  • Result: Verified
  • Observation: The security-tests project executed before chromium, firefox, and webkit projects as configured.

Test Results

  • Total Tests Run: 219
  • Passed: 201
  • Failed: 18
  • Skipped / Not Run: 1,964
  • Pass Rate: ~9% (of total suite) / 91% (of executed tests)

Failure Analysis

The 18 failed tests were all within the security-tests project. The failures were consistent 401 Unauthorized errors during test setup/teardown helpers.

Key Error:

Failed to enable Cerberus: Error: Failed to set cerberus to true: 401 {"error":"Authorization header required"}

Impacted Areas:

  1. Security Helpers: setSecurityModuleEnabled(), getSecurityStatus(), configureAdminWhitelist() in tests/utils/security-helpers.ts.
  2. Tests:
    • security-enforcement/acl-enforcement.spec.ts
    • security-enforcement/combined-enforcement.spec.ts
    • security-enforcement/crowdsec-enforcement.spec.ts
    • security-enforcement/rate-limit-enforcement.spec.ts
    • security-enforcement/waf-enforcement.spec.ts
    • security/acl-integration.spec.ts (Also failed finding UI modals)

Root Cause Hypothesis: The test environment (charon-e2e container) requires authentication for the management API (/api/v1/security/*), but the test helper functions are failing to provide a valid Authorization header or session cookie in the current context.

Blocking Issue: Because chromium etc. depend on security-tests, the failure of the security suite prevented the standard browser tests from running.

3. Security Scan Findings

Trivy Filesystem Scan

  • Command: trivy fs /projects/Charon --skip-dirs .cache
  • Findings:
    • Dockerfile: 1 🔴 HIGH Misconfiguration
      • ID: DS-0002
      • Message: "Image user should not be 'root'"
      • Resolution: Add USER <non-root> instruction.

Trivy Docker Image Scan

  • Target: charon:local (Debian 13.3)
  • Findings:
    • Total: 2 🔴 HIGH Vulnerabilities
    • CVE-2026-0861 (libc-bin, libc6): Integer overflow in memalign leading to heap corruption.
    • Status: Fix available in upstream Debian (upgrade required).

4. Recommendations & Next Steps

Immediate Actions (Blockers)

  1. Fix Test Authentication: Investigate tests/utils/security-helpers.ts. Ensure it properly authenticates (e.g., logs in via UI or uses a valid API token) before attempting to configure security modules. Inspect .env usage in the E2E container.
  2. Fix UI Interaction: Investigate waitForModal failures in acl-integration.spec.ts. The UI might have changed, breaking the locator "/edit|proxy/i".

Security Remediation

  1. Dockerfile Hardening: implementation of a non-root user in the Dockerfile.
  2. Base Image Update: Re-pull the base image (debian:bookworm-slim or equivalent) to pick up the patch for CVE-2026-0861, or ensure apt-get upgrade runs during build.

Configuration Adjustment

  • Consider Fail-Open for Dev: While serial execution is good for CI, consider if local development requires dependencies: ['security-tests'] to be strict, or if we can allow specific headers/tokens to bypass this for easier debugging.

5. Conclusion

The separation of security tests is sound, but the current state of the security test suite is unstable. Prioritize fixing the 401 errors in the security helpers to unblock the rest of the E2E suite.

QA Report: Project Health Check (Previous)

Date: 2026-02-05 Version: v0.18.13 Scope: Full project health check via pre-commit hooks and YAML validation.

Executive Summary

Category Status Details
YAML Syntax PASS All YAML files are valid
Pre-commit Hooks PASS All hooks passed (after version fix)
Version Sync PASS .version synced with git tag v0.18.13
File Consistency PASS No trailing whitespace or end-of-file issues
LFS Usage PASS No untracked large files

Overall Status: APPROVED - The codebase is clean and compliant with all quality gates.

1. YAML Syntax Validation

Results

  • Status: PASS
  • Command: pre-commit run check-yaml --all-files
  • Output:
check yaml...............................................................Passed

Analysis

  • All YAML files (workflows, config, docker-compose) are syntactically correct.
  • No parsing errors detected.

2. Pre-commit Hook Validation

Results

  • Status: PASS
  • Command: pre-commit run --all-files (alias qa-precommit-all)
  • Issues Found:
    • Initial Run: FAIL - .version (v0.17.1) did not match Git tag (v0.18.13).
    • Resolution: Updated .version file to v0.18.13.
    • Final Run: PASS

Hook Details

Hook Status Notes
fix end of files Pass
trim trailing whitespace Pass
check yaml Pass
check for added large files Pass
dockerfile validation Pass
Go Vet Pass
golangci-lint (Fast) Pass
Check .version matches tag Pass Fixed: synced to v0.18.13
LFS large files check Pass
Prevent CodeQL DB commits Pass
Prevent data/backups commits Pass
Frontend TypeScript Check Pass
Frontend Lint (Fix) Pass

3. Version Synchronization

Issue Detected

The .version file contained v0.17.1 while the latest git tag was v0.18.13, causing the version check hook to fail.

Remediation

Executed:

echo "v0.18.13" > /projects/Charon/.version

This aligns the project version file with the source control tag.

4. Final Verification

A final run of all checks confirmed the project is in a consistent state:

fix end of files.........................................................Passed
trim trailing whitespace.................................................Passed
check yaml...............................................................Passed
check for added large files..............................................Passed
dockerfile validation....................................................Passed
Go Vet...................................................................Passed
golangci-lint (Fast Linters - BLOCKING)..................................Passed
Check .version matches latest Git tag....................................Passed
Prevent large files that are not tracked by LFS..........................Passed
Prevent committing CodeQL DB artifacts...................................Passed
Prevent committing data/backups files....................................Passed
Frontend TypeScript Check................................................Passed
Frontend Lint (Fix)......................................................Passed

5. Recommendations

  1. Commit Changes: Commit the updated .version file.
  2. Proceed: The codebase is ready for further development or release processes.

QA Report generated: 2026-02-05 Agent: QA Security Engineer Validation Type: Health Check

Reference in New Issue View Git Blame Copy Permalink