akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 16 Packages Projects Releases Wiki Activity
Files
26fde2d6496ddb65b8c11949c01e4be7e2b0e74d
Charon/docs/reports/qa_report_pr754.md
GitHub Actions d89b86675c chore: Add comprehensive tests for notification and permission handlers 
- Implement tests for classifyProviderTestFailure function to cover various error scenarios.
- Enhance notification provider handler tests for token validation, type change rejection, and missing provider ID.
- Add tests for permission helper functions to ensure proper admin authentication checks.
- Expand coverage for utility functions in user handler and docker service tests, including error extraction and socket path handling.
- Introduce a QA report for PR #754 highlighting coverage metrics and security findings related to Gotify and webhook notifications.
2026-02-26 02:22:08 +00:00

4.9 KiB
Raw Blame History

QA Report — PR #754: Enable and Test Gotify and Custom Webhook Notifications

Branch: feature/beta-release Date: 2026-02-25 Auditor: QA Security Agent

Summary

# Check Result Details
1 Local Patch Coverage Preflight WARN 79.5% overall (threshold 90%), 78.3% backend (threshold 85%) — advisory only
2 Backend Coverage ≥ 85% PASS 87.0% statement / 87.3% line (threshold 87%)
3 Frontend Coverage ≥ 85% PASS 88.21% statement / 88.97% line (threshold 85%)
4 TypeScript Type Check PASS Zero errors
5 Pre-commit Hooks PASS All 15 hooks passed
6a Trivy Filesystem Scan PASS 0 CRITICAL/HIGH in project code (findings only in Go module cache)
6b Docker Image Scan WARN 1 HIGH in Caddy transitive dep (CVE-2026-25793, nebula v1.9.7 → fixed 1.10.3)
6c CodeQL (Go + JavaScript) PASS 0 errors, 0 warnings across both languages
7 GORM Security Scan PASS 0 CRITICAL/HIGH (2 INFO suggestions: missing indexes on UserPermittedHost)
8 Go Vulnerability Check PASS No vulnerabilities found

Detailed Findings

1. Local Patch Coverage Preflight

  • Status: WARN (advisory, not blocking per policy)
  • Overall patch coverage: 79.5% (threshold: 90%)
  • Backend patch coverage: 78.3% (threshold: 85%)
  • Artifacts generated but test-results/ directory was not persisted at repo root
  • Action: Consider adding targeted tests for uncovered changed lines in notification service/handler

2. Backend Unit Test Coverage

  • Status: PASS
  • Statement coverage: 87.0%
  • Line coverage: 87.3%
  • All tests passed (0 failures)

3. Frontend Unit Test Coverage

  • Status: PASS
  • Statement coverage: 88.21%
  • Branch coverage: 80.58%
  • Function coverage: 85.20%
  • Line coverage: 88.97%
  • All tests passed (0 failures)
  • Coverage files generated: lcov.info, coverage-summary.json, coverage-final.json

4. TypeScript Type Check

  • Status: PASS
  • tsc --noEmit completed with zero errors

5. Pre-commit Hooks

  • Status: PASS
  • All hooks passed:
    • fix end of files
    • trim trailing whitespace
    • check yaml
    • check for added large files
    • shellcheck
    • actionlint (GitHub Actions)
    • dockerfile validation
    • Go Vet
    • golangci-lint (Fast Linters - BLOCKING)
    • Check .version matches latest Git tag
    • Prevent large files not tracked by LFS
    • Prevent committing CodeQL DB artifacts
    • Prevent committing data/backups files
    • Frontend TypeScript Check
    • Frontend Lint (Fix)

6a. Trivy Filesystem Scan

  • Status: PASS
  • Scanned backend/ and frontend/ directories: 0 CRITICAL, 0 HIGH
  • Full workspace scan found 3 CRITICAL + 14 HIGH across Go module cache dependencies (not project code)
  • Trivy misconfig scanner crashed (known Trivy bug in ansible parser — nil pointer dereference in discovery.go:82). Vuln scanner completed successfully.

6b. Docker Image Scan

  • Status: WARN (not blocking — upstream dependency)
  • Image: charon:local
  • 1 HIGH finding:
    • CVE-2026-25793github.com/slackhq/nebula v1.9.7 (in usr/bin/caddy binary)
    • Description: Blocklist evasion via ECDSA Signature Malleability
    • Fixed in: v1.10.3
    • Impact: Caddy transitive dependency, not Charon code
  • Remediation: Upgrade Caddy to a version that pulls nebula ≥ 1.10.3 when available

6c. CodeQL Scans

  • Status: PASS
  • Go: 0 errors, 0 warnings
  • JavaScript: 0 errors, 0 warnings (347/347 files scanned)
  • SARIF outputs: codeql-results-go.sarif, codeql-results-javascript.sarif

7. GORM Security Scan

  • Status: PASS
  • Scanned: 41 Go files (2207 lines), 2 seconds
  • 0 CRITICAL, 0 HIGH, 0 MEDIUM
  • 2 INFO suggestions:
    • backend/internal/models/user.go:109UserPermittedHost.UserID missing index
    • backend/internal/models/user.go:110UserPermittedHost.ProxyHostID missing index

8. Go Vulnerability Check

  • Status: PASS
  • govulncheck ./... — No vulnerabilities found

Gotify Token Security Review

  • No Gotify tokens found in logs, test artifacts, or API examples
  • No tokenized URL query parameters exposed in diagnostics or output
  • Token handling follows json:"-" pattern (verified via HasToken computed field approach in PR)

Recommendation

GO / NO-GO: GO (conditional)

All blocking gates pass. Two advisory warnings exist:

  1. Patch coverage (79.5% overall, 78.3% backend) is below advisory thresholds but not a blocking gate per current policy
  2. Docker image has 1 HIGH CVE in Caddy's transitive dependency (nebula) — upstream fix required, not actionable in Charon code

Conditions:

  • Track nebula CVE-2026-25793 remediation as a follow-up issue when a Caddy update incorporates the fix
  • Consider adding targeted tests for uncovered changed lines in notification service/handler to improve patch coverage
Reference in New Issue View Git Blame Copy Permalink