139 lines
4.9 KiB
Markdown
139 lines
4.9 KiB
Markdown
# QA Report — PR #754: Enable and Test Gotify and Custom Webhook Notifications
|
|
|
|
**Branch:** `feature/beta-release`
|
|
**Date:** 2026-02-25
|
|
**Auditor:** QA Security Agent
|
|
|
|
---
|
|
|
|
## Summary
|
|
|
|
| # | Check | Result | Details |
|
|
|---|-------|--------|---------|
|
|
| 1 | Local Patch Coverage Preflight | **WARN** | 79.5% overall (threshold 90%), 78.3% backend (threshold 85%) — advisory only |
|
|
| 2 | Backend Coverage ≥ 85% | **PASS** | 87.0% statement / 87.3% line (threshold 87%) |
|
|
| 3 | Frontend Coverage ≥ 85% | **PASS** | 88.21% statement / 88.97% line (threshold 85%) |
|
|
| 4 | TypeScript Type Check | **PASS** | Zero errors |
|
|
| 5 | Pre-commit Hooks | **PASS** | All 15 hooks passed |
|
|
| 6a | Trivy Filesystem Scan | **PASS** | 0 CRITICAL/HIGH in project code (findings only in Go module cache) |
|
|
| 6b | Docker Image Scan | **WARN** | 1 HIGH in Caddy transitive dep (CVE-2026-25793, nebula v1.9.7 → fixed 1.10.3) |
|
|
| 6c | CodeQL (Go + JavaScript) | **PASS** | 0 errors, 0 warnings across both languages |
|
|
| 7 | GORM Security Scan | **PASS** | 0 CRITICAL/HIGH (2 INFO suggestions: missing indexes on UserPermittedHost) |
|
|
| 8 | Go Vulnerability Check | **PASS** | No vulnerabilities found |
|
|
|
|
---
|
|
|
|
## Detailed Findings
|
|
|
|
### 1. Local Patch Coverage Preflight
|
|
|
|
- **Status:** WARN (advisory, not blocking per policy)
|
|
- Overall patch coverage: **79.5%** (threshold: 90%)
|
|
- Backend patch coverage: **78.3%** (threshold: 85%)
|
|
- Artifacts generated but `test-results/` directory was not persisted at repo root
|
|
- **Action:** Consider adding targeted tests for uncovered changed lines in notification service/handler
|
|
|
|
### 2. Backend Unit Test Coverage
|
|
|
|
- **Status:** PASS
|
|
- Statement coverage: **87.0%**
|
|
- Line coverage: **87.3%**
|
|
- All tests passed (0 failures)
|
|
|
|
### 3. Frontend Unit Test Coverage
|
|
|
|
- **Status:** PASS
|
|
- Statement coverage: **88.21%**
|
|
- Branch coverage: **80.58%**
|
|
- Function coverage: **85.20%**
|
|
- Line coverage: **88.97%**
|
|
- All tests passed (0 failures)
|
|
- Coverage files generated: `lcov.info`, `coverage-summary.json`, `coverage-final.json`
|
|
|
|
### 4. TypeScript Type Check
|
|
|
|
- **Status:** PASS
|
|
- `tsc --noEmit` completed with zero errors
|
|
|
|
### 5. Pre-commit Hooks
|
|
|
|
- **Status:** PASS
|
|
- All hooks passed:
|
|
- fix end of files
|
|
- trim trailing whitespace
|
|
- check yaml
|
|
- check for added large files
|
|
- shellcheck
|
|
- actionlint (GitHub Actions)
|
|
- dockerfile validation
|
|
- Go Vet
|
|
- golangci-lint (Fast Linters - BLOCKING)
|
|
- Check .version matches latest Git tag
|
|
- Prevent large files not tracked by LFS
|
|
- Prevent committing CodeQL DB artifacts
|
|
- Prevent committing data/backups files
|
|
- Frontend TypeScript Check
|
|
- Frontend Lint (Fix)
|
|
|
|
### 6a. Trivy Filesystem Scan
|
|
|
|
- **Status:** PASS
|
|
- Scanned `backend/` and `frontend/` directories: **0 CRITICAL, 0 HIGH**
|
|
- Full workspace scan found 3 CRITICAL + 14 HIGH across Go module cache dependencies (not project code)
|
|
- Trivy misconfig scanner crashed (known Trivy bug in ansible parser — nil pointer dereference in `discovery.go:82`). Vuln scanner completed successfully.
|
|
|
|
### 6b. Docker Image Scan
|
|
|
|
- **Status:** WARN (not blocking — upstream dependency)
|
|
- Image: `charon:local`
|
|
- **1 HIGH finding:**
|
|
- **CVE-2026-25793** — `github.com/slackhq/nebula` v1.9.7 (in `usr/bin/caddy` binary)
|
|
- Description: Blocklist evasion via ECDSA Signature Malleability
|
|
- Fixed in: v1.10.3
|
|
- Impact: Caddy transitive dependency, not Charon code
|
|
- **Remediation:** Upgrade Caddy to a version that pulls nebula ≥ 1.10.3 when available
|
|
|
|
### 6c. CodeQL Scans
|
|
|
|
- **Status:** PASS
|
|
- **Go:** 0 errors, 0 warnings
|
|
- **JavaScript:** 0 errors, 0 warnings (347/347 files scanned)
|
|
- SARIF outputs: `codeql-results-go.sarif`, `codeql-results-javascript.sarif`
|
|
|
|
### 7. GORM Security Scan
|
|
|
|
- **Status:** PASS
|
|
- Scanned: 41 Go files (2207 lines), 2 seconds
|
|
- **0 CRITICAL, 0 HIGH, 0 MEDIUM**
|
|
- 2 INFO suggestions:
|
|
- `backend/internal/models/user.go:109` — `UserPermittedHost.UserID` missing index
|
|
- `backend/internal/models/user.go:110` — `UserPermittedHost.ProxyHostID` missing index
|
|
|
|
### 8. Go Vulnerability Check
|
|
|
|
- **Status:** PASS
|
|
- `govulncheck ./...` — No vulnerabilities found
|
|
|
|
---
|
|
|
|
## Gotify Token Security Review
|
|
|
|
- No Gotify tokens found in logs, test artifacts, or API examples
|
|
- No tokenized URL query parameters exposed in diagnostics or output
|
|
- Token handling follows `json:"-"` pattern (verified via `HasToken` computed field approach in PR)
|
|
|
|
---
|
|
|
|
## Recommendation
|
|
|
|
### GO / NO-GO: **GO** (conditional)
|
|
|
|
All blocking gates pass. Two advisory warnings exist:
|
|
|
|
1. **Patch coverage** (79.5% overall, 78.3% backend) is below advisory thresholds but not a blocking gate per current policy
|
|
2. **Docker image** has 1 HIGH CVE in Caddy's transitive dependency (nebula) — upstream fix required, not actionable in Charon code
|
|
|
|
**Conditions:**
|
|
- Track nebula CVE-2026-25793 remediation as a follow-up issue when a Caddy update incorporates the fix
|
|
- Consider adding targeted tests for uncovered changed lines in notification service/handler to improve patch coverage
|