[Coverage Report] Test Coverage Report — 2026-06-15 #5042
Closed
This discussion was automatically closed because it expired on 2026-06-22T15:24:01.772Z.
Overall Coverage
Overall coverage is strong. All four metrics are well above the configured minimum thresholds (statements 38%, branches 30%, functions 35%, lines 38%), though several individual files have branch coverage below 80%.
Security-Critical File Status
- `host-iptables.ts` (+ all sub-modules)
- `host-iptables-rules.ts`
- `squid-config.ts` (entry)
- `squid/access-rules.ts`
- `squid/acl-generator.ts`
- `squid/domain-acl.ts`
- `squid/validation.ts`
- `squid/config-sections.ts`
- `squid/policy-manifest.ts`
- `domain-patterns.ts`
- `docker-manager.ts`
- `cli.ts`
Per-File Branch Coverage — Files Below 80%
- `commands/validators/network-options.ts` (50% branches)
- `services/agent-volumes/etc-mounts.ts` (67.85% branches; `/etc` filesystem exposure control)
- `logs/log-parser.ts` (68.57% branches)
- `services/agent-volumes/docker-host-staging.ts`
- `logs/audit-enricher.ts`
- `services/agent-volumes/workspace-mounts.ts`
- `commands/validators/log-and-limits.ts`
- `workdir-setup.ts`
- `squid/policy-manifest.ts` (70% functions)
🔍 Notable Findings
1.
`commands/validators/network-options.ts` — 50% branch coverage (security config gate)
This is the validation entry point for all network-security options: Docker host detection, DNS server selection, upstream proxy configuration, domain allow/block lists, and DinD path-prefix resolution. Only 5 of 10 branches are exercised. The uncovered branches most likely include:
- `dockerHostCheck.valid === false` warning path (external Docker host detected)
- `dindHint && !dockerHostPathPrefix` compound condition (ARC/DinD split-filesystem warning)
Both are warning-only paths today, but they gate security-relevant configuration decisions. A future regression that accidentally silences or skips them would be undetected without branch-level tests.
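One way to make those two warning-only branches observable to a test, as an added example that is not the project's own `network-options.ts`: the validator takes `checkDockerHost` as an injected dependency and returns its warnings as data instead of only printing them, so a unit test can assert that each branch fired (this serves finding 1 here and the High recommendation below). The option names, the `DockerHostCheck` shape, the `tcp://` vs `unix://` heuristic and the message texts are assumptions made for this example.

```typescript
// Added example, not the project's network-options.ts. The names and shapes
// below are assumptions for illustration only.

interface DockerHostCheck {
  valid: boolean; // false = Docker host is external (not the local socket)
  host: string;   // the DOCKER_HOST value that was inspected
}

interface NetworkOptions {
  dindHint: boolean;             // set when an ARC/DinD split filesystem is suspected
  dockerHostPathPrefix?: string; // host-side path prefix used to translate mounts
}

interface ValidatorDeps {
  checkDockerHost(): DockerHostCheck;
}

// Assumed heuristic: anything other than a local unix socket counts as an external host.
function checkDockerHostFromEnv(dockerHost: string | undefined): DockerHostCheck {
  const host = dockerHost ?? "unix:///var/run/docker.sock";
  return { valid: host.startsWith("unix://"), host };
}

// Warnings are returned as a list so a test can assert each branch was taken;
// a validator that only console.warn()s leaves these branches unobservable.
function validateNetworkOptions(opts: NetworkOptions, deps: ValidatorDeps): string[] {
  const warnings: string[] = [];

  const dockerHostCheck = deps.checkDockerHost();
  if (dockerHostCheck.valid === false) {
    warnings.push(`external Docker host detected (${dockerHostCheck.host}); host-side path checks may not apply`);
  }

  if (opts.dindHint && !opts.dockerHostPathPrefix) {
    warnings.push("ARC/DinD split filesystem suspected but dockerHostPathPrefix is not set");
  }

  return warnings;
}

// Production wiring: read DOCKER_HOST from the given environment map.
// Tests inject a fake ValidatorDeps instead of touching the real environment.
function validateFromEnvironment(opts: NetworkOptions, env: Record<string, string | undefined>): string[] {
  return validateNetworkOptions(opts, { checkDockerHost: () => checkDockerHostFromEnv(env.DOCKER_HOST) });
}
```

With the check injected, each of the two branches gets its own test case (external host only, missing prefix only, both), and a refactor that drops one of the `if`s fails the corresponding assertion rather than just changing what is printed.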
2.
`squid/policy-manifest.ts` — 70% function coverage (3 of 10 functions untested)
`generatePolicyManifest()` builds the structured ACL manifest used for audit log enrichment. Three functions are completely untested. Looking at the source, the three untested code paths are the conditional rule-generation branches for: HTTP-only domain rules (`allow-http-only-plain`, `allow-http-only-regex`), HTTPS-only domain rules (`allow-https-only-plain`, `allow-https-only-regex`), and explicit blocked-domain regex patterns (`deny-blocked-regex`). Each of these maps to a distinct Squid `http_access` directive. If the manifest diverges from the actual Squid config in these protocol-specific cases, the audit enricher will misattribute allowed/denied traffic.
3.
`logs/log-parser.ts` — 68.57% branch coverage (22 of 70 branches uncovered)
The log parser interprets every Squid audit event. Its 22 uncovered branches likely include: entries where `destIp` or `destPort` is `-` (no upstream connection established), decision codes that are neither `TCP_DENIED` nor `NONE` variants (e.g., `TCP_MISS`, `TCP_HIT`, `TCP_REFRESH_UNMODIFIED`), and the `isAllowed` three-way classification logic. Gaps here mean that legitimate traffic types may be misclassified in `awf logs stats` / `awf logs summary` output — a security audit correctness issue.
4.
`services/agent-volumes/etc-mounts.ts` — 67.85% branch coverage (9 of 28 branches uncovered)
This module decides which `/etc` files are bind-mounted into the agent container's chroot — a direct security boundary. The uncovered branches include the `synthesizeIdentityFile` failure path (returns `undefined` on write error), the `resolveUniqueName` collision-counter loop, and the conditional logic that adds synthesized `/etc/passwd` or `/etc/group` entries when the runner's UID/GID are absent. An untested failure in this path could cause the agent to run as the wrong user identity or skip a required identity mapping.
📈 Recommendations
🔴 High — Cover `commands/validators/network-options.ts` branch gaps
Add tests for the two uncovered warning branches: (a) `checkDockerHost()` returning `valid: false` (external TCP Docker host) and (b) `dockerHostPathPrefixResolution.dindHint === true` with no prefix set. These are the conditions where AWF detects ARC/DinD split-filesystem setups. Without branch coverage, a code change that silently breaks DinD detection would ship unnoticed.
🟡 Medium — Add protocol-specific domain tests for
`squid/policy-manifest.ts`
Add `generatePolicyManifest()` test cases with:
- (internal.corp/redacted): verifies the `allow-http-only-plain` rule is generated.
- a case that verifies `allow-https-only-plain`.
- a `blockedDomains` list that includes a regex pattern (e.g., `*.evil.example`): verifies the `deny-blocked-regex` rule is emitted.
This ensures the manifest accurately reflects the Squid ACL for all domain protocol variants and the audit enricher correlates log events correctly.
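What those table-driven tests look like against a manifest generator with the branch structure finding 2 describes, as an added example that is not the project's `policy-manifest.ts`: each protocol list is one conditional branch, and within it the plain/regex split is a second branch, so a single policy object can be built to drive every rule kind. The `DomainPolicy` input shape, the glob-to-regex conversion, the `deny-blocked-plain` kind, and the rendering of `acl` / `http_access` lines are assumptions made for this example; only the rule-kind names come from the report.

```typescript
// Added example, not the project's policy-manifest.ts. Input shape, ACL rendering
// and the deny-blocked-plain kind are assumptions; rule-kind names follow the report.

type RuleKind =
  | "allow-http-only-plain" | "allow-http-only-regex"
  | "allow-https-only-plain" | "allow-https-only-regex"
  | "deny-blocked-plain" | "deny-blocked-regex";

interface DomainPolicy {
  httpOnlyDomains: string[];
  httpsOnlyDomains: string[];
  blockedDomains: string[];
}

interface ManifestRule {
  kind: RuleKind;
  pattern: string;        // the domain or wildcard as written in the policy
  aclLine: string;        // Squid acl definition (dstdomain for plain, dstdom_regex for patterns)
  httpAccessLine: string; // the http_access directive this manifest entry corresponds to
}

// A pattern with glob characters becomes a dstdom_regex ACL; anything else is a plain dstdomain.
function isRegexPattern(pattern: string): boolean {
  return /[*?]/.test(pattern);
}

// Convert a glob such as "*.evil.example" into an anchored regex for dstdom_regex.
function globToRegex(glob: string): string {
  const escaped = glob
    .replace(/[.+^${}()|\[\]\\]/g, "\\$&") // escape regex metacharacters, keep * and ?
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return `^${escaped}$`;
}

function generatePolicyManifest(policy: DomainPolicy): ManifestRule[] {
  const rules: ManifestRule[] = [];

  const emit = (pattern: string, plainKind: RuleKind, regexKind: RuleKind, action: "allow" | "deny") => {
    const regex = isRegexPattern(pattern);
    const kind = regex ? regexKind : plainKind;
    const aclName = `${kind.replace(/-/g, "_")}_${rules.length}`;
    const aclLine = regex
      ? `acl ${aclName} dstdom_regex -i ${globToRegex(pattern)}`
      : `acl ${aclName} dstdomain ${pattern}`;
    rules.push({ kind, pattern, aclLine, httpAccessLine: `http_access ${action} ${aclName}` });
  };

  // Each loop is one of the conditional rule-generation branches the report flags.
  for (const d of policy.httpOnlyDomains) emit(d, "allow-http-only-plain", "allow-http-only-regex", "allow");
  for (const d of policy.httpsOnlyDomains) emit(d, "allow-https-only-plain", "allow-https-only-regex", "allow");
  for (const d of policy.blockedDomains) emit(d, "deny-blocked-plain", "deny-blocked-regex", "deny");
  return rules;
}

// Helper for table-driven tests: the ordered sequence of rule kinds a policy produces.
function manifestKinds(policy: DomainPolicy): RuleKind[] {
  return generatePolicyManifest(policy).map((r) => r.kind);
}
```

A test that feeds one plain and one wildcard entry into each list and asserts on `manifestKinds()` covers all six kinds in one case; asserting on the `aclLine` text of the regex entries additionally catches a manifest that names the right kind but renders an ACL the real Squid config would not match.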
🟡 Medium — Expand `logs/log-parser.ts` with real-world decision-code variants
Add unit tests covering:
- `destIp:destPort` is `-:-` (no upstream connection was established, e.g. the proxy denied the request before connecting out)
- `TCP_MISS`, `TCP_HIT`, `TCP_MEM_HIT`, and `TCP_REFRESH_UNMODIFIED` decision codes (should be classified as `isAllowed: true`)
- `NONE/` prefix variants (should be classified as noise, not counted as allowed or denied)
These cases occur regularly in production Squid logs and directly affect the accuracy of `awf logs stats` security summaries.
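A parser and three-way classifier exercising exactly those cases, as an added example that is not the project's `log-parser.ts` (it serves finding 3 and this recommendation). The line layout `<unixtime> <clientIp> <decision>/<status> <method> <url> <destIp>:<destPort>` is an assumption chosen for this example, not the project's Squid `logformat`; the sample lines are constructed, not captured traffic. The classification rule follows the report: `TCP_DENIED*` is denied, `NONE*` is noise, every other served code is allowed, and a `-` destination is kept as `null` rather than folded into the allowed/denied decision.

```typescript
// Added example, not the project's log-parser.ts. The line layout is an assumption:
// "<unixtime> <clientIp> <decision>/<status> <method> <url> <destIp>:<destPort>".

interface AuditEvent {
  timestamp: number;
  clientIp: string;
  decision: string;          // TCP_DENIED, TCP_MISS, TCP_HIT, NONE, ...
  status: number;            // HTTP status Squid returned to the client
  method: string;
  url: string;
  destIp: string | null;     // null when Squid logged "-" (no upstream connection)
  destPort: number | null;
  isAllowed: boolean | null; // true = allowed, false = denied, null = noise
}

// Three-way classification by decision code. TCP_DENIED and NONE variants are
// checked first; everything else (TCP_MISS, TCP_HIT, TCP_MEM_HIT,
// TCP_REFRESH_UNMODIFIED, TCP_TUNNEL, ...) is a request the proxy served.
function classifyDecision(decision: string): boolean | null {
  if (decision.startsWith("TCP_DENIED")) return false;
  if (decision.startsWith("NONE")) return null; // aborted / no decision: neither allowed nor denied
  return true;
}

function parseAuditLine(line: string): AuditEvent | undefined {
  const fields = line.trim().split(/\s+/);
  if (fields.length !== 6) return undefined;
  const [ts, clientIp, decisionStatus, method, url, dest] = fields;

  const slash = decisionStatus.indexOf("/");
  if (slash < 0) return undefined;
  const decision = decisionStatus.slice(0, slash);
  const status = Number(decisionStatus.slice(slash + 1));
  const timestamp = Number(ts);
  if (Number.isNaN(status) || Number.isNaN(timestamp)) return undefined;

  // "-:-" means no upstream connection was made. Keep that as null instead of a
  // bogus address, and leave allowed/denied to the decision code: a TCP_HIT also
  // has no upstream connection but was served.
  const colon = dest.lastIndexOf(":");
  const rawIp = colon < 0 ? dest : dest.slice(0, colon);
  const rawPort = colon < 0 ? "-" : dest.slice(colon + 1);

  return {
    timestamp, clientIp, decision, status, method, url,
    destIp: rawIp === "-" ? null : rawIp,
    destPort: rawPort === "-" ? null : Number(rawPort),
    isAllowed: classifyDecision(decision),
  };
}

interface LogStats { allowed: number; denied: number; noise: number; malformed: number }

// The kind of tally an "awf logs stats"-style summary needs; malformed lines are
// counted separately so they can never silently inflate the allowed column.
function summarizeLog(lines: string[]): LogStats {
  const stats: LogStats = { allowed: 0, denied: 0, noise: 0, malformed: 0 };
  for (const line of lines) {
    if (line.trim() === "") continue;
    const ev = parseAuditLine(line);
    if (ev === undefined) { stats.malformed++; continue; }
    if (ev.isAllowed === true) stats.allowed++;
    else if (ev.isAllowed === false) stats.denied++;
    else stats.noise++;
  }
  return stats;
}

// Constructed sample lines (not real traffic), one per branch above.
const SAMPLE_LOG: string[] = [
  "1718400000.123 172.30.0.5 TCP_TUNNEL/200 CONNECT api.github.com:443 140.82.112.6:443",
  "1718400001.456 172.30.0.5 TCP_DENIED/403 CONNECT evil.example:443 -:-",
  "1718400002.789 172.30.0.5 TCP_MISS/200 GET http://registry.npmjs.org/react 104.16.0.1:80",
  "1718400003.012 172.30.0.5 TCP_HIT/200 GET http://registry.npmjs.org/react -:-",
  "1718400004.345 172.30.0.5 NONE/000 CONNECT api.github.com:443 -:-",
  "1718400005.678 172.30.0.5 TCP_REFRESH_UNMODIFIED/304 GET http://deb.debian.org/dists/bookworm/InRelease 151.101.2.132:80",
];
```

The `TCP_HIT` line with a `-:-` destination is the case worth keeping in the fixture: it shows why the allowed/denied verdict has to come from the decision code, not from whether an upstream address was logged.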