[Coverage Report] Test Coverage Report — 2026-06-15 #5062
This discussion was automatically closed because it expired on 2026-06-22T21:12:16.338Z.
📊 Test Coverage Report — 2026-06-15
Overall Coverage
🛡️ Security-Critical Path Status
📋 Coverage Table (files < 80% stmts or security-critical)
- `src/commands/validators/network-options.ts`
- `src/cli.ts`
- `src/domain-patterns.ts`
- `src/docker-manager.ts`
- `src/host-iptables.ts`
- `src/squid-config.ts`

Generated by test-coverage-reporter workflow. Trigger: `workflow_dispatch`

🔍 Notable Findings

1. `commands/validators/network-options.ts` — lowest coverage in the project (66.66% lines, 50% branches)

7 of 21 lines and 5 of 10 branches are uncovered. The missing paths are all warning branches for anomalous Docker host configurations:

- `DOCKER_HOST` detected → redirect warning
- `--docker-host-path-prefix` set

These branches guard ARC/DinD network isolation correctness. An uncovered warning path isn't just cosmetic — it means the logic that detects misconfigured environments has never been exercised.

2. `logs/log-parser.ts` — 68.57% branch coverage (22 of 70 branches uncovered)

The Squid audit log parser has the lowest branch coverage in the codebase. Key uncovered paths in `parseAuditJsonlLine`:

- `[2001:db8::1]:443` format (lines 178–189)
- `ts` epoch fallback (lines 218–220)
- `extractDomain` fallback URL parsing (try/catch path, lines 135–142)

Missing branches here mean malformed or IPv6-addressed log entries could be silently dropped, producing gaps in the security audit trail.

3. `domain-patterns.ts` — 4 uncovered branches (94.52% of 73 branches covered)

Overall coverage is good, but this file generates Squid ACL rules, so every uncovered branch is a potential domain allowlist bypass. The 4 remaining uncovered branches likely include edge cases in wildcard validation or backslash rejection in `validateDomainOrPattern`. Given the security-critical role of this file, 100% branch coverage should be the target.

4. `logs/audit-enricher.ts` — 74.13% branch coverage (15 of 58 branches uncovered)

The audit enricher classifies network traffic for reporting. With 15 uncovered branches, there are realistic log-entry shapes that have never been fed through the classifier. Misclassification bugs here produce incorrect allowed/denied totals in `awf logs stats` output.

📈 Recommendations
🔴 High — Test `commands/validators/network-options.ts` DinD/external-host warning branches

Mock `process.env.DOCKER_HOST` to a non-loopback TCP address (e.g., (192.168.1.5/redacted) and call `validateNetworkOptions({})`. Assert that `logger.warn` is called with the external-host message. Repeat with a non-standard Unix socket path (e.g., `/var/run/docker-alt.sock`) to hit the DinD hint branch. These are straightforward unit tests that would bring the file from 50% → ~90% branch coverage.

🔴 High — Improve `logs/log-parser.ts` branch coverage (68.57% → 90%+)

Add test cases to the existing `log-parser.test.ts`:

- `parseAuditJsonlLine` with `dest: "[2001:db8::1]:443"` (IPv6 bracketed format)
- `parseAuditJsonlLine` with `timestamp: "not-a-date"` and `ts: 1234567890` (invalid ISO + valid legacy fallback)
- `parseAuditJsonlLine` with `dest: "192.168.1.1"` and no port (bare IP, no colon)
- `extractDomain` via `parseLogLine` with a CONNECT URL containing no colon (no port to strip)

These edge cases correspond to real log entries that arise from non-standard client tooling or IPv6 infrastructure.

🟡 Medium — Achieve 100% branch coverage in `domain-patterns.ts`

Inspect the 4 uncovered branches using `coverage/lcov-report/src/domain-patterns.ts.html`. Likely candidates: passing a domain containing a backslash (triggers the `\` rejection path in `validateDomainOrPattern`), an empty-string input, or a wildcard-only pattern (`*`). Because this file's output feeds directly into Squid ACL rules, 100% branch coverage provides a stronger guarantee that no input can produce a mis-generated ACL line.