New rake check - compare root url: to filename (without suffix) #1069
jasnow wants to merge 1 commit into
Conversation
Hint: If you want to see all the failed checks, change the start date to 2000 and you will see all of them.
```ruby
url = advisory["url"]

# Extract last path segment from URL
url_root = File.basename(URI.parse(url).path)
```
I wonder if it would be useful to instead assert something like

`expect(url).to include(filename_root)`

resulting in a message like

`expected "https://github.com/lsegal/yard/security/advisories/GHSA-3jfp-46x4-xgfj" to include "CVE-2026-41493"`

Then the assertion would pass on URLs like https://www.cve.org/CVERecord?id=CVE-2026-45363 (see "/gems/jwt/CVE-2026-45363.yml").
```ruby
# Skip advisories older than start_date and old OSVDB advisories.
if advisory["date"] >= start_date and !filename_root.start_with?("OSVDB")
  expect(filename_root).to eq(url_root),
    "Expected filename '#{filename_root}' DOES NOT to match URL root '#{url_root}'"
```
This string is not used as the error message. RSpec will generate the right message based on the assertion. It can be removed.
```ruby
filename_root = File.basename(path, ".yml")

# 5/24/2026: May 9, 2026 is earliest start date with no failed checks.
start_date = Date.new(2026, 5, 9)
```
I like this approach. I've heard this approach called "ratcheting", where you set a linting policy that is immediately in effect for new code/reports, but allows older code to pass; and then have the ability to gradually apply it to the rest of the codebase/reports.
Based on @simi's feedback during the past week or two, I tried to create a new "rake" lint check (rule) for root `url:` == basename(filename).

First, since this is a new rule and there is a large number of failed checks on existing advisories, I decided to pick a start date to start applying it. I found that advisories with `date:` > "2026-05-09" all passed. I know this is a compromise but I hope the team agrees that the new check is worth the compromise.

Second, I skipped the OSVDB advisories because they are very old and that database was removed from the web and internet archive.
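To make the two rules under discussion concrete (the strict `eq(url_root)` comparison in this PR and the `include(filename_root)` variant suggested in review), here is an added stand-alone Ruby example; it is not the project's rake task or RSpec file. The ratchet (start date plus the OSVDB skip) is reproduced from the PR description. The advisory table is constructed for the example: the yard and jwt entries reuse the URLs quoted in the review thread, while the `example.com` URLs, the `OSVDB-12345`/`CVE-2026-00001`/`CVE-2020-00002` file names and every date are made up.

```ruby
require "date"
require "uri"

# Earliest start date named in the PR; advisories dated before it are not checked.
START_DATE = Date.new(2026, 5, 9)

# Constructed sample advisories keyed by repository path. The first two URLs are
# the ones quoted in the review; everything else (ids, example.com URLs, dates)
# is made up for this example.
SAMPLE_ADVISORIES = {
  "gems/yard/CVE-2026-41493.yml" => {
    "url" => "https://github.com/lsegal/yard/security/advisories/GHSA-3jfp-46x4-xgfj",
    "date" => Date.new(2026, 5, 20),
  },
  "gems/jwt/CVE-2026-45363.yml" => {
    "url" => "https://www.cve.org/CVERecord?id=CVE-2026-45363",
    "date" => Date.new(2026, 5, 12),
  },
  "gems/example/CVE-2026-00001.yml" => {          # hypothetical: id is the last path segment
    "url" => "https://example.com/advisories/CVE-2026-00001",
    "date" => Date.new(2026, 5, 15),
  },
  "gems/example/OSVDB-12345.yml" => {             # hypothetical: OSVDB entries are always skipped
    "url" => "https://example.com/osvdb/12345",
    "date" => Date.new(2014, 1, 1),
  },
  "gems/example/CVE-2020-00002.yml" => {          # hypothetical: dated before START_DATE
    "url" => "https://example.com/advisories/something-else",
    "date" => Date.new(2020, 3, 1),
  },
}.freeze

# Filename without the .yml suffix, e.g. "CVE-2026-45363".
def filename_root(path)
  File.basename(path, ".yml")
end

# Last path segment of the advisory URL. A query string (?id=...) is not part
# of the path, which is why cve.org URLs end up with "CVERecord" here.
def url_root(url)
  File.basename(URI.parse(url).path)
end

# The ratchet: only advisories dated on/after start_date are checked, and
# OSVDB advisories are never checked.
def checked?(path, advisory, start_date = START_DATE)
  advisory["date"] >= start_date && !filename_root(path).start_with?("OSVDB")
end

# Strict rule from the PR: URL's last path segment must equal the filename root.
def eq_check(path, advisory, start_date = START_DATE)
  return :skipped unless checked?(path, advisory, start_date)
  filename_root(path) == url_root(advisory["url"]) ? :pass : :fail
end

# Relaxed rule from the review: the identifier must appear anywhere in the URL.
def include_check(path, advisory, start_date = START_DATE)
  return :skipped unless checked?(path, advisory, start_date)
  advisory["url"].include?(filename_root(path)) ? :pass : :fail
end

# Run one rule (:eq_check or :include_check) over every advisory; returns path => result.
def run_checks(advisories, rule, start_date = START_DATE)
  advisories.to_h { |path, adv| [path, send(rule, path, adv, start_date)] }
end

if __FILE__ == $PROGRAM_NAME
  %i[eq_check include_check].each do |rule|
    puts "== #{rule}"
    run_checks(SAMPLE_ADVISORIES, rule).each do |path, result|
      puts "#{result.to_s.ljust(7)} #{path}"
    end
  end
end
```

Running it shows the difference the reviewer points at: the jwt advisory fails `eq_check` (its URL root is `CVERecord`) but passes `include_check`, while the yard advisory fails both, because its GHSA URL never mentions the CVE id at all. Either rule is only a consistency lint; it does not verify that the URL actually resolves to the advisory it claims to describe.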