build: Enable tsec checks for critical packages. #43108
Conversation
pullapprove
bot
requested review from
AndrewKushnir,
atscott,
filipesilva and
JiaLiPassion
|
@josephperrott This is the PR that enables TT static analysis for the core package. Could you take a look? |
|
All (the pull request submitter and all commit authors) CLAs are signed, but one or more commits were authored or co-authored by someone other than the pull request submitter. We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that by leaving a comment that contains only Note to project maintainer: There may be cases where the author cannot leave a comment, or the comment is not properly detected as consent. In those cases, you can manually confirm consent of the commit author(s), and set the |
Thanks @uraj for sending us this PR! I'm supportive of adding tsec to our repo.
Overall I like where this is heading, I left a few comments primarily asking for clarification on your intention here.
If we could change the PR to run these tests via bazel, then that would be better, but I can't easily estimate how much more work that would be. @josephperrott might have a better understanding. Maybe running it via the new https://bazelbuild.github.io/rules_nodejs/ that autogenerate bazel rules for npm binaries (see the babel example in that link) would make it trivial if we can collect all the right inputs easily.
Please take a look at the other comments. Thank you again.
| "outDir": ".tsec", | ||
| "types": ["node"] | ||
| }, | ||
| "files": ["zone.ts"] |
There was a problem hiding this comment.
is it right that you included just the zone.ts, shouldn't files under browser/* and others be included as well?
There was a problem hiding this comment.
The original plan is to only check core, which only depends zone.d.ts but not anything in browser/* (in terms of type checking). Do we actually want to check browser/*? If so, I can include it as one of the to-be-checked packages.
packages/core/tsconfig-tsec.json
Outdated
| "extends": "../tsconfig-tsec-base.json", | ||
| "compilerOptions": { | ||
| "composite": true, | ||
| "outDir": ".tsec" |
There was a problem hiding this comment.
I'm not too keen on writing these files into the working directory. I see that it's .gitignored but it still feels icky.
how difficult is it to run tsec under bazel?
There was a problem hiding this comment.
Tsetse (the checker engine used by tsec) used to be part of @bazel/typescript, but the support was discontinued due to the TS team being understaffed.
I tried to hack this a bit, and it turns out to need quite some work. To effectively manage dependencies with bazel, all tsconfig-tsec.json files need to be generated rather than being hand-written. The TypeScript compiler provided by bazel has a few augmentations to make this easier, but tsec is not that different from the vanilla tsc.
I can discuss with my TL whether we should support using tsec with bazel in the future (I have a prototype that can handle TS libraries with only node_modules dependencies). For now I think we have two options as temporary compromises:
- Make tsec place all the generated declaration files at a location outside of the working directory, e.g.,
/tmp/tsecor${PROJECT_ROOT}/.tsec. - Stop using project references so that I can turn on
noEmit. That way tsec won't generate any files in the working directory, at the cost of loosing incremental compilation. This, however, may not be feasible, due to zone.js/lib producing an global-scoped file zone.d.ts (without any exports), which is tricky to handle in anoEmitconfiguration.
What do you think?
There was a problem hiding this comment.
I was able to do certain amount of bazel integration. There are several caveats though.
- tsconfig-tsec.json files are still not auto-generated and have to be maintained manually to make it consistent with BUILD.bazel. The maintenance cost should be low though.
- The bazel rule
tsec_testdoes not check transitive dependencies, so each dependency needs to have its owntsec_test. This is hard to fix, unless we can have some upstream patches for the vanillats_librarybazel rule.
|
All (the pull request submitter and all commit authors) CLAs are signed, but one or more commits were authored or co-authored by someone other than the pull request submitter. We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that by leaving a comment that contains only Note to project maintainer: There may be cases where the author cannot leave a comment, or the comment is not properly detected as consent. In those cases, you can manually confirm consent of the commit author(s), and set the |
1 similar comment
|
All (the pull request submitter and all commit authors) CLAs are signed, but one or more commits were authored or co-authored by someone other than the pull request submitter. We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that by leaving a comment that contains only Note to project maintainer: There may be cases where the author cannot leave a comment, or the comment is not properly detected as consent. In those cases, you can manually confirm consent of the commit author(s), and set the |
|
All (the pull request submitter and all commit authors) CLAs are signed, but one or more commits were authored or co-authored by someone other than the pull request submitter. We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that by leaving a comment that contains only Note to project maintainer: There may be cases where the author cannot leave a comment, or the comment is not properly detected as consent. In those cases, you can manually confirm consent of the commit author(s), and set the |
uraj
changed the title
uraj
changed the title
uraj
changed the title
|
@devversion I filled google/tsec#23 to track Windows compatibility. |
|
@josephperrott there is an indication that this PR needs g3 presubmit and it looks like only |
|
@AndrewKushnir I think they can be excluded. |
|
@uraj thanks for the comment. Could you please update the exclude list in https://github.com/angular/angular/blob/master/.github/angular-robot.yml#L42 to reflect that (and also the file in g3 that is mentioned at https://github.com/angular/angular/blob/master/.github/angular-robot.yml#L35)? That should eliminate the need to have a presubmit for this PR. |
Those files are for tsec_test only and therefore irrelevant to google3.
|
@AndrewKushnir Updated. |
|
Thanks for the update @uraj. I've updated g3 status for this PR and removed the "cleanup" label. |
|
Merge-assistance: it's ok to proceed with the current set of reviews, since its just testing changes around everything and not changing the code in those areas. |
Introduce two new bazel rules: tsec_test and tsec_config, for describing the tsec checks and the tsconfig file needed for such checks, respectively. Currently, tsec_test only checks the srcs of a ts_library or ng_module. It does not check direct or transitive dependencies. Also, tsconfig files need to be manually maintained to make sure tsec can read all necessary input (including global symbols). PR Close #43108
This is to replace the implicitly created ts_library_forwared rules and keep changes related to tsec/bazel integration solely in tools/tsec.bzl. PR Close #43108
Upgrade tsec version form 0.1.8 to 0.1.9. The new version has a minor bug fix. PR Close #43108
Those files are for tsec_test only and therefore irrelevant to google3. PR Close #43108
tsec is a static analyzer that discovers Trusted Types violations. Deploy tsec to make sure there will be no TT regression in several critical packages, including core, platform-browser, platform-server and their dependencies. Existing violations have been reviewed and exempted in packages/tsec-exemption.json. Future changes to the exemption list requires security review. PR Close angular#43108
Introduce two new bazel rules: tsec_test and tsec_config, for describing the tsec checks and the tsconfig file needed for such checks, respectively. Currently, tsec_test only checks the srcs of a ts_library or ng_module. It does not check direct or transitive dependencies. Also, tsconfig files need to be manually maintained to make sure tsec can read all necessary input (including global symbols). PR Close angular#43108
) This is to replace the implicitly created ts_library_forwared rules and keep changes related to tsec/bazel integration solely in tools/tsec.bzl. PR Close angular#43108
Upgrade tsec version form 0.1.8 to 0.1.9. The new version has a minor bug fix. PR Close angular#43108
) Those files are for tsec_test only and therefore irrelevant to google3. PR Close angular#43108
tsec is a static analyzer that discovers Trusted Types violations. Deploy tsec to make sure there will be no TT regression in several critical packages, including core, platform-browser, platform-server and their dependencies. Existing violations have been reviewed and exempted in packages/tsec-exemption.json. Future changes to the exemption list requires security review. PR Close angular#43108
Introduce two new bazel rules: tsec_test and tsec_config, for describing the tsec checks and the tsconfig file needed for such checks, respectively. Currently, tsec_test only checks the srcs of a ts_library or ng_module. It does not check direct or transitive dependencies. Also, tsconfig files need to be manually maintained to make sure tsec can read all necessary input (including global symbols). PR Close angular#43108
) This is to replace the implicitly created ts_library_forwared rules and keep changes related to tsec/bazel integration solely in tools/tsec.bzl. PR Close angular#43108
Upgrade tsec version form 0.1.8 to 0.1.9. The new version has a minor bug fix. PR Close angular#43108
) Those files are for tsec_test only and therefore irrelevant to google3. PR Close angular#43108
|
This issue has been automatically locked due to inactivity. Read more about our automatic conversation locking policy. This action has been performed automatically by a bot. |
tsec is a static analyzer that discovers Trusted Types violations.
Deploy tsec to make sure there will be no TT regression in the core
package. Existing violations have been reviewed and exempted in
packages/tsec-exemption.json.
PR Checklist
Please check if your PR fulfills the following requirements:
PR Type
What kind of change does this PR introduce?
What is the current behavior?
Issue Number: N/A
What is the new behavior?
Does this PR introduce a breaking change?
Other information
The text was updated successfully, but these errors were encountered: