milliways-infosec/AikidoSec-safe-chain
7
0
Fork 0
mirror of https://github.com/AikidoSec/safe-chain.git synced 2026-05-26 12:10:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Log audit stats as verbose, not as information

Browse source
This commit is contained in:
Sander Declerck 2025-12-08 11:37:37 +01:00
parent 9901cb8502
commit a7946377b4
No known key found for this signature in database
14 changed files with 273 additions and 214 deletions
Download patch file Download diff file Expand all files Collapse all files

3
packages/safe-chain/src/main.js
View file

@ -64,8 +64,7 @@ export async function main(args) {
const auditStats = getAuditStats(); const auditStats = getAuditStats();
if (auditStats.totalPackages > 0) { if (auditStats.totalPackages > 0) {
ui.emptyLine(); ui.writeVerbose(
ui.writeInformation(
`${chalk.green("✔")} Safe-chain: Scanned ${ `${chalk.green("✔")} Safe-chain: Scanned ${
auditStats.totalPackages auditStats.totalPackages
} packages, no malware found.` } packages, no malware found.`

4
test/e2e/bun.e2e.spec.js
View file

@ -28,7 +28,9 @@ describe("E2E: bun coverage", () => {
it(`safe-chain succesfully installs safe packages`, async () => { it(`safe-chain succesfully installs safe packages`, async () => {
const shell = await container.openShell("bash"); const shell = await container.openShell("bash");
const result = await shell.runCommand("bun i axios"); const result = await shell.runCommand(
"bun i axios --safe-chain-logging=verbose"
);
assert.ok( assert.ok(
result.output.includes("no malware found."), result.output.includes("no malware found."),

4
test/e2e/npm-ci.e2e.spec.js
View file

@ -33,7 +33,9 @@ describe("E2E: npm coverage using PATH", () => {
it(`safe-chain succesfully installs safe packages`, async () => { it(`safe-chain succesfully installs safe packages`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand("npm i axios"); const result = await shell.runCommand(
"npm i axios --safe-chain-logging=verbose"
);
assert.ok( assert.ok(
result.output.includes("no malware found."), result.output.includes("no malware found."),

4
test/e2e/npm.e2e.spec.js
View file

@ -28,7 +28,9 @@ describe("E2E: npm coverage", () => {
it(`safe-chain succesfully installs safe packages`, async () => { it(`safe-chain succesfully installs safe packages`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand("npm i axios"); const result = await shell.runCommand(
"npm i axios --safe-chain-logging=verbose"
);
assert.ok( assert.ok(
result.output.includes("no malware found."), result.output.includes("no malware found."),

12
test/e2e/pip-ci.e2e.spec.js
View file

@ -12,7 +12,7 @@ describe("E2E: safe-chain setup-ci command for pip/pip3", () => {
beforeEach(async () => { beforeEach(async () => {
container = new DockerTestContainer(); container = new DockerTestContainer();
await container.start(); await container.start();
// Clear pip cache before each test to ensure fresh downloads through proxy // Clear pip cache before each test to ensure fresh downloads through proxy
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
await shell.runCommand("pip3 cache purge"); await shell.runCommand("pip3 cache purge");
@ -100,7 +100,7 @@ describe("E2E: safe-chain setup-ci command for pip/pip3", () => {
const projectShell = await container.openShell(shell); const projectShell = await container.openShell(shell);
// Use --break-system-packages to avoid Debian/Ubuntu external management restrictions // Use --break-system-packages to avoid Debian/Ubuntu external management restrictions
const result = await projectShell.runCommand( const result = await projectShell.runCommand(
"pip3 install --break-system-packages certifi" "pip3 install --break-system-packages certifi --safe-chain-logging=verbose"
); );
const hasExpectedOutput = result.output.includes("no malware found."); const hasExpectedOutput = result.output.includes("no malware found.");
@ -126,7 +126,7 @@ describe("E2E: safe-chain setup-ci command for pip/pip3", () => {
const projectShell = await container.openShell(shell); const projectShell = await container.openShell(shell);
const result = await projectShell.runCommand( const result = await projectShell.runCommand(
"python -m pip install --break-system-packages certifi" "python -m pip install --break-system-packages certifi --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -149,7 +149,7 @@ describe("E2E: safe-chain setup-ci command for pip/pip3", () => {
const projectShell = await container.openShell(shell); const projectShell = await container.openShell(shell);
const result = await projectShell.runCommand( const result = await projectShell.runCommand(
"python3 -m pip install --break-system-packages certifi" "python3 -m pip install --break-system-packages certifi --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -172,7 +172,7 @@ describe("E2E: safe-chain setup-ci command for pip/pip3", () => {
const projectShell = await container.openShell(shell); const projectShell = await container.openShell(shell);
const result = await projectShell.runCommand( const result = await projectShell.runCommand(
"pip install --break-system-packages certifi" "pip install --break-system-packages certifi --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -195,7 +195,7 @@ describe("E2E: safe-chain setup-ci command for pip/pip3", () => {
const projectShell = await container.openShell(shell); const projectShell = await container.openShell(shell);
const result = await projectShell.runCommand( const result = await projectShell.runCommand(
"pip3 install --break-system-packages certifi" "pip3 install --break-system-packages certifi --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(

268
test/e2e/pip.e2e.spec.js
View file

@ -16,7 +16,7 @@ describe("E2E: pip coverage", () => {
const installationShell = await container.openShell("zsh"); const installationShell = await container.openShell("zsh");
await installationShell.runCommand("safe-chain setup --include-python"); await installationShell.runCommand("safe-chain setup --include-python");
// Clear pip cache before each test to ensure fresh downloads through proxy // Clear pip cache before each test to ensure fresh downloads through proxy
await installationShell.runCommand("pip3 cache purge"); await installationShell.runCommand("pip3 cache purge");
}); });
@ -32,7 +32,7 @@ describe("E2E: pip coverage", () => {
it(`successfully installs known safe packages with pip3`, async () => { it(`successfully installs known safe packages with pip3`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
"pip3 install --break-system-packages requests" "pip3 install --break-system-packages requests --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -43,7 +43,9 @@ describe("E2E: pip coverage", () => {
it(`pip3 download`, async () => { it(`pip3 download`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand("pip3 download requests"); const result = await shell.runCommand(
"pip3 download requests --safe-chain-logging=verbose"
);
assert.ok( assert.ok(
result.output.includes("no malware found."), result.output.includes("no malware found."),
@ -53,7 +55,9 @@ describe("E2E: pip coverage", () => {
it(`pip3 .whl`, async () => { it(`pip3 .whl`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand("pip3 wheel requests"); const result = await shell.runCommand(
"pip3 wheel requests --safe-chain-logging=verbose"
);
assert.ok( assert.ok(
result.output.includes("no malware found."), result.output.includes("no malware found."),
@ -64,7 +68,7 @@ describe("E2E: pip coverage", () => {
it(`pip3 install --dry-run is respected by scanner`, async () => { it(`pip3 install --dry-run is respected by scanner`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
"pip3 install --dry-run --break-system-packages requests" "pip3 install --dry-run --break-system-packages requests --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -76,7 +80,7 @@ describe("E2E: pip coverage", () => {
it(`pip3 install with extras such as requests[socks]`, async () => { it(`pip3 install with extras such as requests[socks]`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
'pip3 install --break-system-packages "requests[socks]==2.32.3"' 'pip3 install --break-system-packages "requests[socks]==2.32.3" --safe-chain-logging=verbose'
); );
assert.ok( assert.ok(
@ -88,7 +92,7 @@ describe("E2E: pip coverage", () => {
it(`pip3 install with range version specifier`, async () => { it(`pip3 install with range version specifier`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
'pip3 install --break-system-packages "Jinja2>=3.1,<3.2"' 'pip3 install --break-system-packages "Jinja2>=3.1,<3.2" --safe-chain-logging=verbose'
); );
assert.ok( assert.ok(
@ -100,7 +104,7 @@ describe("E2E: pip coverage", () => {
it(`python3 -m pip install routes through safe-chain`, async () => { it(`python3 -m pip install routes through safe-chain`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
"python3 -m pip install --break-system-packages requests" "python3 -m pip install --break-system-packages requests --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -111,7 +115,9 @@ describe("E2E: pip coverage", () => {
it(`python3 -m pip download routes through safe-chain`, async () => { it(`python3 -m pip download routes through safe-chain`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand("python3 -m pip download requests"); const result = await shell.runCommand(
"python3 -m pip download requests --safe-chain-logging=verbose"
);
assert.ok( assert.ok(
result.output.includes("no malware found."), result.output.includes("no malware found."),
@ -148,7 +154,7 @@ describe("E2E: pip coverage", () => {
it(`python -m pip routes to aikido-pip (uses pip command)`, async () => { it(`python -m pip routes to aikido-pip (uses pip command)`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
"python -m pip install --break-system-packages requests" "python -m pip install --break-system-packages requests --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -166,7 +172,7 @@ describe("E2E: pip coverage", () => {
it(`python -m pip3 routes to aikido-pip3 (uses pip3 command)`, async () => { it(`python -m pip3 routes to aikido-pip3 (uses pip3 command)`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
"python -m pip3 install --break-system-packages requests" "python -m pip3 install --break-system-packages requests --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -184,7 +190,7 @@ describe("E2E: pip coverage", () => {
it(`python3 -m pip routes to aikido-pip3 (uses pip3 command)`, async () => { it(`python3 -m pip routes to aikido-pip3 (uses pip3 command)`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
"python3 -m pip install --break-system-packages requests" "python3 -m pip install --break-system-packages requests --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -202,7 +208,7 @@ describe("E2E: pip coverage", () => {
it(`python3 -m pip3 routes to aikido-pip3 (uses pip3 command)`, async () => { it(`python3 -m pip3 routes to aikido-pip3 (uses pip3 command)`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
"python3 -m pip3 install --break-system-packages requests" "python3 -m pip3 install --break-system-packages requests --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -222,7 +228,7 @@ describe("E2E: pip coverage", () => {
// Install a simple package from GitHub - this should use TCP tunnel, not MITM // Install a simple package from GitHub - this should use TCP tunnel, not MITM
// Using a popular, small package for testing // Using a popular, small package for testing
const result = await shell.runCommand( const result = await shell.runCommand(
"pip3 install --break-system-packages git+https://github.com/psf/requests.git@v2.32.3" "pip3 install --break-system-packages git+https://github.com/psf/requests.git@v2.32.3 --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -248,7 +254,7 @@ describe("E2E: pip coverage", () => {
it(`pip3 successfully validates certificates for HTTPS downloads`, async () => { it(`pip3 successfully validates certificates for HTTPS downloads`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
"pip3 install --break-system-packages certifi" "pip3 install --break-system-packages certifi --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -276,7 +282,7 @@ describe("E2E: pip coverage", () => {
// Test installing from a direct HTTPS URL (not a registry) // Test installing from a direct HTTPS URL (not a registry)
// This validates that non-registry HTTPS traffic works with our env-provided CA bundle // This validates that non-registry HTTPS traffic works with our env-provided CA bundle
const result = await shell.runCommand( const result = await shell.runCommand(
"pip3 install --break-system-packages https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl" "pip3 install --break-system-packages https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -299,7 +305,7 @@ describe("E2E: pip coverage", () => {
// This tests tunneled HTTPS with our env-provided CA bundle (Safe Chain CA + Mozilla + Node roots) // This tests tunneled HTTPS with our env-provided CA bundle (Safe Chain CA + Mozilla + Node roots)
// If the CA bundle doesn't include public roots, this will fail with CERTIFICATE_VERIFY_FAILED // If the CA bundle doesn't include public roots, this will fail with CERTIFICATE_VERIFY_FAILED
const result = await shell.runCommand( const result = await shell.runCommand(
"pip3 install --break-system-packages --index-url https://test.pypi.org/simple certifi" "pip3 install --break-system-packages --index-url https://test.pypi.org/simple certifi --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -336,22 +342,20 @@ describe("E2E: pip coverage", () => {
it(`pip3 config set should work and persist configuration`, async () => { it(`pip3 config set should work and persist configuration`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Set a config value // Set a config value
const setResult = await shell.runCommand( const setResult = await shell.runCommand(
"pip3 config set global.timeout 60" "pip3 config set global.timeout 60"
); );
assert.ok( assert.ok(
setResult.output.includes("Writing to"), setResult.output.includes("Writing to"),
`pip3 config set should write config. Output was:\n${setResult.output}` `pip3 config set should write config. Output was:\n${setResult.output}`
); );
// Verify it was persisted by reading it back // Verify it was persisted by reading it back
const getResult = await shell.runCommand( const getResult = await shell.runCommand("pip3 config get global.timeout");
"pip3 config get global.timeout"
);
assert.ok( assert.ok(
getResult.output.includes("60"), getResult.output.includes("60"),
`Config value should be 60. Output was:\n${getResult.output}` `Config value should be 60. Output was:\n${getResult.output}`
@ -360,13 +364,13 @@ describe("E2E: pip coverage", () => {
it(`pip3 config list should show user configuration`, async () => { it(`pip3 config list should show user configuration`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Set a value first // Set a value first
await shell.runCommand("pip3 config set global.timeout 90"); await shell.runCommand("pip3 config set global.timeout 90");
// List config // List config
const listResult = await shell.runCommand("pip3 config list"); const listResult = await shell.runCommand("pip3 config list");
assert.ok( assert.ok(
listResult.output.includes("timeout") && listResult.output.includes("90"), listResult.output.includes("timeout") && listResult.output.includes("90"),
`Config list should show timeout=90. Output was:\n${listResult.output}` `Config list should show timeout=90. Output was:\n${listResult.output}`
@ -375,16 +379,18 @@ describe("E2E: pip coverage", () => {
it(`pip3 config unset should remove configuration`, async () => { it(`pip3 config unset should remove configuration`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Set a value // Set a value
await shell.runCommand("pip3 config set global.timeout 120"); await shell.runCommand("pip3 config set global.timeout 120");
// Verify it exists // Verify it exists
const getResult = await shell.runCommand("pip3 config get global.timeout"); const getResult = await shell.runCommand("pip3 config get global.timeout");
assert.ok(getResult.output.includes("120")); assert.ok(getResult.output.includes("120"));
// Unset it // Unset it
const unsetResult = await shell.runCommand("pip3 config unset global.timeout"); const unsetResult = await shell.runCommand(
"pip3 config unset global.timeout"
);
assert.ok( assert.ok(
unsetResult.output.includes("Writing to"), unsetResult.output.includes("Writing to"),
`pip3 config unset should write config. Output was:\n${unsetResult.output}` `pip3 config unset should write config. Output was:\n${unsetResult.output}`
@ -393,9 +399,9 @@ describe("E2E: pip coverage", () => {
it(`pip3 cache dir should return cache directory path`, async () => { it(`pip3 cache dir should return cache directory path`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand("pip3 cache dir"); const result = await shell.runCommand("pip3 cache dir");
// Should output a directory path // Should output a directory path
assert.ok( assert.ok(
result.output.includes("/") && result.output.includes("cache"), result.output.includes("/") && result.output.includes("cache"),
@ -405,12 +411,12 @@ describe("E2E: pip coverage", () => {
it(`pip3 cache info should show cache information`, async () => { it(`pip3 cache info should show cache information`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Install something first to populate cache // Install something first to populate cache
await shell.runCommand("pip3 install --break-system-packages certifi"); await shell.runCommand("pip3 install --break-system-packages certifi");
const result = await shell.runCommand("pip3 cache info"); const result = await shell.runCommand("pip3 cache info");
// Output should contain cache-related information // Output should contain cache-related information
assert.ok( assert.ok(
result.output.match(/cache|wheel|http/i), result.output.match(/cache|wheel|http/i),
@ -420,30 +426,31 @@ describe("E2E: pip coverage", () => {
it(`pip3 cache list should list cached packages`, async () => { it(`pip3 cache list should list cached packages`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Download a package to ensure something is in cache // Download a package to ensure something is in cache
await shell.runCommand("pip3 download certifi"); await shell.runCommand("pip3 download certifi");
const result = await shell.runCommand("pip3 cache list certifi"); const result = await shell.runCommand("pip3 cache list certifi");
// Should show either cached wheels or "No locally built wheels" // Should show either cached wheels or "No locally built wheels"
assert.ok( assert.ok(
result.output.includes("certifi") || result.output.includes("No locally built"), result.output.includes("certifi") ||
result.output.includes("No locally built"),
`Should output cache list information. Output was:\n${result.output}` `Should output cache list information. Output was:\n${result.output}`
); );
}); });
it(`pip3 debug should output debug information`, async () => { it(`pip3 debug should output debug information`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand("pip3 debug"); const result = await shell.runCommand("pip3 debug");
// Should contain debug information about pip environment // Should contain debug information about pip environment
assert.ok( assert.ok(
result.output.match(/pip version|sys\.version|sys\.executable/i), result.output.match(/pip version|sys\.version|sys\.executable/i),
`Should output debug information. Output was:\n${result.output}` `Should output debug information. Output was:\n${result.output}`
); );
// Should NOT show safe-chain's temporary config file in the debug output // Should NOT show safe-chain's temporary config file in the debug output
assert.ok( assert.ok(
!result.output.includes("safe-chain-pip-"), !result.output.includes("safe-chain-pip-"),
@ -453,34 +460,36 @@ describe("E2E: pip coverage", () => {
it(`pip3 completion should generate shell completion script`, async () => { it(`pip3 completion should generate shell completion script`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand("pip3 completion --zsh"); const result = await shell.runCommand("pip3 completion --zsh");
// Should output shell completion code // Should output shell completion code
assert.ok( assert.ok(
result.output.includes("compdef") || result.output.includes("_pip") || result.output.includes("pip completion"), result.output.includes("compdef") ||
result.output.includes("_pip") ||
result.output.includes("pip completion"),
`Should output completion code. Output was:\n${result.output}` `Should output completion code. Output was:\n${result.output}`
); );
}); });
it(`pip3 install still works after config operations`, async () => { it(`pip3 install still works after config operations`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Perform config operations // Perform config operations
await shell.runCommand("pip3 config set global.timeout 60"); await shell.runCommand("pip3 config set global.timeout 60");
await shell.runCommand("pip3 cache dir"); await shell.runCommand("pip3 cache dir");
// Now install should still work with malware protection // Now install should still work with malware protection
const result = await shell.runCommand( const result = await shell.runCommand(
"pip3 install --break-system-packages certifi" "pip3 install --break-system-packages certifi --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
result.output.includes("Successfully installed") || result.output.includes("Successfully installed") ||
result.output.includes("Requirement already satisfied"), result.output.includes("Requirement already satisfied"),
`Install should succeed after config operations. Output was:\n${result.output}` `Install should succeed after config operations. Output was:\n${result.output}`
); );
assert.ok( assert.ok(
result.output.includes("no malware found."), result.output.includes("no malware found."),
`Should still scan for malware. Output was:\n${result.output}` `Should still scan for malware. Output was:\n${result.output}`
@ -489,14 +498,16 @@ describe("E2E: pip coverage", () => {
it(`pip3 download works after configuring pip settings`, async () => { it(`pip3 download works after configuring pip settings`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Configure pip with timeout and extra index URL // Configure pip with timeout and extra index URL
const configTimeout = await shell.runCommand("pip3 config set global.timeout 60"); const configTimeout = await shell.runCommand(
"pip3 config set global.timeout 60"
);
assert.ok( assert.ok(
configTimeout.output.includes("Writing to"), configTimeout.output.includes("Writing to"),
`Config set should succeed. Output was:\n${configTimeout.output}` `Config set should succeed. Output was:\n${configTimeout.output}`
); );
const configIndex = await shell.runCommand( const configIndex = await shell.runCommand(
"pip3 config set global.extra-index-url https://pypi.org/simple" "pip3 config set global.extra-index-url https://pypi.org/simple"
); );
@ -504,7 +515,7 @@ describe("E2E: pip coverage", () => {
configIndex.output.includes("Writing to"), configIndex.output.includes("Writing to"),
`Config set should succeed. Output was:\n${configIndex.output}` `Config set should succeed. Output was:\n${configIndex.output}`
); );
// Verify config persisted // Verify config persisted
const listConfig = await shell.runCommand("pip3 config list"); const listConfig = await shell.runCommand("pip3 config list");
assert.ok( assert.ok(
@ -512,23 +523,25 @@ describe("E2E: pip coverage", () => {
`Config should show timeout=60. Output was:\n${listConfig.output}` `Config should show timeout=60. Output was:\n${listConfig.output}`
); );
assert.ok( assert.ok(
listConfig.output.includes("extra-index-url") && listConfig.output.includes("pypi.org"), listConfig.output.includes("extra-index-url") &&
listConfig.output.includes("pypi.org"),
`Config should show extra-index-url. Output was:\n${listConfig.output}` `Config should show extra-index-url. Output was:\n${listConfig.output}`
); );
// Now download packages with the configured settings // Now download packages with the configured settings
const downloadResult = await shell.runCommand( const downloadResult = await shell.runCommand(
"pip3 download -d /tmp/packages requests certifi" "pip3 download -d /tmp/packages requests certifi --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
downloadResult.output.includes("no malware found."), downloadResult.output.includes("no malware found."),
`Should scan for malware. Output was:\n${downloadResult.output}` `Should scan for malware. Output was:\n${downloadResult.output}`
); );
// Verify downloads succeeded // Verify downloads succeeded
assert.ok( assert.ok(
downloadResult.output.includes("Saved") || downloadResult.output.includes("requests"), downloadResult.output.includes("Saved") ||
downloadResult.output.includes("requests"),
`Download should succeed with configured settings. Output was:\n${downloadResult.output}` `Download should succeed with configured settings. Output was:\n${downloadResult.output}`
); );
assert.ok( assert.ok(
@ -538,17 +551,17 @@ describe("E2E: pip coverage", () => {
}); });
// Tests for python/python3 bypass (non-pip invocations should go directly without safe-chain) // Tests for python/python3 bypass (non-pip invocations should go directly without safe-chain)
it(`python3 --version should bypass safe-chain and work normally`, async () => { it(`python3 --version should bypass safe-chain and work normally`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand("python3 --version"); const result = await shell.runCommand("python3 --version");
// Should output Python version // Should output Python version
assert.ok( assert.ok(
result.output.match(/Python 3\.\d+\.\d+/), result.output.match(/Python 3\.\d+\.\d+/),
`Should output Python version. Output was:\n${result.output}` `Should output Python version. Output was:\n${result.output}`
); );
// Should NOT go through safe-chain proxy // Should NOT go through safe-chain proxy
assert.ok( assert.ok(
!result.output.includes("Safe-chain"), !result.output.includes("Safe-chain"),
@ -559,13 +572,13 @@ describe("E2E: pip coverage", () => {
it(`python --version should bypass safe-chain and work normally`, async () => { it(`python --version should bypass safe-chain and work normally`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand("python --version"); const result = await shell.runCommand("python --version");
// Should output Python version // Should output Python version
assert.ok( assert.ok(
result.output.match(/Python \d+\.\d+\.\d+/), result.output.match(/Python \d+\.\d+\.\d+/),
`Should output Python version. Output was:\n${result.output}` `Should output Python version. Output was:\n${result.output}`
); );
// Should NOT go through safe-chain // Should NOT go through safe-chain
assert.ok( assert.ok(
!result.output.includes("Safe-chain"), !result.output.includes("Safe-chain"),
@ -575,14 +588,16 @@ describe("E2E: pip coverage", () => {
it(`python3 -c "print('hello')" should bypass safe-chain and execute code`, async () => { it(`python3 -c "print('hello')" should bypass safe-chain and execute code`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand("python3 -c \"print('hello world')\""); const result = await shell.runCommand(
"python3 -c \"print('hello world')\""
);
// Should execute Python code // Should execute Python code
assert.ok( assert.ok(
result.output.includes("hello world"), result.output.includes("hello world"),
`Should execute Python code. Output was:\n${result.output}` `Should execute Python code. Output was:\n${result.output}`
); );
// Should NOT go through safe-chain // Should NOT go through safe-chain
assert.ok( assert.ok(
!result.output.includes("Safe-chain"), !result.output.includes("Safe-chain"),
@ -592,14 +607,16 @@ describe("E2E: pip coverage", () => {
it(`python -c should bypass safe-chain and execute code`, async () => { it(`python -c should bypass safe-chain and execute code`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand("python -c \"import sys; print(sys.version)\""); const result = await shell.runCommand(
'python -c "import sys; print(sys.version)"'
);
// Should execute Python code and print version // Should execute Python code and print version
assert.ok( assert.ok(
result.output.match(/\d+\.\d+\.\d+/), result.output.match(/\d+\.\d+\.\d+/),
`Should execute Python code. Output was:\n${result.output}` `Should execute Python code. Output was:\n${result.output}`
); );
// Should NOT go through safe-chain // Should NOT go through safe-chain
assert.ok( assert.ok(
!result.output.includes("Safe-chain"), !result.output.includes("Safe-chain"),
@ -609,18 +626,20 @@ describe("E2E: pip coverage", () => {
it(`python3 script.py should bypass safe-chain and execute script`, async () => { it(`python3 script.py should bypass safe-chain and execute script`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Create a simple Python script // Create a simple Python script
await shell.runCommand("echo \"print('script executed')\" > /tmp/test_script.py"); await shell.runCommand(
"echo \"print('script executed')\" > /tmp/test_script.py"
);
const result = await shell.runCommand("python3 /tmp/test_script.py"); const result = await shell.runCommand("python3 /tmp/test_script.py");
// Should execute the script // Should execute the script
assert.ok( assert.ok(
result.output.includes("script executed"), result.output.includes("script executed"),
`Should execute Python script. Output was:\n${result.output}` `Should execute Python script. Output was:\n${result.output}`
); );
// Should NOT go through safe-chain // Should NOT go through safe-chain
assert.ok( assert.ok(
!result.output.includes("Safe-chain"), !result.output.includes("Safe-chain"),
@ -630,18 +649,20 @@ describe("E2E: pip coverage", () => {
it(`python script.py should bypass safe-chain and execute script`, async () => { it(`python script.py should bypass safe-chain and execute script`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Create a simple Python script // Create a simple Python script
await shell.runCommand("echo \"print('python2/3 compatible')\" > /tmp/test_script2.py"); await shell.runCommand(
"echo \"print('python2/3 compatible')\" > /tmp/test_script2.py"
);
const result = await shell.runCommand("python /tmp/test_script2.py"); const result = await shell.runCommand("python /tmp/test_script2.py");
// Should execute the script // Should execute the script
assert.ok( assert.ok(
result.output.includes("python2/3 compatible"), result.output.includes("python2/3 compatible"),
`Should execute Python script. Output was:\n${result.output}` `Should execute Python script. Output was:\n${result.output}`
); );
// Should NOT go through safe-chain // Should NOT go through safe-chain
assert.ok( assert.ok(
!result.output.includes("Safe-chain"), !result.output.includes("Safe-chain"),
@ -651,16 +672,18 @@ describe("E2E: pip coverage", () => {
it(`python3 -m json.tool should bypass safe-chain (module other than pip)`, async () => { it(`python3 -m json.tool should bypass safe-chain (module other than pip)`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// json.tool is a built-in Python module for formatting JSON // json.tool is a built-in Python module for formatting JSON
const result = await shell.runCommand("echo '{\"test\": 123}' | python3 -m json.tool"); const result = await shell.runCommand(
"echo '{\"test\": 123}' | python3 -m json.tool"
);
// Should format JSON // Should format JSON
assert.ok( assert.ok(
result.output.includes('"test"') && result.output.includes('123'), result.output.includes('"test"') && result.output.includes("123"),
`Should format JSON. Output was:\n${result.output}` `Should format JSON. Output was:\n${result.output}`
); );
// Should NOT go through safe-chain // Should NOT go through safe-chain
assert.ok( assert.ok(
!result.output.includes("Safe-chain"), !result.output.includes("Safe-chain"),
@ -670,36 +693,40 @@ describe("E2E: pip coverage", () => {
it(`python3 -m http.server should bypass safe-chain (module other than pip)`, async () => { it(`python3 -m http.server should bypass safe-chain (module other than pip)`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Start http.server in background and kill it immediately // Start http.server in background and kill it immediately
// We just want to verify it starts without safe-chain interference // We just want to verify it starts without safe-chain interference
const result = await shell.runCommand("timeout 1 python3 -m http.server 8999 || true"); const result = await shell.runCommand(
"timeout 1 python3 -m http.server 8999 || true"
);
// Should NOT go through safe-chain // Should NOT go through safe-chain
assert.ok( assert.ok(
!result.output.includes("Safe-chain"), !result.output.includes("Safe-chain"),
`python3 -m http.server should not go through safe-chain. Output was:\n${result.output}` `python3 -m http.server should not go through safe-chain. Output was:\n${result.output}`
); );
// Should either start the server or timeout (both are success for bypass test) // Should either start the server or timeout (both are success for bypass test)
assert.ok( assert.ok(
result.output.includes("Serving HTTP") || result.output === "" || result.exitCode !== undefined, result.output.includes("Serving HTTP") ||
result.output === "" ||
result.exitCode !== undefined,
`Should attempt to start server. Output was:\n${result.output}` `Should attempt to start server. Output was:\n${result.output}`
); );
}); });
it(`python3 interactive mode should bypass safe-chain`, async () => { it(`python3 interactive mode should bypass safe-chain`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Run python3 with a command piped to stdin to simulate interactive mode // Run python3 with a command piped to stdin to simulate interactive mode
const result = await shell.runCommand("echo 'print(2+2)' | python3"); const result = await shell.runCommand("echo 'print(2+2)' | python3");
// Should execute the command // Should execute the command
assert.ok( assert.ok(
result.output.includes("4"), result.output.includes("4"),
`Should execute Python interactively. Output was:\n${result.output}` `Should execute Python interactively. Output was:\n${result.output}`
); );
// Should NOT go through safe-chain // Should NOT go through safe-chain
assert.ok( assert.ok(
!result.output.includes("Safe-chain"), !result.output.includes("Safe-chain"),
@ -709,10 +736,10 @@ describe("E2E: pip coverage", () => {
it(`python3 with no arguments should bypass safe-chain`, async () => { it(`python3 with no arguments should bypass safe-chain`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Python with no args goes to interactive REPL, pipe exit command // Python with no args goes to interactive REPL, pipe exit command
const result = await shell.runCommand("echo 'exit()' | python3"); const result = await shell.runCommand("echo 'exit()' | python3");
// Should NOT go through safe-chain // Should NOT go through safe-chain
assert.ok( assert.ok(
!result.output.includes("Safe-chain"), !result.output.includes("Safe-chain"),
@ -722,17 +749,19 @@ describe("E2E: pip coverage", () => {
it(`python3 -m venv should bypass safe-chain (venv module)`, async () => { it(`python3 -m venv should bypass safe-chain (venv module)`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand("python3 -m venv /tmp/test_venv"); const result = await shell.runCommand("python3 -m venv /tmp/test_venv");
// Should create venv without safe-chain // Should create venv without safe-chain
assert.ok( assert.ok(
!result.output.includes("Safe-chain"), !result.output.includes("Safe-chain"),
`python3 -m venv should not go through safe-chain. Output was:\n${result.output}` `python3 -m venv should not go through safe-chain. Output was:\n${result.output}`
); );
// Verify venv was created // Verify venv was created
const checkVenv = await shell.runCommand("test -f /tmp/test_venv/bin/python3 && echo 'exists'"); const checkVenv = await shell.runCommand(
"test -f /tmp/test_venv/bin/python3 && echo 'exists'"
);
assert.ok( assert.ok(
checkVenv.output.includes("exists"), checkVenv.output.includes("exists"),
`venv should be created. Output was:\n${checkVenv.output}` `venv should be created. Output was:\n${checkVenv.output}`
@ -741,10 +770,12 @@ describe("E2E: pip coverage", () => {
it(`python3 -m pytest should bypass safe-chain (pytest module)`, async () => { it(`python3 -m pytest should bypass safe-chain (pytest module)`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// pytest may not be installed, but the bypass should work regardless // pytest may not be installed, but the bypass should work regardless
const result = await shell.runCommand("python3 -m pytest --version 2>&1 || true"); const result = await shell.runCommand(
"python3 -m pytest --version 2>&1 || true"
);
// Should NOT go through safe-chain // Should NOT go through safe-chain
assert.ok( assert.ok(
!result.output.includes("Safe-chain"), !result.output.includes("Safe-chain"),
@ -754,15 +785,15 @@ describe("E2E: pip coverage", () => {
it(`python3 -m site should bypass safe-chain (site module)`, async () => { it(`python3 -m site should bypass safe-chain (site module)`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand("python3 -m site"); const result = await shell.runCommand("python3 -m site");
// Should output site information // Should output site information
assert.ok( assert.ok(
result.output.includes("sys.path") || result.output.includes("USER_BASE"), result.output.includes("sys.path") || result.output.includes("USER_BASE"),
`Should output site information. Output was:\n${result.output}` `Should output site information. Output was:\n${result.output}`
); );
// Should NOT go through safe-chain // Should NOT go through safe-chain
assert.ok( assert.ok(
!result.output.includes("Safe-chain"), !result.output.includes("Safe-chain"),
@ -771,16 +802,17 @@ describe("E2E: pip coverage", () => {
}); });
// Verify that -m pip* still goes through safe-chain (sanity check) // Verify that -m pip* still goes through safe-chain (sanity check)
it(`python3 -m pip DOES go through safe-chain (sanity check)`, async () => { it(`python3 -m pip DOES go through safe-chain (sanity check)`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
"python3 -m pip install --break-system-packages certifi" "python3 -m pip install --break-system-packages certifi --safe-chain-logging=verbose"
); );
// SHOULD go through safe-chain // SHOULD go through safe-chain
assert.ok( assert.ok(
result.output.includes("Safe-chain") || result.output.includes("no malware found"), result.output.includes("Safe-chain") ||
result.output.includes("no malware found"),
`python3 -m pip SHOULD go through safe-chain. Output was:\n${result.output}` `python3 -m pip SHOULD go through safe-chain. Output was:\n${result.output}`
); );
}); });
@ -788,12 +820,13 @@ describe("E2E: pip coverage", () => {
it(`python3 -m pip3 DOES go through safe-chain (sanity check)`, async () => { it(`python3 -m pip3 DOES go through safe-chain (sanity check)`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
"python3 -m pip3 install --break-system-packages certifi" "python3 -m pip3 install --break-system-packages certifi --safe-chain-logging=verbose"
); );
// SHOULD go through safe-chain // SHOULD go through safe-chain
assert.ok( assert.ok(
result.output.includes("Safe-chain") || result.output.includes("no malware found"), result.output.includes("Safe-chain") ||
result.output.includes("no malware found"),
`python3 -m pip3 SHOULD go through safe-chain. Output was:\n${result.output}` `python3 -m pip3 SHOULD go through safe-chain. Output was:\n${result.output}`
); );
}); });
@ -801,12 +834,13 @@ describe("E2E: pip coverage", () => {
it(`python -m pip DOES go through safe-chain (sanity check)`, async () => { it(`python -m pip DOES go through safe-chain (sanity check)`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
"python -m pip install --break-system-packages certifi" "python -m pip install --break-system-packages certifi --safe-chain-logging=verbose"
); );
// SHOULD go through safe-chain // SHOULD go through safe-chain
assert.ok( assert.ok(
result.output.includes("Safe-chain") || result.output.includes("no malware found"), result.output.includes("Safe-chain") ||
result.output.includes("no malware found"),
`python -m pip SHOULD go through safe-chain. Output was:\n${result.output}` `python -m pip SHOULD go through safe-chain. Output was:\n${result.output}`
); );
}); });

4
test/e2e/pnpm-ci.e2e.spec.js
View file

@ -33,7 +33,9 @@ describe("E2E: pnpm coverage", () => {
it(`safe-chain succesfully installs safe packages`, async () => { it(`safe-chain succesfully installs safe packages`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand("pnpm add axios"); const result = await shell.runCommand(
"pnpm add axios --safe-chain-logging=verbose"
);
assert.ok( assert.ok(
result.output.includes("no malware found."), result.output.includes("no malware found."),

4
test/e2e/pnpm.e2e.spec.js
View file

@ -28,7 +28,9 @@ describe("E2E: pnpm coverage", () => {
it(`safe-chain succesfully installs safe packages`, async () => { it(`safe-chain succesfully installs safe packages`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand("pnpm add axios"); const result = await shell.runCommand(
"pnpm add axios --safe-chain-logging=verbose"
);
assert.ok( assert.ok(
result.output.includes("no malware found."), result.output.includes("no malware found."),

6
test/e2e/safe-chain-cli-python.e2e.spec.js
View file

@ -31,7 +31,7 @@ describe("E2E: safe-chain CLI python/pip support", () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Invoke safe-chain directly with pip3 command // Invoke safe-chain directly with pip3 command
const result = await shell.runCommand( const result = await shell.runCommand(
"safe-chain pip3 install --break-system-packages requests" "safe-chain pip3 install --break-system-packages requests --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -48,7 +48,7 @@ describe("E2E: safe-chain CLI python/pip support", () => {
it("safe-chain python3 -m pip install routes through proxy", async () => { it("safe-chain python3 -m pip install routes through proxy", async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
"safe-chain python3 -m pip install --break-system-packages requests" "safe-chain python3 -m pip install --break-system-packages requests --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -59,7 +59,7 @@ describe("E2E: safe-chain CLI python/pip support", () => {
it("safe-chain python3 script.py bypasses proxy", async () => { it("safe-chain python3 script.py bypasses proxy", async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Create a simple script // Create a simple script
await shell.runCommand("echo \"print('direct execution')\" > /tmp/test.py"); await shell.runCommand("echo \"print('direct execution')\" > /tmp/test.py");

4
test/e2e/setup-ci.e2e.spec.js
View file

@ -39,7 +39,9 @@ describe("E2E: safe-chain setup-ci command", () => {
); );
const projectShell = await container.openShell(shell); const projectShell = await container.openShell(shell);
const result = await projectShell.runCommand("npm i axios"); const result = await projectShell.runCommand(
"npm i axios --safe-chain-logging=verbose"
);
const hasExpectedOutput = result.output.includes("Safe-chain: Scanned"); const hasExpectedOutput = result.output.includes("Safe-chain: Scanned");
assert.ok( assert.ok(

4
test/e2e/setup.teardown.e2e.spec.js
View file

@ -29,7 +29,9 @@ describe("E2E: safe-chain setup command", () => {
const projectShell = await container.openShell(shell); const projectShell = await container.openShell(shell);
await projectShell.runCommand("cd /testapp"); await projectShell.runCommand("cd /testapp");
const result = await projectShell.runCommand("npm i axios"); const result = await projectShell.runCommand(
"npm i axios --safe-chain-logging=verbose"
);
const hasExpectedOutput = result.output.includes("Safe-chain: Scanned"); const hasExpectedOutput = result.output.includes("Safe-chain: Scanned");
assert.ok( assert.ok(

162
test/e2e/uv.e2e.spec.js
View file

@ -16,7 +16,7 @@ describe("E2E: uv coverage", () => {
const installationShell = await container.openShell("zsh"); const installationShell = await container.openShell("zsh");
await installationShell.runCommand("safe-chain setup --include-python"); await installationShell.runCommand("safe-chain setup --include-python");
// Clear uv cache // Clear uv cache
await installationShell.runCommand("uv cache clean"); await installationShell.runCommand("uv cache clean");
}); });
@ -32,7 +32,7 @@ describe("E2E: uv coverage", () => {
it(`successfully installs known safe packages with uv pip install`, async () => { it(`successfully installs known safe packages with uv pip install`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
"uv pip install --system --break-system-packages requests" "uv pip install --system --break-system-packages requests --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -44,7 +44,7 @@ describe("E2E: uv coverage", () => {
it(`uv pip install with specific version`, async () => { it(`uv pip install with specific version`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
"uv pip install --system --break-system-packages requests==2.32.3" "uv pip install --system --break-system-packages requests==2.32.3 --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -56,7 +56,7 @@ describe("E2E: uv coverage", () => {
it(`uv pip install with version specifiers (>=)`, async () => { it(`uv pip install with version specifiers (>=)`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
'uv pip install --system --break-system-packages "Jinja2>=3.1"' 'uv pip install --system --break-system-packages "Jinja2>=3.1" --safe-chain-logging=verbose'
); );
assert.ok( assert.ok(
@ -68,7 +68,7 @@ describe("E2E: uv coverage", () => {
it(`uv pip install with extras such as requests[socks]`, async () => { it(`uv pip install with extras such as requests[socks]`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
'uv pip install --system --break-system-packages "requests[socks]==2.32.3"' 'uv pip install --system --break-system-packages "requests[socks]==2.32.3" --safe-chain-logging=verbose'
); );
assert.ok( assert.ok(
@ -80,7 +80,7 @@ describe("E2E: uv coverage", () => {
it(`uv pip install multiple packages`, async () => { it(`uv pip install multiple packages`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
"uv pip install --system --break-system-packages requests certifi urllib3" "uv pip install --system --break-system-packages requests certifi urllib3 --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -91,13 +91,13 @@ describe("E2E: uv coverage", () => {
it(`uv pip install from requirements file`, async () => { it(`uv pip install from requirements file`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Create a requirements.txt file // Create a requirements.txt file
await shell.runCommand("echo 'requests==2.32.3' > requirements.txt"); await shell.runCommand("echo 'requests==2.32.3' > requirements.txt");
await shell.runCommand("echo 'certifi>=2024.0.0' >> requirements.txt"); await shell.runCommand("echo 'certifi>=2024.0.0' >> requirements.txt");
const result = await shell.runCommand( const result = await shell.runCommand(
"uv pip install --system --break-system-packages -r requirements.txt" "uv pip install --system --break-system-packages -r requirements.txt --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -108,12 +108,12 @@ describe("E2E: uv coverage", () => {
it(`uv pip sync with requirements file`, async () => { it(`uv pip sync with requirements file`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Create a requirements.txt file // Create a requirements.txt file
await shell.runCommand("echo 'requests==2.32.3' > requirements-sync.txt"); await shell.runCommand("echo 'requests==2.32.3' > requirements-sync.txt");
const result = await shell.runCommand( const result = await shell.runCommand(
"uv pip sync --system --break-system-packages requirements-sync.txt" "uv pip sync --system --break-system-packages requirements-sync.txt --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -124,7 +124,7 @@ describe("E2E: uv coverage", () => {
it(`safe-chain blocks installation of malicious Python packages via uv`, async () => { it(`safe-chain blocks installation of malicious Python packages via uv`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
"uv pip install --system --break-system-packages safe-chain-pi-test" "uv pip install --system --break-system-packages safe-chain-pi-test"
); );
@ -152,7 +152,7 @@ describe("E2E: uv coverage", () => {
it(`uv pip install from GitHub URL using the CA bundle`, async () => { it(`uv pip install from GitHub URL using the CA bundle`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
"uv pip install --system --break-system-packages git+https://github.com/psf/requests.git@v2.32.3" "uv pip install --system --break-system-packages git+https://github.com/psf/requests.git@v2.32.3 --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -170,9 +170,9 @@ describe("E2E: uv coverage", () => {
it(`uv pip successfully validates certificates for HTTPS downloads`, async () => { it(`uv pip successfully validates certificates for HTTPS downloads`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
"uv pip install --system --break-system-packages certifi" "uv pip install --system --break-system-packages certifi --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -199,7 +199,7 @@ describe("E2E: uv coverage", () => {
it(`uv pip install from direct HTTPS wheel URL`, async () => { it(`uv pip install from direct HTTPS wheel URL`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
"uv pip install --system --break-system-packages https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl" "uv pip install --system --break-system-packages https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -216,13 +216,15 @@ describe("E2E: uv coverage", () => {
it(`uv pip install with --upgrade flag`, async () => { it(`uv pip install with --upgrade flag`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// First install a package // First install a package
await shell.runCommand("uv pip install --system --break-system-packages requests==2.31.0"); await shell.runCommand(
"uv pip install --system --break-system-packages requests==2.31.0"
);
// Then upgrade it // Then upgrade it
const result = await shell.runCommand( const result = await shell.runCommand(
"uv pip install --system --break-system-packages --upgrade requests" "uv pip install --system --break-system-packages --upgrade requests --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -234,7 +236,7 @@ describe("E2E: uv coverage", () => {
it(`uv pip install with --no-deps flag`, async () => { it(`uv pip install with --no-deps flag`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
"uv pip install --system --break-system-packages --no-deps requests" "uv pip install --system --break-system-packages --no-deps requests --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -245,14 +247,18 @@ describe("E2E: uv coverage", () => {
it(`uv pip install with --editable flag from local directory`, async () => { it(`uv pip install with --editable flag from local directory`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Create a simple package structure // Create a simple package structure
await shell.runCommand("mkdir -p /tmp/test-pkg"); await shell.runCommand("mkdir -p /tmp/test-pkg");
await shell.runCommand("echo 'from setuptools import setup' > /tmp/test-pkg/setup.py"); await shell.runCommand(
await shell.runCommand("echo \"setup(name='test-pkg', version='0.1.0')\" >> /tmp/test-pkg/setup.py"); "echo 'from setuptools import setup' > /tmp/test-pkg/setup.py"
);
await shell.runCommand(
"echo \"setup(name='test-pkg', version='0.1.0')\" >> /tmp/test-pkg/setup.py"
);
const result = await shell.runCommand( const result = await shell.runCommand(
"uv pip install --system --break-system-packages -e /tmp/test-pkg" "uv pip install --system --break-system-packages -e /tmp/test-pkg --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -263,13 +269,11 @@ describe("E2E: uv coverage", () => {
it(`uv pip compile creates locked requirements`, async () => { it(`uv pip compile creates locked requirements`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Create an input requirements file // Create an input requirements file
await shell.runCommand("echo 'requests' > requirements.in"); await shell.runCommand("echo 'requests' > requirements.in");
const result = await shell.runCommand( const result = await shell.runCommand("uv pip compile requirements.in");
"uv pip compile requirements.in"
);
// uv pip compile doesn't install packages, just resolves dependencies // uv pip compile doesn't install packages, just resolves dependencies
// It should complete successfully and output resolved requirements // It should complete successfully and output resolved requirements
@ -282,7 +286,7 @@ describe("E2E: uv coverage", () => {
it(`uv pip install with --index-url for alternate registry`, async () => { it(`uv pip install with --index-url for alternate registry`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
"uv pip install --system --break-system-packages --index-url https://test.pypi.org/simple certifi" "uv pip install --system --break-system-packages --index-url https://test.pypi.org/simple certifi --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -303,7 +307,7 @@ describe("E2E: uv coverage", () => {
const result = await shell.runCommand( const result = await shell.runCommand(
"uv pip install --system --break-system-packages requests --safe-chain-logging=verbose" "uv pip install --system --break-system-packages requests --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
result.output.includes("no malware found."), result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
@ -313,7 +317,7 @@ describe("E2E: uv coverage", () => {
it(`uv pip install with version range constraint`, async () => { it(`uv pip install with version range constraint`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
'uv pip install --system --break-system-packages "requests>=2.31.0,<2.33.0"' 'uv pip install --system --break-system-packages "requests>=2.31.0,<2.33.0" --safe-chain-logging=verbose'
); );
assert.ok( assert.ok(
@ -324,10 +328,12 @@ describe("E2E: uv coverage", () => {
it(`uv pip list shows installed packages`, async () => { it(`uv pip list shows installed packages`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Install a package first // Install a package first
await shell.runCommand("uv pip install --system --break-system-packages requests"); await shell.runCommand(
"uv pip install --system --break-system-packages requests"
);
// Then list packages - this shouldn't trigger safe-chain scanning // Then list packages - this shouldn't trigger safe-chain scanning
const result = await shell.runCommand("uv pip list --system"); const result = await shell.runCommand("uv pip list --system");
@ -340,10 +346,10 @@ describe("E2E: uv coverage", () => {
it(`uv add installs package and updates project`, async () => { it(`uv add installs package and updates project`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Initialize a new uv project and add package in same command // Initialize a new uv project and add package in same command
const result = await shell.runCommand( const result = await shell.runCommand(
"uv init test-project && cd test-project && uv add requests" "uv init test-project && cd test-project && uv add requests --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -354,12 +360,12 @@ describe("E2E: uv coverage", () => {
it(`uv add with specific version`, async () => { it(`uv add with specific version`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Initialize a new uv project // Initialize a new uv project
await shell.runCommand("uv init test-project-version"); await shell.runCommand("uv init test-project-version");
const result = await shell.runCommand( const result = await shell.runCommand(
"cd test-project-version && uv add requests==2.32.3" "cd test-project-version && uv add requests==2.32.3 --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -370,12 +376,12 @@ describe("E2E: uv coverage", () => {
it(`uv add --dev for development dependencies`, async () => { it(`uv add --dev for development dependencies`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Initialize a new uv project // Initialize a new uv project
await shell.runCommand("uv init test-project-dev"); await shell.runCommand("uv init test-project-dev");
const result = await shell.runCommand( const result = await shell.runCommand(
"cd test-project-dev && uv add --dev pytest" "cd test-project-dev && uv add --dev pytest --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -386,12 +392,12 @@ describe("E2E: uv coverage", () => {
it(`uv add multiple packages at once`, async () => { it(`uv add multiple packages at once`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Initialize a new uv project // Initialize a new uv project
await shell.runCommand("uv init test-project-multi"); await shell.runCommand("uv init test-project-multi");
const result = await shell.runCommand( const result = await shell.runCommand(
"cd test-project-multi && uv add requests certifi urllib3" "cd test-project-multi && uv add requests certifi urllib3 --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -402,10 +408,10 @@ describe("E2E: uv coverage", () => {
it(`safe-chain blocks malicious packages via uv add`, async () => { it(`safe-chain blocks malicious packages via uv add`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Initialize a new uv project // Initialize a new uv project
await shell.runCommand("uv init test-project-malware"); await shell.runCommand("uv init test-project-malware");
const result = await shell.runCommand( const result = await shell.runCommand(
"cd test-project-malware && uv add safe-chain-pi-test" "cd test-project-malware && uv add safe-chain-pi-test"
); );
@ -427,20 +433,19 @@ describe("E2E: uv coverage", () => {
it(`uv tool install installs a global tool`, async () => { it(`uv tool install installs a global tool`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
"uv tool install ruff" "uv tool install ruff --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
result.output.includes("no malware found.") || result.output.includes("Installed"), result.output.includes("no malware found.") ||
result.output.includes("Installed"),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
); );
}); });
it(`safe-chain blocks malicious packages via uv tool install`, async () => { it(`safe-chain blocks malicious packages via uv tool install`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand("uv tool install safe-chain-pi-test");
"uv tool install safe-chain-pi-test"
);
assert.ok( assert.ok(
result.output.includes("blocked 1 malicious package downloads:"), result.output.includes("blocked 1 malicious package downloads:"),
@ -454,12 +459,14 @@ describe("E2E: uv coverage", () => {
it(`uv run --with installs ephemeral dependency`, async () => { it(`uv run --with installs ephemeral dependency`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Create a simple Python script // Create a simple Python script
await shell.runCommand("echo 'import requests; print(requests.__version__)' > test_script.py"); await shell.runCommand(
"echo 'import requests; print(requests.__version__)' > test_script.py"
);
const result = await shell.runCommand( const result = await shell.runCommand(
"uv run --with requests test_script.py" "uv run --with requests test_script.py --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -470,10 +477,10 @@ describe("E2E: uv coverage", () => {
it(`safe-chain blocks malicious packages via uv run --with`, async () => { it(`safe-chain blocks malicious packages via uv run --with`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Create a simple Python script // Create a simple Python script
await shell.runCommand("echo 'print(\"test\")' > test_script2.py"); await shell.runCommand("echo 'print(\"test\")' > test_script2.py");
const result = await shell.runCommand( const result = await shell.runCommand(
"uv run --with safe-chain-pi-test test_script2.py" "uv run --with safe-chain-pi-test test_script2.py"
); );
@ -486,10 +493,10 @@ describe("E2E: uv coverage", () => {
it(`uv sync syncs project dependencies`, async () => { it(`uv sync syncs project dependencies`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Initialize a new uv project, add a dependency, remove venv, and sync in one command chain // Initialize a new uv project, add a dependency, remove venv, and sync in one command chain
const result = await shell.runCommand( const result = await shell.runCommand(
"uv init test-sync-project && cd test-sync-project && uv add requests && rm -rf .venv && uv sync" "uv init test-sync-project && cd test-sync-project && uv add requests --safe-chain-logging=verbose && rm -rf .venv && uv sync --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -500,12 +507,12 @@ describe("E2E: uv coverage", () => {
it(`uv add from git URL`, async () => { it(`uv add from git URL`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Initialize a new uv project // Initialize a new uv project
await shell.runCommand("uv init test-git-add"); await shell.runCommand("uv init test-git-add");
const result = await shell.runCommand( const result = await shell.runCommand(
"cd test-git-add && uv add git+https://github.com/psf/requests.git@v2.32.3" "cd test-git-add && uv add git+https://github.com/psf/requests.git@v2.32.3 --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -516,12 +523,12 @@ describe("E2E: uv coverage", () => {
it(`uv add with --optional group`, async () => { it(`uv add with --optional group`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Initialize a new uv project // Initialize a new uv project
await shell.runCommand("uv init test-optional"); await shell.runCommand("uv init test-optional");
const result = await shell.runCommand( const result = await shell.runCommand(
"cd test-optional && uv add --optional dev pytest" "cd test-optional && uv add --optional dev pytest --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -532,13 +539,15 @@ describe("E2E: uv coverage", () => {
it(`uv run --with-requirements installs from requirements file`, async () => { it(`uv run --with-requirements installs from requirements file`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Create requirements file and script // Create requirements file and script
await shell.runCommand("echo 'requests' > run_requirements.txt"); await shell.runCommand("echo 'requests' > run_requirements.txt");
await shell.runCommand("echo 'import requests; print(requests.__version__)' > run_script.py"); await shell.runCommand(
"echo 'import requests; print(requests.__version__)' > run_script.py"
);
const result = await shell.runCommand( const result = await shell.runCommand(
"uv run --with-requirements run_requirements.txt run_script.py" "uv run --with-requirements run_requirements.txt run_script.py --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -549,10 +558,10 @@ describe("E2E: uv coverage", () => {
it(`uv sync --all-extras syncs all optional dependencies`, async () => { it(`uv sync --all-extras syncs all optional dependencies`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Initialize project with optional dependency and sync in one command chain // Initialize project with optional dependency and sync in one command chain
const result = await shell.runCommand( const result = await shell.runCommand(
"uv init test-extras && cd test-extras && uv add --optional dev pytest && uv sync --all-extras" "uv init test-extras && cd test-extras && uv add --optional dev pytest --safe-chain-logging=verbose && uv sync --all-extras"
); );
assert.ok( assert.ok(
@ -561,4 +570,3 @@ describe("E2E: uv coverage", () => {
); );
}); });
}); });

4
test/e2e/yarn-ci.e2e.spec.js
View file

@ -33,7 +33,9 @@ describe("E2E: yarn coverage", () => {
it(`safe-chain succesfully installs safe packages`, async () => { it(`safe-chain succesfully installs safe packages`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand("yarn add axios"); const result = await shell.runCommand(
"yarn add axios --safe-chain-logging=verbose"
);
assert.ok( assert.ok(
result.output.includes("no malware found."), result.output.includes("no malware found."),

4
test/e2e/yarn.e2e.spec.js
View file

@ -28,7 +28,9 @@ describe("E2E: yarn coverage", () => {
it(`safe-chain succesfully installs safe packages`, async () => { it(`safe-chain succesfully installs safe packages`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand("yarn add axios"); const result = await shell.runCommand(
"yarn add axios --safe-chain-logging=verbose"
);
assert.ok( assert.ok(
result.output.includes("no malware found."), result.output.includes("no malware found."),