feat(core): add asyncapi-operation-security-defined lint rule #2759
harshit078 wants to merge 49 commits into
Conversation
Changeset detected. Latest commit: df986cf. The changes in this PR will be included in the next version bump. This PR includes changesets to release 3 packages.
vadyvas left a comment:
I would suggest a slightly different approach:
- keep the AsyncAPI logic separate and do not reuse shared logic from the OAS rule
- use the same rule name, `security-defined`, for AsyncAPI as well, and register the AsyncAPI implementation in the AsyncAPI ruleset
- do not update the v1 docs in this PR
I think this would make the change smaller, clearer, and safer.
Thank you for the contribution, overall the PR looks good
vadyvas left a comment:
Left a few comments, could you take a look?
| 'info-contact': InfoContact as Async2Rule, | ||
| 'info-license-strict': InfoLicenseStrict as Async2Rule, | ||
| 'operation-operationId': OperationOperationId as Async2Rule, | ||
| 'security-defined': SecurityDefined, |
Please add support for AsyncAPI 3 as well. Right now the rule only applies to AsyncAPI2
The code uses the rule name `security-defined`, but the docs still say `asyncapi-operation-security-defined`.
Can you update the related changes?
| @@ -0,0 +1,83 @@ | |||
| # asyncapi-operation-security-defined | |||
Please don’t add this rule to the v1 docs
| if (!list) return; | ||
| for (let i = 0; i < list.length; i++) { | ||
| const item = list[i]; | ||
| if (!isRef(item)) continue; |
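Review bot: the `continue` on `!isRef(item)` silently drops every inline entry from the check, and nothing in the loop says why; a one-line comment stating that inline security scheme objects are self-contained and that only `$ref` entries can be resolved against `components.securitySchemes` would make the intent clear to the next reader. Since the index `i` is only used to fetch `list[i]`, `for (const item of list)` would also read more directly than the counted loop with `const item = list[i]`.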
Could you explain why you are skipping non-refs? And the purpose of this statement: `item.$ref.split('/').pop()`?
- My intent behind skipping non-refs in the logic is that every security item can be either a `$ref` or an inline object. Since inline objects are complete in themselves, there's nothing to check or cross-check against `components.securitySchemes`; hence only `$ref` items can be tracked as references.
- The purpose of this statement is that it basically just grabs the last pointer segment purely as a display name in the "There is no name security scheme defined." message, which matches the async2 wording.
I hope my explanation did justice to what I was trying to say. If not, I'm happy to provide further explanation. Thanks!
Co-authored-by: Jacek Łękawa <164185257+JLekawa@users.noreply.github.com>
Co-authored-by: Jacek Łękawa <164185257+JLekawa@users.noreply.github.com>
Co-authored-by: Jacek Łękawa <164185257+JLekawa@users.noreply.github.com>
Hi @AlbinaBlazhko17, I have addressed all comments and resolved the comments left by Cursor. Though I have no clue how to resolve the failing test, hence I did not fix it. Can you review the PR again? Thanks!
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 555f60b.

What/Why/How?
Adds the `asyncapi-operation-security-defined` rule for AsyncAPI 2.x, which reports when a security scheme referenced from an operation or server `security` array is not defined in `components.securitySchemes`.
Reference
#2667
Note (Medium Risk): new default-severity lint behavior on AsyncAPI presets may surface many findings on specs missing operation security or with bad scheme refs; the logic is security-adjacent but read-only validation with broad test coverage.
Overview
Adds the built-in `security-defined` lint rule for AsyncAPI 2.x and 3.0, aligned with the existing OpenAPI rule name and behavior.
- AsyncAPI 2.x validates named schemes in operation/server `security` against `components.securitySchemes`, and flags operations with no security unless an applicable server (respecting channel `servers`) or operation traits supply it.
- AsyncAPI 3.0 resolves `$ref` entries in `security` lists, requires refs under `#/components/securitySchemes`, and applies the same "operation must have security" checks via channel-bound servers.
- Shared helper `operationHasSecurity` covers direct `security` and traits.
The rule is registered in the async2/async3 rule sets, wired into preset configs (minimal: warn, recommended/all: error), documented, and covered by unit tests; config/e2e snapshots reflect the new assertion subject types.
Reviewed by Cursor Bugbot for commit df986cf.
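The overview above describes the two checks the AsyncAPI 2.x branch of the rule performs. What follows is an added example, not code from this PR or from Redocly: a stand-alone JavaScript function that applies those checks (scheme names with no definition under `components.securitySchemes`, and operations that get no security from themselves, their traits, or an applicable server) to a plain object in AsyncAPI 2.x shape. The function names, the message wording, the `location` paths and the sample document are assumptions made for this illustration; the real rule is a Redocly visitor with its own reporting API.

```javascript
// Added example, not the PR's code: a stand-alone version of the two checks the
// AsyncAPI 2.x branch of `security-defined` performs, over a plain object in
// AsyncAPI 2.x shape. Function names, message wording, location paths and the
// sample document are assumptions made for this illustration.

// Names under components.securitySchemes are the only valid targets.
function definedSchemeNames(doc) {
  const schemes = (doc.components && doc.components.securitySchemes) || {};
  return new Set(Object.keys(schemes));
}

// An AsyncAPI 2.x `security` value is an array of requirement objects keyed by
// scheme name, e.g. [{ apiKey: [] }]. Return every scheme name it uses.
function requirementNames(security) {
  if (!Array.isArray(security)) return [];
  return security.flatMap((req) =>
    req && typeof req === 'object' ? Object.keys(req) : []
  );
}

// Security can be declared directly on the operation or on one of its traits.
function operationHasSecurity(op) {
  if (requirementNames(op.security).length > 0) return true;
  const traits = Array.isArray(op.traits) ? op.traits : [];
  return traits.some((t) => t && requirementNames(t.security).length > 0);
}

// Returns a list of { location, message } problems; an empty list means clean.
function checkSecurityDefined(doc) {
  const problems = [];
  const defined = definedSchemeNames(doc);
  const servers = doc.servers || {};

  const checkNames = (security, location) => {
    for (const name of requirementNames(security)) {
      if (!defined.has(name)) {
        problems.push({ location, message: `There is no "${name}" security scheme defined.` });
      }
    }
  };

  // Check 1 on servers: every referenced scheme must be defined.
  for (const [serverName, server] of Object.entries(servers)) {
    checkNames(server.security, `servers/${serverName}/security`);
  }

  for (const [channelName, channel] of Object.entries(doc.channels || {})) {
    // A channel's `servers` list restricts which servers apply to it;
    // when absent, every server in the document applies.
    const applicable = Array.isArray(channel.servers) ? channel.servers : Object.keys(servers);
    const serverSupplies = applicable.some(
      (s) => servers[s] && requirementNames(servers[s].security).length > 0
    );

    for (const opType of ['publish', 'subscribe']) {
      const op = channel[opType];
      if (!op) continue;
      const location = `channels/${channelName}/${opType}`;

      // Check 1 on the operation and on each of its traits.
      checkNames(op.security, `${location}/security`);
      (Array.isArray(op.traits) ? op.traits : []).forEach((t, i) =>
        checkNames(t && t.security, `${location}/traits/${i}/security`)
      );

      // Check 2: the operation must obtain security from somewhere.
      if (!operationHasSecurity(op) && !serverSupplies) {
        problems.push({
          location,
          message: 'Operation has no security defined on it, its traits, or an applicable server.',
        });
      }
    }
  }
  return problems;
}

// Constructed sample document (not from the PR): one undefined scheme name on an
// operation, and one operation whose only applicable server carries no security.
const SAMPLE_DOC = {
  asyncapi: '2.6.0',
  info: { title: 'example', version: '1.0.0' },
  servers: {
    prod: { url: 'mqtt://broker.example', protocol: 'mqtt', security: [{ apiKey: [] }] },
    dev: { url: 'mqtt://localhost', protocol: 'mqtt' },
  },
  channels: {
    'user/signup': { publish: { operationId: 'signup', security: [{ missingScheme: [] }] } },
    'user/login': { servers: ['dev'], subscribe: { operationId: 'login' } },
    'user/logout': { servers: ['prod'], subscribe: { operationId: 'logout' } },
  },
  components: { securitySchemes: { apiKey: { type: 'apiKey', in: 'user' } } },
};

console.log(JSON.stringify(checkSecurityDefined(SAMPLE_DOC), null, 2));
```

Run as-is it reports two problems for the sample document: the `missingScheme` reference on `user/signup`, and the `user/login` subscribe operation, which is bound only to `dev` and declares nothing itself; `user/logout` is clean because the `prod` server it is bound to carries `apiKey`.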