Summary
Raised via: PR #323, requested by @leynos
New audit and rust-audit Makefile targets were introduced without dedicated, isolated tests. CI executes make audit but that does not constitute substantive unit-level test coverage for the implementation. The shell logic embedded in the rust-audit recipe — lockfile detection, audited-manifest counting, temp-file bookkeeping, and exit-code behaviour — is currently unverified by any automated test suite independent of a real Cargo workspace.
Explanation
The rust-audit target in the Makefile (lines 109–127) embeds non-trivial shell logic:
- Traversal pruning of
target/, node_modules/, and .venv/.
- Per-manifest detection of an adjacent
Cargo.lock.
- Audited-manifest counting via a temp file.
- Failure when zero lockfile-backed manifests are found.
- Cleanup via
trap … EXIT.
Running the target in CI against the real workspace verifies the happy path but does not cover:
- A workspace where no
Cargo.toml files exist.
- A workspace where all
Cargo.toml files lack an adjacent Cargo.lock (should exit 1).
- A workspace with a mix of manifests with and without lockfiles (only the former should be audited).
- Pruning behaviour (manifests under
target/ must be skipped).
- Correct temp-file cleanup on failure.
Resolution
Extract the audit traversal and counting logic into a Python helper script and add a pytest test suite that exercises the following scenarios against a real or mock filesystem:
- No
Cargo.toml files found → exit 1 with an appropriate message.
- All manifests lack an adjacent
Cargo.lock → exit 1 with an appropriate message.
- At least one manifest has an adjacent
Cargo.lock → the audit command is invoked and the script exits 0 on success.
- Manifests under
target/, node_modules/, and .venv/ are skipped.
- Temp file is removed after both successful and failed runs.
The Makefile target should delegate to the Python script so the logic is testable in isolation without requiring cargo audit to be installed (use a mock/stub for the audit invocation in tests).
References
Summary
Raised via: PR #323, requested by @leynos
New
auditandrust-auditMakefile targets were introduced without dedicated, isolated tests. CI executesmake auditbut that does not constitute substantive unit-level test coverage for the implementation. The shell logic embedded in therust-auditrecipe — lockfile detection, audited-manifest counting, temp-file bookkeeping, and exit-code behaviour — is currently unverified by any automated test suite independent of a real Cargo workspace.Explanation
The
rust-audittarget in theMakefile(lines 109–127) embeds non-trivial shell logic:target/,node_modules/, and.venv/.Cargo.lock.trap … EXIT.Running the target in CI against the real workspace verifies the happy path but does not cover:
Cargo.tomlfiles exist.Cargo.tomlfiles lack an adjacentCargo.lock(should exit 1).target/must be skipped).Resolution
Extract the audit traversal and counting logic into a Python helper script and add a
pytesttest suite that exercises the following scenarios against a real or mock filesystem:Cargo.tomlfiles found → exit 1 with an appropriate message.Cargo.lock→ exit 1 with an appropriate message.Cargo.lock→ the audit command is invoked and the script exits 0 on success.target/,node_modules/, and.venv/are skipped.The
Makefiletarget should delegate to the Python script so the logic is testable in isolation without requiringcargo auditto be installed (use a mock/stub for the audit invocation in tests).References
rust-audittarget)