HTTP spec conformance during CI #17119
Triggered via pull request on September 26, 2024 08:05
Status: Failure
Total duration: 9m 47s
Artifacts: –
ci.yml
on: pull_request
Matrix: Build and Test
Matrix: Jmh CachedDateHeaderBenchmark
Matrix: Jmh ClientBenchmark
Matrix: Jmh EndpointBenchmark
Matrix: Jmh HttpCollectEval
Matrix: Jmh HttpCombineEval
Matrix: Jmh HttpNestedFlatMapEval
Matrix: Jmh HttpRouteTextPerf
Matrix: Jmh ProbeContentTypeBenchmark
Matrix: Jmh SchemeDecodeBenchmark
Matrix: Jmh ServerInboundHandlerBenchmark
Matrix: Jmh UtilBenchmark
Matrix: Mima Check
Matrix: Performance Benchmarks (SimpleEffectBenchmarkServer)
Matrix: Performance Benchmarks (PlainTextBenchmarkServer)
Matrix: Unsafe Scoverage
Matrix: Release Drafter
Matrix: Publish Artifacts
Annotations
24 errors and 8 warnings
Release Drafter (ubuntu-latest, 2.13.10, temurin@8)
Resource not accessible by integration
{
name: 'HttpError',
id: '11048133171',
status: 403,
response: {
url: 'https://api.github.com/repos/zio/zio-http/issues/3169/labels',
status: 403,
headers: {
'access-control-allow-origin': '*',
'access-control-expose-headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset',
connection: 'close',
'content-encoding': 'gzip',
'content-security-policy': "default-src 'none'",
'content-type': 'application/json; charset=utf-8',
date: 'Thu, 26 Sep 2024 08:06:08 GMT',
'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
server: 'github.com',
'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
'transfer-encoding': 'chunked',
vary: 'Accept-Encoding, Accept, X-Requested-With',
'x-accepted-github-permissions': 'issues=write; pull_requests=write',
'x-content-type-options': 'nosniff',
'x-frame-options': 'deny',
'x-github-api-version-selected': '2022-11-28',
'x-github-media-type': 'github.v3; format=json',
'x-github-request-id': '2C85:3F0C9D:1888F49:2D83CE6:66F515F0',
'x-ratelimit-limit': '5000',
'x-ratelimit-remaining': '4971',
'x-ratelimit-reset': '1727341204',
'x-ratelimit-resource': 'core',
'x-ratelimit-used': '29',
'x-xss-protection': '0'
},
data: {
message: 'Resource not accessible by integration',
documentation_url: 'https://docs.github.com/rest/issues/labels#add-labels-to-an-issue',
status: '403'
}
},
request: {
method: 'POST',
url: 'https://api.github.com/repos/zio/zio-http/issues/3169/labels',
headers: {
accept: 'application/vnd.github.v3+json',
'user-agent': 'probot/12.2.5 octokit-core.js/3.5.1 Node.js/20.13.1 (linux; x64)',
authorization: 'token [REDACTED]',
'content-type': 'application/json; charset=utf-8'
},
body: '{"labels":["maintenance","enhancement"]}',
request: {}
},
event: {
id: '11048133171',
name: 'pull_request',
payload: {
action: 'edited',
changes: {
body: {
from: '/claim #3083\r\n' +
'fixes #3083\r\n' +
'\r\n' +
'**Conclusions**\r\n' +
'\r\n' +
`This PR integrates new HTTP conformance tests derived from the research paper _"Who's Breaking the Rules? Studying Conformance to the HTTP Specifications and its Security Impact"_ by Jannis Rautenstrauch and Ben Stock. These tests now acts as a guardrail to ZIO -HTTP implementations adhere to the specifications and help identify potential security issues.\r\n` +
'\r\n' +
'1. The tests taken reference from [http-conformance](https://github.com/cispa/http-conformance) are categorised into 3 levels, **Requirement, Recommendations and ABNF**. The initial process is to add the conformance suite and I have added the Requirement and Recommendation level conformance tests which are critical to be tested to safeguard.\r\n' +
'\r\n' +
'2. I have ran http-conformance tool with simple zio-http server setup and observed analysis of tool with different categories Dangerous broken, Dangerous not broken, Not dangerous broken and Not Dangerous not broken. I have shifted towards first test with Dangerous ones and added them broken/not-broken then added not-dangerous ones.\r\n' +
'\r\n' +
'\r\n' +
'**Status Codes:**\r\n' +
'\r\n' +
'This specs verifies behaviour of the different Status Codes in Violations\r\n' +
'\r\n' +
'**`204 No Content`** which verifies no body is sent.\r\n' +
'**`205 Reset Content`** checks no body is sent.\r\n' +
'**`206 Partial Content`** ch
|
Release Drafter (ubuntu-latest, 2.13.10, temurin@8)
Resource not accessible by integration
{
name: 'HttpError',
id: '11048133171',
status: 403,
response: {
url: 'https://api.github.com/repos/zio/zio-http/releases',
status: 403,
headers: {
'access-control-allow-origin': '*',
'access-control-expose-headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset',
connection: 'close',
'content-encoding': 'gzip',
'content-security-policy': "default-src 'none'",
'content-type': 'application/json; charset=utf-8',
date: 'Thu, 26 Sep 2024 08:06:10 GMT',
'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
server: 'github.com',
'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
'transfer-encoding': 'chunked',
vary: 'Accept-Encoding, Accept, X-Requested-With',
'x-accepted-github-permissions': 'contents=write; contents=write,workflows=write',
'x-content-type-options': 'nosniff',
'x-frame-options': 'deny',
'x-github-api-version-selected': '2022-11-28',
'x-github-media-type': 'github.v3; format=json',
'x-github-request-id': '2C87:1B7989:180F253:2C7C967:66F515F2',
'x-ratelimit-limit': '5000',
'x-ratelimit-remaining': '4970',
'x-ratelimit-reset': '1727341204',
'x-ratelimit-resource': 'core',
'x-ratelimit-used': '30',
'x-xss-protection': '0'
},
data: {
message: 'Resource not accessible by integration',
documentation_url: 'https://docs.github.com/rest/releases/releases#create-a-release',
status: '403'
}
},
request: {
method: 'POST',
url: 'https://api.github.com/repos/zio/zio-http/releases',
headers: {
accept: 'application/vnd.github.v3+json',
'user-agent': 'probot/12.2.5 octokit-core.js/3.5.1 Node.js/20.13.1 (linux; x64)',
authorization: 'token [REDACTED]',
'content-type': 'application/json; charset=utf-8'
},
body: '{"target_commitish":"refs/pull/3169/merge","name":"v3.0.2 🌈","tag_name":"v3.0.2","body":"## Changes\\n\\n- Changes the default Endpoint.outStream[X] encoding to produce a JSON array @gregor-rayman (#3122)\\n- Fix ScalaJS Compilation by Removing JVM-specific java.util.Objects References in PathCodecPlatformSpecific @asr2003 (#3155)\\n- Fix #3101 Code gen schema import missing @nafg (#3153)\\n- Fix #3103 Only last response is generated into Endpoint code @nafg (#3151)\\n- Optimizations for request execution happy path @kyri-petrou (#3143)\\n- fix OpenAPI code gen not quoting arbitrary header names @geeeezmo (#3136)\\n","draft":true,"prerelease":false,"make_latest":"true"}',
request: { retryCount: 1 }
},
event: {
id: '11048133171',
name: 'pull_request',
payload: {
action: 'edited',
changes: {
body: {
from: '/claim #3083\r\n' +
'fixes #3083\r\n' +
'\r\n' +
'**Conclusions**\r\n' +
'\r\n' +
`This PR integrates new HTTP conformance tests derived from the research paper _"Who's Breaking the Rules? Studying Conformance to the HTTP Specifications and its Security Impact"_ by Jannis Rautenstrauch and Ben Stock. These tests now acts as a guardrail to ZIO -HTTP implementations adhere to the specifications and help identify potential security issues.\r\n` +
'\r\n' +
'1. The tests taken reference from [http-conformance](https://github.com/cispa/http-conformance) are categorised into 3 levels, **Requirement, Recommendations and ABNF**. The initial process is to add the conformance suite and I have added the Requirement and Recommendation level conformance tests which are critical to be tested to safeguard.\r\n' +
'\r\n' +
'2. I have ran http-conformance tool with simple zio-http server setup and observed analysis of to
|
Release Drafter (ubuntu-latest, 2.13.10, temurin@8)
HttpError: Resource not accessible by integration
at /home/runner/work/_actions/release-drafter/release-drafter/v5/dist/index.js:8462:21
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async Job.doExecute (/home/runner/work/_actions/release-drafter/release-drafter/v5/dist/index.js:30793:18)
HttpError: Resource not accessible by integration
at /home/runner/work/_actions/release-drafter/release-drafter/v5/dist/index.js:8462:21
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async Job.doExecute (/home/runner/work/_actions/release-drafter/release-drafter/v5/dist/index.js:30793:18)
{
name: 'AggregateError',
event: {
id: '11048133171',
name: 'pull_request',
payload: {
action: 'edited',
changes: {
body: {
from: '/claim #3083\r\n' +
'fixes #3083\r\n' +
'\r\n' +
'**Conclusions**\r\n' +
'\r\n' +
`This PR integrates new HTTP conformance tests derived from the research paper _"Who's Breaking the Rules? Studying Conformance to the HTTP Specifications and its Security Impact"_ by Jannis Rautenstrauch and Ben Stock. These tests now acts as a guardrail to ZIO -HTTP implementations adhere to the specifications and help identify potential security issues.\r\n` +
'\r\n' +
'1. The tests taken reference from [http-conformance](https://github.com/cispa/http-conformance) are categorised into 3 levels, **Requirement, Recommendations and ABNF**. The initial process is to add the conformance suite and I have added the Requirement and Recommendation level conformance tests which are critical to be tested to safeguard.\r\n' +
'\r\n' +
'2. I have ran http-conformance tool with simple zio-http server setup and observed analysis of tool with different categories Dangerous broken, Dangerous not broken, Not dangerous broken and Not Dangerous not broken. I have shifted towards first test with Dangerous ones and added them broken/not-broken then added not-dangerous ones.\r\n' +
'\r\n' +
'\r\n' +
'**Status Codes:**\r\n' +
'\r\n' +
'This specs verifies behaviour of the different Status Codes in Violations\r\n' +
'\r\n' +
'**`204 No Content`** which verifies no body is sent.\r\n' +
'**`205 Reset Content`** checks no body is sent.\r\n' +
'**`206 Partial Content`** checks the presence of Content-Range.\r\n' +
'**`206 Multipart Content`** checks Content-Range is excluded in multipart responses.\r\n' +
'**`206 Headers`** checks headers like ETag and Cache-Control are present.\r\n' +
'**`401 Unauthorized`** checks the presence of WWW-Authenticate header.\r\n' +
'**`405 Method Not Allowed`** checks the Allow header is present.\r\n' +
'**`407 Proxy Authentication Required`** verifies the Proxy-Authenticate header is present.\r\n' +
'**`304 Not Modified`** checks no body is returned for 304 Not Modified and verifies consistency with 200 OK and more....\r\n' +
'\r\n' +
'**Redirection (Location Header):**\r\n' +
'\r\n' +
'This tests added validates the presence of Location header in 300 Multiple Choices, 301 Moved Permanently, 302 Found, 303 See Other, 307 Temporary Redirect and 308 Permanent Redirect responses.\r\n' +
'\r\n' +
'**Headers and Metadata:**\r\n' +
'\r\n' +
'**`Range Header (206)`** checks Content-Range is present in 206 responses.\r\n' +
'**`Content-Range (416)`** validates Content-Range in 416 Range Not Satisfiable.\r\n' +
'**`Content-Length in CONNECT`** checks no Content-Length for 2XX CONNECT.\r\n' +
'**`Transfer-Encoding in CONNECT`** checks no Transfer-Encoding for 2XX CONNECT.\r\n' +
'**`CSP Header`** validates that only one Content-Security-Policy header is
|
Build and Test (ubuntu-latest, 2.13.14, temurin@21)
Process completed with exit code 1.
|
Build and Test (ubuntu-latest, 3.3.3, graal_graalvm@17)
The job was canceled because "ubuntu-latest_2_13_14_t_2" failed.
|
Build and Test (ubuntu-latest, 3.3.3, temurin@17)
The job was canceled because "ubuntu-latest_2_13_14_t_2" failed.
|
Build and Test (ubuntu-latest, 3.3.3, temurin@21)
The job was canceled because "ubuntu-latest_2_13_14_t_2" failed.
|
Build and Test (ubuntu-latest, 3.3.3, graal_graalvm@21)
The job was canceled because "ubuntu-latest_2_13_14_t_2" failed.
|
Build and Test (ubuntu-latest, 3.3.3, graal_graalvm@21)
The operation was canceled.
|
Build and Test (ubuntu-latest, 2.12.19, graal_graalvm@21)
The job was canceled because "ubuntu-latest_2_13_14_t_2" failed.
|
Build and Test (ubuntu-latest, 2.12.19, graal_graalvm@21)
The operation was canceled.
|
Build and Test (ubuntu-latest, 2.12.19, graal_graalvm@17)
The job was canceled because "ubuntu-latest_2_13_14_t_2" failed.
|
Build and Test (ubuntu-latest, 2.12.19, graal_graalvm@17)
The operation was canceled.
|
Build and Test (ubuntu-latest, 2.12.19, temurin@21)
The job was canceled because "ubuntu-latest_2_13_14_t_2" failed.
|
Build and Test (ubuntu-latest, 2.12.19, temurin@21)
The operation was canceled.
|
Build and Test (ubuntu-latest, 2.13.14, graal_graalvm@17)
The job was canceled because "ubuntu-latest_2_13_14_t_2" failed.
|
Build and Test (ubuntu-latest, 2.13.14, graal_graalvm@17)
The operation was canceled.
|
Build and Test (ubuntu-latest, 2.12.19, temurin@17)
The job was canceled because "ubuntu-latest_2_13_14_t_2" failed.
|
Build and Test (ubuntu-latest, 2.12.19, temurin@17)
The operation was canceled.
|
Build and Test (ubuntu-latest, 2.13.14, graal_graalvm@21)
The job was canceled because "ubuntu-latest_2_13_14_t_2" failed.
|
Build and Test (ubuntu-latest, 2.13.14, graal_graalvm@21)
The operation was canceled.
|
Build and Test (ubuntu-latest, 2.13.14, temurin@17)
The job was canceled because "ubuntu-latest_2_13_14_t_2" failed.
|
Build and Test (ubuntu-latest, 2.13.14, temurin@17)
The operation was canceled.
|
Unsafe Scoverage (ubuntu-latest, 2.13.14, temurin@8)
Process completed with exit code 1.
|
Release Drafter (ubuntu-latest, 2.13.10, temurin@8)
The following actions use a deprecated Node.js version and will be forced to run on node20: release-drafter/release-drafter@v5. For more info: https://github.blog/changelog/2024-03-07-github-actions-all-actions-will-run-on-node20-instead-of-node16-by-default/
|
Build and Test (ubuntu-latest, 3.3.3, graal_graalvm@21)
Please remove "components: 'native-image'" from your workflow file. It is automatically included since GraalVM for JDK 17: https://github.com/oracle/graal/pull/5995
|
Build and Test (ubuntu-latest, 2.12.19, graal_graalvm@21)
Please remove "components: 'native-image'" from your workflow file. It is automatically included since GraalVM for JDK 17: https://github.com/oracle/graal/pull/5995
|
Build and Test (ubuntu-latest, 2.13.14, graal_graalvm@21)
Please remove "components: 'native-image'" from your workflow file. It is automatically included since GraalVM for JDK 17: https://github.com/oracle/graal/pull/5995
|
Performance Benchmarks (PlainTextBenchmarkServer) (ubuntu-latest, 2.13.14, temurin@8)
The following actions uses node12 which is deprecated and will be forced to run on node16: actions/checkout@v2. For more info: https://github.blog/changelog/2023-06-13-github-actions-all-actions-will-run-on-node16-instead-of-node12-by-default/
|
Performance Benchmarks (PlainTextBenchmarkServer) (ubuntu-latest, 2.13.14, temurin@8)
The following actions use a deprecated Node.js version and will be forced to run on node20: actions/checkout@v2. For more info: https://github.blog/changelog/2024-03-07-github-actions-all-actions-will-run-on-node20-instead-of-node16-by-default/
|
Performance Benchmarks (SimpleEffectBenchmarkServer) (ubuntu-latest, 2.13.14, temurin@8)
The following actions uses node12 which is deprecated and will be forced to run on node16: actions/checkout@v2. For more info: https://github.blog/changelog/2023-06-13-github-actions-all-actions-will-run-on-node16-instead-of-node12-by-default/
|
Performance Benchmarks (SimpleEffectBenchmarkServer) (ubuntu-latest, 2.13.14, temurin@8)
The following actions use a deprecated Node.js version and will be forced to run on node20: actions/checkout@v2. For more info: https://github.blog/changelog/2024-03-07-github-actions-all-actions-will-run-on-node20-instead-of-node16-by-default/
|