fix: introduce security related linter and fix warnings

[magicmatatjahu]

Description

• Add eslint-plugin-security package and configure it in project,
• Bump eslint package to 7.X.X,
• Introduce getMapKey util function for retrieve data by key from object - use it in models,
• Fix warnings returned by eslint-plugin-security.

Related issue(s)
Resolves #103

[derberg]

Awesome stuff mate, just a few questions to understand some decisions

[derberg]

why disable, we we cannot just use Map here. Which part linter doesn't like?

[magicmatatjahu]

Linter doesn't like the key variable. If you use Object.keys() then you have 100% sure, than variable is string and we don't do things like _json.dependencies[key](), so we avoid eval malicious code, so I decided to disable plugin in those lines. I could use utils helper createMapOfType, but as you can see, in one case we create Schema Type, in another we write raw value.

[derberg]

I don't like to disable rules unless it is a test or there is really nothing else we can do.
values are accessed by a key and with Map it is not the case so it is better, so I don't really get your explanation about _json.dependencies[key]()

[derberg]

js.channels can be converted into Map -> https://github.com/asyncapi/parser-js/pull/105/files#diff-c3d5db07c30dd8c16e1da041b6f90850R115

of course depends what part is a problem for the linter

[magicmatatjahu]

The problem is with retrieving value by channelName and opName variable. As you see, this variable will be in 100% strings.

[magicmatatjahu]

And as I remember forEach method from ES6 Map cannot handle async functions, and in this function we must handle async conversion of Messages.

[derberg]

you are right about forEach but then you can just use for of

thing is that we should not assume that what we have now (100% string) will always be like that if the future, so better just to fix than ignore

[derberg]

same as with others, we could make this._json a Map

[magicmatatjahu]

But then users will have to get data via the get () method and not via the array index, and for me this is a breaking change. If we decided to use Map here, then we should also adjust whole methods, which return plain JS Object, to Map. Or probably I don't understand your suggestion :D

[derberg]

you change it to a map only for forEach but in 193 still return pure json

[derberg]

I have some naming issues here, now this function is basically not only for getting a typed map, so name is no longer getMapKeyOfType and hiding it with getMapKey seems strange too me 🤔
why not try renaming getMapKeyOfType to something more generic? with good jsdoc?

[magicmatatjahu]

I will try make it more generic :)

[magicmatatjahu]

Also in 162 line, without eslint-disable, we should cast key to String like result[String(key)] = new Type(obj[String(key)]);

[derberg]

yeap, do the casting

did you make changes here? I don't think so

[derberg]

@magicmatatjahu added a few comments

[derberg]

I don't like to disable rules unless it is a test or there is really nothing else we can do.
values are accessed by a key and with Map it is not the case so it is better, so I don't really get your explanation about _json.dependencies[key]()

[derberg]

you are right about forEach but then you can just use for of

thing is that we should not assume that what we have now (100% string) will always be like that if the future, so better just to fix than ignore

[derberg]

yeap, do the casting

did you make changes here? I don't think so

[derberg]

you change it to a map only for forEach but in 193 still return pure json

[derberg]

WELL DONE 👏

[sonarqubecloud]

Kudos, SonarCloud Quality Gate passed!

0 Bugs
0 Vulnerabilities (and 0 Security Hotspots to review)
0 Code Smells

No Coverage information
0.0% Duplication

[asyncapi-bot]

🎉 This PR is included in version 0.25.1 🎉

The release is available on:

• npm package (@latest dist-tag)
• GitHub release

Your semantic-release bot 📦🚀