SAST CI job failing because it is scanning our `.js` translation files which are JSON syntax
SAST CI job failing because it is scanning our `.js` translation files which are JSON syntax.
We started including the translations directly into this repo in https://gitlab.com/gitlab-org/gitter/webapp/-/merge_requests/1846
Relevant code: `modules/translations/homepage/ar.js`
Here is the error in CI:
```
[nodejs-scan] Starting analyzer...
Found project in /tmp/app
30 rules loaded
{ SyntaxError: /tmp/app/modules/translations/homepage/ar.js: Unexpected token, expected ";" (2:16)
  1 | {
> 2 | "Translated By": "Fares AlBelady",
    |                ^
  3 | "Gitter — Where developers come to talk.": "Gitter — المكان الذي يجتمع فيه المطورون.",
  4 | "Integrations": "التكامل",
  5 | "Pricing": "الأسعار",
    at Object.raise (/home/node/node_modules/@babel/parser/lib/index.js:7012:17)
    at Object.unexpected (/home/node/node_modules/@babel/parser/lib/index.js:8405:16)
    at Object.semicolon (/home/node/node_modules/@babel/parser/lib/index.js:8387:40)
    at Object.parseExpressionStatement (/home/node/node_modules/@babel/parser/lib/index.js:11225:10)
    at Object.parseExpressionStatement (/home/node/node_modules/@babel/parser/lib/index.js:2106:18)
    at Object.parseStatementContent (/home/node/node_modules/@babel/parser/lib/index.js:10824:19)
    at Object.parseStatement (/home/node/node_modules/@babel/parser/lib/index.js:10690:17)
    at Object.parseStatement (/home/node/node_modules/@babel/parser/lib/index.js:2079:26)
    at Object.parseBlockOrModuleBlockBody (/home/node/node_modules/@babel/parser/lib/index.js:11266:25)
    at Object.parseBlockBody (/home/node/node_modules/@babel/parser/lib/index.js:11253:10)
  pos: 18,
  loc: Position { line: 2, column: 16 },
  code: 'BABEL_PARSE_ERROR' }
exit status 1
2020/05/05 17:41:30 Container exited with non zero status code
```
Is JSON valid JavaScript?
Our current `.js` translation files don't throw any ESLint error, and when I paste the object into the devtools console, it just returns the JavaScript object (there is magic around the devtools console though).
When I try to run `node modules/translations/homepage/ar.js`, I do see an error:
```
$ node modules\translations\homepage\ar.js
C:\Users\MLM\Documents\GitLab\webapp\modules\translations\homepage\ar.js:2
"Translated By": "Fares AlBelady",
               ^
SyntaxError: Unexpected token :
    at new Script (vm.js:79:7)
    at createScript (vm.js:251:10)
    at Object.runInThisContext (vm.js:303:10)
    at Module._compile (internal/modules/cjs/loader.js:657:28)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:700:10)
    at Module.load (internal/modules/cjs/loader.js:599:32)
    at tryModuleLoad (internal/modules/cjs/loader.js:538:12)
    at Function.Module._load (internal/modules/cjs/loader.js:530:3)
    at Function.Module.runMain (internal/modules/cjs/loader.js:742:12)
    at startup (internal/bootstrap/node.js:283:19)
```
MDN says JSON is a valid JavaScript expression. But maybe a JavaScript expression can't be on its own:
> Any JSON text is a valid JavaScript expression...

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/JSON
This Medium article goes along with the error we are seeing and says JSON isn't valid JavaScript:
> There are also circumstances where JSON is not valid JavaScript. In fact, since JavaScript does not support bare objects, the simple statement `{"k":"v"}` will emit an error in JavaScript (go ahead and try it in your browser console) whereas it can be parsed as valid JSON

https://medium.com/@ExplosionPills/json-is-not-javascript-5de833fbe49c#e537
This is a pretty definitive answer explaining why it's not valid though:
> It's because curly braces have two uses - either introducing a block, or as the start of an object literal (the latter being an expression).
> The console can't tell which, so it assumes a statement block, and only later finds that the contents of the block can't be parsed as statements.
Solutions
Update our translations to be `.json`
We can update the extension for all of our translation files to `.json`. We can still `require('./xxx.json')`, so it shouldn't be a problem.
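
The block-versus-object-literal distinction above, and the rename it motivates, as an added example (not code from this issue or the project). It uses `new Function` as a compile-only stand-in for the scanner's parser, which is an assumption; the helper names and sample sources are hypothetical and constructed.

```javascript
// Added example. Sample sources below are constructed, not repository files.
// new Function(src) compiles src as statements without running it; this is a
// stand-in (assumption) for the statement-level parse a JS scanner performs.
function compiles(source) {
  try {
    new Function(source);
    return true;
  } catch (err) {
    if (err instanceof SyntaxError) return false;
    throw err;
  }
}

function isJson(source) {
  try {
    JSON.parse(source);
    return true;
  } catch (err) {
    return false;
  }
}

// Classify one source text under the three readings discussed above.
function classify(source) {
  return {
    asScript: compiles(source), // leading "{" starts a block
    asExpression: compiles('return (' + source + '\n);'), // "{" starts an object literal
    asJson: isJson(source),
  };
}

// Hypothetical helper: .js files that are pure JSON and fail as a script,
// i.e. the files to rename to .json.
function findJsonNamedJs(files) {
  return Object.keys(files).filter((name) => {
    const c = classify(files[name]);
    return name.endsWith('.js') && c.asJson && !c.asScript;
  });
}

const sampleFiles = {
  'translations/ar.js': '{\n  "Pricing": "Prices",\n  "Integrations": "Integrations"\n}',
  'translations/index.js': 'module.exports = { "Pricing": "Prices" };',
  'translations/empty.js': '{}',
  'translations/fr.json': '{ "Pricing": "Tarifs" }',
};

console.log(findJsonNamedJs(sampleFiles));
```

Note that `{}` compiles as a script because it reads as an empty block, so only JSON objects with at least one key trigger the parse error.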