Add mutation testing analysis and configuration #56

Merged
sweis merged 1 commit into main from claude/cargo-mutants-analysis-P0yN6
Mar 12, 2026
@sweis (Owner) commented Mar 12, 2026

Summary

This PR adds comprehensive mutation testing analysis and configuration to improve test coverage visibility and guide future testing efforts.

Changes

  • Added MUTANTS.md: A detailed mutation testing report generated by cargo-mutants that documents:

    • Overall test coverage metrics (367 missed mutants, 389 caught, 60% score for xcert-lib)
    • Critical gaps in the verification pipeline where entire check functions can be deleted without test failure
    • High-priority untested public API surface (curve(), dns_names(), ip_addresses())
    • Medium-severity gaps in formatting, parsing, and boundary condition testing
    • Specific recommendations prioritized by impact (per-check negative tests, Name Constraint unit tests, WebPKI policy tests, etc.)
  • Added .cargo/mutants.toml: Configuration to exclude known non-testable code from future mutation runs:

    • CLI color helpers (styling-only, not logic)
    • base64_wrap function (mutations cause infinite loops)
    • System trust-store discovery (host-filesystem dependent)
  • Updated .gitignore: Added /mutants.out* to ignore mutation testing output artifacts

Notable Findings

The analysis reveals that while individual parsing and utility functions are well-tested, the verification pipeline has significant gaps:

  • 11 check functions can be replaced with no-ops without test failure
  • 9 boolean helpers can be hard-coded to wrong values without detection
  • The CLI binary is effectively untested end-to-end (110 survivors)
  • Several security-critical boundaries (time validity, basic constraints, name constraints) lack isolated negative test cases

The report provides actionable guidance for improving test coverage, with the highest priority being per-check negative tests for the verification pipeline.

https://preview.claude.ai/code/session_01QYgbDNhxKkJi6qg2cQqWaN

Ran cargo-mutants against the full workspace (788 mutants tested,
367 missed, 389 caught, 30 unviable, 2 timeouts).

MUTANTS.md documents the findings. The headline result is that
eleven individual chain-verification check functions (time validity,
basic constraints, critical extensions, duplicate extensions, name
constraint placement, name constraint enforcement, keyCertSign,
RFC 5280 strict rules, CRL strict rules, and the entire WebPKI
policy layer) can be replaced with no-ops without any test failing.
The existing negative tests fail for multiple reasons at once, so
disabling any single check goes unnoticed.

Other gaps: ip_matches_constraint / email_matches_constraint can be
hard-coded true; the dns_names() / ip_addresses() / curve()
convenience methods are entirely untested; DN special-character
escaping and the DateTime month table have no coverage.

Also adds:
- .cargo/mutants.toml excluding CLI color helpers, the base64
  line-wrap loop (mutations create infinite loops), and host-
  filesystem-dependent trust-store discovery.
- /mutants.out* to .gitignore.
@sweis sweis merged commit 9a75ee7 into main Mar 12, 2026
5 checks passed
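
The finding above (negative tests that fail for several reasons at once let a disabled check go unnoticed), as an added Rust example that is not part of this PR or of xcert-lib. It uses a toy three-check verifier in which `skip` simulates a no-op mutant; `Cert`, `VerifyError`, `verify`, and all fixture values are hypothetical and constructed for illustration.

```rust
// Hypothetical toy verifier: these names are illustrative, not xcert-lib's API.
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum VerifyError { Expired, NotCa, MissingKeyCertSign }
#[derive(Clone, Copy)]
pub struct Cert { pub not_after: u64, pub is_ca: bool, pub key_cert_sign: bool }

pub type Check = fn(&Cert, u64) -> Result<(), VerifyError>;
fn check_time(c: &Cert, now: u64) -> Result<(), VerifyError> {
    if now > c.not_after { Err(VerifyError::Expired) } else { Ok(()) }
}
fn check_basic_constraints(c: &Cert, _now: u64) -> Result<(), VerifyError> {
    if c.is_ca { Ok(()) } else { Err(VerifyError::NotCa) }
}
fn check_key_cert_sign(c: &Cert, _now: u64) -> Result<(), VerifyError> {
    if c.key_cert_sign { Ok(()) } else { Err(VerifyError::MissingKeyCertSign) }
}
pub const CHECKS: [Check; 3] = [check_time, check_basic_constraints, check_key_cert_sign];

/// Runs every check in order. `skip` simulates the mutant that replaces
/// check number `skip` with a no-op; `None` is the unmutated pipeline.
pub fn verify(c: &Cert, now: u64, skip: Option<usize>) -> Result<(), VerifyError> {
    for (i, check) in CHECKS.iter().enumerate() {
        if Some(i) != skip { check(c, now)?; }
    }
    Ok(())
}

/// Constructed baseline that passes every check at now = 100.
pub const VALID: Cert = Cert { not_after: 200, is_ca: true, key_cert_sign: true };
/// Weak fixture: invalid for three reasons at once.
pub const BROKEN_EVERYWHERE: Cert = Cert { not_after: 50, is_ca: false, key_cert_sign: false };

/// One fixture per check: a single field differs from VALID, paired with
/// the exact error expected. Index i targets CHECKS[i].
pub fn single_fault_cases() -> [(Cert, VerifyError); 3] {
    [
        (Cert { not_after: 99, ..VALID }, VerifyError::Expired),
        (Cert { is_ca: false, ..VALID }, VerifyError::NotCa),
        (Cert { key_cert_sign: false, ..VALID }, VerifyError::MissingKeyCertSign),
    ]
}

fn main() {
    for (i, (cert, want)) in single_fault_cases().iter().enumerate() {
        // Weak assertion still holds under mutant i, so that mutant survives.
        assert!(verify(&BROKEN_EVERYWHERE, 100, Some(i)).is_err());
        // Per-check assertion holds unmutated and flips under mutant i, so it is caught.
        assert_eq!(verify(cert, 100, None), Err(*want));
        assert_eq!(verify(cert, 100, Some(i)), Ok(()));
    }
}
```

Asserting the exact error variant, not just `is_err()`, is what ties each fixture to one check.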