@buger buger commented Oct 13, 2025

User description

Refactor error messages in OAS security validation for consistency (#7440)

User description

Updated error messages in the OAS security validation logic to ensure
consistent capitalization. The changes include modifying the error
message for missing components and security schemes, as well as the
error message for missing required security schemes in the components.
This enhances clarity and maintains a uniform style across the error
outputs.


PR Type

Bug fix, Tests


Description

  • Capitalize OAS security error messages

  • Align tests with updated messages


Diagram Walkthrough

```mermaid
flowchart LR
  src["oas.go: security validation errors"] -- "capitalize messages" --> behavior["Runtime error outputs"]
  tests["oas_test.go: expected messages"] -- "update to match" --> behavior
```

File Walkthrough

Relevant files
Bug fix
oas.go
Capitalize security validation error messages                       

apidef/oas/oas.go

  • Capitalized error for missing components/security schemes.
  • Capitalized error for missing required security scheme.
+2/-2     
Tests
oas_test.go
Sync tests with capitalized error messages                             

apidef/oas/oas_test.go

  • Update expected error strings to capitalized versions.
  • Keep message format consistent with implementation.
+2/-2     


PR Type

Bug fix, Tests


Description

  • Capitalize OAS security error messages

  • Update tests to match capitalization


Diagram Walkthrough

```mermaid
flowchart LR
  src["oas.go: security validation errors"]
  tests["oas_test.go: expected messages"]
  runtime["Runtime error outputs"]

  src -- "capitalize messages" --> runtime
  tests -- "update expectations" --> runtime
```

File Walkthrough

Relevant files
Bug fix
oas.go
Capitalize security validation error strings                         

apidef/oas/oas.go

  • Capitalize missing components/security schemes error.
  • Capitalize missing required security scheme error.
+2/-2     
Tests
oas_test.go
Sync tests with capitalized error messages                             

apidef/oas/oas_test.go

  • Update expected error strings to capitalized.
  • Keep format aligned with implementation.
+2/-2     

(cherry picked from commit fcd1319)

PR Code Suggestions ✨

Explore these optional code suggestions:

Category: General
Consolidate split error string

Avoid splitting a single formatted string literal across lines with concatenation as
it risks unintended spaces/newlines and is harder to maintain. Use a single format
string with explicit space and keep the URL intact. This ensures consistent error
messages and avoids formatting glitches.

apidef/oas/oas.go [507-509]

-errorMsg := fmt.Sprintf("Missing required Security Scheme '%s' in Components.SecuritySchemes. "+
-					"For more information please visit https://swagger.io/specification/#security-requirement-object",
-					key)
+errorMsg := fmt.Sprintf("Missing required Security Scheme '%s' in Components.SecuritySchemes. For more information please visit https://swagger.io/specification/#security-requirement-object", key)
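Review bot: On the replacement line, the single literal produces the same string as the removed pair, because the first removed literal already ends in ". " before the `+`, so the stated risk of unintended spaces or newlines does not apply and the only visible effect is one very long source line. I would keep the split, or lift the URL into a named constant. Separately, consider `%q` in place of `'%s'` so that a `key` containing quotes or control characters is escaped when the message is logged.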
Suggestion importance[1-10]: 5

__

Why: The suggestion improves readability and avoids potential formatting issues by consolidating the split format string, matching the code context accurately. It's a minor improvement with low risk and modest impact.

Impact: Low


API Changes

no api changes detected


probelabs bot commented Oct 13, 2025

🔍 Code Analysis Results

This pull request introduces minor but important consistency changes to error messages within the OpenAPI Specification (OAS) security validation logic. The primary goal is to standardize the capitalization of error messages for better clarity and uniformity in system outputs.

Files Changed Analysis

  • apidef/oas/oas.go: (+2, -2) The core logic change is here, where two error message strings in the validateSecurity function have been capitalized.
  • apidef/oas/oas_test.go: (+2, -2) The corresponding unit tests have been updated to expect the new capitalized error messages, ensuring the test suite remains aligned with the code changes.

The changes are minimal and highly localized, affecting only error string formatting.

Architecture & Impact Assessment

  • Accomplishment: This PR standardizes error message formatting for OAS security validation, improving the consistency of user-facing errors and logs.
  • Key Technical Changes: Two errors.New() calls within the validateSecurity function in apidef/oas/oas.go now use capitalized strings.
  • Affected System Components: The change affects the OAS API definition validation component. Any system or user interacting with this validation logic will now see the capitalized error messages upon failure. This primarily impacts developers and API administrators during API definition import or validation.

The following diagram illustrates the relationship between the code and test changes:

```mermaid
flowchart LR
  subgraph "Code"
    oas["oas.go: validateSecurity()"]
  end
  subgraph "Tests"
    oas_test["oas_test.go: TestOAS_ValidateSecurity()"]
  end
  subgraph "Output"
    behavior["Runtime Error Messages"]
  end

  oas -- "Capitalizes error messages" --> behavior
  oas_test -- "Updates expected messages" --> behavior
```

Scope Discovery & Context Expansion

The changes are confined to the apidef/oas package. The validateSecurity function is an internal method of the OAS struct, called by the public Validate() method within the same file. The Validate() method is a comprehensive validator for the entire OAS definition.

This means any part of the system that validates an OAS API definition will now exhibit this new error message format for security validation failures. This could include API import processes, CLI tools, or management APIs that accept OAS definitions. The change, while small, will be visible wherever these specific validation errors surface.

Metadata
  • Review Effort: 1 / 5
  • Primary Label: chore

Powered by Visor from Probelabs

Last updated: 2025-10-13T14:22:29.261Z | Triggered by: opened | Commit: 5f14ad2


probelabs bot commented Oct 13, 2025

🔍 Code Analysis Results

✅ Security Check Passed

No security issues found – changes LGTM.

✅ Performance Check Passed

No performance issues found – changes LGTM.

✅ Quality Check Passed

No quality issues found – changes LGTM.

Style Issues (2)

Severity Location Issue
🟢 Info apidef/oas/oas.go:502
💡 Suggestion: Consider reverting to a lowercase starting letter for the error message to align with common Go style guidelines: `return errors.New("no components or security schemes present in OAS")`
🟢 Info apidef/oas/oas.go:507
💡 Suggestion: Consider reverting to a lowercase starting letter for the error message to align with common Go style guidelines: `errorMsg := fmt.Sprintf("missing required Security Scheme '%s' in Components.SecuritySchemes. "+`

Dependency Issues (1)

Severity Location Issue
🟡 Warning apidef/oas/oas.go:502
Changing the capitalization of an error string can be a breaking change for consumers that programmatically parse error messages. While this change improves consistency, it should be verified that no downstream systems rely on the exact previous (lowercase) error message for their logic.
💡 Suggestion: To create a more stable contract for error handling, consider using sentinel errors (e.g., `var ErrNoSecuritySchemes = errors.New(...)`) that can be checked with `errors.Is()` instead of relying on string comparison. For this change, ensure downstream consumers like `tyk-operator` or UI components are not affected.

✅ Connectivity Check Passed

No connectivity issues found – changes LGTM.


Powered by Visor from Probelabs

Last updated: 2025-10-13T14:22:30.270Z | Triggered by: opened | Commit: 5f14ad2
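The sentinel-error suggestion in the dependency warning above, as an added Go example that is not part of this PR or of Tyk's code. `checkSecurity` is a simplified, hypothetical stand-in for the validation, `ErrMissingSecurityScheme` is an assumed name, and the message texts are modelled on the strings quoted in this thread.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Sentinel errors: the identity of the value is the contract, not its text.
// ErrNoSecuritySchemes is the name suggested in the review comment;
// ErrMissingSecurityScheme is a hypothetical companion.
var (
	ErrNoSecuritySchemes     = errors.New("No components or security schemes present in OAS")
	ErrMissingSecurityScheme = errors.New("Missing required Security Scheme")
)

// checkSecurity is a hypothetical stand-in, not Tyk's implementation.
// required lists scheme names referenced by security requirements;
// defined holds the schemes declared under components.
func checkSecurity(required []string, defined map[string]bool) error {
	if len(required) == 0 {
		return nil
	}
	if len(defined) == 0 {
		return ErrNoSecuritySchemes
	}
	for _, key := range required {
		if !defined[key] {
			// %w keeps the sentinel in the chain; %q escapes the name.
			return fmt.Errorf("%w %q in Components.SecuritySchemes", ErrMissingSecurityScheme, key)
		}
	}
	return nil
}

// brittleMatch is a consumer pinned to the earlier lowercase text.
func brittleMatch(err error) bool {
	return err != nil && strings.HasPrefix(err.Error(), "missing required Security Scheme")
}

// stableMatch keeps working however the message is reworded.
func stableMatch(err error) bool { return errors.Is(err, ErrMissingSecurityScheme) }

func main() {
	err := checkSecurity([]string{"jwtAuth"}, map[string]bool{"basicAuth": true}) // constructed input
	fmt.Println(err)
	fmt.Println("string match:", brittleMatch(err), "errors.Is:", stableMatch(err))
}
```

A consumer that gates on the error text silently stops matching after a capitalization change, while the `errors.Is` check is unaffected by the wording.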


@ilijabojanovic ilijabojanovic merged commit f81d3b8 into release-5.10.0 Oct 13, 2025
44 of 48 checks passed
@ilijabojanovic ilijabojanovic deleted the merge/release-5.10.0/fcd1319ecc1387e8544f127354e2b9b4cab9edd6 branch October 13, 2025 14:44