From fa121c31f37d42cca77f537b28ff7e2f23df38ec Mon Sep 17 00:00:00 2001 From: aarlaud Date: Thu, 14 Jul 2022 08:29:17 -0400 Subject: [PATCH] feat: support --failOn options for snyk-delta & CLI * fix: package.json to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-NCONF-2395478 * fix: package.json to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-ASYNC-2441827 * feat: update snyk delta and relevant tests * chore: drop snyk org + mark not maintained * fix: upgrade axios from 0.26.1 to 0.27.2 Snyk has created this PR to upgrade axios from 0.26.1 to 0.27.2. See this package in npm: https://www.npmjs.com/package/axios See this project in Snyk: https://app.snyk.io/org/appsec-playground/project/118ea22d-619e-4f08-ad5f-29e006593678?utm_source=github&utm_medium=referral&page=upgrade-pr * feat: add failon flags following failon support in snyk-delta (#68) * feat: add failon flags following failon support in snyk-delta * fix: require failon compatible snyk-delta version Co-authored-by: snyk-bot Co-authored-by: Ilan Torbaty <81161693+IlanTSnyk@users.noreply.github.com> Co-authored-by: IlanTSnyk Co-authored-by: ghe Co-authored-by: Lili Kastilio --- .circleci/config.yml | 10 -- .gitignore | 1 + README.md | 68 ++++++----- package.json | 6 +- src/lib/index.ts | 15 +-- test/lib/index.test.ts | 268 +++++++++++++++++++++++++++++++++++++++++ 6 files changed, 318 insertions(+), 50 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 360f1d5..1756ab5 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -1,6 +1,4 @@ version: 2.1 -orbs: - snyk: snyk/snyk@1.1.2 jobs: build-test-monitor: docker: 
@@ -10,10 +8,6 @@ jobs: - run: npm install semantic-release @semantic-release/exec pkg --save-dev --legacy-peer-deps - run: npm install - run: npm test - - snyk/scan: - fail-on-issues: true - monitor-on-build: true - token-variable: SNYK_TOKEN - run: npx semantic-release build-test: docker: @@ -22,10 +16,6 @@ jobs: - checkout - run: npm install - run: npm test - - snyk/scan: - fail-on-issues: true - monitor-on-build: false - token-variable: SNYK_TOKEN - run: npx tsc build-test-from-fork: docker: diff --git a/.gitignore b/.gitignore index fe7f1eb..4eab620 100644 --- a/.gitignore +++ b/.gitignore @@ -5,3 +5,4 @@ dist *.log .eslintcache snyk-prevent-gh-commit-status-* +.dccache diff --git a/README.md b/README.md index f039056..1312171 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,8 @@ [![Known Vulnerabilities](https://snyk.io/test/github/snyk-tech-services/snyk-prevent-gh-commit-status/badge.svg)](https://snyk.io/test/github/snyk-tech-services/snyk-prevent-gh-commit-status) [![CircleCI](https://circleci.com/gh/snyk-tech-services/snyk-prevent-gh-commit-status.svg?style=svg)](https://circleci.com/gh/snyk-tech-services/snyk-prevent-gh-commit-status) +[![Not Maintained](https://img.shields.io/badge/Maintenance%20Level-Not%20Maintained-yellow.svg)](https://gist.github.com/cheerfulstoic/d107229326a01ff0f333a1d3476e068d) + +**This repository is not in active development and critical bug fixes only will be considered.** ## snyk-prevent-gh-commit-status Little module to POST commit status of a PR the result of [snyk-delta](https://github.com/snyk-tech-services/snyk-delta) executed in the CI. 
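Review bot: Dropping the `snyk/scan` step with `fail-on-issues: true` from `build-test-monitor` (and, in the next hunk, from `build-test`) leaves both jobs without any dependency-vulnerability gate, and nothing else in this diff adds one. If the orb had to go because the Snyk org was dropped, a lightweight stand-in such as `- run: npm audit --audit-level=high` would keep the build failing on known vulnerable dependencies; the `monitor-on-build: true` reporting is lost as well. The commit description should say explicitly that the scan gate is being removed on purpose rather than leaving it implied by the "drop snyk org" bullet.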
@@ -23,23 +26,24 @@ Enhancements are coming up to improve visibility and clarity on the issues findi ``` snyk-prevent-gh-commit-status-linux - /path/to/snykTestResults.json - - - + /path/to/snykTestResults.json + + + + snyk test --json-file-output=snykTestResults.json || true -> ./snyk-prevent-gh-commit-status-linux - ./snykTestResults.json - - - +> ./snyk-prevent-gh-commit-status-linux + ./snykTestResults.json + + + @@ -49,11 +53,11 @@ snyk-prevent-gh-commit-status-linux ### Snyk CLI in bash using npx ``` > snyk test --json-file-output=snykTestResults.json || true -> npx snyk-prevent-gh-commit-status - ./snykTestResults.json - - - +> npx snyk-prevent-gh-commit-status + ./snykTestResults.json + + + @@ -84,11 +88,11 @@ export GH_API='https://ghe-hostname/apiendpoint' #### Additional option to enable snykDelta Debug ``` export SNYK_DEBUG=true -./snyk-prevent-gh-commit-status-linux - ./snykTestResults.json - - - +./snyk-prevent-gh-commit-status-linux + ./snykTestResults.json + + + @@ -100,14 +104,18 @@ export SNYK_DEBUG=true In case of an unmonitored project, it is possible to force the snyk-delta result so snyk-prevent-gh-commit-status will not fail. If some vulnerabilities are found comment listing the vulnerabilities will still be the post on the PR. +#### Fail on +If set, the commit status fails only if there are issues fixable by upgrade or patch or both. +See [Snyk CLI documentation](https://docs.snyk.io/snyk-cli/test-for-vulnerabilities/advanced-failing-of-builds-in-snyk-cli) and [Snyk-delta README usage section](https://github.com/snyk-tech-services/snyk-delta#usage). + #### Debug use DEBUG=snyk* to enable snyk-prevent-gh-commit-status ``` -DEBUG=snyk* ./snyk-prevent-gh-commit-status-linux - ./snykTestResults.json - - - +DEBUG=snyk* ./snyk-prevent-gh-commit-status-linux + ./snykTestResults.json + + + 
@@ -119,14 +127,14 @@ or to enable both snykDelta and snyk-prevent-gh-commit-status debug ``` export SNYK_DEBUG=true -DEBUG=snyk* ./snyk-prevent-gh-commit-status-linux - ./snykTestResults.json - - - +DEBUG=snyk* ./snyk-prevent-gh-commit-status-linux + ./snykTestResults.json + + + -``` \ No newline at end of file +```
diff --git a/package.json b/package.json
index 287ca10..12cd276 100644
--- a/package.json
+++ b/package.json
@@ -36,11 +36,11 @@
 "homepage": "https://github.com/snyk-tech-services/snyk-prevent-gh-commit-status#readme",
 "dependencies": {
 "@snyk/configstore": "^3.2.0-rc1",
- "axios": "^0.26.0",
+ "axios": "^0.27.2",
 "debug": "^4.1.1",
 "lodash": "^4.17.21",
- "snyk-config": "^3.0.0",
- "snyk-delta": "^1.5.6",
+ "snyk-delta": "^1.7.2",
+ "snyk-config": "^4.0.0",
 "source-map-support": "^0.5.16",
 "tslib": "^1.10.0"
 },
diff --git a/src/lib/index.ts b/src/lib/index.ts
index 5715f02..1be013b 100644
--- a/src/lib/index.ts
+++ b/src/lib/index.ts
@@ -26,23 +26,23 @@ const main = async () => {
 let keepHistory = false;
 let setPassIfNoBaselineFlag = false;
 let detailsLink = '';
+ let failOn = undefined
 const options = process.argv.slice(8)
 options.forEach(option => {
- if (option === 'keepHistory')
- {
+ if (option === 'keepHistory') {
 keepHistory = true
- } else if (option === 'setPassIfNoBaselineFlag')
- {
+ } else if (option === 'setPassIfNoBaselineFlag') {
 setPassIfNoBaselineFlag = true
- } else
- {
+ } else if(option === 'upgradable' || option === 'patchable' || option === 'all') {
+ failOn = option
+ } else {
 detailsLink = option || ''
 }
 })
- debug(`running snyk-prevent-gh-commit-status with org: ${ghOrg} repo: ${ghRepo} commit: ${ghSha} PRNumber: ${ghPRNumber} keepHistory: ${keepHistory} setPassIfNoBaselineFlag: ${setPassIfNoBaselineFlag} detailsLink: ${detailsLink}`)
+ debug(`running snyk-prevent-gh-commit-status with org: ${ghOrg} repo: ${ghRepo} commit: ${ghSha} PRNumber: ${ghPRNumber} keepHistory: ${keepHistory} setPassIfNoBaselineFlag: ${setPassIfNoBaselineFlag} detailsLink: ${detailsLink} failOn: ${failOn}`)
 const snykDeltaDebug = process.env.SNYK_DEBUG ? true : false; // process.argv.slice(2)[6] == 'debug' ? true : false;
 const jsonResultsFromSnykTest = fs
@@ -69,6 +69,7 @@ const main = async () => {
 currentResults,
 snykDeltaDebug,
 setPassIfNoBaselineFlag,
+ failOn,
 )) as SnykDeltaOutput;
 const parsedCurrentResults = JSON.parse(currentResults);
diff --git a/test/lib/index.test.ts b/test/lib/index.test.ts
index 46d3b2f..5c62799 100644
--- a/test/lib/index.test.ts
+++ b/test/lib/index.test.ts
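Review bot: `let failOn = undefined` gives the new variable no declared type, so the set of accepted values exists only in the three string comparisons further down and nothing checks the value handed to snyk-delta in the second hunk; declare it as `let failOn: 'upgradable' | 'patchable' | 'all' | undefined;` so the compiler pins it to the documented flags. The final `else` still treats any unrecognised argument as the details link, so a misspelt flag (`upgradeable`, say) silently lands in `detailsLink` and leaves `failOn` unset instead of being reported; emitting a `debug(...)` line, or throwing, for an argument that is neither a known flag nor looks like a URL would surface that. Minor style point: `if(option ===` in the new branch lacks the space the two branches above it use. The options loop sits inside `main`, which starts and ends outside this hunk.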
@@ -52,6 +52,10 @@ beforeAll(() => {
 return fs.readFileSync(
 fixturesFolderPath + 'goof-depgraph-from-api.json',
 );
+ case '/api/v1/org/playground/project/09235fa4-c241-42c6-8c63-c053bd272788/dep-graph':
+ return fs.readFileSync(
+ fixturesFolderPath + 'goof-depgraph-from-api.json',
+ );
 case '/api/v1/org/playground/project/09235fa4-c241-42c6-8c63-c053bd272790/dep-graph':
 return fs.readFileSync(
 fixturesFolderPath + 'goof-depgraph-from-api.json',
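Review bot: The added `case` for project `…c053bd272788` returns exactly the same fixture as the preceding case and the `…c053bd272790` case that follows, so the labels could be stacked, `case '…272788':` directly above `case '…272790':`, sharing one `return fs.readFileSync(...)` instead of copying the body a third time. A one-line comment naming which new failOn test depends on this project id would also help whoever has to add the next one. The `beforeAll` callback starts and ends outside this hunk.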
@@ -1056,4 +1060,268 @@ New Issues Introduced! }, ]); }); + + test('[snyk-delta module] Is it working with passing with failOn upgradable', async () => { + let response; + + process.argv = [ + '', + '', + path.resolve(__dirname, '..') + + '/fixtures/snykTestOutput/test-goof-two-vuln-two-license.json', + '123', + '123', + '123', + '123', + '123', + 'upgradable', + ]; + response = await main(); + expect(response).toEqual([ + { + status: { + context: 'Snyk Prevent (playground - package-lock.json)', + description: 'New issue(s) found', + state: 'failure', + // eslint-disable-next-line + target_url: 'https://app.snyk.io/org/playground/projects', + }, + /* eslint-disable no-useless-escape */ + prComment: { + body: `### ******* Vulnerabilities report for commit number 123 ******* +New Issues Introduced! +## Security +1 issue found +* 1/1: Prototype Pollution [Medium Severity] +\t+ Via: goof@0.0.3 => snyk@1.228.3 => configstore@3.1.2 => dot-prop@4.2.0 +\t+ Fixed in: dot-prop, 5.1.1 +\t+ Fixable by upgrade: snyk@1.290.1 +## License +1 issue found + 1/1: + Artistic-2.0 license + [Medium Severity] +\t+ Via: goof@1.0.1 => npm@7.12.0 +`, + }, + /* eslint-enable no-useless-escape */ + }, + ]); + + process.argv = [ + '', + '', + path.resolve(__dirname, '..') + '/fixtures/snyktest-gomod.json', + '123', + '123', + '123', + '123', + ]; + response = await main(); + expect(response).toEqual([ + { + status: { + context: 'Snyk Prevent (playground - go.mod)', + description: 'No new issue found', + state: 'success', + // eslint-disable-next-line + target_url: + 'https://app.snyk.io/org/playground/project/09235fa4-c241-42c6-8c63-c053bd272786', + }, + prComment: {}, + }, + ]); + + const requestHeaders: Record = { + 'Content-Type': 'application/json', + Authorization: `token 123`, + }; + + const ghClient = axios.create({ + baseURL: 'https://api.github.com', + responseType: 'json', + headers: { ...requestHeaders }, + }); + + const commentUrl = `/repos/123/123/issues/123/comments`; + + const 
ghResponse = await ghClient.get(commentUrl); + + expect(ghResponse.data).toEqual([ + { + id: 1, + body: + '### ******* Vulnerabilities report for commit number 123 *******', + url: 'https://api.github.com/repos/123/123/issues/123/comments/1', + }, + ]); + }); + test('[snyk-delta module] Is it working with failing with failOn patchable', async () => { + let response; + + process.argv = [ + '', + '', + path.resolve(__dirname, '..') + + '/fixtures/snykTestOutput/test-goof-two-vuln-two-license.json', + '123', + '123', + '123', + '123', + '123', + 'patchable', + ]; + response = await main(); + expect(response).toEqual([ + { + status: { + context: 'Snyk Prevent (playground - package-lock.json)', + description: 'No new issue found', + state: 'success', + // eslint-disable-next-line + target_url: 'https://app.snyk.io/org/playground/projects', + }, + /* eslint-disable no-useless-escape */ + prComment: {}, + /* eslint-enable no-useless-escape */ + }, + ]); + + process.argv = [ + '', + '', + path.resolve(__dirname, '..') + '/fixtures/snyktest-gomod.json', + '123', + '123', + '123', + '123', + ]; + response = await main(); + expect(response).toEqual([ + { + status: { + context: 'Snyk Prevent (playground - go.mod)', + description: 'No new issue found', + state: 'success', + // eslint-disable-next-line + target_url: + 'https://app.snyk.io/org/playground/project/09235fa4-c241-42c6-8c63-c053bd272786', + }, + prComment: {}, + }, + ]); + + const requestHeaders: Record = { + 'Content-Type': 'application/json', + Authorization: `token 123`, + }; + + const ghClient = axios.create({ + baseURL: 'https://api.github.com', + responseType: 'json', + headers: { ...requestHeaders }, + }); + + const commentUrl = `/repos/123/123/issues/123/comments`; + + const ghResponse = await ghClient.get(commentUrl); + + expect(ghResponse.data).toEqual([]); + }); + + test('[snyk-delta module] Is it working with passing with failOn all', async () => { + let response; + + process.argv = [ + '', + '', + 
path.resolve(__dirname, '..') + + '/fixtures/snykTestOutput/test-goof-two-vuln-two-license.json', + '123', + '123', + '123', + '123', + '123', + 'all', + ]; + response = await main(); + expect(response).toEqual([ + { + status: { + context: 'Snyk Prevent (playground - package-lock.json)', + description: 'New issue(s) found', + state: 'failure', + // eslint-disable-next-line + target_url: 'https://app.snyk.io/org/playground/projects', + }, + /* eslint-disable no-useless-escape */ + prComment: { + body: `### ******* Vulnerabilities report for commit number 123 ******* +New Issues Introduced! +## Security +1 issue found +* 1/1: Prototype Pollution [Medium Severity] +\t+ Via: goof@0.0.3 => snyk@1.228.3 => configstore@3.1.2 => dot-prop@4.2.0 +\t+ Fixed in: dot-prop, 5.1.1 +\t+ Fixable by upgrade: snyk@1.290.1 +## License +1 issue found + 1/1: + Artistic-2.0 license + [Medium Severity] +\t+ Via: goof@1.0.1 => npm@7.12.0 +`, + }, + /* eslint-enable no-useless-escape */ + }, + ]); + + process.argv = [ + '', + '', + path.resolve(__dirname, '..') + '/fixtures/snyktest-gomod.json', + '123', + '123', + '123', + '123', + ]; + response = await main(); + expect(response).toEqual([ + { + status: { + context: 'Snyk Prevent (playground - go.mod)', + description: 'No new issue found', + state: 'success', + // eslint-disable-next-line + target_url: + 'https://app.snyk.io/org/playground/project/09235fa4-c241-42c6-8c63-c053bd272786', + }, + prComment: {}, + }, + ]); + + const requestHeaders: Record = { + 'Content-Type': 'application/json', + Authorization: `token 123`, + }; + + const ghClient = axios.create({ + baseURL: 'https://api.github.com', + responseType: 'json', + headers: { ...requestHeaders }, + }); + + const commentUrl = `/repos/123/123/issues/123/comments`; + + const ghResponse = await ghClient.get(commentUrl); + + expect(ghResponse.data).toEqual([ + { + id: 1, + body: + '### ******* Vulnerabilities report for commit number 123 *******', + url: 
'https://api.github.com/repos/123/123/issues/123/comments/1', + }, + ]); + }); });
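Review bot: The test names contradict what they assert: the `upgradable` and `all` tests are titled "passing" yet expect `state: 'failure'`, while the `patchable` test is titled "failing" yet expects `state: 'success'`. Rename them after the behaviour under test, for example `'[snyk-delta module] failOn upgradable fails the status when the new issue is fixable by upgrade'` and `'[snyk-delta module] failOn patchable keeps the status green when no new issue is patchable'`. All three tests also repeat the same second `main()` run against the gomod fixture and the same GitHub comment check almost verbatim; a small helper taking the failOn value and the expected status/comment would remove well over a hundred duplicated lines. `const requestHeaders: Record = {` appears here without type arguments, which looks like an artefact of how the patch was rendered (angle brackets are stripped elsewhere in this diff too) — if it is really in the file it will not compile, since `Record` requires two type arguments.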