fix: handle patch policies with no body

For some reason some of the patch policies have an empty body. We should coerce this to an empty object so that we can state the original path that the patch was applied via.
snyk · Dec 1, 2017 · f911a8f · f911a8f
1 parent fc62159
commit f911a8f
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 4 deletions.
diff --git a/lib/filter/patch.js b/lib/filter/patch.js
@@ -77,7 +77,7 @@ function filterPatched(patched, vulns, cwd, skipVerifyPatch, filteredPatches) {
       vuln.filtered = {
         patches: appliedRules.map(function (rule) {
           var path = Object.keys(rule)[0];
-          var ruleData = cloneDeep(rule[path]);
+          var ruleData = cloneDeep(rule[path]) || {};
           ruleData.path = path.split(' > ');
           return ruleData;
         }),

diff --git a/test/fixtures/patch/.snyk b/test/fixtures/patch/.snyk
@@ -5,4 +5,6 @@ patch:
   'npm:uglify-js:20151024':
     - 'jade > transformers > uglify-js':
         patched: '2016-03-03T18:06:06.091Z'
+  'npm:semver:20150403':
+    - '*':
 version: v1
diff --git a/test/unit/filter-patch.test.js b/test/unit/filter-patch.test.js
@@ -39,10 +39,11 @@ test('patched vulns do not turn up in tests', function (t) {
       filtered
     );
 
-    // should strip 2
 
-    t.equal(start - 2, vulns.vulnerabilities.length, 'post filter');
-    t.equal(2, filtered.length, filtered.length + ' vulns filtered');
+    // should strip 3
+
+    t.equal(start - 3, vulns.vulnerabilities.length, 'post filter');
+    t.equal(3, filtered.length, '3 vulns filtered');
 
     var expected = {
       'npm:uglify-js:20150824': [
@@ -57,6 +58,9 @@ test('patched vulns do not turn up in tests', function (t) {
           path: ['jade', 'transformers', 'uglify-js'],
         },
       ],
+      'npm:semver:20150403': [
+        { path: ['*'] }
+      ]
     };
     var actual = filtered.reduce(
       function (actual, vuln) {