fix: wrong advice message when no high risk found

cerberauth · May 21, 2024 · 84bddac · 84bddac
1 parent 6a2c02a
commit 84bddac
Show file tree

Hide file tree

Showing 4 changed files with 131 additions and 7 deletions.
diff --git a/cmd/scan/report.go b/cmd/scan/report.go
@@ -36,8 +36,9 @@ func (a SortByPathAndSeverity) Less(i, j int) bool {
 }
 
 func NewScanVulnerabilityReports(report *report.ScanReport) []*ScanVulnerabilityReport {
-	vulns := make([]*ScanVulnerabilityReport, 0, len(report.GetVulnerabilityReports()))
-	for _, vr := range report.GetVulnerabilityReports() {
+	reports := report.GetFailedVulnerabilityReports()
+	vulns := make([]*ScanVulnerabilityReport, 0, len(reports))
+	for _, vr := range reports {
 		vulns = append(vulns, &ScanVulnerabilityReport{
 			OperationMethod: report.Operation.Method,
 			OperationPath:   report.Operation.Path,
@@ -132,10 +133,6 @@ func DisplayReportTable(reporter *report.Reporter) {
 
 	vulnerabilityReports := NewFullScanVulnerabilityReports(reporter.GetReports())
 	for _, vulnReport := range vulnerabilityReports {
-		if vulnReport.Vuln.HasBeenSkipped() || vulnReport.Vuln.HasPassed() {
-			continue
-		}
-
 		row := []string{
 			fmt.Sprintf("%s %s", vulnReport.OperationMethod, vulnReport.OperationPath),
 			vulnReport.Vuln.SeverityLevelString(),

diff --git a/cmd/scan/report_test.go b/cmd/scan/report_test.go
@@ -16,12 +16,20 @@ func TestNewScanVulnerabilityReports(t *testing.T) {
 			{
 				Issue: report.Issue{
 					Name: "Vuln1",
+					CVSS: report.CVSS{
+						Score: 5.0,
+					},
 				},
+				Status: report.VulnerabilityReportStatusFail,
 			},
 			{
 				Issue: report.Issue{
 					Name: "Vuln2",
+					CVSS: report.CVSS{
+						Score: 5.0,
+					},
 				},
+				Status: report.VulnerabilityReportStatusFail,
 			},
 		},
 
@@ -46,12 +54,20 @@ func TestNewFullScanVulnerabilityReports(t *testing.T) {
 			{
 				Issue: report.Issue{
 					Name: "Vuln1",
+					CVSS: report.CVSS{
+						Score: 5.0,
+					},
 				},
+				Status: report.VulnerabilityReportStatusFail,
 			},
 			{
 				Issue: report.Issue{
 					Name: "Vuln2",
+					CVSS: report.CVSS{
+						Score: 5.0,
+					},
 				},
+				Status: report.VulnerabilityReportStatusFail,
 			},
 		},
 
@@ -62,12 +78,20 @@ func TestNewFullScanVulnerabilityReports(t *testing.T) {
 			{
 				Issue: report.Issue{
 					Name: "Vuln3",
+					CVSS: report.CVSS{
+						Score: 5.0,
+					},
 				},
+				Status: report.VulnerabilityReportStatusFail,
 			},
 			{
 				Issue: report.Issue{
 					Name: "Vuln4",
+					CVSS: report.CVSS{
+						Score: 5.0,
+					},
 				},
+				Status: report.VulnerabilityReportStatusFail,
 			},
 		},
 

diff --git a/report/reporter.go b/report/reporter.go
@@ -56,8 +56,17 @@ func (rr *Reporter) GetVulnerabilityReports() []*VulnerabilityReport {
 	return vrs
 }
 
+func (rr *Reporter) GetFailedVulnerabilityReports() []*VulnerabilityReport {
+	var vrs []*VulnerabilityReport
+	for _, r := range rr.GetReports() {
+		vrs = append(vrs, r.GetFailedVulnerabilityReports()...)
+	}
+
+	return vrs
+}
+
 func (rr *Reporter) HasHighRiskOrHigherSeverityVulnerability() bool {
-	for _, r := range rr.GetVulnerabilityReports() {
+	for _, r := range rr.GetFailedVulnerabilityReports() {
 		if r.IsHighRiskSeverity() || r.IsCriticalRiskSeverity() {
 			return true
 		}

diff --git a/report/reporter_test.go b/report/reporter_test.go
@@ -0,0 +1,94 @@
+package report_test
+
+import (
+	"net/http"
+	"testing"
+
+	"github.com/cerberauth/vulnapi/internal/request"
+	"github.com/cerberauth/vulnapi/report"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestReporter_NoHasHighRiskOrHigherSeverityVulnerability_WhenNoReport(t *testing.T) {
+	reporter := report.NewReporter()
+	assert.False(t, reporter.HasHighRiskOrHigherSeverityVulnerability())
+}
+
+func TestReporter_NoHasVulnerability_WhenNoFailedReport(t *testing.T) {
+	reporter := report.NewReporter()
+	operation, _ := request.NewOperation(request.DefaultClient, http.MethodPost, "http://localhost:8080/", nil, nil, nil)
+	sr := report.NewScanReport("id", "test", operation)
+	issue := report.Issue{
+		Name: "test",
+	}
+	vulnerabilityReport := report.NewVulnerabilityReport(issue).Pass()
+	sr.AddVulnerabilityReport(vulnerabilityReport)
+	reporter.AddReport(sr)
+
+	assert.False(t, reporter.HasVulnerability())
+}
+
+func TestReporter_HasVulnerability_WhenFailedReport(t *testing.T) {
+	reporter := report.NewReporter()
+	operation, _ := request.NewOperation(request.DefaultClient, http.MethodPost, "http://localhost:8080/", nil, nil, nil)
+	sr := report.NewScanReport("id", "test", operation)
+	issue := report.Issue{
+		Name: "test",
+	}
+	vulnerabilityReport := report.NewVulnerabilityReport(issue).Fail()
+	sr.AddVulnerabilityReport(vulnerabilityReport)
+	reporter.AddReport(sr)
+
+	assert.True(t, reporter.HasVulnerability())
+}
+
+func TestReporters_HasHighRiskOrHigherSeverityVulnerability_WhenLowRiskReport(t *testing.T) {
+	reporter := report.NewReporter()
+	operation, _ := request.NewOperation(request.DefaultClient, http.MethodPost, "http://localhost:8080/", nil, nil, nil)
+	sr := report.NewScanReport("id", "test", operation)
+	issue := report.Issue{
+		Name: "test",
+		CVSS: report.CVSS{
+			Score: 0.1,
+		},
+	}
+	vulnerabilityReport := report.NewVulnerabilityReport(issue).Fail()
+	sr.AddVulnerabilityReport(vulnerabilityReport)
+	reporter.AddReport(sr)
+
+	assert.False(t, reporter.HasHighRiskOrHigherSeverityVulnerability())
+}
+
+func TestReporters_HasHighRiskOrHigherSeverityVulnerability_WhenHighRiskReport(t *testing.T) {
+	reporter := report.NewReporter()
+	operation, _ := request.NewOperation(request.DefaultClient, http.MethodPost, "http://localhost:8080/", nil, nil, nil)
+	sr := report.NewScanReport("id", "test", operation)
+	issue := report.Issue{
+		Name: "test",
+		CVSS: report.CVSS{
+			Score: 8,
+		},
+	}
+	vulnerabilityReport := report.NewVulnerabilityReport(issue).Fail()
+	sr.AddVulnerabilityReport(vulnerabilityReport)
+	reporter.AddReport(sr)
+
+	assert.True(t, reporter.HasHighRiskOrHigherSeverityVulnerability())
+}
+
+func TestReporters_HasHighRiskOrHigherSeverityVulnerability_WhenCriticalRiskReport(t *testing.T) {
+	reporter := report.NewReporter()
+	operation, _ := request.NewOperation(request.DefaultClient, http.MethodPost, "http://localhost:8080/", nil, nil, nil)
+	sr := report.NewScanReport("id", "test", operation)
+	issue := report.Issue{
+		Name: "test",
+		CVSS: report.CVSS{
+			Score: 9.8,
+		},
+	}
+	vulnerabilityReport := report.NewVulnerabilityReport(issue).Fail()
+	sr.AddVulnerabilityReport(vulnerabilityReport)
+	reporter.AddReport(sr)
+
+	assert.True(t, reporter.HasHighRiskOrHigherSeverityVulnerability())
+}