
test: introduce closed box validation of functionality
thisislawatts committed Apr 12, 2024
1 parent 00b5b23 commit 1d170d1
Showing 5 changed files with 315 additions and 0 deletions.


10 changes: 10 additions & 0 deletions test/acceptance/workspaces/npm-package-single-vuln/package.json
@@ -0,0 +1,10 @@
{
"name": "no-fix-app",
"version": "1.0.0",
"description": "application with annotated vulns",
"dependencies": {
"cxct": "0.0.1-security"
},
"devDependencies": {}
}

@@ -0,0 +1,123 @@
{
"result": {
"affectedPkgs": {
"cxct@0.0.1-security": {
"pkg": { "name": "cxct", "version": "0.0.1-security" },
"issues": {
"SNYK-JS-CXCT-535487": {
"issueId": "SNYK-JS-CXCT-535487",
"fixInfo": { "isPatchable": false, "upgradePaths": [] },
"appliedPolicyRules": {
"annotation": {
"value": "This is a test user note",
"reason": "This vulnerability is a papercut and can be ignored"
}
}
}
}
}
},
"issuesData": {
"SNYK-JS-CXCT-535487": {
"CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"alternativeIds": [],
"creationTime": "2019-11-24T13:10:43.888332Z",
"credit": ["npm 󠅮󠅰󠅭security"],
"cvssScore": 9.8,
"description": "## Overview\n\n[cxct](https://www.npmjs.com/package/cxct) is a malicious package.\n\n\nThe package finds and exfiltrates cryptocurrency wallets.\n\n## Remediation\n\nAvoid using `cxct` altogether.\n\n\n## References\n\n- [NPM Security Advisory](https://www.npmjs.com/advisories/1344)\n",
"disclosureTime": "2019-11-22T00:24:41Z",
"exploit": "Not Defined",
"fixedIn": [],
"functions": [],
"functions_new": [],
"id": "SNYK-JS-CXCT-535487",
"identifiers": { "CVE": [], "CWE": ["CWE-506"], "NSP": [1344] },
"language": "js",
"modificationTime": "2019-11-24T16:16:16.630345Z",
"moduleName": "cxct",
"packageManager": "npm",
"packageName": "cxct",
"patches": [],
"publicationTime": "2019-11-24T13:11:04Z",
"references": [
{
"title": "NPM Security Advisory",
"url": "https://www.npmjs.com/advisories/1344"
}
],
"semver": { "vulnerable": ["*"] },
"severity": "high",
"title": "Malicious 󠅮󠅰󠅭Package",
"isPinnable": false,
"appliedPolicyRules": {
"annotation": {
"value": "This is a test user note",
"reason": "This vulnerability is a papercut and can be ignored"
}
}
}
},
"remediation": {
"unresolved": [
{
"CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"alternativeIds": [],
"creationTime": "2019-11-24T13:10:43.888332Z",
"credit": ["npm 󠅮󠅰󠅭security"],
"cvssScore": 9.8,
"description": "## Overview\n\n[cxct](https://www.npmjs.com/package/cxct) is a malicious package.\n\n\nThe package finds and exfiltrates cryptocurrency wallets.\n\n## Remediation\n\nAvoid using `cxct` altogether.\n\n\n## References\n\n- [NPM Security Advisory](https://www.npmjs.com/advisories/1344)\n",
"disclosureTime": "2019-11-22T00:24:41Z",
"exploit": "Not Defined",
"fixedIn": [],
"functions": [],
"functions_new": [],
"id": "SNYK-JS-CXCT-535487",
"identifiers": { "CVE": [], "CWE": ["CWE-506"], "NSP": [1344] },
"language": "js",
"modificationTime": "2019-11-24T16:16:16.630345Z",
"moduleName": "cxct",
"packageManager": "npm",
"packageName": "cxct",
"patches": [],
"publicationTime": "2019-11-24T13:11:04Z",
"references": [
{
"title": "NPM Security Advisory",
"url": "https://www.npmjs.com/advisories/1344"
}
],
"semver": { "vulnerable": ["*"] },
"severity": "high",
"title": "Malicious 󠅮󠅰󠅭Package",
"isPinnable": false,
"from": ["no-fix-app@1.0.0", "cxct@0.0.1-security"],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "cxct",
"version": "0.0.1-security",
"appliedPolicyRules": {
"annotation": {
"value": "This is a test user note",
"reason": "This vulnerability is a papercut and can be ignored"
}
}
}
],
"upgrade": {},
"patch": {},
"ignore": {},
"pin": {}
}
},
"meta": {
"isPrivate": true,
"isLicensesEnabled": false,
"licensesPolicy": { "severities": {}, "orgLicenseRules": {} },
"policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.14.1\nignore: {}\npatch: {}\n",
"ignoreSettings": null,
"org": "gitphill"
},
"filesystemPolicy": false
}
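Review bot: The `credit` array and the `title` string in this fixture (rendered here without the hidden characters: `"credit": ["npm security"]` and `"title": "Malicious Package"`) carry what appear to be non-printing characters between the two words, and the same strings recur in the second fixture that follows. If they are paste artefacts rather than a deliberate part of the test data, removing them now avoids a later exact-match assertion on this text failing on a difference nobody can see in an editor or a diff. If they are intentional, the spec that loads these fixtures is the place to say so, since strict JSON offers no comment syntax.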

@@ -0,0 +1,105 @@
{
"result": {
"affectedPkgs": {
"cxct@0.0.1-security": {
"pkg": { "name": "cxct", "version": "0.0.1-security" },
"issues": {
"SNYK-JS-CXCT-535487": {
"issueId": "SNYK-JS-CXCT-535487",
"fixInfo": { "isPatchable": false, "upgradePaths": [] }
}
}
}
},
"issuesData": {
"SNYK-JS-CXCT-535487": {
"CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"alternativeIds": [],
"creationTime": "2019-11-24T13:10:43.888332Z",
"credit": ["npm 󠅮󠅰󠅭security"],
"cvssScore": 9.8,
"description": "## Overview\n\n[cxct](https://www.npmjs.com/package/cxct) is a malicious package.\n\n\nThe package finds and exfiltrates cryptocurrency wallets.\n\n## Remediation\n\nAvoid using `cxct` altogether.\n\n\n## References\n\n- [NPM Security Advisory](https://www.npmjs.com/advisories/1344)\n",
"disclosureTime": "2019-11-22T00:24:41Z",
"exploit": "Not Defined",
"fixedIn": [],
"functions": [],
"functions_new": [],
"id": "SNYK-JS-CXCT-535487",
"identifiers": { "CVE": [], "CWE": ["CWE-506"], "NSP": [1344] },
"language": "js",
"modificationTime": "2019-11-24T16:16:16.630345Z",
"moduleName": "cxct",
"packageManager": "npm",
"packageName": "cxct",
"patches": [],
"publicationTime": "2019-11-24T13:11:04Z",
"references": [
{
"title": "NPM Security Advisory",
"url": "https://www.npmjs.com/advisories/1344"
}
],
"semver": { "vulnerable": ["*"] },
"severity": "high",
"title": "Malicious 󠅮󠅰󠅭Package",
"isPinnable": false
}
},
"remediation": {
"unresolved": [
{
"CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"alternativeIds": [],
"creationTime": "2019-11-24T13:10:43.888332Z",
"credit": ["npm 󠅮󠅰󠅭security"],
"cvssScore": 9.8,
"description": "## Overview\n\n[cxct](https://www.npmjs.com/package/cxct) is a malicious package.\n\n\nThe package finds and exfiltrates cryptocurrency wallets.\n\n## Remediation\n\nAvoid using `cxct` altogether.\n\n\n## References\n\n- [NPM Security Advisory](https://www.npmjs.com/advisories/1344)\n",
"disclosureTime": "2019-11-22T00:24:41Z",
"exploit": "Not Defined",
"fixedIn": [],
"functions": [],
"functions_new": [],
"id": "SNYK-JS-CXCT-535487",
"identifiers": { "CVE": [], "CWE": ["CWE-506"], "NSP": [1344] },
"language": "js",
"modificationTime": "2019-11-24T16:16:16.630345Z",
"moduleName": "cxct",
"packageManager": "npm",
"packageName": "cxct",
"patches": [],
"publicationTime": "2019-11-24T13:11:04Z",
"references": [
{
"title": "NPM Security Advisory",
"url": "https://www.npmjs.com/advisories/1344"
}
],
"semver": { "vulnerable": ["*"] },
"severity": "high",
"title": "Malicious 󠅮󠅰󠅭Package",
"isPinnable": false,
"from": ["no-fix-app@1.0.0", "cxct@0.0.1-security"],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "cxct",
"version": "0.0.1-security"
}
],
"upgrade": {},
"patch": {},
"ignore": {},
"pin": {}
}
},
"meta": {
"isPrivate": true,
"isLicensesEnabled": false,
"licensesPolicy": { "severities": {}, "orgLicenseRules": {} },
"policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.14.1\nignore: {}\npatch: {}\n",
"ignoreSettings": null,
"org": "gitphill"
},
"filesystemPolicy": false
}

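--- a/test/jest/acceptance/snyk-test/human-formatted-output.spec.ts
+++ b/test/jest/acceptance/snyk-test/human-formatted-output.spec.ts
@@ -0,0 +1,63 @@
+import { fakeServer } from '../../../acceptance/fake-server';
+import { createProjectFromWorkspace } from '../../util/createProject';
+import { getServerPort } from '../../util/getServerPort';
+import { runSnykCLI } from '../../util/runSnykCLI';
+import * as Parser from 'jsonparse';
+const stripAnsi = require('strip-ansi');
+
+jest.setTimeout(1000 * 60);
+
+describe('test formatting for human consumption', () => {
+let server: ReturnType<typeof fakeServer>;
+let env: Record<string, string>;
+
+beforeAll((done) => {
+const apiPath = '/api/v1';
+const apiPort = getServerPort(process);
+env = {
+...process.env,
+SNYK_API: 'http://localhost:' + apiPort + apiPath,
+SNYK_TOKEN: '123456789',
+SNYK_DISABLE_ANALYTICS: '1',
+};
+
+server = fakeServer(apiPath, env.SNYK_TOKEN);
+server.listen(apiPort, () => done());
+});
+
+afterEach(() => {
+server.restore();
+});
+
+afterAll((done) => {
+server.close(() => done());
+});
+
+it('includes a summary of vulnerabilites and paths', async () => {
+const project = await createProjectFromWorkspace('npm-package-single-vuln');
+server.setCustomResponse(await project.readJSON('test-graph-results.json'));
+
+const { code, stdout } = await runSnykCLI(`test`, {
+cwd: project.path(),
+env,
+});
+
+expect(code).toEqual(1);
+expect(stripAnsi(stdout)).toContain('Tested 1 dependencies for known issues, found 1 issue, 1 vulnerable path.');
+expect(server.getRequests().length).toBeGreaterThanOrEqual(1);
+});
+
+it('includes a user note and reason', async () => {
+const project = await createProjectFromWorkspace('npm-package-single-vuln');
+server.setCustomResponse(await project.readJSON('test-graph-results-with-annotation.json'));
+
+const { code, stdout } = await runSnykCLI(`test`, {
+cwd: project.path(),
+env,
+});
+
+expect(code).toEqual(1);
+expect(stripAnsi(stdout)).toContain('User note: This is a test user note');
+expect(server.getRequests().length).toBeGreaterThanOrEqual(1);
+});
+});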
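Review bot: `import * as Parser from 'jsonparse';` in the import list is never referenced anywhere in this spec and should be dropped (together with the `jsonparse` dependency if nothing else in the repository uses it, which I cannot see from here). The line after it, `const stripAnsi = require('strip-ansi');`, mixes a CommonJS require into an ES-module import block and leaves `stripAnsi` typed as `any`; if the installed strip-ansi version allows it, `import stripAnsi from 'strip-ansi';` keeps the call type-checked, otherwise a one-line comment explaining why `require` is needed would stop the next reader from "fixing" it. The first `it` title misspells `vulnerabilities` as `vulnerabilites`. Both `it` blocks repeat the same project/fixture/CLI setup and differ only in the fixture filename and the expected substring, so a small local helper such as `const runTestAgainstFixture = async (fixture: string) => { … }` returning `{ code, stdout }` would keep the two cases from drifting apart as more output assertions are added.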
