feat: depGraph snyk-test for npm and yarn #459

orsagie · 2019-04-29T08:33:09Z

Ready for review
Follows CONTRIBUTING rules
Reviewed by Snyk internal team

What does this PR do?

Refactors the snyk-test/npm path.
sends a depGraph to vuln test-dep-graph endpoint and converts the result back to a depTree

src/lib/snyk-test/index.js

src/lib/snyk-test/npm-plugin/index.ts

kyegupov · 2019-05-07T11:01:37Z

src/lib/snyk-test/npm-plugin/npm-lock-parser.ts

+
+  if (!manifestFileFullPath && lockFileFullPath) {
+    throw new Error('Detected a lockfile at location: '
+      + lockFileFullPath + '\n However the package.json is missing!');


misleading message: it appears to be not missing, but rather unspecified

Now that I look at it, there is no way for it to not be specified. And we already check that it exists earlier, so will altogether remove this check.

src/lib/snyk-test/npm-plugin/npm-lock-parser.ts

kyegupov · 2019-05-07T11:11:46Z

src/lib/snyk-test/npm-plugin/npm-lock-parser.ts

+import * as fs from 'fs';
+import * as lockFileParser from 'snyk-nodejs-lockfile-parser';
+
+export async function parse(root, targetFile, options) {


can you specify the parameter and return types please? it's very useful for exported functions

src/lib/snyk-test/npm/index.ts

kyegupov · 2019-05-07T11:21:19Z

src/lib/snyk-test/npm/index.ts

+
+function countUniqueVulns(vulns: AnnotatedIssue[]): number {
+  const seen = {};
+  const count = vulns.reduce((acc, curr) => {


I'd much rather use for..of and Object.keys(seen).length instead of reduce and acc

This code is mostly copied from what it was, and is going away in next PR.

kyegupov · 2019-05-07T11:28:35Z

src/lib/snyk-test/npm/index.ts

+
+  return {
+    method: 'POST',
+    // options.vulnEndpoint is only used for file system tests


Maybe this comment belongs above, where options.vulnEndpoint is actually used?
Also, I think, vulnEndpoint itself could use more explanation. When is it set, what does it mean, can the code between those two calls be shared?

kyegupov · 2019-05-07T11:32:15Z

src/lib/snyk-test/npm/index.ts

+  return assembleRemotePayload(root, options);
+}
+
+function assembleRemotePayload(root: string, options): Payload {


assembleRemotePayload is not immediately understandable. Maybe rename it to payloadForTestingRepositoryPackages? and the other one payloadForTestingLocalPackages?

will do it for the next PR

miiila

Based on the review and testing of this version, everything seems to be OK. Please consider all @kyegupov's comments, I haven't repeated them.

miiila · 2019-05-08T09:58:01Z

src/lib/snyk-test/npm/index.ts

    analytics.add('vulns-pre-policy', res.vulnerabilities.length);

-    res.filesystemPolicy = filesystemPolicy;
+    res.filesystemPolicy = !!payloadPolicy;


Is filesystemPolicy even used somewhere? :-)

kyegupov · 2019-05-08T15:05:33Z

Superseded by #494

orsagie added the ⚠️ DO NOT MERGE ⚠️ label Apr 29, 2019

orsagie force-pushed the refactor/snyk-test-npm branch 10 times, most recently from 85e7787 to a1129d6 Compare May 5, 2019 13:43

orsagie changed the title ~~refactor: typescript snyk-test for npm and yarn~~ feat: depGraph snyk-test for npm and yarn May 5, 2019

orsagie removed the ⚠️ DO NOT MERGE ⚠️ label May 6, 2019

orsagie force-pushed the refactor/snyk-test-npm branch from a1129d6 to fbad1a6 Compare May 6, 2019 06:58

orsagie added 3 commits May 6, 2019 15:16

refactor: typescript snyk-test for npm and yarn

cc29c5f

refactor: separate out npm-plugin

4decfc2

feat: use depGraph lib for npm and yarn snyk-test path

a798a2e

orsagie force-pushed the refactor/snyk-test-npm branch from fbad1a6 to a798a2e Compare May 6, 2019 12:17