Merge pull request #9 from stacklok/add_testing

Add testing
stacklok · Apr 25, 2024 · bbb0889 · bbb0889
2 parents 7e00b2e + aa842c7
commit bbb0889
Show file tree

Hide file tree

Showing 5 changed files with 70 additions and 10 deletions.
diff --git a/pkg/parser/gomod.go b/pkg/parser/gomod.go
@@ -16,7 +16,6 @@
 package parser
 
 import (
-	"net/url"
 	"strings"
 
 	"github.com/stacklok/trusty-action/pkg/types"
@@ -59,8 +58,7 @@ func ParseGoMod(content string) ([]types.Dependency, error) {
 					depName = parts[1]
 					depVersion = parts[2]
 				}
-				encodedDepName := url.PathEscape(depName)
-				deps = append(deps, types.Dependency{Name: encodedDepName, Version: depVersion})
+				deps = append(deps, types.Dependency{Name: depName, Version: depVersion})
 			}
 		}
 	}

diff --git a/pkg/parser/parser_test.go b/pkg/parser/parser_test.go
@@ -36,7 +36,7 @@ func TestParse(t *testing.T) {
 			filename: "go.mod",
 			content:  "module example.com\n\ngo 1.16\n\nrequire (\n\tgithub.com/google/go-github/v60 v60.0.0\n)",
 			expected: []types.Dependency{
-				{Name: "github.com%2Fgoogle%2Fgo-github%2Fv60", Version: "v60.0.0"},
+				{Name: "github.com/google/go-github/v60", Version: "v60.0.0"},
 			},
 			ecosystem: "go",
 			err:       nil,

diff --git a/pkg/trustyapi/trusty_structs.go b/pkg/trustyapi/trusty_structs.go
@@ -95,7 +95,6 @@ type Package struct {
 		Score       float64 `json:"score"`
 		Description struct {
 			Activity      float64 `json:"activity"`
-			Malicious     bool    `json:"malicious"`
 			Provenance    float64 `json:"provenance"`
 			Typosquatting float64 `json:"typosquatting"`
 			ActivityUser  float64 `json:"activity_user"`

diff --git a/pkg/trustyapi/trustyapi.go b/pkg/trustyapi/trustyapi.go
@@ -68,7 +68,7 @@ func BuildReport(ctx context.Context,
 	// it to the existing reportBuilder, between the header and footer.
 	for _, dep := range dependencies {
 		log.Printf("Analyzing dependency: %s\n", dep)
-		report, shouldFail := processDependency(dep, ecosystem, scoreThreshold)
+		report, shouldFail := ProcessDependency(dep, ecosystem, scoreThreshold)
 		// Check if the report is not just whitespace
 		if strings.TrimSpace(report) != "" {
 			reportBuilder.WriteString(report)
@@ -113,7 +113,7 @@ func BuildReport(ctx context.Context,
 // Otherwise, it formats the report using Markdown and includes information about the dependency's Trusty score,
 // whether it is malicious, deprecated or archived, and recommended alternative packages if available.
 // The function returns the formatted report as a string.
-func processDependency(dep string, ecosystem string, scoreThreshold float64) (string, bool) {
+func ProcessDependency(dep string, ecosystem string, scoreThreshold float64) (string, bool) {
 	var reportBuilder strings.Builder
 	shouldFail := false
 
@@ -148,7 +148,7 @@ func processDependency(dep string, ecosystem string, scoreThreshold float64) (st
 	// Format the report using Markdown
 	reportBuilder.WriteString(fmt.Sprintf("### :package: Dependency: [`%s`](https://www.trustypkg.dev/%s/%s)\n", dep, ecosystem, dep))
 	// Highlight if the package is malicious, deprecated or archived
-	if result.Summary.Description.Malicious {
+	if result.PackageData.Origin == "malicious" {
 		reportBuilder.WriteString("### **⚠️ Malicious** (This package is marked as Malicious. Proceed with extreme caution!)\n\n")
 	}
 	if result.PackageData.IsDeprecated {
@@ -167,7 +167,7 @@ func processDependency(dep string, ecosystem string, scoreThreshold float64) (st
 		reportBuilder.WriteString("| Package | Score | Trusty Link |\n")
 		reportBuilder.WriteString("| ------- | ----- | ---------- |\n")
 		for _, alt := range result.Alternatives.Packages {
-			altURL := fmt.Sprintf("https://www.trustypkg.dev/%s/%s", ecosystem, alt.PackageName)
+			altURL := fmt.Sprintf("https://www.trustypkg.dev/%s/%s", ecosystem, url.QueryEscape(alt.PackageName))
 			reportBuilder.WriteString(fmt.Sprintf("| `%s` | `%.2f` | [`%s`](%s) |\n", alt.PackageName, float64(alt.Score), alt.PackageName, altURL))
 		}
 	} else {
@@ -178,7 +178,7 @@ func processDependency(dep string, ecosystem string, scoreThreshold float64) (st
 
 	// Check if the Trusty score is below the scoreThreshold, if IsDeprecated, isMalicious, Archived, if so shouldFail is set to true
 	if result.PackageData.IsDeprecated ||
-		result.Summary.Description.Malicious ||
+		result.PackageData.Origin == "malicious" ||
 		result.PackageData.Archived ||
 		result.Summary.Score < scoreThreshold {
 		shouldFail = true

diff --git a/pkg/trustyapi/trustyapi_test.go b/pkg/trustyapi/trustyapi_test.go
@@ -0,0 +1,63 @@
+package trustyapi
+
+import (
+	"log"
+	"strings"
+	"testing"
+)
+
+func TestProcessGoDependencies(t *testing.T) {
+	ecosystem := "go"
+	scoreThreshold := 5.0
+
+	dependencies := []string{"github.com/alecthomas/units", "github.com/prometheus/client_golang", "github.com/prometheus/common", "github.com/Tinkoff/libvirt-exporter",
+		"github.com/beorn7/perks", "golang.org/x/sys", "gopkg.in/alecthomas/kingpin.v2", "github.com/matttproud/golang_protobuf_extensions", "github.com/prometheus/client_model",
+		"libvirt.org/go/libvirt", "github.com/alecthomas/template", "github.com/golang/protobuf", "github.com/prometheus/procfs"}
+	expectedFail := []bool{false, false, false, true, true, true, true, true, false, true, true, false, false, true}
+
+	for i, dep := range dependencies {
+		log.Printf("Analyzing dependency: %s\n", dep)
+		report, shouldFail := ProcessDependency(dep, ecosystem, scoreThreshold)
+		if shouldFail != expectedFail[i] {
+			t.Errorf("Dependency %s failed check unexpectedly, expected %v, got %v", dep, expectedFail[i], shouldFail)
+		}
+		if dep == "github.com/Tinkoff/libvirt-exporter" {
+			if !strings.Contains(report, "Archived") {
+				t.Errorf("Expected report to contain 'Archived' for %s", dep)
+			}
+		}
+	}
+}
+
+func TestProcessDeprecatedDependencies(t *testing.T) {
+	ecosystem := "npm"
+	scoreThreshold := 10.0
+
+	dependencies := []string{"@types/google-cloud__storage", "cutjs", "scriptoni", "stryker-mocha-framework", "grunt-html-smoosher", "moesif-express", "swagger-methods",
+		"@syncfusion/ej2-heatmap", "@cnbritain/wc-buttons", "gulp-google-cdn"}
+
+	for _, dep := range dependencies {
+		log.Printf("Analyzing dependency: %s\n", dep)
+		report, _ := ProcessDependency(dep, ecosystem, scoreThreshold)
+		if !strings.Contains(report, "Deprecated") {
+			t.Errorf("Expected report to contain 'Deprecated' for %s", dep)
+		}
+	}
+
+}
+
+func TestProcessMaliciousDependencies(t *testing.T) {
+	ecosystem := "pypi"
+	scoreThreshold := 10.0
+
+	dependencies := []string{"lyft-service", "types-for-adobe", "booto3", "google-requests", "reqargs"}
+
+	for _, dep := range dependencies {
+		log.Printf("Analyzing dependency: %s\n", dep)
+		report, _ := ProcessDependency(dep, ecosystem, scoreThreshold)
+		if !strings.Contains(report, "Malicious") {
+			t.Errorf("Expected report to contain 'Malicious' for %s", dep)
+		}
+	}
+
+}