Merge pull request #49 from snyk-tech-services/fix/handle-issues-pkg-…

…not-in-graphs fix: handle vulns not in depgraph calculating vuln paths
snyk-labs · May 5, 2022 · 52c6b48 · 52c6b48
2 parents 89356ad + e7f3d0c
commit 52c6b48
Show file tree

Hide file tree

Showing 5 changed files with 11,902 additions and 14 deletions.
diff --git a/src/lib/client/abstraction/org/aggregatedissues.ts b/src/lib/client/abstraction/org/aggregatedissues.ts
@@ -66,13 +66,24 @@ const getVulnPathsForPkgVersionFromGraph = (
     name: pkgName,
     version: version,
   };
-  const pkgVulnPaths = depGraph.pkgPathsToRoot(pkg) as Array<
-    Array<{ name: string; version?: string }>
-  >;
-  return pkgVulnPaths.map((vulnPath) =>
-    vulnPath
-      .map((vulnPathPkg) => `${vulnPathPkg.name}@${vulnPathPkg.version}`)
-      .reverse()
-      .slice(1),
-  );
+
+  // Handle binaries vulns that aren't always in the depgraph (like base image stuff). Adding them as top level path.
+  if (
+    !depGraph
+      .getPkgs()
+      .map((depPkgInfo) => `${depPkgInfo.name}@${depPkgInfo.version}`)
+      .includes(`${pkgName}@${version}`)
+  ) {
+    return [[`${pkgName}@${version}`]];
+  } else {
+    const pkgVulnPaths = depGraph.pkgPathsToRoot(pkg) as Array<
+      Array<{ name: string; version?: string }>
+    >;
+    return pkgVulnPaths.map((vulnPath) =>
+      vulnPath
+        .map((vulnPathPkg) => `${vulnPathPkg.name}@${vulnPathPkg.version}`)
+        .reverse()
+        .slice(1),
+    );
+  }
 };
diff --git a/test/abstraction/org/aggregatedissues.test.ts b/test/abstraction/org/aggregatedissues.test.ts
@@ -17,17 +17,41 @@ const aggregatedIssuesWithVulnFixtures = fs.readFileSync(
   path.resolve(__dirname, '../..') +
     '/fixtures/abstraction/org/aggregatedIssuesWithVulnPaths-goof.json',
 );
+const depGraphFixturesWithoutBinaryVuln = fs.readFileSync(
+  path.resolve(__dirname, '../..') +
+    '/fixtures/abstraction/org/depgraphWithoutBinaryVulns-goof.json',
+);
+const aggregatedIssuesFixturesWithBinaryVuln = fs.readFileSync(
+  path.resolve(__dirname, '../..') +
+    '/fixtures/abstraction/org/aggregatedIssuesWithBinaryVulns-goof.json',
+);
+const aggregatedIssuesWithBinaryWithVulnFixtures = fs.readFileSync(
+  path.resolve(__dirname, '../..') +
+    '/fixtures/abstraction/org/aggregatedIssuesWithBinaryVulnsWithVulnPaths-goof.json',
+);
 
 beforeAll(() => {
   return nock('https://snyk.io')
     .persist()
     .post(/.*/)
-    .reply(200, () => {
-      return aggregatedIssuesFixtures;
+    .reply(200, (uri) => {
+      switch (uri) {
+        case '/api/v1/org/123/project/123/aggregated-issues':
+          return aggregatedIssuesFixtures;
+        case '/api/v1/org/123/project/456/aggregated-issues':
+          return aggregatedIssuesFixturesWithBinaryVuln;
+        default:
+      }
     })
     .get(/.*/)
-    .reply(200, () => {
-      return depGraphFixtures;
+    .reply(200, (uri) => {
+      switch (uri) {
+        case '/api/v1/org/123/project/123/dep-graph':
+          return depGraphFixtures;
+        case '/api/v1/org/123/project/456/dep-graph':
+          return depGraphFixturesWithoutBinaryVuln;
+        default:
+      }
     });
 });
 
@@ -39,12 +63,26 @@ describe('Testing org abstraction ', () => {
       .project({ projectId: '123' })
       .aggregatedissues.getAggregatedIssuesWithVulnPaths(body);
 
-    console.log(result);
     expect(
       _.isEqual(
         result,
         JSON.parse(aggregatedIssuesWithVulnFixtures.toString()),
       ),
     ).toBeTruthy();
   });
+
+  it('Testing getAggregatedIssuesWithVulnsPaths with binary vulns not in graph', async () => {
+    const body = { filters: {} };
+
+    const result = await new Org({ orgId: '123' })
+      .project({ projectId: '456' })
+      .aggregatedissues.getAggregatedIssuesWithVulnPaths(body);
+
+    expect(
+      _.isEqual(
+        result,
+        JSON.parse(aggregatedIssuesWithBinaryWithVulnFixtures.toString()),
+      ),
+    ).toBeTruthy();
+  });
 });