Merge pull request #50 from snyk-tech-services/develop

release changes
snyk-labs · May 5, 2022 · ca95973 · ca95973
2 parents 5f2f787 + 52c6b48
commit ca95973
Show file tree

Hide file tree

Showing 9 changed files with 11,908 additions and 18 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -1,6 +1,6 @@
 version: 2.1
 orbs:
-    snyk: snyk/snyk@0.0.8
+    snyk: snyk/snyk@1.1.2
 jobs:
     build-test-monitor:
         docker:

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -0,0 +1,2 @@
+# Snyk Tech Services will be required for a review on every PR
+* @snyk-tech-services/snyk-tech-services
diff --git a/.snyk b/.snyk
@@ -1,5 +1,5 @@
 # Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
-version: v1.14.1
+version: v1.19.0
 ignore: {}
 # patches apply the minimum changes required to fix a vulnerability
 patch:

diff --git a/package.json b/package.json
@@ -50,12 +50,12 @@
     "@snyk/dep-graph": "^1.23.0",
     "@types/lodash": "^4.14.155",
     "@types/node": "^14.0.12",
-    "axios": "0.21.4",
+    "axios": "0.26.0",
     "debug": "^4.1.1",
     "jsonq": "^1.2.0",
     "lodash": "^4.17.21",
     "snyk": "^1.360.0",
-    "snyk-config": "^4.0.0",
+    "snyk-config": "^5.0.0",
     "snyk-request-manager": "^1.4.1",
     "source-map-support": "^0.5.16",
     "tslib": "^1.10.0",

diff --git a/src/lib/client/abstraction/org/aggregatedissues.ts b/src/lib/client/abstraction/org/aggregatedissues.ts
@@ -66,13 +66,24 @@ const getVulnPathsForPkgVersionFromGraph = (
     name: pkgName,
     version: version,
   };
-  const pkgVulnPaths = depGraph.pkgPathsToRoot(pkg) as Array<
-    Array<{ name: string; version?: string }>
-  >;
-  return pkgVulnPaths.map((vulnPath) =>
-    vulnPath
-      .map((vulnPathPkg) => `${vulnPathPkg.name}@${vulnPathPkg.version}`)
-      .reverse()
-      .slice(1),
-  );
+
+  // Handle binaries vulns that aren't always in the depgraph (like base image stuff). Adding them as top level path.
+  if (
+    !depGraph
+      .getPkgs()
+      .map((depPkgInfo) => `${depPkgInfo.name}@${depPkgInfo.version}`)
+      .includes(`${pkgName}@${version}`)
+  ) {
+    return [[`${pkgName}@${version}`]];
+  } else {
+    const pkgVulnPaths = depGraph.pkgPathsToRoot(pkg) as Array<
+      Array<{ name: string; version?: string }>
+    >;
+    return pkgVulnPaths.map((vulnPath) =>
+      vulnPath
+        .map((vulnPathPkg) => `${vulnPathPkg.name}@${vulnPathPkg.version}`)
+        .reverse()
+        .slice(1),
+    );
+  }
 };
diff --git a/test/abstraction/org/aggregatedissues.test.ts b/test/abstraction/org/aggregatedissues.test.ts
@@ -17,17 +17,41 @@ const aggregatedIssuesWithVulnFixtures = fs.readFileSync(
   path.resolve(__dirname, '../..') +
     '/fixtures/abstraction/org/aggregatedIssuesWithVulnPaths-goof.json',
 );
+const depGraphFixturesWithoutBinaryVuln = fs.readFileSync(
+  path.resolve(__dirname, '../..') +
+    '/fixtures/abstraction/org/depgraphWithoutBinaryVulns-goof.json',
+);
+const aggregatedIssuesFixturesWithBinaryVuln = fs.readFileSync(
+  path.resolve(__dirname, '../..') +
+    '/fixtures/abstraction/org/aggregatedIssuesWithBinaryVulns-goof.json',
+);
+const aggregatedIssuesWithBinaryWithVulnFixtures = fs.readFileSync(
+  path.resolve(__dirname, '../..') +
+    '/fixtures/abstraction/org/aggregatedIssuesWithBinaryVulnsWithVulnPaths-goof.json',
+);
 
 beforeAll(() => {
   return nock('https://snyk.io')
     .persist()
     .post(/.*/)
-    .reply(200, () => {
-      return aggregatedIssuesFixtures;
+    .reply(200, (uri) => {
+      switch (uri) {
+        case '/api/v1/org/123/project/123/aggregated-issues':
+          return aggregatedIssuesFixtures;
+        case '/api/v1/org/123/project/456/aggregated-issues':
+          return aggregatedIssuesFixturesWithBinaryVuln;
+        default:
+      }
     })
     .get(/.*/)
-    .reply(200, () => {
-      return depGraphFixtures;
+    .reply(200, (uri) => {
+      switch (uri) {
+        case '/api/v1/org/123/project/123/dep-graph':
+          return depGraphFixtures;
+        case '/api/v1/org/123/project/456/dep-graph':
+          return depGraphFixturesWithoutBinaryVuln;
+        default:
+      }
     });
 });
 
@@ -39,12 +63,26 @@ describe('Testing org abstraction ', () => {
       .project({ projectId: '123' })
       .aggregatedissues.getAggregatedIssuesWithVulnPaths(body);
 
-    console.log(result);
     expect(
       _.isEqual(
         result,
         JSON.parse(aggregatedIssuesWithVulnFixtures.toString()),
       ),
     ).toBeTruthy();
   });
+
+  it('Testing getAggregatedIssuesWithVulnsPaths with binary vulns not in graph', async () => {
+    const body = { filters: {} };
+
+    const result = await new Org({ orgId: '123' })
+      .project({ projectId: '456' })
+      .aggregatedissues.getAggregatedIssuesWithVulnPaths(body);
+
+    expect(
+      _.isEqual(
+        result,
+        JSON.parse(aggregatedIssuesWithBinaryWithVulnFixtures.toString()),
+      ),
+    ).toBeTruthy();
+  });
 });