jenkins/sap-jenkins-library
1
0
Fork 0
mirror of https://github.com/SAP/jenkins-library.git synced 2024-12-14 11:03:09 +02:00
Code Issues Releases Activity
ed4467282f
sap-jenkins-library/pkg/whitesource/reporting_test.go

319 lines
13 KiB
Go
Raw Normal View History

feat(whitesourceExecuteScan): GitHub issue creation + SARIF (#3535) * Add GH issue creation + SARIF * Code cleanup * Fix fmt, add debug * Code enhancements * Fix * Added debug info * Rework UA log scan * Fix code * read UA version * Fix nil reference * Extraction * Credentials * Issue creation * Error handling * Fix issue creation * query escape * Query escape 2 * Revert * Test avoid update * HTTP client * Add support for custom TLS certs * Fix code * Fix code 2 * Fix code 3 * Disable cert check * Fix auth * Remove implicit trust * Skip verification * Fix * Fix client * Fix HTTP auth * Fix trusted certs * Trim version * Code * Add token * Added token handling to client * Fix token * Cleanup * Fix token * Token rework * Fix code * Kick out oauth client * Kick out oauth client * Transport wrapping * Token * Simplification * Refactor * Variation * Check * Fix * Debug * Switch client * Variation * Debug * Switch to cert check * Add debug * Parse self * Cleanup * Update resources/metadata/whitesourceExecuteScan.yaml * Add debug * Expose subjects * Patch * Debug * Debug2 * Debug3 * Fix logging response body * Cleanup * Cleanup * Fix request body logging * Cleanup import * Fix import cycle * Cleanup * Fix fmt * Fix NopCloser reference * Regenerate * Reintroduce * Fix test * Fix tests * Correction * Fix error * Code fix * Fix tests * Add tests * Fix code climate issues * Code climate * Code climate again * Code climate again * Fix fmt * Fix fmt 2 Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2022-02-23 10:30:19 +02:00
package whitesource
import (
SBOM creation for Mend (#3934) * Fix docs and format * Assessment format added * Added sample file * Added parsing * Added packageurl implementation * Slight refinement * Refactored assessment options * Adapted sample file * First attempt of ws sbom gen * Reworked SBOM generation * Fix test code * Add assessment handling * Update dependencies * Added golden test * Small fix Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2022-08-09 13:56:01 +02:00
"bytes"
feat(whitesourceExecuteScan): GitHub issue creation + SARIF (#3535) * Add GH issue creation + SARIF * Code cleanup * Fix fmt, add debug * Code enhancements * Fix * Added debug info * Rework UA log scan * Fix code * read UA version * Fix nil reference * Extraction * Credentials * Issue creation * Error handling * Fix issue creation * query escape * Query escape 2 * Revert * Test avoid update * HTTP client * Add support for custom TLS certs * Fix code * Fix code 2 * Fix code 3 * Disable cert check * Fix auth * Remove implicit trust * Skip verification * Fix * Fix client * Fix HTTP auth * Fix trusted certs * Trim version * Code * Add token * Added token handling to client * Fix token * Cleanup * Fix token * Token rework * Fix code * Kick out oauth client * Kick out oauth client * Transport wrapping * Token * Simplification * Refactor * Variation * Check * Fix * Debug * Switch client * Variation * Debug * Switch to cert check * Add debug * Parse self * Cleanup * Update resources/metadata/whitesourceExecuteScan.yaml * Add debug * Expose subjects * Patch * Debug * Debug2 * Debug3 * Fix logging response body * Cleanup * Cleanup * Fix request body logging * Cleanup import * Fix import cycle * Cleanup * Fix fmt * Fix NopCloser reference * Regenerate * Reintroduce * Fix test * Fix tests * Correction * Fix error * Code fix * Fix tests * Add tests * Fix code climate issues * Code climate * Code climate again * Code climate again * Fix fmt * Fix fmt 2 Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2022-02-23 10:30:19 +02:00
"fmt"
SBOM creation for Mend (#3934) * Fix docs and format * Assessment format added * Added sample file * Added parsing * Added packageurl implementation * Slight refinement * Refactored assessment options * Adapted sample file * First attempt of ws sbom gen * Reworked SBOM generation * Fix test code * Add assessment handling * Update dependencies * Added golden test * Small fix Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2022-08-09 13:56:01 +02:00
"io/ioutil"
feat(whitesourceExecuteScan): GitHub issue creation + SARIF (#3535) * Add GH issue creation + SARIF * Code cleanup * Fix fmt, add debug * Code enhancements * Fix * Added debug info * Rework UA log scan * Fix code * read UA version * Fix nil reference * Extraction * Credentials * Issue creation * Error handling * Fix issue creation * query escape * Query escape 2 * Revert * Test avoid update * HTTP client * Add support for custom TLS certs * Fix code * Fix code 2 * Fix code 3 * Disable cert check * Fix auth * Remove implicit trust * Skip verification * Fix * Fix client * Fix HTTP auth * Fix trusted certs * Trim version * Code * Add token * Added token handling to client * Fix token * Cleanup * Fix token * Token rework * Fix code * Kick out oauth client * Kick out oauth client * Transport wrapping * Token * Simplification * Refactor * Variation * Check * Fix * Debug * Switch client * Variation * Debug * Switch to cert check * Add debug * Parse self * Cleanup * Update resources/metadata/whitesourceExecuteScan.yaml * Add debug * Expose subjects * Patch * Debug * Debug2 * Debug3 * Fix logging response body * Cleanup * Cleanup * Fix request body logging * Cleanup import * Fix import cycle * Cleanup * Fix fmt * Fix NopCloser reference * Regenerate * Reintroduce * Fix test * Fix tests * Correction * Fix error * Code fix * Fix tests * Add tests * Fix code climate issues * Code climate * Code climate again * Code climate again * Fix fmt * Fix fmt 2 Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2022-02-23 10:30:19 +02:00
"path/filepath"
"testing"
SBOM creation for Mend (#3934) * Fix docs and format * Assessment format added * Added sample file * Added parsing * Added packageurl implementation * Slight refinement * Refactored assessment options * Adapted sample file * First attempt of ws sbom gen * Reworked SBOM generation * Fix test code * Add assessment handling * Update dependencies * Added golden test * Small fix Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2022-08-09 13:56:01 +02:00
cdx "github.com/CycloneDX/cyclonedx-go"
feat(whitesourceExecuteScan): GitHub issue creation + SARIF (#3535) * Add GH issue creation + SARIF * Code cleanup * Fix fmt, add debug * Code enhancements * Fix * Added debug info * Rework UA log scan * Fix code * read UA version * Fix nil reference * Extraction * Credentials * Issue creation * Error handling * Fix issue creation * query escape * Query escape 2 * Revert * Test avoid update * HTTP client * Add support for custom TLS certs * Fix code * Fix code 2 * Fix code 3 * Disable cert check * Fix auth * Remove implicit trust * Skip verification * Fix * Fix client * Fix HTTP auth * Fix trusted certs * Trim version * Code * Add token * Added token handling to client * Fix token * Cleanup * Fix token * Token rework * Fix code * Kick out oauth client * Kick out oauth client * Transport wrapping * Token * Simplification * Refactor * Variation * Check * Fix * Debug * Switch client * Variation * Debug * Switch to cert check * Add debug * Parse self * Cleanup * Update resources/metadata/whitesourceExecuteScan.yaml * Add debug * Expose subjects * Patch * Debug * Debug2 * Debug3 * Fix logging response body * Cleanup * Cleanup * Fix request body logging * Cleanup import * Fix import cycle * Cleanup * Fix fmt * Fix NopCloser reference * Regenerate * Reintroduce * Fix test * Fix tests * Correction * Fix error * Code fix * Fix tests * Add tests * Fix code climate issues * Code climate * Code climate again * Code climate again * Fix fmt * Fix fmt 2 Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2022-02-23 10:30:19 +02:00
"github.com/SAP/jenkins-library/pkg/format"
"github.com/SAP/jenkins-library/pkg/mock"
"github.com/SAP/jenkins-library/pkg/piperutils"
"github.com/SAP/jenkins-library/pkg/reporting"
SBOM creation for Mend (#3934) * Fix docs and format * Assessment format added * Added sample file * Added parsing * Added packageurl implementation * Slight refinement * Refactored assessment options * Adapted sample file * First attempt of ws sbom gen * Reworked SBOM generation * Fix test code * Add assessment handling * Update dependencies * Added golden test * Small fix Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2022-08-09 13:56:01 +02:00
"github.com/SAP/jenkins-library/pkg/versioning"
feat(whitesourceExecuteScan): GitHub issue creation + SARIF (#3535) * Add GH issue creation + SARIF * Code cleanup * Fix fmt, add debug * Code enhancements * Fix * Added debug info * Rework UA log scan * Fix code * read UA version * Fix nil reference * Extraction * Credentials * Issue creation * Error handling * Fix issue creation * query escape * Query escape 2 * Revert * Test avoid update * HTTP client * Add support for custom TLS certs * Fix code * Fix code 2 * Fix code 3 * Disable cert check * Fix auth * Remove implicit trust * Skip verification * Fix * Fix client * Fix HTTP auth * Fix trusted certs * Trim version * Code * Add token * Added token handling to client * Fix token * Cleanup * Fix token * Token rework * Fix code * Kick out oauth client * Kick out oauth client * Transport wrapping * Token * Simplification * Refactor * Variation * Check * Fix * Debug * Switch client * Variation * Debug * Switch to cert check * Add debug * Parse self * Cleanup * Update resources/metadata/whitesourceExecuteScan.yaml * Add debug * Expose subjects * Patch * Debug * Debug2 * Debug3 * Fix logging response body * Cleanup * Cleanup * Fix request body logging * Cleanup import * Fix import cycle * Cleanup * Fix fmt * Fix NopCloser reference * Regenerate * Reintroduce * Fix test * Fix tests * Correction * Fix error * Code fix * Fix tests * Add tests * Fix code climate issues * Code climate * Code climate again * Code climate again * Fix fmt * Fix fmt 2 Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2022-02-23 10:30:19 +02:00
"github.com/stretchr/testify/assert"
)
func TestCreateCustomVulnerabilityReport(t *testing.T) {
t.Parallel()
t.Run("success case", func(t *testing.T) {
config := &ScanOptions{}
scan := &Scan{
AggregateProjectName: config.ProjectName,
ProductVersion: config.ProductVersion,
}
scan.AppendScannedProject("testProject")
alerts := []Alert{
{Library: Library{Filename: "vul1"}, Vulnerability: Vulnerability{CVSS3Score: 7.0, Score: 6}},
{Library: Library{Filename: "vul2"}, Vulnerability: Vulnerability{CVSS3Score: 8.0, TopFix: Fix{Message: "this is the top fix"}}},
{Library: Library{Filename: "vul3"}, Vulnerability: Vulnerability{Score: 6}},
}
scanReport := CreateCustomVulnerabilityReport(config.ProductName, scan, &alerts, 7.0)
feat(detectExecuteScan): SARIF export and GH issue creation (#3637) * Added SARIF and GH issue creation
2022-03-17 16:32:48 +02:00
assert.Equal(t, "WhiteSource Security Vulnerability Report", scanReport.Title())
feat(whitesourceExecuteScan): GitHub issue creation + SARIF (#3535) * Add GH issue creation + SARIF * Code cleanup * Fix fmt, add debug * Code enhancements * Fix * Added debug info * Rework UA log scan * Fix code * read UA version * Fix nil reference * Extraction * Credentials * Issue creation * Error handling * Fix issue creation * query escape * Query escape 2 * Revert * Test avoid update * HTTP client * Add support for custom TLS certs * Fix code * Fix code 2 * Fix code 3 * Disable cert check * Fix auth * Remove implicit trust * Skip verification * Fix * Fix client * Fix HTTP auth * Fix trusted certs * Trim version * Code * Add token * Added token handling to client * Fix token * Cleanup * Fix token * Token rework * Fix code * Kick out oauth client * Kick out oauth client * Transport wrapping * Token * Simplification * Refactor * Variation * Check * Fix * Debug * Switch client * Variation * Debug * Switch to cert check * Add debug * Parse self * Cleanup * Update resources/metadata/whitesourceExecuteScan.yaml * Add debug * Expose subjects * Patch * Debug * Debug2 * Debug3 * Fix logging response body * Cleanup * Cleanup * Fix request body logging * Cleanup import * Fix import cycle * Cleanup * Fix fmt * Fix NopCloser reference * Regenerate * Reintroduce * Fix test * Fix tests * Correction * Fix error * Code fix * Fix tests * Add tests * Fix code climate issues * Code climate * Code climate again * Code climate again * Fix fmt * Fix fmt 2 Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2022-02-23 10:30:19 +02:00
assert.Equal(t, 3, len(scanReport.DetailTable.Rows))
// assert that library info is filled and sorting has been executed
assert.Equal(t, "vul2", scanReport.DetailTable.Rows[0].Columns[5].Content)
assert.Equal(t, "vul1", scanReport.DetailTable.Rows[1].Columns[5].Content)
assert.Equal(t, "vul3", scanReport.DetailTable.Rows[2].Columns[5].Content)
// assert that CVSS version identification has been done
assert.Equal(t, "v3", scanReport.DetailTable.Rows[0].Columns[3].Content)
assert.Equal(t, "v3", scanReport.DetailTable.Rows[1].Columns[3].Content)
assert.Equal(t, "v2", scanReport.DetailTable.Rows[2].Columns[3].Content)
// assert proper rating and styling of high prio issues
assert.Equal(t, "8", scanReport.DetailTable.Rows[0].Columns[2].Content)
assert.Equal(t, "7", scanReport.DetailTable.Rows[1].Columns[2].Content)
assert.Equal(t, "6", scanReport.DetailTable.Rows[2].Columns[2].Content)
assert.Equal(t, "red-cell", scanReport.DetailTable.Rows[0].Columns[2].Style.String())
assert.Equal(t, "red-cell", scanReport.DetailTable.Rows[1].Columns[2].Style.String())
assert.Equal(t, "yellow-cell", scanReport.DetailTable.Rows[2].Columns[2].Style.String())
assert.Contains(t, scanReport.DetailTable.Rows[0].Columns[10].Content, "this is the top fix")
})
}
SBOM creation for Mend (#3934) * Fix docs and format * Assessment format added * Added sample file * Added parsing * Added packageurl implementation * Slight refinement * Refactored assessment options * Adapted sample file * First attempt of ws sbom gen * Reworked SBOM generation * Fix test code * Add assessment handling * Update dependencies * Added golden test * Small fix Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2022-08-09 13:56:01 +02:00
func TestCreateCycloneSBOM(t *testing.T) {
t.Parallel()
t.Run("success case", func(t *testing.T) {
config := &ScanOptions{}
scan := &Scan{
AgentName: "Mend Unified Agent",
AgentVersion: "3.3.3",
AggregateProjectName: config.ProjectName,
BuildTool: "maven",
ProductVersion: config.ProductVersion,
Coordinates: versioning.Coordinates{GroupID: "com.sap", ArtifactID: "myproduct", Version: "1.3.4"},
}
scan.AppendScannedProject("testProject")
alerts := []Alert{
{Library: Library{KeyID: 42, Name: "log4j", GroupID: "apache-logging", ArtifactID: "log4j", Filename: "vul1"}, Vulnerability: Vulnerability{CVSS3Score: 7.0, Score: 6}},
{Library: Library{KeyID: 43, Name: "commons-lang", GroupID: "apache-commons", ArtifactID: "commons-lang", Filename: "vul2"}, Vulnerability: Vulnerability{CVSS3Score: 8.0, TopFix: Fix{Message: "this is the top fix"}}},
{Library: Library{KeyID: 42, Name: "log4j", GroupID: "apache-logging", ArtifactID: "log4j", Filename: "vul3"}, Vulnerability: Vulnerability{Score: 6}},
}
libraries := []Library{
{KeyID: 42, Name: "log4j", GroupID: "apache-logging", ArtifactID: "log4j", Filename: "vul1", Dependencies: []Library{{KeyID: 43, Name: "commons-lang", GroupID: "apache-commons", ArtifactID: "commons-lang", Filename: "vul2"}}},
{KeyID: 42, Name: "log4j", GroupID: "apache-logging", ArtifactID: "log4j", Filename: "vul3"},
}
contents, err := CreateCycloneSBOM(scan, &libraries, &alerts)
assert.NoError(t, err, "unexpected error")
buffer := bytes.NewBuffer(contents)
decoder := cdx.NewBOMDecoder(buffer, cdx.BOMFileFormatXML)
bom := cdx.NewBOM()
decoder.Decode(bom)
assert.NotNil(t, bom, "BOM was nil")
assert.NotEmpty(t, bom.SpecVersion)
components := *bom.Components
assert.Equal(t, 2, len(components))
assert.Equal(t, true, components[0].Name == "log4j" || components[0].Name == "commons-lang")
assert.Equal(t, true, components[1].Name == "log4j" || components[1].Name == "commons-lang")
assert.Equal(t, true, components[0].Name != components[1].Name)
})
t.Run("success - golden", func(t *testing.T) {
config := &ScanOptions{ProjectName: "myproduct - 1.3.4", ProductVersion: "1"}
scan := &Scan{
AgentName: "Mend Unified Agent",
AgentVersion: "3.3.3",
AggregateProjectName: config.ProjectName,
BuildTool: "maven",
ProductVersion: config.ProductVersion,
Coordinates: versioning.Coordinates{GroupID: "com.sap", ArtifactID: "myproduct", Version: "1.3.4"},
}
scan.AppendScannedProject("testProject")
alerts := []Alert{
{Library: Library{KeyID: 42, Name: "log4j", GroupID: "apache-logging", ArtifactID: "log4j", Version: "1.14", LibType: "MAVEN_ARTIFACT", Filename: "vul1"}, Vulnerability: Vulnerability{Name: "CVE-2022-001", CVSS3Score: 7.0, Score: 6, Severity: "medium", PublishDate: "01.01.2022"}},
{Library: Library{KeyID: 43, Name: "commons-lang", GroupID: "apache-commons", ArtifactID: "commons-lang", Version: "2.4.30", LibType: "MAVEN_ARTIFACT", Filename: "vul2"}, Vulnerability: Vulnerability{Name: "CVE-2022-002", CVSS3Score: 8.0, Severity: "high", PublishDate: "02.01.2022", TopFix: Fix{Message: "this is the top fix"}}},
{Library: Library{KeyID: 42, Name: "log4j", GroupID: "apache-logging", ArtifactID: "log4j", Version: "3.25", LibType: "MAVEN_ARTIFACT", Filename: "vul3"}, Vulnerability: Vulnerability{Name: "CVE-2022-003", Score: 6, Severity: "medium", PublishDate: "03.01.2022"}},
}
libraries := []Library{
{KeyID: 42, Name: "log4j", GroupID: "apache-logging", ArtifactID: "log4j", Version: "1.14", LibType: "MAVEN_ARTIFACT", Filename: "vul1", Dependencies: []Library{{KeyID: 43, Name: "commons-lang", GroupID: "apache-commons", ArtifactID: "commons-lang", Version: "2.4.30", LibType: "MAVEN_ARTIFACT", Filename: "vul2"}}},
{KeyID: 44, Name: "log4j", GroupID: "apache-logging", ArtifactID: "log4j", Version: "3.25", LibType: "MAVEN_ARTIFACT", Filename: "vul3", Dependencies: []Library{{KeyID: 45, Name: "commons-lang", GroupID: "apache-commons", ArtifactID: "commons-lang", Version: "3.15", LibType: "MAVEN_ARTIFACT", Filename: "vul2"}}},
}
contents, err := CreateCycloneSBOM(scan, &libraries, &alerts)
assert.NoError(t, err, "unexpected error")
goldenFilePath := filepath.Join("testdata", "sbom.golden")
expected, err := ioutil.ReadFile(goldenFilePath)
assert.NoError(t, err)
assert.Equal(t, string(expected), string(contents))
})
}
func TestWriteCycloneSBOM(t *testing.T) {
t.Parallel()
var utilsMock piperutils.FileUtils
utilsMock = &mock.FilesMock{}
t.Run("success case", func(t *testing.T) {
paths, err := WriteCycloneSBOM([]byte{1, 2, 3, 4}, utilsMock)
assert.NoError(t, err, "unexpexted error")
assert.Equal(t, 1, len(paths))
assert.Equal(t, "whitesource/piper_whitesource_sbom.xml", paths[0].Target)
exists, err := utilsMock.FileExists(paths[0].Target)
assert.NoError(t, err)
assert.True(t, exists)
})
}
feat(whitesourceExecuteScan): GitHub issue creation + SARIF (#3535) * Add GH issue creation + SARIF * Code cleanup * Fix fmt, add debug * Code enhancements * Fix * Added debug info * Rework UA log scan * Fix code * read UA version * Fix nil reference * Extraction * Credentials * Issue creation * Error handling * Fix issue creation * query escape * Query escape 2 * Revert * Test avoid update * HTTP client * Add support for custom TLS certs * Fix code * Fix code 2 * Fix code 3 * Disable cert check * Fix auth * Remove implicit trust * Skip verification * Fix * Fix client * Fix HTTP auth * Fix trusted certs * Trim version * Code * Add token * Added token handling to client * Fix token * Cleanup * Fix token * Token rework * Fix code * Kick out oauth client * Kick out oauth client * Transport wrapping * Token * Simplification * Refactor * Variation * Check * Fix * Debug * Switch client * Variation * Debug * Switch to cert check * Add debug * Parse self * Cleanup * Update resources/metadata/whitesourceExecuteScan.yaml * Add debug * Expose subjects * Patch * Debug * Debug2 * Debug3 * Fix logging response body * Cleanup * Cleanup * Fix request body logging * Cleanup import * Fix import cycle * Cleanup * Fix fmt * Fix NopCloser reference * Regenerate * Reintroduce * Fix test * Fix tests * Correction * Fix error * Code fix * Fix tests * Add tests * Fix code climate issues * Code climate * Code climate again * Code climate again * Fix fmt * Fix fmt 2 Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2022-02-23 10:30:19 +02:00
func TestCreateSarifResultFile(t *testing.T) {
scan := &Scan{ProductVersion: "1"}
scan.AppendScannedProject("project1")
scan.AgentName = "Some test agent"
scan.AgentVersion = "1.2.6"
alerts := []Alert{
{Library: Library{Filename: "vul1", ArtifactID: "org.some.lib"}, Vulnerability: Vulnerability{CVSS3Score: 7.0, Score: 6}},
{Library: Library{Filename: "vul2", ArtifactID: "org.some.lib"}, Vulnerability: Vulnerability{CVSS3Score: 8.0, TopFix: Fix{Message: "this is the top fix"}}},
{Library: Library{Filename: "vul3", ArtifactID: "org.some.lib2"}, Vulnerability: Vulnerability{Score: 6}},
}
sarif := CreateSarifResultFile(scan, &alerts)
SARIF format and GHIssue format improvements (#3646) * Improve reporting * Fix location * Align casing * Fix severity mapping * Fix format * Improve title * Title format * Fix severity * Align title * Fix schema reference * Fix schema reference * Fix fmt * Fix fmt2 * Fix tests * fix(sarif): proper handling of omitempty in SnippetSarif * fix(fortifyExecuteScan): sarif format version * Addressing comments * Fix SARIF * fix(sarif): omitempty handling * fix(fortifyExecuteScan): pointer indirection * Added TODOs for audit data Co-authored-by: Xavier Goffin <x.goffin@sap.com> Co-authored-by: xgoffin <86716549+xgoffin@users.noreply.github.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2022-03-22 15:47:19 +02:00
assert.Equal(t, "https://docs.oasis-open.org/sarif/sarif/v2.1.0/cos02/schemas/sarif-schema-2.1.0.json", sarif.Schema)
feat(whitesourceExecuteScan): GitHub issue creation + SARIF (#3535) * Add GH issue creation + SARIF * Code cleanup * Fix fmt, add debug * Code enhancements * Fix * Added debug info * Rework UA log scan * Fix code * read UA version * Fix nil reference * Extraction * Credentials * Issue creation * Error handling * Fix issue creation * query escape * Query escape 2 * Revert * Test avoid update * HTTP client * Add support for custom TLS certs * Fix code * Fix code 2 * Fix code 3 * Disable cert check * Fix auth * Remove implicit trust * Skip verification * Fix * Fix client * Fix HTTP auth * Fix trusted certs * Trim version * Code * Add token * Added token handling to client * Fix token * Cleanup * Fix token * Token rework * Fix code * Kick out oauth client * Kick out oauth client * Transport wrapping * Token * Simplification * Refactor * Variation * Check * Fix * Debug * Switch client * Variation * Debug * Switch to cert check * Add debug * Parse self * Cleanup * Update resources/metadata/whitesourceExecuteScan.yaml * Add debug * Expose subjects * Patch * Debug * Debug2 * Debug3 * Fix logging response body * Cleanup * Cleanup * Fix request body logging * Cleanup import * Fix import cycle * Cleanup * Fix fmt * Fix NopCloser reference * Regenerate * Reintroduce * Fix test * Fix tests * Correction * Fix error * Code fix * Fix tests * Add tests * Fix code climate issues * Code climate * Code climate again * Code climate again * Fix fmt * Fix fmt 2 Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2022-02-23 10:30:19 +02:00
assert.Equal(t, "2.1.0", sarif.Version)
assert.Equal(t, 1, len(sarif.Runs))
assert.Equal(t, "Some test agent", sarif.Runs[0].Tool.Driver.Name)
assert.Equal(t, "1.2.6", sarif.Runs[0].Tool.Driver.Version)
assert.Equal(t, 3, len(sarif.Runs[0].Tool.Driver.Rules))
assert.Equal(t, 3, len(sarif.Runs[0].Results))
// TODO add more extensive verification once we agree on the format details
}
func TestWriteCustomVulnerabilityReports(t *testing.T) {
t.Run("success", func(t *testing.T) {
productName := "mock-product"
scan := &Scan{ProductVersion: "1"}
scan.AppendScannedProject("project1")
scan.AppendScannedProject("project2")
scanReport := reporting.ScanReport{}
var utilsMock piperutils.FileUtils
utilsMock = &mock.FilesMock{}
reportPaths, err := WriteCustomVulnerabilityReports(productName, scan, scanReport, utilsMock)
assert.NoError(t, err)
assert.Equal(t, 1, len(reportPaths))
exists, err := utilsMock.FileExists(reportPaths[0].Target)
assert.NoError(t, err)
assert.True(t, exists)
exists, err = utilsMock.FileExists(filepath.Join(reporting.StepReportDirectory, "whitesourceExecuteScan_oss_27322f16a39c10c852ba6639538140a03e08e93f.json"))
assert.NoError(t, err)
assert.True(t, exists)
})
t.Run("failed to write HTML report", func(t *testing.T) {
productName := "mock-product"
scan := &Scan{ProductVersion: "1"}
scanReport := reporting.ScanReport{}
utilsMock := &mock.FilesMock{}
utilsMock.FileWriteErrors = map[string]error{
filepath.Join(ReportsDirectory, "piper_whitesource_vulnerability_report.html"): fmt.Errorf("write error"),
}
_, err := WriteCustomVulnerabilityReports(productName, scan, scanReport, utilsMock)
assert.Contains(t, fmt.Sprint(err), "failed to write html report")
})
t.Run("failed to write json report", func(t *testing.T) {
productName := "mock-product"
scan := &Scan{ProductVersion: "1"}
scan.AppendScannedProject("project1")
scanReport := reporting.ScanReport{}
utilsMock := &mock.FilesMock{}
utilsMock.FileWriteErrors = map[string]error{
filepath.Join(reporting.StepReportDirectory, "whitesourceExecuteScan_oss_e860d3a7cc8ca3261f065773404ba43e9a0b9d5b.json"): fmt.Errorf("write error"),
}
_, err := WriteCustomVulnerabilityReports(productName, scan, scanReport, utilsMock)
assert.Contains(t, fmt.Sprint(err), "failed to write json report")
})
}
func TestWriteSarifFile(t *testing.T) {
t.Run("success", func(t *testing.T) {
sarif := format.SARIF{}
var utilsMock piperutils.FileUtils
utilsMock = &mock.FilesMock{}
reportPaths, err := WriteSarifFile(&sarif, utilsMock)
assert.NoError(t, err)
assert.Equal(t, 1, len(reportPaths))
exists, err := utilsMock.FileExists(reportPaths[0].Target)
assert.NoError(t, err)
assert.True(t, exists)
exists, err = utilsMock.FileExists(filepath.Join(ReportsDirectory, "piper_whitesource_vulnerability.sarif"))
assert.NoError(t, err)
assert.True(t, exists)
})
t.Run("failed to write HTML report", func(t *testing.T) {
sarif := format.SARIF{}
utilsMock := &mock.FilesMock{}
utilsMock.FileWriteErrors = map[string]error{
filepath.Join(ReportsDirectory, "piper_whitesource_vulnerability.sarif"): fmt.Errorf("write error"),
}
_, err := WriteSarifFile(&sarif, utilsMock)
assert.Contains(t, fmt.Sprint(err), "failed to write SARIF file")
})
}
func TestCountSecurityVulnerabilities(t *testing.T) {
t.Parallel()
alerts := []Alert{
{Vulnerability: Vulnerability{CVSS3Score: 7.1}},
{Vulnerability: Vulnerability{CVSS3Score: 7}},
{Vulnerability: Vulnerability{CVSS3Score: 6}},
}
severe, nonSevere := CountSecurityVulnerabilities(&alerts, 7.0)
assert.Equal(t, 2, severe)
assert.Equal(t, 1, nonSevere)
}
func TestIsSevereVulnerability(t *testing.T) {
tt := []struct {
alert Alert
limit float64
expected bool
}{
{alert: Alert{Vulnerability: Vulnerability{CVSS3Score: 0}}, limit: 0, expected: true},
{alert: Alert{Vulnerability: Vulnerability{CVSS3Score: 6.9, Score: 6}}, limit: 7.0, expected: false},
{alert: Alert{Vulnerability: Vulnerability{CVSS3Score: 7.0, Score: 6}}, limit: 7.0, expected: true},
{alert: Alert{Vulnerability: Vulnerability{CVSS3Score: 7.1, Score: 6}}, limit: 7.0, expected: true},
{alert: Alert{Vulnerability: Vulnerability{CVSS3Score: 6, Score: 6.9}}, limit: 7.0, expected: false},
{alert: Alert{Vulnerability: Vulnerability{CVSS3Score: 6, Score: 7.0}}, limit: 7.0, expected: false},
{alert: Alert{Vulnerability: Vulnerability{CVSS3Score: 6, Score: 7.1}}, limit: 7.0, expected: false},
{alert: Alert{Vulnerability: Vulnerability{Score: 6.9}}, limit: 7.0, expected: false},
{alert: Alert{Vulnerability: Vulnerability{Score: 7.0}}, limit: 7.0, expected: true},
{alert: Alert{Vulnerability: Vulnerability{Score: 7.1}}, limit: 7.0, expected: true},
}
for i, test := range tt {
assert.Equalf(t, test.expected, isSevereVulnerability(test.alert, test.limit), "run %v failed", i)
}
}
func TestVulnerabilityScore(t *testing.T) {
t.Parallel()
tt := []struct {
alert Alert
expected float64
}{
{alert: Alert{Vulnerability: Vulnerability{CVSS3Score: 7.0, Score: 6}}, expected: 7.0},
{alert: Alert{Vulnerability: Vulnerability{CVSS3Score: 7.0}}, expected: 7.0},
{alert: Alert{Vulnerability: Vulnerability{Score: 6}}, expected: 6},
}
for i, test := range tt {
assert.Equalf(t, test.expected, vulnerabilityScore(test.alert), "run %v failed", i)
}
}
Reference in New Issue Copy Permalink