test: capture valid json output with policy

snyk · Nov 13, 2024 · 72bb996 · 72bb996
1 parent 8ef2e3e
commit 72bb996
Show file tree

Hide file tree

Showing 5 changed files with 163 additions and 2 deletions.
diff --git a/test/acceptance/workspaces/npm-package-single-ignored-vuln/.snyk b/test/acceptance/workspaces/npm-package-single-ignored-vuln/.snyk
@@ -0,0 +1,8 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.14.1
+# ignores vulnerabilities until expiry date; change duration by modifying expiry date
+ignore:
+  'SNYK-JS-CXCT-535487':
+    - '*':
+        reason: None given
+        expires: '2100-03-01T19:48:49.699Z'
diff --git a/test/acceptance/workspaces/npm-package-single-ignored-vuln/package-lock.json b/test/acceptance/workspaces/npm-package-single-ignored-vuln/package-lock.json
diff --git a/test/acceptance/workspaces/npm-package-single-ignored-vuln/package.json b/test/acceptance/workspaces/npm-package-single-ignored-vuln/package.json
@@ -0,0 +1,9 @@
+{
+  "name": "npm-package-single-ignored-vuln",
+  "version": "1.0.0",
+  "description": "application with annotated vulns",
+  "dependencies": {
+    "cxct": "0.0.1-security"
+  },
+  "devDependencies": {}
+}
diff --git a/test/acceptance/workspaces/npm-package-single-ignored-vuln/test-graph-results.json b/test/acceptance/workspaces/npm-package-single-ignored-vuln/test-graph-results.json
@@ -0,0 +1,104 @@
+{
+  "result": {
+    "affectedPkgs": {
+      "[email protected]": {
+        "pkg": { "name": "cxct", "version": "0.0.1-security" },
+        "issues": {
+          "SNYK-JS-CXCT-535487": {
+            "issueId": "SNYK-JS-CXCT-535487",
+            "fixInfo": { "isPatchable": false, "upgradePaths": [] }
+          }
+        }
+      }
+    },
+    "issuesData": {
+      "SNYK-JS-CXCT-535487": {
+        "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+        "alternativeIds": [],
+        "creationTime": "2019-11-24T13:10:43.888332Z",
+        "credit": ["npm 󠅮󠅰󠅭security"],
+        "cvssScore": 9.8,
+        "description": "## Overview\n\n[cxct](https://www.npmjs.com/package/cxct) is a malicious package.\n\n\nThe package finds and exfiltrates cryptocurrency wallets.\n\n## Remediation\n\nAvoid using `cxct` altogether.\n\n\n## References\n\n- [NPM Security Advisory](https://www.npmjs.com/advisories/1344)\n",
+        "disclosureTime": "2019-11-22T00:24:41Z",
+        "exploit": "Not Defined",
+        "fixedIn": [],
+        "functions": [],
+        "functions_new": [],
+        "id": "SNYK-JS-CXCT-535487",
+        "identifiers": { "CVE": [], "CWE": ["CWE-506"], "NSP": [1344] },
+        "language": "js",
+        "modificationTime": "2019-11-24T16:16:16.630345Z",
+        "moduleName": "cxct",
+        "packageManager": "npm",
+        "packageName": "cxct",
+        "patches": [],
+        "publicationTime": "2019-11-24T13:11:04Z",
+        "references": [
+          {
+            "title": "NPM Security Advisory",
+            "url": "https://www.npmjs.com/advisories/1344"
+          }
+        ],
+        "semver": { "vulnerable": ["*"] },
+        "severity": "high",
+        "title": "Malicious 󠅮󠅰󠅭Package",
+        "isPinnable": false
+      }
+    },
+    "remediation": {
+      "unresolved": [
+        {
+          "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+          "alternativeIds": [],
+          "creationTime": "2019-11-24T13:10:43.888332Z",
+          "credit": ["npm 󠅮󠅰󠅭security"],
+          "cvssScore": 9.8,
+          "description": "## Overview\n\n[cxct](https://www.npmjs.com/package/cxct) is a malicious package.\n\n\nThe package finds and exfiltrates cryptocurrency wallets.\n\n## Remediation\n\nAvoid using `cxct` altogether.\n\n\n## References\n\n- [NPM Security Advisory](https://www.npmjs.com/advisories/1344)\n",
+          "disclosureTime": "2019-11-22T00:24:41Z",
+          "exploit": "Not Defined",
+          "fixedIn": [],
+          "functions": [],
+          "functions_new": [],
+          "id": "SNYK-JS-CXCT-535487",
+          "identifiers": { "CVE": [], "CWE": ["CWE-506"], "NSP": [1344] },
+          "language": "js",
+          "modificationTime": "2019-11-24T16:16:16.630345Z",
+          "moduleName": "cxct",
+          "packageManager": "npm",
+          "packageName": "cxct",
+          "patches": [],
+          "publicationTime": "2019-11-24T13:11:04Z",
+          "references": [
+            {
+              "title": "NPM Security Advisory",
+              "url": "https://www.npmjs.com/advisories/1344"
+            }
+          ],
+          "semver": { "vulnerable": ["*"] },
+          "severity": "high",
+          "title": "Malicious 󠅮󠅰󠅭Package",
+          "isPinnable": false,
+          "from": ["[email protected]", "[email protected]"],
+          "upgradePath": [],
+          "isUpgradable": false,
+          "isPatchable": false,
+          "name": "cxct",
+          "version": "0.0.1-security"
+        }
+      ],
+      "upgrade": {},
+      "patch": {},
+      "ignore": {},
+      "pin": {}
+    }
+  },
+  "meta": {
+    "isPrivate": true,
+    "isLicensesEnabled": false,
+    "licensesPolicy": { "severities": {}, "orgLicenseRules": {} },
+    "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n  SNYK-JS-CXCT-535487:\n    - '*':\n        reason: None Given\n        expires: 2100-12-13T14:20:21.158Z\n        created: 2017-11-13T14:20:21.163Z\n        source: cli\npatch: {}\n",
+    "ignoreSettings": null,
+    "org": "gitphill"
+  },
+  "filesystemPolicy": false
+}
diff --git a/test/jest/acceptance/cli-json-output.spec.ts b/test/jest/acceptance/cli-json-output.spec.ts
@@ -4,6 +4,7 @@ import { getServerPort } from '../util/getServerPort';
 import { runSnykCLI } from '../util/runSnykCLI';
 import { AppliedPolicyRules } from '../../../src/lib/formatters/types';
 import * as Parser from 'jsonparse';
+import { error } from 'console';
 
 jest.setTimeout(1000 * 60);
 
@@ -33,7 +34,7 @@ describe('test --json', () => {
     server.close(() => done());
   });
 
-  it('test with --json returns without error and with JSON return type when no vulns found', async () => {
+  it.only('test with --json returns without error and with JSON return type when no vulns found', async () => {
     const project = await createProjectFromWorkspace('fail-on/no-vulns');
     server.setCustomResponse(await project.readJSON('vulns-result.json'));
 
@@ -135,7 +136,7 @@ describe('test --json', () => {
     }, 120000);
   });
 
-  describe('when policy data is available', () => {
+  describe.only('when policy data is available', () => {
     it('includes a user note and reason', async () => {
       const project = await createProjectFromWorkspace(
         'npm-package-single-vuln',
@@ -164,5 +165,30 @@ describe('test --json', () => {
       expect(code).toEqual(1);
       expect(server.getRequests().length).toBeGreaterThanOrEqual(1);
     });
+
+    it('returns well structured json', async () => {
+      const project = await createProjectFromWorkspace(
+        'npm-package-single-ignored-vuln',
+      );
+      server.setCustomResponse(
+        await project.readJSON('test-graph-results.json'),
+      );
+
+      const { code, stdout } = await runSnykCLI(`test -d --json --log-level=trace`, {
+        cwd: project.path(),
+        env,
+      });
+
+      try {
+        const returnedJson = JSON.parse(stdout);
+
+        expect(returnedJson.vulnerabilities).toHaveLength(0);
+        expect(code).toEqual(0);
+        expect(server.getRequests().length).toBeGreaterThanOrEqual(1);
+      } catch (err) {
+        console.log(stdout)
+        throw err
+      }
+    });
   });
 });