From b5f4f83e3e38cb6583705ab367481e1ba37e0f0a Mon Sep 17 00:00:00 2001 From: Casey Marshall Date: Wed, 10 Jul 2024 14:30:58 -0500 Subject: [PATCH] fix: make dotnet acceptance test resilient to system lib vulns A dotnet 8.0.0 vulnerability was discovered on 2024-07-09 which caused dotnet acceptance tests to fail on platforms with the vulnerable version installed. While the toolchain could be updated, the test can be made more robust to future reoccurances of dotnet system vulns. For this test we care more about the operation of the test command rather than its findings, so we can test for consistency between exit code and test output instead. In updating this test, a defect was discovered in the dotnet plugin which corrupts json output. The test works around this, but it will require a dotnet plugin upgrade as a followup to mitigate user impact. # Please enter the commit message for your changes. Lines starting # with '#' will be ignored, and an empty message aborts the commit. # # On branch fix/dotnet-test-fail-20240710 # Changes to be committed: # modified: test/jest/acceptance/snyk-test/basic-test-all-languages.spec.ts # # Untracked files: # distroless-main-jq.json # distroless-main.json # distroless-pr.json # junit.xml # monitor-json-compare.bash # snyk-linux-monitor-main-1.jq.json # snyk-linux-monitor-main-1.json # snyk-linux-monitor-main-2.jq.json # snyk-linux-monitor-main-2.json # snyk-linux-monitor-main.json # snyk-linux-monitor-pr.json # snyk-linux-test-main.json # test.env # test/acceptance/workspaces/swift-app/.build/ # test/acceptance/workspaces/swift/.build/ # test/fixtures/find-files/swift/test.build/.build/ # --- .../basic-test-all-languages.spec.ts | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/test/jest/acceptance/snyk-test/basic-test-all-languages.spec.ts b/test/jest/acceptance/snyk-test/basic-test-all-languages.spec.ts
index 484d670854..270e063306 100644
--- a/test/jest/acceptance/snyk-test/basic-test-all-languages.spec.ts
+++ b/test/jest/acceptance/snyk-test/basic-test-all-languages.spec.ts
@@ -240,19 +240,32 @@ describe('`snyk test` of basic projects for each language/ecosystem', () => {
 }
 const { code, stderr, stdout } = await runSnykCLI(
- 'test -d --dotnet-runtime-resolution',
+ 'test --dotnet-runtime-resolution --json',
 {
 cwd: project.path(),
 },
 );
- if (code !== 0) {
+ // Debug output on an unexpected exit code
+ if (code !== 0 && code !== 1) {
 console.debug(stderr);
 console.debug('---------------------------');
 console.debug(stdout);
 }
- expect(code).toEqual(0);
+ // Expect an exit code of 0 or 1. Exit code 1 is possible if a new
+ // vulnerability is discovered in the installed version of dotnet's system
+ // libraries.
+ expect([0, 1]).toContain(code);
+
+ // Note: dotnet plugin can print a warning about runtime resolution, which breaks JSON output.
+ // This replacement regex is a temporary workaround until the dotnet plugin can be fixed.
+ const sanitizedStdout = stdout.replace(/^[\s\S]*?{/, '{');
+ const result = JSON.parse(sanitizedStdout);
+ expect(result?.ok).toBeDefined();
+
+ // Expect 'ok' to be true if exit 0, false if exit 1.
+ expect(result.ok).toBe(code === 0);
 },
 );
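Review bot: The sanitizing regex `/^[\s\S]*?{/` cuts at the first `{` anywhere in stdout, so if the plugin warning it works around ever contains a brace, part of the warning survives and `JSON.parse(sanitizedStdout)` throws a SyntaxError that hides the real problem behind an opaque parse failure. Since `--json` output appears to start its document with `{` on its own line, anchoring on that and asserting it was found gives a clearer failure: `const jsonStart = stdout.search(/^\{/m); expect(jsonStart).toBeGreaterThanOrEqual(0); const result = JSON.parse(stdout.slice(jsonStart));`. Dropping `-d` from the command also means the `console.debug(stderr)` dump on an unexpected exit code carries less diagnostic output than before, which deserves a comment if intentional. Because exit 1 is now accepted, consider also asserting that `ok === false` comes with a non-empty findings list in the parsed JSON (presumably the `vulnerabilities` array for this ecosystem — verify), so a plugin that reports nothing cannot pass as a clean run. The enclosing test callback begins before this hunk and the `describe` block ends after it.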