From b31caa427946df808241624a181d6966a88fa5c8 Mon Sep 17 00:00:00 2001
From: Salim Bensiali
Date: Wed, 23 Mar 2022 07:58:15 +0000
Subject: [PATCH 1/3] Add failing tests for verified_commits.ts\'s `getAlert` function
---
 src/dependabot/verified_commits.test.ts | 44 +++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
diff --git a/src/dependabot/verified_commits.test.ts b/src/dependabot/verified_commits.test.ts
index cab6c82..2576b8a 100644
--- a/src/dependabot/verified_commits.test.ts
+++ b/src/dependabot/verified_commits.test.ts
@@ -134,11 +134,35 @@ const response = { } } +const responseWithManifestFileAtRoot = { + data: { + repository: { + vulnerabilityAlerts: { + nodes: [ + { + vulnerableManifestFilename: 'package.json', + vulnerableManifestPath: 'package.json', + vulnerableRequirements: '= 4.0.1', + state: 'DISMISSED', + securityVulnerability: { package: { name: 'coffee-script' } }, + securityAdvisory: { cvss: { score: 4.5 }, ghsaId: 'FOO' } + } + ] + } + } + } +} + test('it returns the alert state if it matches all 3', async () => { nock('https://api.github.com').post('/graphql', query) .reply(200, response) expect(await getAlert('coffee-script', '4.0.1', '/wwwroot', mockGitHubClient, mockGitHubPullContext())).toEqual({ alertState: 'DISMISSED', cvss: 4.5, ghsaId: 'FOO' }) + + nock('https://api.github.com').post('/graphql', query) + .reply(200, responseWithManifestFileAtRoot) + + expect(await getAlert('coffee-script', '4.0.1', '/', mockGitHubClient, mockGitHubPullContext())).toEqual({ alertState: 'DISMISSED', cvss: 4.5, ghsaId: 'FOO' }) }) test('it returns the alert state if it matches 2 and the version is blank', async () => {
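Review bot: The root-manifest assertions are appended to the existing `it returns the alert state if it matches all 3` test instead of being their own `test(...)` cases, so a failure is reported under the old test name and does not say which of the two scenarios broke; the same pattern repeats in the four hunks that follow (the "2 and the version is blank", "does not match the version", "does not match the directory" and "does not match the name" tests). Because nock interceptors are consumed in order, a failing first `expect` also leaves the second `/graphql` interceptor registered, where it can satisfy the next test's request unless a cleanup hook outside this hunk clears it. Moving each pair into a case such as `test('it returns the alert state when the manifest is at the repository root', async () => { … })` keeps one interceptor per test and a precise failure message. `responseWithManifestFileAtRoot` also looks like a copy of `response` (defined above this hunk) with only the two manifest fields changed; deriving it from `response` with a spread would keep the two fixtures in step.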
@@ -146,6 +170,11 @@ test('it returns the alert state if it matches 2 and the version is blank', asyn .reply(200, response) expect(await getAlert('coffee-script', '', '/wwwroot', mockGitHubClient, mockGitHubPullContext())).toEqual({ alertState: 'DISMISSED', cvss: 4.5, ghsaId: 'FOO' }) + + nock('https://api.github.com').post('/graphql', query) + .reply(200, responseWithManifestFileAtRoot) + + expect(await getAlert('coffee-script', '', '/', mockGitHubClient, mockGitHubPullContext())).toEqual({ alertState: 'DISMISSED', cvss: 4.5, ghsaId: 'FOO' }) }) test('it returns default if it does not match the version', async () => {
@@ -153,6 +182,11 @@ test('it returns default if it does not match the version', async () => { .reply(200, response) expect(await getAlert('coffee-script', '4.0.2', '/wwwroot', mockGitHubClient, mockGitHubPullContext())).toEqual({ alertState: '', cvss: 0, ghsaId: '' }) + + nock('https://api.github.com').post('/graphql', query) + .reply(200, responseWithManifestFileAtRoot) + + expect(await getAlert('coffee-script', '4.0.2', '/', mockGitHubClient, mockGitHubPullContext())).toEqual({ alertState: '', cvss: 0, ghsaId: '' }) }) test('it returns default if it does not match the directory', async () => {
@@ -160,6 +194,11 @@ test('it returns default if it does not match the directory', async () => { .reply(200, response) expect(await getAlert('coffee-script', '4.0.1', '/', mockGitHubClient, mockGitHubPullContext())).toEqual({ alertState: '', cvss: 0, ghsaId: '' }) + + nock('https://api.github.com').post('/graphql', query) + .reply(200, responseWithManifestFileAtRoot) + + expect(await getAlert('coffee-script', '4.0.1', '/wwwroot', mockGitHubClient, mockGitHubPullContext())).toEqual({ alertState: '', cvss: 0, ghsaId: '' }) }) test('it returns default if it does not match the name', async () => {
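Review bot: The `it returns default if it does not match the directory` hunk adds only the root-fixture-versus-`/wwwroot` negative case; nothing in this series feeds `getAlert` a directory with a trailing slash such as `/wwwroot/` or a nested path, which is exactly the input the companion change in patch 2 treats differently (it now builds `${directory}/${a.vulnerableManifestFilename}` before trimming, so a trailing slash yields an inner `//` that, per the `trimSlashes should only trim slashes from both ends` test, is not removed). If trailing-slash directories are meant to match, as the previous `trimSlashes(directory)` form allowed, add `expect(await getAlert('coffee-script', '4.0.1', '/wwwroot/', mockGitHubClient, mockGitHubPullContext())).toEqual({ alertState: 'DISMISSED', cvss: 4.5, ghsaId: 'FOO' })` against the existing `response` fixture in the "matches all 3" test; if they are not, a negative case in this hunk pins that decision so the behaviour cannot drift silently.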
@@ -167,6 +206,11 @@ test('it returns default if it does not match the name', async () => { .reply(200, response) expect(await getAlert('coffee', '4.0.1', '/wwwroot', mockGitHubClient, mockGitHubPullContext())).toEqual({ alertState: '', cvss: 0, ghsaId: '' }) + + nock('https://api.github.com').post('/graphql', query) + .reply(200, responseWithManifestFileAtRoot) + + expect(await getAlert('coffee', '4.0.1', '/', mockGitHubClient, mockGitHubPullContext())).toEqual({ alertState: '', cvss: 0, ghsaId: '' }) }) test('trimSlashes should only trim slashes from both ends', () => {
From 50776e552465ab8604643a02d885cafa21201b9d Mon Sep 17 00:00:00 2001
From: Salim Bensiali
Date: Thu, 24 Mar 2022 07:12:47 +0000
Subject: [PATCH 2/3] Call `trimSlashes` on the computed manifest path instead of on just `directory`
---
 src/dependabot/verified_commits.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/dependabot/verified_commits.ts b/src/dependabot/verified_commits.ts
index 7c3a692..4e9cb99 100644
--- a/src/dependabot/verified_commits.ts
+++ b/src/dependabot/verified_commits.ts
@@ -78,7 +78,7 @@ export async function getAlert (name: string, version: string, directory: string const nodes = alerts?.repository?.vulnerabilityAlerts?.nodes const found = nodes.find(a => (version === '' || a.vulnerableRequirements === `= ${version}`) && - trimSlashes(a.vulnerableManifestPath) === `${trimSlashes(directory)}/${a.vulnerableManifestFilename}` && + trimSlashes(a.vulnerableManifestPath) === trimSlashes(`${directory}/${a.vulnerableManifestFilename}`) && a.securityVulnerability.package.name === name) return {
From aa4ffba345be99ce50416118e38921fea1fbc835 Mon Sep 17 00:00:00 2001
From: Salim Bensiali
Date: Wed, 30 Mar 2022 05:12:13 +1000
Subject: [PATCH 3/3] Update dist
---
 dist/index.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dist/index.js b/dist/index.js
index 0673d59..81a1ec5 100644
--- a/dist/index.js
+++ b/dist/index.js
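Review bot: `trimSlashes(\`${directory}/${a.vulnerableManifestFilename}\`)` on the added line of the `verified_commits.ts` hunk fixes the root-directory case but no longer normalises a `directory` that arrives with a trailing slash: `/wwwroot/` becomes `/wwwroot//package.json`, and per the test `trimSlashes should only trim slashes from both ends` the inner `//` survives, so the comparison fails where the replaced `${trimSlashes(directory)}/…` form matched. Trimming both pieces covers the root and the trailing-slash inputs, `trimSlashes(a.vulnerableManifestPath) === trimSlashes(\`${trimSlashes(directory)}/${a.vulnerableManifestFilename}\`) &&`. A miss here is silent: the tests in patch 1 show the fall-through result is `{ alertState: '', cvss: 0, ghsaId: '' }`, i.e. the pull request is treated as having no matching alert, which is the wrong default for a security update. Separately, the context line `nodes.find(...)` dereferences `nodes` obtained through optional chaining without a guard, so a payload with no `vulnerabilityAlerts` would throw rather than return that default; the enclosing `getAlert` starts and ends outside this hunk.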
@@ -9218,7 +9218,7 @@ function getAlert(name, version, directory, client, context) { }`); const nodes = (_b = (_a = alerts === null || alerts === void 0 ? void 0 : alerts.repository) === null || _a === void 0 ? void 0 : _a.vulnerabilityAlerts) === null || _b === void 0 ? void 0 : _b.nodes; const found = nodes.find(a => (version === '' || a.vulnerableRequirements === `= ${version}`) && - trimSlashes(a.vulnerableManifestPath) === `${trimSlashes(directory)}/${a.vulnerableManifestFilename}` && + trimSlashes(a.vulnerableManifestPath) === trimSlashes(`${directory}/${a.vulnerableManifestFilename}`) && a.securityVulnerability.package.name === name); return { alertState: (_c = found === null || found === void 0 ? void 0 : found.state) !== null && _c !== void 0 ? _c : '',