👷 ✅ Added CI Pipeline & Unit Tests (#5)

* ➕ Added github.com/stretchr/testify

* ✅ Added Test for FindVulnerableCallSite

* 👷 Added Unit Testing to Pipeline

Also renamed file to be more reflective of that change

* 🔥 Removed all action description

* ✅ Implemented RemoveDuplicates Test

* ♻️ Simplified Error handling of UploadReport

* ✅ Created Test for UploadReport

* ➕ Added mock package

* ♻️ Using mock pkg now in test

* 🔧 Updated Names of steps

* ♻️ Workdir is provided now

* ⚰️ Removed unused function

* ✨ Workdir is provided by main now

* ✅ Added Test for Sarif Reporter

* 🔧 Added Code Coverage to CI Pipeline

.github/workflows/ci.yml

@@ -0,0 +1,49 @@
+name: Build
+on: [push, pull_request]
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          # We must fetch at least the immediate parents so that if this is
+          # a pull request then we can checkout the head.
+          fetch-depth: 2
+      # If this run was triggered by a pull request event, then checkout
+      # the head of the pull request instead of the merge commit.
+      - run: git checkout HEAD^2
+        if: ${{ github.event_name == 'pull_request' }}
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: 1.19
+      - name: Compile Action
+        run: go build -v ./...
+  unit-testing:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          # We must fetch at least the immediate parents so that if this is
+          # a pull request then we can checkout the head.
+          fetch-depth: 2
+      # If this run was triggered by a pull request event, then checkout
+      # the head of the pull request instead of the merge commit.
+      - run: git checkout HEAD^2
+        if: ${{ github.event_name == 'pull_request' }}
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: 1.19
+      - name: Run Unit Test with Racecondition Detector
+        run: go test -race ./...
+      - name: Run Unit Tests with Coverage
+        run: go test -coverprofile=coverage.txt -covermode=atomic -v ./...
+      - name: Upload coverage to Codecov
+        uses: codecov/codecov-action@v3
+        with:
+          # token is not needed for public repositories
+          files: coverage.txt
+          flags: unit-tests
+          name: codecov-action
+          fail_ci_if_error: false

go.mod

@@ -5,20 +5,25 @@ go 1.19
 require golang.org/x/vuln v0.0.0-20220914160157-cac67f5c7c81
 
 require (
+	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/mattn/go-colorable v0.1.12 // indirect
 	github.com/mattn/go-isatty v0.0.14 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/stretchr/objx v0.4.0 // indirect
 	golang.org/x/crypto v0.0.0-20210921155107-089bfa567519 // indirect
 	golang.org/x/net v0.0.0-20220722155237-a158d28d115b // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/protobuf v1.28.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
 
 require (
 	github.com/google/go-github/v47 v47.0.0
 	github.com/owenrumney/go-sarif/v2 v2.1.2
 	github.com/rs/zerolog v1.28.0
+	github.com/stretchr/testify v1.8.0
 	golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e // indirect
 	golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
 	golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1

go.sum

@@ -36,8 +36,13 @@ github.com/rs/xid v1.4.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
 github.com/rs/zerolog v1.28.0 h1:MirSo27VyNi7RJYP3078AA1+Cyzd2GB66qy3aUHvsWY=
 github.com/rs/zerolog v1.28.0/go.mod h1:NILgTygv/Uej1ra5XxGf82ZFSLk58MFGAUS2o6usyD0=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0 h1:M2gUjqZET1qApGOWNSnZ49BAIMX4F/1plDv3+l31EJ4=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/vmihailenco/msgpack/v4 v4.3.12/go.mod h1:gborTTJjAo/GWTqqRjrLCn9pgNN+NXzzngzBKDPIqw4=
 github.com/vmihailenco/tagparser v0.1.1/go.mod h1:OeAg3pn3UbLjkWt+rN9oFYB6u/cQgqMEUPoW2WPyhdI=
 github.com/zclconf/go-cty v1.10.0/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
@@ -79,5 +84,7 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.2.2 h1:MNh1AVMyVX23VUHE2O27jm6lNj3vjO5DexS4A1xvnzk=
 mvdan.cc/unparam v0.0.0-20211214103731-d0ef000c54e5 h1:Jh3LAeMt1eGpxomyu3jVkmVZWW2MxZ1qIIV2TZ/nRio=

main.go

@@ -13,16 +13,17 @@ import (
 
 func main() {
 	zerolog.SetGlobalLevel(zerolog.InfoLevel)
-
 	logger := zerolog.New(zerolog.ConsoleWriter{Out: os.Stdout, TimeFormat: zerolog.TimeFormatUnix}).
 		With().
 		Timestamp().
 		Logger() // Main Logger
 
-	reporter := sarif.NewSarifReporter(logger)
+	workDir, _ := os.Getwd()
+
 	github := github.NewSarifUploader(logger)
-	scanner := vulncheck.NewScanner(logger)
-	processor := action.NewVulncheckProcessor()
+	reporter := sarif.NewSarifReporter(logger, workDir)
+	scanner := vulncheck.NewScanner(logger, workDir)
+	processor := action.NewVulncheckProcessor(workDir)
 
 	if os.Getenv("DEBUG") == "true" {
 		zerolog.SetGlobalLevel(zerolog.DebugLevel)

pkg/action/preprocessor.go

@@ -1,7 +1,6 @@
 package action
 
 import (
-	"os"
 	"strings"
 
 	"github.com/Templum/govulncheck-action/pkg/types"
@@ -12,9 +11,7 @@ type VulncheckProcessor struct {
 	workDir string
 }
 
-func NewVulncheckProcessor() *VulncheckProcessor {
-	workDir, _ := os.Getwd()
-
+func NewVulncheckProcessor(workDir string) *VulncheckProcessor {
 	return &VulncheckProcessor{
 		workDir: workDir,
 	}

pkg/action/preprocessor_test.go

@@ -0,0 +1,152 @@
+package action
+
+import (
+	"go/token"
+	"path"
+	"testing"
+
+	"github.com/Templum/govulncheck-action/pkg/types"
+	helper "github.com/Templum/govulncheck-action/pkg/vulncheck"
+	"github.com/rs/zerolog"
+	"github.com/stretchr/testify/assert"
+	"golang.org/x/vuln/vulncheck"
+)
+
+func TestFindVulnerableCallSite(t *testing.T) {
+	userCallSite := vulncheck.StackEntry{
+		Function: &vulncheck.FuncNode{
+			ID:       2,
+			Name:     "Testcase",
+			RecvType: "",
+			PkgPath:  "github.com/Templum/playground/pkg/json",
+			Pos: &token.Position{
+				Filename: "/workspaces/unit/pkg/json/testcase.go",
+				Offset:   130,
+				Line:     10,
+				Column:   6,
+			},
+			CallSites: []*vulncheck.CallSite{}, // Not needed for this function
+		},
+		Call: &vulncheck.CallSite{
+			Parent:   2,
+			Name:     "Get",
+			RecvType: "",
+			Resolved: true,
+			Pos: &token.Position{
+				Filename: "/workspaces/unit/pkg/json/testcase.go",
+				Offset:   162,
+				Line:     11,
+				Column:   20,
+			},
+		},
+	}
+
+	stack := []vulncheck.StackEntry{
+		userCallSite,
+		{
+			Function: &vulncheck.FuncNode{
+				ID:       12,
+				Name:     "Get",
+				RecvType: "",
+				PkgPath:  "github.com/tidwall/gjson",
+				Pos: &token.Position{
+					Filename: "/go/pkg/mod/github.com/tidwall/[email protected]/gjson.go",
+					Offset:   37859,
+					Line:     1873,
+					Column:   6,
+				},
+				CallSites: []*vulncheck.CallSite{}, // Not needed for this function
+			},
+			Call: &vulncheck.CallSite{
+				Parent:   12,
+				Name:     "parseObject",
+				RecvType: "",
+				Resolved: true,
+				Pos: &token.Position{
+					Filename: "/go/pkg/mod/github.com/tidwall/[email protected]/gjson.go",
+					Offset:   39894,
+					Line:     1963,
+					Column:   16,
+				},
+			},
+		},
+		{
+			Function: &vulncheck.FuncNode{
+				ID:       16,
+				Name:     "parseObject",
+				RecvType: "",
+				PkgPath:  "github.com/tidwall/gjson",
+				Pos: &token.Position{
+					Filename: "/go/pkg/mod/github.com/tidwall/[email protected]/gjson.go",
+					Offset:   21927,
+					Line:     1114,
+					Column:   2,
+				},
+				CallSites: []*vulncheck.CallSite{}, // Not needed for this function
+			},
+			Call: nil,
+		}, // Vulnerability
+	}
+
+	t.Run("should return empty entry if nothing is found", func(t *testing.T) {
+		callSite := FindVulnerableCallSite("/workspaces/other", stack)
+
+		assert.Nil(t, callSite.Call, "should have no call")
+		assert.Nil(t, callSite.Function, "should have no function")
+	})
+
+	t.Run("should return first calling site located in user code", func(t *testing.T) {
+		callSite := FindVulnerableCallSite("/workspaces/unit", stack)
+
+		assert.NotNil(t, callSite.Call, "should have a call")
+		assert.NotNil(t, callSite.Function, "should have a function")
+		assert.Equal(t, userCallSite, callSite, "should find the correct call site")
+	})
+}
+
+func CalculateTotalFindings(input types.VulnerableStacks) int {
+	output := 0
+
+	for _, findings := range input {
+		output += len(findings)
+	}
+
+	return output
+}
+
+func TestVulncheckProcessor_RemoveDuplicates(t *testing.T) {
+	scanner := helper.NewLocalScanner(zerolog.Nop(), path.Join("..", "..", "hack", "found.json"))
+	result, _ := scanner.Scan()
+	input := helper.Resolve(result)
+
+	hasDuplicateCallsites := make(types.VulnerableStacks)
+	hasDuplicateVuln := make(types.VulnerableStacks)
+
+	for key, value := range input {
+		if key.OSV.ID == "GO-2021-0113" {
+			hasDuplicateVuln[key] = value
+		}
+
+		if key.OSV.ID == "GO-2021-0061" && key.Symbol == "decoder.unmarshal" {
+			hasDuplicateCallsites[key] = value
+		}
+	}
+
+	t.Run("should remove duplicates which are called from the same site", func(t *testing.T) {
+		target := NewVulncheckProcessor("/workspaces/govulncheck-action")
+		reduced := target.RemoveDuplicates(hasDuplicateCallsites)
+
+		assert.NotNil(t, reduced, "should not be nil")
+		assert.Equal(t, len(reduced), len(hasDuplicateCallsites), "should have same amount of entries")
+		assert.Less(t, CalculateTotalFindings(reduced), CalculateTotalFindings(hasDuplicateCallsites), "reduced should be less after removal of duplicates")
+	})
+
+	t.Run("should remove duplicates which are for the same vulnerability", func(t *testing.T) {
+		target := NewVulncheckProcessor("/workspaces/govulncheck-action")
+		reduced := target.RemoveDuplicates(hasDuplicateVuln)
+
+		assert.NotNil(t, reduced, "should not be nil")
+		assert.Less(t, len(reduced), len(hasDuplicateVuln), "should only have one entry now")
+		assert.Less(t, CalculateTotalFindings(reduced), CalculateTotalFindings(hasDuplicateVuln), "reduced should be less after removal of duplicates")
+	})
+}

pkg/github/sarif_report.go

@@ -7,7 +7,6 @@ import (
 	"context"
 	"encoding/base64"
 	"encoding/json"
-	"errors"
 	"os"
 	"strings"
 
@@ -74,11 +73,7 @@ func (g *GithubSarifUploader) UploadReport(report types.Reporter) error {
 		return nil
 	}
 
-	if err != nil {
-		return err
-	}
-
-	return errors.New("unexpected response from github")
+	return err
 }
 
 func (g *GithubSarifUploader) prepareReport(report types.Reporter) (string, error) {