add small test suite to twistlock action (#59)

* add small test suite to twistlock aciton

* build dist

.github/workflows/checks.yml

@@ -29,3 +29,13 @@ jobs:
       - uses: volta-cli/action@v1
       - run: yarn
       - run: yarn problems
+
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v1
+      - uses: volta-cli/action@v1
+      - run: yarn
+      - run: yarn workspace @resideo/twistlock-action test

package.json

@@ -28,14 +28,18 @@
     "lint": "eslint \"**/*.{js,ts}*\""
   },
   "devDependencies": {
+    "@effection/jest": "^2.0.2",
     "@resideo/eslint-config-typescript": "^0.0.6",
     "@resideo/tsconfig": "^0.0.5",
+    "@types/jest": "^28.1.6",
     "@typescript-eslint/eslint-plugin": "^2.18.0",
     "@typescript-eslint/parser": "^2.18.0",
     "eslint": "^6.7.2",
+    "jest": "^28.1.3",
     "lerna": "^3.20.2",
     "npm-run-all": "^4.1.5",
     "prettier": "^2.6.1",
+    "ts-jest": "^28.0.7",
     "typescript": "^4.4.3"
   },
   "resolutions": {

twistlock/_tests_/fixtures.ts

@@ -0,0 +1,109 @@
+export const imageScanResult = {
+  results: [
+    {
+      packages: [
+        {
+          type: "nodejs",
+          name: "minimatch",
+          version: "4.2.1",
+          path: "/home/node/app/node_modules/@graphql-codegen/cli/node_modules/minimatch",
+          licenses: ["ISC"],
+        },
+
+        {
+          type: "nodejs",
+          name: "minimatch",
+          version: "3.0.4",
+          path: "/usr/local/lib/node_modules/npm/node_modules/minimatch",
+          licenses: ["ISC"],
+        },
+        {
+          type: "nodejs",
+          name: "minimatch",
+          version: "3.0.4",
+          path: "/home/node/app/node_modules/minimatch",
+          licenses: ["ISC"],
+        },
+      ],
+      applications: [
+        {
+          name: "node",
+          version: "14.20.0",
+          path: "/usr/local/bin/node",
+        },
+      ],
+      compliances: [
+        {
+          id: 425,
+          title: "Private keys stored in image",
+          severity: "high",
+          cause:
+            "Found: /home/node/app/apps/template/node_modules/agent-base/test/ssl-cert-snakeoil.key",
+          layerTime: "1970-01-01T00:00:00Z",
+          category: "Twistlock Labs",
+        },
+      ],
+      complianceDistribution: {
+        critical: 0,
+        high: 1,
+        medium: 0,
+        low: 0,
+        total: 1,
+      },
+      complianceScanPassed: false,
+      vulnerabilities: [
+        {
+          id: "PRISMA-2022-0039",
+          status: "fixed in 3.0.5",
+          cvss: 7.5,
+          description:
+            "minimatch package versions before 3.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS). It\\'s possible to cause a denial of service when calling function braceExpand (The regex /\\\\{.*\\\\}/ is vulnerable and can be exploited).",
+          severity: "high",
+          packageName: "minimatch",
+          packageVersion: "3.0.4",
+          link: "https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6",
+          riskFactors: ["DoS", "Has fix", "High severity"],
+          impactedVersions: ["\u003c3.0.5"],
+          publishedDate: "2022-02-21T09:51:41Z",
+          discoveredDate: "2022-07-29T21:05:04Z",
+          graceDays: -128,
+          fixDate: "2022-02-21T09:51:41Z",
+          layerTime: "2022-07-12T01:20:10Z",
+        },
+        {
+          id: "CVE-2021-3807",
+          status: "fixed in 3.0.1, 4.1.1, 5.0.1, 6.0.1",
+          cvss: 7,
+          vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+          description:
+            "ansi-regex is vulnerable to Inefficient Regular Expression Complexity",
+          severity: "high",
+          packageName: "ansi-regex",
+          packageVersion: "4.1.0",
+          link: "https://github.com/advisories/GHSA-93q8-gq69-wqmw",
+          riskFactors: [
+            "High severity",
+            "Recent vulnerability",
+            "Attack complexity: low",
+            "Attack vector: network",
+            "Has fix",
+          ],
+          impactedVersions: ["\u003c4.1.1", "\u003e=4.0.0"],
+          publishedDate: "2021-09-17T07:15:00Z",
+          discoveredDate: "2022-07-29T21:05:04Z",
+          graceDays: -282,
+          fixDate: "2021-09-20T20:20:09Z",
+          layerTime: "2022-07-12T01:20:10Z",
+        },
+      ],
+      vulnerabilityDistribution: {
+        critical: 0,
+        high: 3,
+        medium: 2,
+        low: 2,
+        total: 7,
+      },
+      vulnerabilityScanPassed: false,
+    },
+  ],
+};

twistlock/_tests_/image.test.ts

@@ -0,0 +1,44 @@
+import { it } from "@effection/jest";
+import { imageScanResult } from "./fixtures";
+
+import { yarnWhyAll, sortAndCategorize } from "../src/yarnWhyFormat";
+
+describe("image scan", () => {
+  const repositoryPath = ["/home/node"];
+  it("yarnWhyAll", function* () {
+    const { vulnerabilities, packages: packageList } =
+      imageScanResult.results[0];
+    const { packagesToDisplay, skipPackageMessage } = yield yarnWhyAll({
+      vulnerabilities,
+      packageList,
+      repositoryPath,
+      logging: false,
+      runYarnWhy: false,
+    });
+    expect(packagesToDisplay[0].allInstances).toEqual([
+      "4.2.1 at /home/node/app/node_modules/@graphql-codegen/cli/node_modules/minimatch",
+      "3.0.4 at /usr/local/lib/node_modules/npm/node_modules/minimatch",
+      "3.0.4 at /home/node/app/node_modules/minimatch",
+    ]);
+    expect(skipPackageMessage).toBe("");
+  });
+
+  it("sortAndCategorize", function* () {
+    const { vulnerabilities, packages: packageList } =
+      imageScanResult.results[0];
+    const { packagesToDisplay } = yield yarnWhyAll({
+      vulnerabilities,
+      packageList,
+      repositoryPath,
+      logging: false,
+      runYarnWhy: false,
+    });
+
+    const sorted = sortAndCategorize(packagesToDisplay, repositoryPath);
+
+    // expect(JSON.stringify(sorted, null, 2)).toBe("");
+    expect(sorted[1].severity).toBe("high");
+    expect(sorted[1].packages[0].packageName).toBe("minimatch");
+    expect(sorted[1].packages[0].packageVersion).toBe("3.0.4");
+  });
+});

twistlock/dist/_tests_/fixtures.d.ts

@@ -0,0 +1,76 @@
+export declare const imageScanResult: {
+    results: {
+        packages: {
+            type: string;
+            name: string;
+            version: string;
+            path: string;
+            licenses: string[];
+        }[];
+        applications: {
+            name: string;
+            version: string;
+            path: string;
+        }[];
+        compliances: {
+            id: number;
+            title: string;
+            severity: string;
+            cause: string;
+            layerTime: string;
+            category: string;
+        }[];
+        complianceDistribution: {
+            critical: number;
+            high: number;
+            medium: number;
+            low: number;
+            total: number;
+        };
+        complianceScanPassed: boolean;
+        vulnerabilities: ({
+            id: string;
+            status: string;
+            cvss: number;
+            description: string;
+            severity: string;
+            packageName: string;
+            packageVersion: string;
+            link: string;
+            riskFactors: string[];
+            impactedVersions: string[];
+            publishedDate: string;
+            discoveredDate: string;
+            graceDays: number;
+            fixDate: string;
+            layerTime: string;
+            vector?: undefined;
+        } | {
+            id: string;
+            status: string;
+            cvss: number;
+            vector: string;
+            description: string;
+            severity: string;
+            packageName: string;
+            packageVersion: string;
+            link: string;
+            riskFactors: string[];
+            impactedVersions: string[];
+            publishedDate: string;
+            discoveredDate: string;
+            graceDays: number;
+            fixDate: string;
+            layerTime: string;
+        })[];
+        vulnerabilityDistribution: {
+            critical: number;
+            high: number;
+            medium: number;
+            low: number;
+            total: number;
+        };
+        vulnerabilityScanPassed: boolean;
+    }[];
+};
+//# sourceMappingURL=fixtures.d.ts.map

twistlock/dist/_tests_/image.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=image.test.d.ts.map

twistlock/dist/src/yarnWhyFormat.d.ts

@@ -8,6 +8,22 @@ export interface VulnerabilitiesCategorized {
     severity: string;
     packages: VulnerabilityTagged[];
 }
+export declare const yarnWhyAll: ({ vulnerabilities, packageList, repositoryPath, logging, runYarnWhy, }: {
+    vulnerabilities: any;
+    packageList: any;
+    repositoryPath: any;
+    logging?: boolean | undefined;
+    runYarnWhy?: boolean | undefined;
+}) => Generator<import("effection").Operation<void[]>, {
+    packagesToDisplay: VulnerabilityTagged[];
+    packagesToSkip: Vulnerability[];
+    skipPackageMessage: string;
+}, unknown>;
+export declare const withinPathScope: (scanPathScope: string[], pkg: VulnerabilityTagged) => boolean;
+export declare const sortAndCategorize: (afterYarnWhy: any, scanPathScope: any) => {
+    severity: string;
+    packages: VulnerabilityTagged[];
+}[];
 export declare function yarnWhyFormat({ vulnerabilities, packageList, repositoryPath, scanPathScope, }: {
     vulnerabilities: any;
     packageList: any;

twistlock/jest.config.js

@@ -0,0 +1,9 @@
+module.exports = {
+  preset: "ts-jest",
+  testEnvironment: "node",
+  globals: {
+    "ts-jest": {
+      tsconfig: "tsconfig.json",
+    },
+  },
+};

twistlock/package.json

@@ -6,7 +6,8 @@
   "scripts": {
     "build": "ncc build index.ts --minify",
     "watch": "yarn build --watch",
-    "problems": "tsc --noEmit"
+    "problems": "tsc --noEmit",
+    "test": "jest"
   },
   "dependencies": {
     "@actions/artifact": "^1.0.0",