integration: validate new Npm matching

Signed-off-by: Alfredo Deza <adeza@anchore.com>
2024-09-20 14:31:59 +00:00 · 2020-07-23 17:47:25 -04:00 · 2020-07-23 17:47:25 -04:00 · f66bf54d04
commit f66bf54d04
parent fa4abe79ec
3 changed files with 65 additions and 9 deletions
--- a/integration/db_mock_test.go
+++ b/integration/db_mock_test.go
@ -14,6 +14,15 @@ type mockStore struct {
 func NewMockDbStore() *mockStore {
 	return &mockStore{
 		backend: map[string]map[string][]db.Vulnerability{
+			"github:npm": {
+				"validator": []db.Vulnerability{
+					{
+						ID:                "CVE-javascript-validator",
+						VersionConstraint: "< 3.2.1",
+						VersionFormat:     "unknown",
+					},
+				},
+			},
 			"github:python": {
 				"Pygments": []db.Vulnerability{
 					{
--- a/integration/match_coverage_test.go
+++ b/integration/match_coverage_test.go
@ -1,6 +1,8 @@
 package integration

 import (
+	"testing"
+
 	"github.com/anchore/go-testutils"
 	"github.com/anchore/imgbom/imgbom/pkg"
 	"github.com/anchore/imgbom/imgbom/scope"
@ -9,7 +11,7 @@ import (
 	"github.com/anchore/vulnscan/vulnscan/match"
 	"github.com/anchore/vulnscan/vulnscan/result"
 	"github.com/anchore/vulnscan/vulnscan/vulnerability"
-	"testing"
+	"github.com/sergi/go-diff/diffmatchpatch"
 )

 func getPackagesByPath(t *testing.T, theScope scope.Scope, catalog *pkg.Catalog, thePath string) []*pkg.Package {
@ -24,6 +26,29 @@ func getPackagesByPath(t *testing.T, theScope scope.Scope, catalog *pkg.Catalog,
 	return catalog.PackagesByFile(refs[0])
 }

+func addJavascriptMatches(t *testing.T, theScope scope.Scope, catalog *pkg.Catalog, theStore *mockStore, theResult *result.Result) {
+	packages := getPackagesByPath(t, theScope, catalog, "/javascript/pkg-lock/package-lock.json")
+	if len(packages) != 1 {
+		t.Logf("Javascript Packages: %+v", packages)
+		t.Fatalf("problem with upstream imgbom cataloger (javascript)")
+	}
+	thePkg := packages[0]
+	theVuln := theStore.backend["github:npm"][thePkg.Name][0]
+	vulnObj, err := vulnerability.NewVulnerability(theVuln)
+	if err != nil {
+		t.Fatalf("failed to create vuln obj: %+v", err)
+	}
+	theResult.Add(thePkg, match.Match{
+		Type:            match.ExactDirectMatch,
+		Confidence:      1.0,
+		Vulnerability:   *vulnObj,
+		Package:         thePkg,
+		SearchKey:       "language[javascript] constraint[< 3.2.1 (unknown)]",
+		IndirectPackage: nil,
+		Matcher:         match.JavascriptMatcher,
+	})
+}
+
 func addPythonMatches(t *testing.T, theScope scope.Scope, catalog *pkg.Catalog, theStore *mockStore, theResult *result.Result) {
 	packages := getPackagesByPath(t, theScope, catalog, "/python/dist-info/METADATA")
 	if len(packages) != 1 {
@ -167,6 +192,7 @@ func TestPkgCoverageImage(t *testing.T) {
 				addRubyMatches(t, theScope, catalog, theStore, &expectedResults)
 				addJavaMatches(t, theScope, catalog, theStore, &expectedResults)
 				addDpkgMatches(t, theScope, catalog, theStore, &expectedResults)
+				addJavascriptMatches(t, theScope, catalog, theStore, &expectedResults)
 				return expectedResults
 			},
 		},
@ -201,24 +227,34 @@ func TestPkgCoverageImage(t *testing.T) {
 			expectedResults := test.expectedFn(*theScope, catalog, theStore)

 			// build expected match set...
-			expectedMatchSet := internal.NewStringSet()
-			expectedCount := 0
+			//expectedMatchSet := internal.NewStringSet()
+			expectedMatches := map[string]string{}
+			//expectedCount := 0
 			for eMatch := range expectedResults.Enumerate() {
-				expectedCount++
+				//expectedCount++
 				// NOTE: this does not include all fields...
-				expectedMatchSet.Add(eMatch.String())
+				//expectedMatchSet.Add(eMatch.String())
+				expectedMatches[eMatch.Package.Name] = eMatch.String()
 			}

+			expectedCount := len(expectedMatches)
+
 			// ensure that all matches are covered
 			actualCount := 0
 			for aMatch := range actualResults.Enumerate() {
 				actualCount++
 				observedMatchers.Add(aMatch.Matcher.String())
-
-				if !expectedMatchSet.Contains(aMatch.String()) {
-					// NOTE: this is not the same as comparing an expected sequence which would allow for detailed diffing
-					t.Errorf("Disjoint Match: %+v", aMatch)
+				value, ok := expectedMatches[aMatch.Package.Name]
+				if !ok {
+					t.Errorf("Package: %s was expected but not found", aMatch.Package.Name)
 				}
+
+				if value != aMatch.String() {
+					dmp := diffmatchpatch.New()
+					diffs := dmp.DiffMain(value, aMatch.String(), true)
+					t.Errorf("mismatched output:\n%s", dmp.DiffPrettyText(diffs))
+				}
+
 			}

 			if expectedCount != actualCount {
--- a/integration/test-fixtures/image-debian-match-coverage/javascript/pkg-lock/package-lock.json
+++ b/integration/test-fixtures/image-debian-match-coverage/javascript/pkg-lock/package-lock.json
@ -0,0 +1,11 @@
+{
+  "requires": true,
+  "lockfileVersion": 1,
+  "dependencies": {
+    "validator": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/validator/-/validator-1.0.0.tgz",
+      "integrity": "sha1-n4P1sZyZYjsC4uj6EerJzKux6GQ="
+    }
+  }
+}