From 5096cf2fd56b5913a6a73272ed678fa51887f863 Mon Sep 17 00:00:00 2001
From: AlvoBen
Date: Mon, 1 Apr 2024 16:56:02 +0300
Subject: [PATCH 1/6] add package manager types
---
 internal/commands/scarealtime/sca-realtime-utils.go | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/internal/commands/scarealtime/sca-realtime-utils.go b/internal/commands/scarealtime/sca-realtime-utils.go
index 02d119c66..dd0d8336f 100644
--- a/internal/commands/scarealtime/sca-realtime-utils.go
+++ b/internal/commands/scarealtime/sca-realtime-utils.go
@@ -22,6 +22,7 @@ var GetPackageManagerFromResolvingModuleType = map[string]string{
 "composer": "Php",
 "gomodules": "Go",
 "pip": "Python",
+ "poetry": "Python",
 "rubygems": "Ruby",
 "npm": "Npm",
 "yarn": "Npm",
@@ -34,6 +35,8 @@ var GetPackageManagerFromResolvingModuleType = map[string]string{
 "swiftpm": "Ios",
 "carthage": "Ios",
 "cocoapods": "Ios",
+ "nuget": "Nuget",
+ "cpp": "Cpp",
 }
 // downloadSCAResolverAndHashFileIfNeeded Downloads SCA Realtime if it is not downloaded yet
From 67ca6cb1d34ea1157d0a9e3b060183e90f904c0a Mon Sep 17 00:00:00 2001
From: AlvoBen
Date: Tue, 2 Apr 2024 09:53:12 +0300
Subject: [PATCH 2/6] add unit test
---
 internal/commands/scarealtime/sca-realtime.go | 59 +++++++++++--------
 .../commands/scarealtime/sca-realtime_test.go | 35 +++++++++++
 2 files changed, 68 insertions(+), 26 deletions(-)
diff --git a/internal/commands/scarealtime/sca-realtime.go b/internal/commands/scarealtime/sca-realtime.go
index 72b589185..8c23a3780 100644
--- a/internal/commands/scarealtime/sca-realtime.go
+++ b/internal/commands/scarealtime/sca-realtime.go
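Review bot: The new entries `"poetry": "Python"`, `"nuget": "Nuget"` and `"cpp": "Cpp"` are looked up after `strings.ToLower` on the caller side (visible in PATCH 2/6), so lower-case keys are right, but the values become the `PackageManager` field sent to the SCA API and nothing on the page confirms that `Nuget` and `Cpp` are identifiers the service accepts; that contract deserves a sentence in a comment on the map. The map declaration begins above this hunk and carries no doc comment; something like `// GetPackageManagerFromResolvingModuleType maps a lower-cased resolver module type to the package-manager name expected by the SCA realtime API.` would make the lookup contract explicit. The `Get` prefix on a plain map variable reads like a getter function; a name such as `packageManagerByModuleType` would be more idiomatic, though renaming touches callers outside this hunk.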
@@ -130,33 +130,9 @@ func GetSCAVulnerabilities(scaRealTimeWrapper wrappers.ScaRealTimeWrapper) error
 var scaRealtimeScanErrors []wrappers.ScaRealtimeScanError
 for _, dependencyResolutionResult := range scaResolverResults.DependencyResolutionResults {
- // We're using a map to avoid adding repeated packages in request body
- dependencyMap := make(map[string]wrappers.ScaDependencyBodyRequest)
-
- for i := range dependencyResolutionResult.Dependencies {
- var dependency = dependencyResolutionResult.Dependencies[i]
- var packageManager = GetPackageManagerFromResolvingModuleType[strings.ToLower(dependency.ResolvingModuleType)]
- // if no package manager is found uses the resolving module type
- if packageManager == "" {
- packageManager = strings.ToLower(dependency.ResolvingModuleType)
- }
-
- dependencyMap[dependency.ID.NodeID] = wrappers.ScaDependencyBodyRequest{
- PackageName: dependency.ID.Name,
- Version: dependency.ID.Version,
- PackageManager: packageManager,
- }
- if len(dependency.Children) > 0 {
- for _, dependencyChildren := range dependency.Children {
- dependencyMap[dependencyChildren.NodeID] = wrappers.ScaDependencyBodyRequest{
- PackageName: dependencyChildren.Name,
- Version: dependencyChildren.Version,
- PackageManager: packageManager,
- }
- }
- }
- }
+ // We're using a map to avoid adding repeated packages in request body
+ dependencyMap := createDependencyMapFromDependencyResolution(&dependencyResolutionResult)
 // Get all ScaDependencyBodyRequest from the map to call SCA API
 var bodyRequest []wrappers.ScaDependencyBodyRequest
@@ -211,6 +187,37 @@ func GetSCAVulnerabilities(scaRealTimeWrapper wrappers.ScaRealTimeWrapper) error
 return nil
 }
+func createDependencyMapFromDependencyResolution(dependencyResolutionResult *DependencyResolution) map[string]wrappers.ScaDependencyBodyRequest {
+ // We're using a map to avoid adding repeated packages in request body
+ dependencyMap := make(map[string]wrappers.ScaDependencyBodyRequest)
+
+ for i := range dependencyResolutionResult.Dependencies {
+ var dependency = dependencyResolutionResult.Dependencies[i]
+ var packageManager = GetPackageManagerFromResolvingModuleType[strings.ToLower(dependency.ResolvingModuleType)]
+
+ // if no package manager is found uses the resolving module type
+ if packageManager == "" {
+ packageManager = strings.ToLower(dependency.ResolvingModuleType)
+ }
+
+ dependencyMap[dependency.ID.NodeID] = wrappers.ScaDependencyBodyRequest{
+ PackageName: dependency.ID.Name,
+ Version: dependency.ID.Version,
+ PackageManager: packageManager,
+ }
+ if len(dependency.Children) > 0 {
+ for _, dependencyChildren := range dependency.Children {
+ dependencyMap[dependencyChildren.NodeID] = wrappers.ScaDependencyBodyRequest{
+ PackageName: dependencyChildren.Name,
+ Version: dependencyChildren.Version,
+ PackageManager: packageManager,
+ }
+ }
+ }
+ }
+ return dependencyMap
+}
+
 func GetScaVulnerabilitiesPackages(scaRealTimeWrapper wrappers.ScaRealTimeWrapper, bodyRequest []wrappers.ScaDependencyBodyRequest) (vulnerabilities []wrappers.ScaVulnerabilitiesResponseModel, err, err1 error) { //nolint:lll
 // We need to call the SCA API for each DependencyResolution so that we can save the file name
 vulnerabilitiesResponseModel, errorModel, errVulnerabilities := scaRealTimeWrapper.GetScaVulnerabilitiesPackages(bodyRequest)
diff --git a/internal/commands/scarealtime/sca-realtime_test.go b/internal/commands/scarealtime/sca-realtime_test.go
index 90d8f9c98..9a3ac893b 100644
--- a/internal/commands/scarealtime/sca-realtime_test.go
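Review bot: Every entry in `createDependencyMapFromDependencyResolution` is keyed by `NodeID`, so dependencies whose resolver output carries an empty or repeated node id silently overwrite one another and drop out of the request body, and nothing in the function detects or logs that case; the "avoid repeated packages" comment suggests overwriting is intended for true duplicates, but an empty key collapsing several packages into `dependencyMap[""]` is probably not. The `if len(dependency.Children) > 0` guard is redundant, since ranging over an empty slice already does nothing, and dropping it removes one nesting level. Children inherit the parent's `packageManager`, which looks intended but is unstated, and the new function has no doc comment; a line such as `// createDependencyMapFromDependencyResolution flattens a resolution's dependencies and their direct children into one map keyed by node id (later entries win); children take the parent's package-manager name.` would record both decisions.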
+++ b/internal/commands/scarealtime/sca-realtime_test.go
@@ -57,3 +57,38 @@ func TestRequiredProjectDir(t *testing.T) {
 err := cmd.Execute()
 assert.Error(t, err, "Provided path does not exist: "+invalidProjectPath, err.Error())
 }
+
+func TestCreateDependecyMapFromDependecyResolution_Success(t *testing.T) {
+ dependecyResolutionResult := DependencyResolution{
+ Dependencies: []Dependency{
+ NewDependency("8ce2d33f-5783-4fe1-b9a7-3ce2c9a3aae9", "Microsoft. NETCore. Platforms",
+ "1.1.0", "Nuget", []interface{}{"NetStandard20"}),
+ NewDependency("60b40261-18b2-4cf6-bdf5-e23ad408de3b", "NETStandard.Library",
+ "2.0.3", "Nuget", []interface{}{"NetStandard20"}),
+ },
+ }
+ dependencyMap := createDependencyMapFromDependencyResolution(&dependecyResolutionResult)
+ assert.Equal(t, len(dependencyMap), 2)
+ assert.Equal(t, dependencyMap["60b40261-18b2-4cf6-bdf5-e23ad408de3b"].PackageManager, "Nuget")
+ assert.Equal(t, dependencyMap["60b40261-18b2-4cf6-bdf5-e23ad408de3b"].Version, "2.0.3")
+ assert.Equal(t, dependencyMap["60b40261-18b2-4cf6-bdf5-e23ad408de3b"].PackageName, "NETStandard.Library")
+ assert.Equal(t, dependencyMap["8ce2d33f-5783-4fe1-b9a7-3ce2c9a3aae9"].PackageManager, "Nuget")
+ assert.Equal(t, dependencyMap["8ce2d33f-5783-4fe1-b9a7-3ce2c9a3aae9"].Version, "1.1.0")
+ assert.Equal(t, dependencyMap["8ce2d33f-5783-4fe1-b9a7-3ce2c9a3aae9"].PackageName, "Microsoft. NETCore. Platforms")
+}
+
+func NewDependency(nodeID, name, version, resolvingModuleType string, targetFrameworks []interface{}) Dependency {
+ return Dependency{
+ ID: NewID(nodeID, name, version),
+ ResolvingModuleType: resolvingModuleType,
+ TargetFrameworks: targetFrameworks,
+ }
+}
+
+func NewID(nodeID, name, version string) ID {
+ return ID{
+ NodeID: nodeID,
+ Name: name,
+ Version: version,
+ }
+}
From 6a9ea2a20e9a7228a3dc5af06a7874aec47181ec Mon Sep 17 00:00:00 2001
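Review bot: The new test only drives the top-level path with a module type that has a map entry, so the two branches that make the helper non-trivial — the `Children` loop and the fallback to the lower-cased `ResolvingModuleType` when `GetPackageManagerFromResolvingModuleType` has no entry — stay unexercised; one dependency with a child and one with an unmapped type (for instance `"Unknown"`, expecting `"unknown"`) would cover both. `NewDependency` and `NewID` are exported names living in a `_test.go` file; since they are only reachable from this package's tests, unexported `newDependency` and `newID` would avoid suggesting a public constructor exists. If the `assert` package here is testify, `assert.Equal` takes `(expected, actual)` and every call in this hunk passes them reversed, which inverts the failure message; if it is gotest.tools the order is immaterial, so worth checking which one the file imports.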
From: AlvoBen
Date: Tue, 2 Apr 2024 09:53:55 +0300
Subject: [PATCH 3/6] add unit test
---
 internal/commands/scarealtime/sca-realtime.go | 1 -
 1 file changed, 1 deletion(-)
diff --git a/internal/commands/scarealtime/sca-realtime.go b/internal/commands/scarealtime/sca-realtime.go
index 8c23a3780..d182d3c2b 100644
--- a/internal/commands/scarealtime/sca-realtime.go
+++ b/internal/commands/scarealtime/sca-realtime.go
@@ -130,7 +130,6 @@ func GetSCAVulnerabilities(scaRealTimeWrapper wrappers.ScaRealTimeWrapper) error
 var scaRealtimeScanErrors []wrappers.ScaRealtimeScanError
 for _, dependencyResolutionResult := range scaResolverResults.DependencyResolutionResults {
- // We're using a map to avoid adding repeated packages in request body
 dependencyMap := createDependencyMapFromDependencyResolution(&dependencyResolutionResult)
From 1dffefbb5697d11fc8d40f1ebf5dfe260904eefa Mon Sep 17 00:00:00 2001
From: AlvoBen
Date: Tue, 2 Apr 2024 10:00:52 +0300
Subject: [PATCH 4/6] Change createDependencyMapFromDependencyResolution signature to fix linter errors
---
 internal/commands/scarealtime/sca-realtime.go | 4 ++--
 internal/commands/scarealtime/sca-realtime_test.go | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/internal/commands/scarealtime/sca-realtime.go b/internal/commands/scarealtime/sca-realtime.go
index d182d3c2b..2474a5570 100644
--- a/internal/commands/scarealtime/sca-realtime.go
+++ b/internal/commands/scarealtime/sca-realtime.go
@@ -131,7 +131,7 @@ func GetSCAVulnerabilities(scaRealTimeWrapper wrappers.ScaRealTimeWrapper) error
 for _, dependencyResolutionResult := range scaResolverResults.DependencyResolutionResults {
 // We're using a map to avoid adding repeated packages in request body
- dependencyMap := createDependencyMapFromDependencyResolution(&dependencyResolutionResult)
+ dependencyMap := createDependencyMapFromDependencyResolution(dependencyResolutionResult)
 // Get all ScaDependencyBodyRequest from the map to call SCA API
 var bodyRequest []wrappers.ScaDependencyBodyRequest
@@ -186,7 +186,7 @@ func GetSCAVulnerabilities(scaRealTimeWrapper wrappers.ScaRealTimeWrapper) error
 return nil
 }
-func createDependencyMapFromDependencyResolution(dependencyResolutionResult *DependencyResolution) map[string]wrappers.ScaDependencyBodyRequest {
+func createDependencyMapFromDependencyResolution(dependencyResolutionResult DependencyResolution) map[string]wrappers.ScaDependencyBodyRequest {
 // We're using a map to avoid adding repeated packages in request body
 dependencyMap := make(map[string]wrappers.ScaDependencyBodyRequest)
diff --git a/internal/commands/scarealtime/sca-realtime_test.go b/internal/commands/scarealtime/sca-realtime_test.go
index 9a3ac893b..33857ce17 100644
--- a/internal/commands/scarealtime/sca-realtime_test.go
+++ b/internal/commands/scarealtime/sca-realtime_test.go
@@ -67,7 +67,7 @@ func TestCreateDependecyMapFromDependecyResolution_Success(t *testing.T) {
 "2.0.3", "Nuget", []interface{}{"NetStandard20"}),
 },
 }
- dependencyMap := createDependencyMapFromDependencyResolution(&dependecyResolutionResult)
+ dependencyMap := createDependencyMapFromDependencyResolution(dependecyResolutionResult)
 assert.Equal(t, len(dependencyMap), 2)
 assert.Equal(t, dependencyMap["60b40261-18b2-4cf6-bdf5-e23ad408de3b"].PackageManager, "Nuget")
 assert.Equal(t, dependencyMap["60b40261-18b2-4cf6-bdf5-e23ad408de3b"].Version, "2.0.3")
From fe62b3477d152f031aa5010f3e01dcf2bf594316 Mon Sep 17 00:00:00 2001
From: AlvoBen
Date: Tue, 2 Apr 2024 10:14:08 +0300
Subject: [PATCH 5/6] fix lint errors
---
 internal/commands/scarealtime/sca-realtime.go | 6 +++---
 internal/commands/scarealtime/sca-realtime_test.go | 3 ++-
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/internal/commands/scarealtime/sca-realtime.go b/internal/commands/scarealtime/sca-realtime.go
index 2474a5570..feed5b429 100644
--- a/internal/commands/scarealtime/sca-realtime.go
+++ b/internal/commands/scarealtime/sca-realtime.go
@@ -129,9 +129,9 @@ func GetSCAVulnerabilities(scaRealTimeWrapper wrappers.ScaRealTimeWrapper) error
 var modelResults []wrappers.ScaVulnerabilitiesResponseModel
 var scaRealtimeScanErrors []wrappers.ScaRealtimeScanError
- for _, dependencyResolutionResult := range scaResolverResults.DependencyResolutionResults {
+ for i, dependencyResolutionResult := range scaResolverResults.DependencyResolutionResults {
 // We're using a map to avoid adding repeated packages in request body
- dependencyMap := createDependencyMapFromDependencyResolution(dependencyResolutionResult)
+ dependencyMap := createDependencyMapFromDependencyResolution(&scaResolverResults.DependencyResolutionResults[i])
 // Get all ScaDependencyBodyRequest from the map to call SCA API
 var bodyRequest []wrappers.ScaDependencyBodyRequest
@@ -186,7 +186,7 @@ func GetSCAVulnerabilities(scaRealTimeWrapper wrappers.ScaRealTimeWrapper) error
 return nil
 }
-func createDependencyMapFromDependencyResolution(dependencyResolutionResult DependencyResolution) map[string]wrappers.ScaDependencyBodyRequest {
+func createDependencyMapFromDependencyResolution(dependencyResolutionResult *DependencyResolution) map[string]wrappers.ScaDependencyBodyRequest {
 // We're using a map to avoid adding repeated packages in request body
 dependencyMap := make(map[string]wrappers.ScaDependencyBodyRequest)
diff --git a/internal/commands/scarealtime/sca-realtime_test.go b/internal/commands/scarealtime/sca-realtime_test.go
index 33857ce17..43dc2676f 100644
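Review bot: The loop now carries two views of the same element — the range copy `dependencyResolutionResult` and the pointer `&scaResolverResults.DependencyResolutionResults[i]` handed to the helper — which satisfies the implicit-aliasing linter but leaves the rest of the body (outside this hunk) reading the copy while the helper reads the slice element. As long as nothing mutates either, the results are identical, but one variable is clearer and cheaper: `for i := range scaResolverResults.DependencyResolutionResults {` / `dependencyResolutionResult := &scaResolverResults.DependencyResolutionResults[i]` / `dependencyMap := createDependencyMapFromDependencyResolution(dependencyResolutionResult)`, with the later field accesses unchanged since Go dereferences the pointer for them. The body of GetSCAVulnerabilities continues past the hunk, so whether any later use needs the value rather than a pointer cannot be confirmed from here.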
--- a/internal/commands/scarealtime/sca-realtime_test.go
+++ b/internal/commands/scarealtime/sca-realtime_test.go
@@ -67,7 +67,8 @@ func TestCreateDependecyMapFromDependecyResolution_Success(t *testing.T) {
 "2.0.3", "Nuget", []interface{}{"NetStandard20"}),
 },
 }
- dependencyMap := createDependencyMapFromDependencyResolution(dependecyResolutionResult)
+ dependecyResolutionResultReference := &dependecyResolutionResult
+ dependencyMap := createDependencyMapFromDependencyResolution(dependecyResolutionResultReference)
 assert.Equal(t, len(dependencyMap), 2)
 assert.Equal(t, dependencyMap["60b40261-18b2-4cf6-bdf5-e23ad408de3b"].PackageManager, "Nuget")
 assert.Equal(t, dependencyMap["60b40261-18b2-4cf6-bdf5-e23ad408de3b"].Version, "2.0.3")
From c03e72b9e79678383a04c7ef26ff96bb7605f9a2 Mon Sep 17 00:00:00 2001
From: AlvoBen
Date: Tue, 2 Apr 2024 10:59:19 +0300
Subject: [PATCH 6/6] Resolve pr review conversation
---
 internal/commands/scarealtime/sca-realtime_test.go | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/internal/commands/scarealtime/sca-realtime_test.go b/internal/commands/scarealtime/sca-realtime_test.go
index 43dc2676f..891b5fd8b 100644
--- a/internal/commands/scarealtime/sca-realtime_test.go
+++ b/internal/commands/scarealtime/sca-realtime_test.go
@@ -58,7 +58,7 @@ func TestRequiredProjectDir(t *testing.T) {
 assert.Error(t, err, "Provided path does not exist: "+invalidProjectPath, err.Error())
 }
-func TestCreateDependecyMapFromDependecyResolution_Success(t *testing.T) {
+func TestCreateDependencyMapFromDependencyResolution_NugetDependencies_Success(t *testing.T) {
 dependecyResolutionResult := DependencyResolution{
 Dependencies: []Dependency{
 NewDependency("8ce2d33f-5783-4fe1-b9a7-3ce2c9a3aae9", "Microsoft. NETCore. Platforms",
@@ -67,8 +67,7 @@ func TestCreateDependecyMapFromDependecyResolution_Success(t *testing.T) {
 "2.0.3", "Nuget", []interface{}{"NetStandard20"}),
 },
 }
- dependecyResolutionResultReference := &dependecyResolutionResult
- dependencyMap := createDependencyMapFromDependencyResolution(dependecyResolutionResultReference)
+ dependencyMap := createDependencyMapFromDependencyResolution(&dependecyResolutionResult)
 assert.Equal(t, len(dependencyMap), 2)
 assert.Equal(t, dependencyMap["60b40261-18b2-4cf6-bdf5-e23ad408de3b"].PackageManager, "Nuget")
 assert.Equal(t, dependencyMap["60b40261-18b2-4cf6-bdf5-e23ad408de3b"].Version, "2.0.3")