fix: resolve comments and todos

snyk-tech-services · May 26, 2021 · bc12f11 · bc12f11
1 parent d507cd1
commit bc12f11
Show file tree

Hide file tree

Showing 4 changed files with 118 additions and 107 deletions.
diff --git a/src/lib/convert-issue-to-spdx.ts b/src/lib/convert-issue-to-spdx.ts
@@ -1,15 +1,15 @@
-import * as allType from '../types';
+import * as types from '../types';
 
 function getVulnerabilityRating(
-  issue: allType.SnykIssue,
-): allType.VulnerabilityRating[] {
-  const vulnerabilityRatingScore: allType.VulnerabilityRatingScore = {
-    base: issue.cvssScore ? issue.cvssScore.toString() : '',
+  issue: types.SnykIssue,
+): types.VulnerabilityRating[] {
+  const vulnerabilityRatingScore: types.VulnerabilityRatingScore = {
+    base: issue.cvssScore,
     exploitability: issue.exploit,
     impact: issue.semver.vulnerable[0],
   };
 
-  const vulnerabilityRating: allType.VulnerabilityRating = {
+  const vulnerabilityRating: types.VulnerabilityRating = {
     method: issue.CVSSv3 ? 'CVSS_3' : 'undefined', // must be CVSS_2, CVSS_3, OWASP_RISK or OTHER
     score: [vulnerabilityRatingScore],
     severity: issue.severity, // exploitability score of the vulnerability either None, Low, Medium, High or Critical
@@ -20,14 +20,14 @@ function getVulnerabilityRating(
 }
 
 function getExternalReferencesRelationships(
-  references: allType.SnykIssueReference[],
-): allType.ExternalReferencesRelationship[] {
-  let externalReferencesRelationship: allType.ExternalReferencesRelationship[] = [];
+  references: types.SnykIssueReference[],
+): types.ExternalReferencesRelationship[] {
+  let externalReferencesRelationship: types.ExternalReferencesRelationship[] = [];
 
   externalReferencesRelationship = references
     ? references.map((step) => {
         return {
-          category: '', // must be either ADVISORY, ARTICLE, FIX, REPORT or OTHER.
+          category: undefined, // not amndatory,but should be either ADVISORY, ARTICLE, FIX, REPORT or OTHER.
           locator: step.url, // url
         };
       })
@@ -37,18 +37,18 @@ function getExternalReferencesRelationships(
 }
 
 function getVulnerabilityExternalReferences(
-  issue: allType.SnykIssue,
-): allType.ExternalReference[] {
-  const externalReference: allType.ExternalReference = {
+  issue: types.SnykIssue,
+): types.ExternalReference[] {
+  const externalReference: types.ExternalReference = {
     externalReferencesRelationships: getExternalReferencesRelationships(
       issue.references,
     ),
     modified: issue.modificationTime, // YYYY-MM-DDThh:mm:ssZ
     published: issue.publicationTime,
-    withdrawn: '', // TODO I don't know where to find this one
+    withdrawn: undefined, // not mandatory, setting at undefined
   };
 
-  const externalReferences: allType.ExternalReference[] = [externalReference];
+  const externalReferences: types.ExternalReference[] = [externalReference];
 
   return externalReferences;
 }
@@ -58,40 +58,40 @@ function getCwes(cwe: string[]): number[] {
 
   cwes = cwe
     ? cwe.map((step) => {
-        return parseInt(step.slice(4, step.length));
+        return parseInt(step.replace('CWE-', ''));
       })
     : [];
 
   return cwes;
 }
 
 function getVulnerabilityRelationship(
-  issue: allType.SnykIssue,
-): allType.VulnerabilityRelationship[] {
-  const vulnerabilityAffect: allType.AffectedBy = {
+  issue: types.SnykIssue,
+): types.VulnerabilityRelationship[] {
+  const vulnerabilityAffect: types.AffectedBy = {
     to: issue.from,
     type: 'AFFECTS',
   };
 
-  const vulnerabilityfoundBy: allType.AffectedBy = {
+  const vulnerabilityfoundBy: types.AffectedBy = {
     to: issue.credit,
     type: 'FOUND_BY',
   };
 
   // not mandatory, unclear what should be in here
-  const vulnerabilitySuppliedBy: allType.AffectedBy = {
+  const vulnerabilitySuppliedBy: types.AffectedBy = {
     to: issue.credit,
     type: 'SUPPLIED_BY',
   };
 
-  const ratedBy: allType.RatedBy = {
-    cwes: getCwes(issue.cwe),
+  const ratedBy: types.RatedBy = {
+    cwes: issue.identifiers ? getCwes(issue.identifiers.CWE) : [],
     rating: getVulnerabilityRating(issue),
-    to: issue.credit, // TODO: we might need to get that one reviewed, doc is unclear
+    to: issue.credit,
     type: 'RATED_BY',
   };
 
-  const relationship: allType.VulnerabilityRelationship[] = [
+  const relationship: types.VulnerabilityRelationship[] = [
     {
       affect: vulnerabilityAffect,
       foundBy: vulnerabilityfoundBy,
@@ -103,7 +103,7 @@ function getVulnerabilityRelationship(
   return relationship;
 }
 
-export function convertSnykIssueToSpdx(issue: any): allType.Vulnerability {
+export function convertSnykIssueToSpdx(issue: any): types.Vulnerability {
   return {
     id: issue.id,
     name: issue.id,

diff --git a/src/types.ts b/src/types.ts
@@ -70,13 +70,13 @@ export interface VulnerabilityRating {
   }
 
 export interface VulnerabilityRatingScore {
-      base: string;
+      base: number;
       exploitability: string;
       impact: string;
   }
 
 export interface ExternalReferencesRelationship {
-      category: string // must be either ADVISORY, ARTICLE, FIX, REPORT or OTHER.
+      category: string | undefined// must be either ADVISORY, ARTICLE, FIX, REPORT or OTHER.
       locator: string // url
   }
 
@@ -135,7 +135,6 @@ export interface ProfilePackage {
 
 export interface SnykIssue {
   id: string;
-  cwe: string[];
   title : string;
   description : string;
   from: string[];
@@ -149,6 +148,7 @@ export interface SnykIssue {
   publicationTime: string;
   references: SnykIssueReference[];
   creationTime: string;
+  identifiers: SnykIssueIdentifiers;
 }
 
 export interface SnykIssueSemver {
@@ -211,16 +211,6 @@ export interface DependencyPins {
 export interface PinRemediation extends UpgradeVulns {
   isTransitive: boolean;
 }
-// TODO: add more as needed
-// add only fields needed for conversion
-export interface SnykIssue {
-  id: string;
-  title: string;
-  description: string;
-  from: string[];
-  credit: string[];
-  identifiers: SnykIssueIdentifiers[];
-}
 
 interface SnykIssueIdentifiers {
   ALTERNATIVE?: string[];
@@ -229,6 +219,3 @@ interface SnykIssueIdentifiers {
   NSP?: number;
 }
 
-export interface SnykTestOutput {
-  vulnerabilities: SnykIssue[];
-}
diff --git a/test/lib/__snapshots__/convert-issue-to-spdx.spec.ts.snap b/test/lib/__snapshots__/convert-issue-to-spdx.spec.ts.snap
@@ -73,13 +73,13 @@ Upgrade \`json\` to version 2.3.0 or higher.
     Object {
       "externalReferencesRelationships": Array [
         Object {
-          "category": "",
+          "category": undefined,
           "locator": "https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/",
         },
       ],
       "modified": "2020-06-12T14:37:02.660300Z",
       "published": "2020-03-19T16:04:21Z",
-      "withdrawn": "",
+      "withdrawn": undefined,
     },
   ],
   "id": "SNYK-RUBY-JSON-560838",
@@ -100,13 +100,15 @@ Upgrade \`json\` to version 2.3.0 or higher.
         "type": "FOUND_BY",
       },
       "ratedBy": Object {
-        "cwes": Array [],
+        "cwes": Array [
+          400,
+        ],
         "rating": Array [
           Object {
             "method": "CVSS_3",
             "score": Array [
               Object {
-                "base": "9.3",
+                "base": 9.3,
                 "exploitability": "Not Defined",
                 "impact": "<2.3.0",
               },