npmaudit:chore - improve tests and code cleaning (#902)

This commit add some new asserts on successful parsing npm results to verify that all fields of Vulnerability was filled. Note that the test cases from `TestParseOutputNpm` was moved to `TestNpmAuditParseOutput` to centralize all tests as it is done in the other tests of the other formatters. Some code organization was also made, and the entities packages was removed and the npm schema output was moved to npmaudit package. Updates #718 Signed-off-by: Matheus Alcantara <[email protected]>
ZupIT · Dec 27, 2021 · 1e7268d · 1e7268d
1 parent 4c1fffb
commit 1e7268d
Show file tree

Hide file tree

Showing 8 changed files with 190 additions and 235 deletions.
diff --git a/internal/services/formatters/javascript/npmaudit/entities/finding.go b/internal/services/formatters/javascript/npmaudit/entities/finding.go
diff --git a/internal/services/formatters/javascript/npmaudit/entities/metadata.go b/internal/services/formatters/javascript/npmaudit/entities/metadata.go
diff --git a/internal/services/formatters/javascript/npmaudit/entities/output.go b/internal/services/formatters/javascript/npmaudit/entities/output.go
diff --git a/internal/services/formatters/javascript/npmaudit/entities/vulnerabilities.go b/internal/services/formatters/javascript/npmaudit/entities/vulnerabilities.go
diff --git a/internal/services/formatters/javascript/npmaudit/formatter.go b/internal/services/formatters/javascript/npmaudit/formatter.go
@@ -29,11 +29,10 @@ import (
 	"github.com/ZupIT/horusec-devkit/pkg/enums/tools"
 	"github.com/ZupIT/horusec-devkit/pkg/utils/logger"
 
-	dockerEntities "github.com/ZupIT/horusec/internal/entities/docker"
+	"github.com/ZupIT/horusec/internal/entities/docker"
 	"github.com/ZupIT/horusec/internal/enums/images"
 	"github.com/ZupIT/horusec/internal/helpers/messages"
 	"github.com/ZupIT/horusec/internal/services/formatters"
-	"github.com/ZupIT/horusec/internal/services/formatters/javascript/npmaudit/entities"
 	vulnhash "github.com/ZupIT/horusec/internal/utils/vuln_hash"
 )
 
@@ -69,8 +68,8 @@ func (f *Formatter) startNpmAudit(projectSubPath string) (string, error) {
 	return output, f.parseOutput(output, projectSubPath)
 }
 
-func (f *Formatter) getDockerConfig(projectSubPath string) *dockerEntities.AnalysisData {
-	analysisData := &dockerEntities.AnalysisData{
+func (f *Formatter) getDockerConfig(projectSubPath string) *docker.AnalysisData {
+	analysisData := &docker.AnalysisData{
 		CMD:      f.GetConfigCMDByFileExtension(projectSubPath, CMD, "package-lock.json", tools.NpmAudit),
 		Language: languages.Javascript,
 	}
@@ -100,56 +99,50 @@ func (f *Formatter) IsNotFoundError(containerOutput string) error {
 	return nil
 }
 
-func (f *Formatter) newContainerOutputFromString(containerOutput string) (output *entities.Output, err error) {
+func (f *Formatter) newContainerOutputFromString(containerOutput string) (output *npmOutput, err error) {
 	if containerOutput == "" {
 		logger.LogDebugWithLevel(messages.MsgDebugOutputEmpty, map[string]interface{}{"tool": tools.NpmAudit.ToString()})
-		return &entities.Output{}, nil
+		return &npmOutput{}, nil
 	}
 
 	return output, json.Unmarshal([]byte(containerOutput), &output)
 }
 
-func (f *Formatter) processOutput(output *entities.Output, projectSubPath string) {
+func (f *Formatter) processOutput(output *npmOutput, projectSubPath string) {
 	for _, advisory := range output.Advisories {
 		advisoryPointer := advisory
-		f.AddNewVulnerabilityIntoAnalysis(f.setVulnerabilitySeverityData(&advisoryPointer, projectSubPath))
+		f.AddNewVulnerabilityIntoAnalysis(f.newVulnerability(&advisoryPointer, projectSubPath))
 	}
 }
 
-func (f *Formatter) setVulnerabilitySeverityData(
-	issue *entities.Issue, projectSubPath string) (data *vulnerability.Vulnerability) {
-	data = f.getDefaultVulnerabilitySeverity(projectSubPath)
-	data.Severity = issue.GetSeverity()
-	data.Details = issue.Overview
-	data.Code = issue.ModuleName
-	data.Line = f.getVulnerabilityLineByName(f.getVersionText(issue.GetVersion()), data.Code, data.File)
-	data = vulnhash.Bind(data)
-	return f.SetCommitAuthor(data)
-}
-
-func (f *Formatter) getDefaultVulnerabilitySeverity(projectSubPath string) *vulnerability.Vulnerability {
-	vulnerabilitySeverity := &vulnerability.Vulnerability{}
-	vulnerabilitySeverity.File = f.GetFilepathFromFilename("package-lock.json", projectSubPath)
-	vulnerabilitySeverity.SecurityTool = tools.NpmAudit
-	vulnerabilitySeverity.Language = languages.Javascript
-	return vulnerabilitySeverity
+func (f *Formatter) newVulnerability(issue *npmIssue, projectSubPath string) *vulnerability.Vulnerability {
+	vuln := &vulnerability.Vulnerability{
+		File:         f.GetFilepathFromFilename("package-lock.json", projectSubPath),
+		SecurityTool: tools.NpmAudit,
+		Language:     languages.Javascript,
+		Severity:     issue.getSeverity(),
+		Details:      issue.Overview,
+		Code:         issue.ModuleName,
+	}
+	vuln.Line = f.getVulnerabilityLineByName(f.getVersionText(issue.getVersion()), vuln.Code, vuln.File)
+	return f.SetCommitAuthor(vulnhash.Bind(vuln))
 }
 
 func (f *Formatter) getVersionText(version string) string {
 	return fmt.Sprintf(`"version": %q`, version)
 }
 
-func (f *Formatter) getVulnerabilityLineByName(version, module, file string) string {
-	fileExisting, err := os.Open(filepath.Join(f.GetConfigProjectPath(), file))
+func (f *Formatter) getVulnerabilityLineByName(version, module, filename string) string {
+	file, err := os.Open(filepath.Join(f.GetConfigProjectPath(), filename))
 	if err != nil {
 		return ""
 	}
 
 	defer func() {
-		logger.LogErrorWithLevel(messages.MsgErrorDeferFileClose, fileExisting.Close())
+		logger.LogErrorWithLevel(messages.MsgErrorDeferFileClose, file.Close())
 	}()
 
-	return f.getLine(version, module, bufio.NewScanner(fileExisting))
+	return f.getLine(version, module, bufio.NewScanner(file))
 }
 
 func (f *Formatter) getLine(version, module string, scanner *bufio.Scanner) string {