authorGar <gar+gh@danger.computer>2022-04-17 19:36:31 +0300
committerLuke Karrys <luke@lukekarrys.com>2022-04-20 02:26:40 +0300
commit21375c6c356e9beddbc96720b1d03ea2db05be0e (patch)
tree830ac4097956de2327f3f7c3ea4924d8f747985d /test
parentced0acfe5998a5be9313815f76f5c1439a09db78 (diff)
chore: add fallback audit to tests
Diffstat (limited to 'test')
-rw-r--r--test/lib/commands/audit.js90
1 files changed, 76 insertions, 14 deletions
diff --git a/test/lib/commands/audit.js b/test/lib/commands/audit.js
index 1afb8d333..da6de4774 100644
--- a/test/lib/commands/audit.js
+++ b/test/lib/commands/audit.js
@@ -2,9 +2,9 @@ const t = require('tap')
const { load: loadMockNpm } = require('../../fixtures/mock-npm')
const MockRegistry = require('../../fixtures/mock-registry.js')
-const util = require('util')
const zlib = require('zlib')
-const gzip = util.promisify(zlib.gzip)
+const gzip = zlib.gzipSync
+const gunzip = zlib.gunzipSync
const path = require('path')
const fs = require('fs')
@@ -43,7 +43,14 @@ const tree = {
},
},
}),
- 'test-dep-a': {
+ 'test-dep-a-vuln': {
+ 'package.json': JSON.stringify({
+ name: 'test-dep-a',
+ version: '1.0.0',
+ }),
+ 'vulnerable.txt': 'vulnerable test-dep-a',
+ },
+ 'test-dep-a-fixed': {
'package.json': JSON.stringify({
name: 'test-dep-a',
version: '1.0.1',
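Review bot: The new `test-dep-a-vuln` fixture directory (with its `vulnerable.txt`) is not referenced by any hunk in this commit; only `test-dep-a-fixed` is used, as the `1.0.1` tarball source in the `audit fix - bulk endpoint` test. Unless something outside these hunks packs or installs it, it is dead fixture data and could be dropped, or a one-line comment on the key could state what it is for, e.g. `// on-disk copy of the vulnerable 1.0.0 release (not packed by the tests in this file)`. The enclosing `tree` literal starts and ends outside the hunk.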
@@ -66,8 +73,11 @@ t.test('normal audit', async t => {
packuments: [{ version: '1.0.0' }, { version: '1.0.1' }],
})
await registry.package({ manifest })
- const advisory = registry.advisory({ id: 100 })
- const bulkBody = await gzip(JSON.stringify({ 'test-dep-a': ['1.0.0'] }))
+ const advisory = registry.advisory({
+ id: 100,
+ vulnerable_versions: '<1.0.1',
+ })
+ const bulkBody = gzip(JSON.stringify({ 'test-dep-a': ['1.0.0'] }))
registry.nock.post('/-/npm/v1/security/advisories/bulk', bulkBody)
.reply(200, {
'test-dep-a': [advisory],
@@ -79,6 +89,55 @@ t.test('normal audit', async t => {
t.matchSnapshot(joinedOutput())
})
+t.test('fallback audit ', async t => {
+ const { npm, joinedOutput } = await loadMockNpm(t, {
+ prefixDir: tree,
+ })
+ const registry = new MockRegistry({
+ tap: t,
+ registry: npm.config.get('registry'),
+ })
+ const manifest = registry.manifest({
+ name: 'test-dep-a',
+ packuments: [{ version: '1.0.0' }, { version: '1.0.1' }],
+ })
+ await registry.package({ manifest })
+ const advisory = registry.advisory({
+ id: 100,
+ module_name: 'test-dep-a',
+ vulnerable_versions: '<1.0.1',
+ findings: [{ version: '1.0.0', paths: ['test-dep-a'] }],
+ })
+ registry.nock
+ .post('/-/npm/v1/security/advisories/bulk').reply(404)
+ .post('/-/npm/v1/security/audits/quick', body => {
+ const unzipped = JSON.parse(gunzip(Buffer.from(body, 'hex')))
+ return t.match(unzipped, {
+ name: 'test-dep',
+ version: '1.0.0',
+ requires: { 'test-dep-a': '*' },
+ dependencies: { 'test-dep-a': { version: '1.0.0' } },
+ })
+ }).reply(200, {
+ actions: [],
+ muted: [],
+ advisories: {
+ 100: advisory,
+ },
+ metadata: {
+ vulnerabilities: { info: 0, low: 0, moderate: 0, high: 1, critical: 0 },
+ dependencies: 1,
+ devDependencies: 0,
+ optionalDependencies: 0,
+ totalDependencies: 1,
+ },
+ })
+ await npm.exec('audit', [])
+ t.ok(process.exitCode, 'would have exited uncleanly')
+ process.exitCode = 0
+ t.matchSnapshot(joinedOutput())
+})
+
t.test('json audit', async t => {
const { npm, joinedOutput } = await loadMockNpm(t, {
prefixDir: tree,
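Review bot: The test name in `t.test('fallback audit ', async t => {` carries a trailing space, which becomes part of the TAP subtest name and the snapshot key; it should read `t.test('fallback audit', async t => {`. The decode sequence `JSON.parse(gunzip(Buffer.from(body, 'hex')))` in this hunk's quick-audit body matcher is repeated in the last hunk for both bulk-endpoint matchers, so a file-level helper such as `const parseGzipBody = body => JSON.parse(gunzip(Buffer.from(body, 'hex')))` would keep the hex-encoding assumption about nock's binary bodies in one place. The `process.exitCode = 0` reset after the `t.ok` would also run when `npm.exec` rejects if it were registered as `t.teardown(() => { process.exitCode = 0 })` before the exec call.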
@@ -97,7 +156,7 @@ t.test('json audit', async t => {
})
await registry.package({ manifest })
const advisory = registry.advisory({ id: 100 })
- const bulkBody = await gzip(JSON.stringify({ 'test-dep-a': ['1.0.0'] }))
+ const bulkBody = gzip(JSON.stringify({ 'test-dep-a': ['1.0.0'] }))
registry.nock.post('/-/npm/v1/security/advisories/bulk', bulkBody)
.reply(200, {
'test-dep-a': [advisory],
@@ -109,7 +168,7 @@ t.test('json audit', async t => {
t.matchSnapshot(joinedOutput())
})
-t.test('audit fix', async t => {
+t.test('audit fix - bulk endpoint', async t => {
const { npm, joinedOutput } = await loadMockNpm(t, {
prefixDir: tree,
})
@@ -124,20 +183,23 @@ t.test('audit fix', async t => {
await registry.package({
manifest,
tarballs: {
- '1.0.1': path.join(npm.prefix, 'test-dep-a'),
+ '1.0.1': path.join(npm.prefix, 'test-dep-a-fixed'),
},
})
const advisory = registry.advisory({ id: 100, vulnerable_versions: '1.0.0' })
- // Can't validate this request body because it changes with each node
- // version/npm version and nock's body validation is not async, while
- // zlib.gunzip is
- registry.nock.post('/-/npm/v1/security/advisories/bulk')
+ registry.nock.post('/-/npm/v1/security/advisories/bulk', body => {
+ const unzipped = JSON.parse(gunzip(Buffer.from(body, 'hex')))
+ return t.same(unzipped, { 'test-dep-a': ['1.0.0'] })
+ })
.reply(200, { // first audit
'test-dep-a': [advisory],
})
- .post('/-/npm/v1/security/advisories/bulk')
+ .post('/-/npm/v1/security/advisories/bulk', body => {
+ const unzipped = JSON.parse(gunzip(Buffer.from(body, 'hex')))
+ return t.same(unzipped, { 'test-dep-a': ['1.0.1'] })
+ })
.reply(200, { // after fix
- 'test-dep-a': [advisory],
+ 'test-dep-a': [],
})
await npm.exec('audit', ['fix'])
t.matchSnapshot(joinedOutput())
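Review bot: The advisory at `registry.advisory({ id: 100, vulnerable_versions: '1.0.0' })` pins an exact version while the advisories added in the earlier hunks use the range `'<1.0.1'`; both presumably cover the same vulnerable set here, but one spelling across the file would make the fixtures easier to compare. Both new body matchers return the result of `t.same(...)`, so a body mismatch shows up as a tap assertion failure followed by nock's no-match error for the same request; that is acceptable but worth knowing when reading a failure. The `audit fix - bulk endpoint` test body starts before this hunk.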