diff options
author | Gar <gar+gh@danger.computer> | 2022-04-17 19:36:31 +0300 |
---|---|---|
committer | Luke Karrys <luke@lukekarrys.com> | 2022-04-20 02:26:40 +0300 |
commit | 21375c6c356e9beddbc96720b1d03ea2db05be0e (patch) | |
tree | 830ac4097956de2327f3f7c3ea4924d8f747985d /test | |
parent | ced0acfe5998a5be9313815f76f5c1439a09db78 (diff) |
chore: add fallback audit to tests
Diffstat (limited to 'test')
-rw-r--r-- | test/lib/commands/audit.js | 90 |
1 files changed, 76 insertions, 14 deletions
diff --git a/test/lib/commands/audit.js b/test/lib/commands/audit.js index 1afb8d333..da6de4774 100644 --- a/test/lib/commands/audit.js +++ b/test/lib/commands/audit.js @@ -2,9 +2,9 @@ const t = require('tap') const { load: loadMockNpm } = require('../../fixtures/mock-npm') const MockRegistry = require('../../fixtures/mock-registry.js') -const util = require('util') const zlib = require('zlib') -const gzip = util.promisify(zlib.gzip) +const gzip = zlib.gzipSync +const gunzip = zlib.gunzipSync const path = require('path') const fs = require('fs') @@ -43,7 +43,14 @@ const tree = { }, }, }), - 'test-dep-a': { + 'test-dep-a-vuln': { + 'package.json': JSON.stringify({ + name: 'test-dep-a', + version: '1.0.0', + }), + 'vulnerable.txt': 'vulnerable test-dep-a', + }, + 'test-dep-a-fixed': { 'package.json': JSON.stringify({ name: 'test-dep-a', version: '1.0.1', @@ -66,8 +73,11 @@ t.test('normal audit', async t => { packuments: [{ version: '1.0.0' }, { version: '1.0.1' }], }) await registry.package({ manifest }) - const advisory = registry.advisory({ id: 100 }) - const bulkBody = await gzip(JSON.stringify({ 'test-dep-a': ['1.0.0'] })) + const advisory = registry.advisory({ + id: 100, + vulnerable_versions: '<1.0.1', + }) + const bulkBody = gzip(JSON.stringify({ 'test-dep-a': ['1.0.0'] })) registry.nock.post('/-/npm/v1/security/advisories/bulk', bulkBody) .reply(200, { 'test-dep-a': [advisory], @@ -79,6 +89,55 @@ t.test('normal audit', async t => { t.matchSnapshot(joinedOutput()) }) +t.test('fallback audit ', async t => { + const { npm, joinedOutput } = await loadMockNpm(t, { + prefixDir: tree, + }) + const registry = new MockRegistry({ + tap: t, + registry: npm.config.get('registry'), + }) + const manifest = registry.manifest({ + name: 'test-dep-a', + packuments: [{ version: '1.0.0' }, { version: '1.0.1' }], + }) + await registry.package({ manifest }) + const advisory = registry.advisory({ + id: 100, + module_name: 'test-dep-a', + vulnerable_versions: '<1.0.1', + findings: [{ version: '1.0.0', paths: ['test-dep-a'] }], + }) + registry.nock + .post('/-/npm/v1/security/advisories/bulk').reply(404) + .post('/-/npm/v1/security/audits/quick', body => { + const unzipped = JSON.parse(gunzip(Buffer.from(body, 'hex'))) + return t.match(unzipped, { + name: 'test-dep', + version: '1.0.0', + requires: { 'test-dep-a': '*' }, + dependencies: { 'test-dep-a': { version: '1.0.0' } }, + }) + }).reply(200, { + actions: [], + muted: [], + advisories: { + 100: advisory, + }, + metadata: { + vulnerabilities: { info: 0, low: 0, moderate: 0, high: 1, critical: 0 }, + dependencies: 1, + devDependencies: 0, + optionalDependencies: 0, + totalDependencies: 1, + }, + }) + await npm.exec('audit', []) + t.ok(process.exitCode, 'would have exited uncleanly') + process.exitCode = 0 + t.matchSnapshot(joinedOutput()) +}) + t.test('json audit', async t => { const { npm, joinedOutput } = await loadMockNpm(t, { prefixDir: tree, @@ -97,7 +156,7 @@ t.test('json audit', async t => { }) await registry.package({ manifest }) const advisory = registry.advisory({ id: 100 }) - const bulkBody = await gzip(JSON.stringify({ 'test-dep-a': ['1.0.0'] })) + const bulkBody = gzip(JSON.stringify({ 'test-dep-a': ['1.0.0'] })) registry.nock.post('/-/npm/v1/security/advisories/bulk', bulkBody) .reply(200, { 'test-dep-a': [advisory], @@ -109,7 +168,7 @@ t.test('json audit', async t => { t.matchSnapshot(joinedOutput()) }) -t.test('audit fix', async t => { +t.test('audit fix - bulk endpoint', async t => { const { npm, joinedOutput } = await loadMockNpm(t, { prefixDir: tree, }) @@ -124,20 +183,23 @@ t.test('audit fix', async t => { await registry.package({ manifest, tarballs: { - '1.0.1': path.join(npm.prefix, 'test-dep-a'), + '1.0.1': path.join(npm.prefix, 'test-dep-a-fixed'), }, }) const advisory = registry.advisory({ id: 100, vulnerable_versions: '1.0.0' }) - // Can't validate this request body because it changes with each node - // version/npm version and nock's body validation is not async, while - // zlib.gunzip is - registry.nock.post('/-/npm/v1/security/advisories/bulk') + registry.nock.post('/-/npm/v1/security/advisories/bulk', body => { + const unzipped = JSON.parse(gunzip(Buffer.from(body, 'hex'))) + return t.same(unzipped, { 'test-dep-a': ['1.0.0'] }) + }) .reply(200, { // first audit 'test-dep-a': [advisory], }) - .post('/-/npm/v1/security/advisories/bulk') + .post('/-/npm/v1/security/advisories/bulk', body => { + const unzipped = JSON.parse(gunzip(Buffer.from(body, 'hex'))) + return t.same(unzipped, { 'test-dep-a': ['1.0.1'] }) + }) .reply(200, { // after fix - 'test-dep-a': [advisory], + 'test-dep-a': [], }) await npm.exec('audit', ['fix']) t.matchSnapshot(joinedOutput()) |