Merge pull request #6029 from snyk/fix/UNIFY-667_unmanaged_json_ignores

fix: unmanaged json output to use ignores file

Author: PeterSchafer

src/lib/ecosystems/resolve-test-facts.ts

@@ -1,37 +1,37 @@
-import { AuthFailedError } from '../errors';
-import { Options, PolicyOptions } from '../types';
 import { spinner } from '../../lib/spinner';
+import { sleep } from '../common';
+import { AuthFailedError } from '../errors';
+import { findAndLoadPolicy } from '../policy';
+import {
+  createDepGraph,
+  getDepGraph,
+  getIssues,
+  pollingTestWithTokenUntilDone,
+  requestTestPollingToken,
+} from '../polling/polling-test';
+import { SEVERITY } from '../snyk-test/common';
+import { Issue, IssueDataUnmanaged } from '../snyk-test/legacy';
+import { Options, PolicyOptions, SupportedProjectTypes } from '../types';
+import { extractAndApplyPluginAnalytics } from './plugin-analytics';
+import { filterIgnoredIssues } from './policy';
 import {
   Ecosystem,
+  FileSignaturesDetails,
   ScanResult,
   TestResult,
-  FileSignaturesDetails,
 } from './types';
 import {
+  Attributes,
   CreateDepGraphResponse,
-  GetIssuesResponse,
   FileHashes,
-  Attributes,
+  GetIssuesResponse,
 } from './unmanaged/types';
-import {
-  requestTestPollingToken,
-  pollingTestWithTokenUntilDone,
-  createDepGraph,
-  getDepGraph,
-  getIssues,
-} from '../polling/polling-test';
-import { extractAndApplyPluginAnalytics } from './plugin-analytics';
-import { findAndLoadPolicy } from '../policy';
-import { filterIgnoredIssues } from './policy';
-import { IssueDataUnmanaged, Issue } from '../snyk-test/legacy';
 import {
   convertDepGraph,
   convertMapCasing,
   convertToCamelCase,
   getOrg,
 } from './unmanaged/utils';
-import { sleep } from '../common';
-import { SEVERITY } from '../snyk-test/common';
 
 export async function resolveAndTestFacts(
   ecosystem: Ecosystem,
@@ -152,6 +152,21 @@ async function fetchIssues(
   };
 }
 
+function buildVulnerabilityFromIssue(
+  issueData: IssueDataUnmanaged,
+  issue: Issue,
+  packageManager: SupportedProjectTypes,
+): IssueDataUnmanaged {
+  const pkgCoordinate = `${issue.pkgName}@${issue.pkgVersion}`;
+  issueData.from = [pkgCoordinate];
+  issueData.name = pkgCoordinate;
+  issueData.packageManager = packageManager;
+  issueData.version = issue.pkgVersion || '';
+  issueData.upgradePath = [false];
+  issueData.isPatchable = false;
+  return issueData;
+}
+
 export async function resolveAndTestFactsUnmanagedDeps(
   scans: {
     [dir: string]: ScanResult[];
@@ -203,25 +218,11 @@ export async function resolveAndTestFactsUnmanagedDeps(
           orgId,
         );
 
-        const issuesMap: Map<string, Issue> = new Map();
+        const issuesMap = new Map<string, Issue>();
         issues.forEach((i) => {
-          issuesMap[i.issueId] = i;
+          issuesMap.set(i.issueId, i);
         });
 
-        const vulnerabilities: IssueDataUnmanaged[] = [];
-        for (const issuesDataKey in issuesData) {
-          const pkgCoordinate = `${issuesMap[issuesDataKey]?.pkgName}@${issuesMap[issuesDataKey]?.pkgVersion}`;
-          const issueData = issuesData[issuesDataKey];
-
-          issueData.from = [pkgCoordinate];
-          issueData.name = pkgCoordinate;
-          issueData.packageManager = packageManager;
-          issueData.version = issuesMap[issuesDataKey]?.pkgVersion;
-          issueData.upgradePath = [false];
-          issueData.isPatchable = false;
-          vulnerabilities.push(issueData);
-        }
-
         const policy = await findAndLoadPolicy(path, 'cpp', options);
 
         const [issuesFiltered, issuesDataFiltered] = filterIgnoredIssues(
@@ -230,6 +231,37 @@ export async function resolveAndTestFactsUnmanagedDeps(
           policy,
         );
 
+        // Build vulnerabilities array from filtered data.
+        const vulnerabilities: IssueDataUnmanaged[] = [];
+        for (const issuesDataKey in issuesDataFiltered) {
+          const issue = issuesMap.get(issuesDataKey);
+          if (issue) {
+            const issueData = issuesDataFiltered[
+              issuesDataKey
+            ] as IssueDataUnmanaged;
+            vulnerabilities.push(
+              buildVulnerabilityFromIssue(issueData, issue, packageManager),
+            );
+          }
+        }
+
+        // Build filtered.ignore array with ignored vulnerabilities
+        const filteredIgnore: IssueDataUnmanaged[] = [];
+        for (const issuesDataKey in issuesData) {
+          // If the issue was in the original data but not in the filtered data, it was ignored
+          if (!(issuesDataKey in issuesDataFiltered)) {
+            const issue = issuesMap.get(issuesDataKey);
+            if (issue) {
+              const issueData = {
+                ...issuesData[issuesDataKey],
+              } as IssueDataUnmanaged;
+              filteredIgnore.push(
+                buildVulnerabilityFromIssue(issueData, issue, packageManager),
+              );
+            }
+          }
+        }
+
         extractAndApplyPluginAnalytics([
           {
             name: 'packageManager',
@@ -256,6 +288,9 @@ export async function resolveAndTestFactsUnmanagedDeps(
           dependencyCount,
           packageManager,
           displayTargetFile,
+          filtered: {
+            ignore: filteredIgnore,
+          },
         });
       } catch (error) {
         const hasStatusCodeError = error.code >= 400 && error.code <= 500;
@@ -312,20 +347,21 @@ export async function resolveAndTestFactsRegistry(
           policy,
         );
 
-        const issuesMap: Map<string, Issue> = new Map();
+        const issuesMap = new Map<string, Issue>();
         response.issues.forEach((i) => {
-          issuesMap[i.issueId] = i;
+          issuesMap.set(i.issueId, i);
         });
 
         const vulnerabilities: IssueDataUnmanaged[] = [];
         for (const issuesDataKey in response.issuesData) {
-          if (issuesMap[issuesDataKey]) {
+          const issue = issuesMap.get(issuesDataKey);
+          if (issue) {
             const issueData = response.issuesData[issuesDataKey];
-            const pkgCoordinate = `${issuesMap[issuesDataKey].pkgName}@${issuesMap[issuesDataKey].pkgVersion}`;
+            const pkgCoordinate = `${issue.pkgName}@${issue.pkgVersion}`;
             issueData.from = [pkgCoordinate];
             issueData.name = pkgCoordinate;
             issueData.packageManager = packageManager;
-            issueData.version = issuesMap[issuesDataKey]?.pkgVersion;
+            issueData.version = issue.pkgVersion || '';
             issueData.upgradePath = [false];
             issueData.isPatchable = false;
             vulnerabilities.push(issueData);

test/acceptance/fake-server.ts

@@ -3,10 +3,10 @@ import * as express from 'express';
 import * as fs from 'fs';
 import * as http from 'http';
 import * as https from 'https';
-import * as path from 'path';
 import * as net from 'net';
-import { getFixturePath } from '../jest/util/getFixturePath';
 import * as os from 'os';
+import * as path from 'path';
+import { getFixturePath } from '../jest/util/getFixturePath';
 
 const featureFlagDefaults = (): Map<string, boolean> => {
   return new Map([
@@ -285,6 +285,88 @@ export const fakeServer = (basePath: string, snykToken: string): FakeServer => {
     res.send(defaultResponse);
   });
 
+  app.post('/hidden/orgs/:orgId/unmanaged_ecosystem/depgraphs', (req, res) => {
+    res.status(201);
+    res.send({
+      jsonapi: { version: '1.0' },
+      links: { self: req.url },
+      data: {
+        id: 'test-dep-graph-id',
+        type: 'unmanaged-dep-graph',
+        location: `/orgs/${req.params.orgId}/unmanaged_ecosystem/depgraphs/test-dep-graph-id`,
+      },
+    });
+  });
+
+  app.get(
+    '/hidden/orgs/:orgId/unmanaged_ecosystem/depgraphs/:id',
+    (req, res) => {
+      const result = customResponse?.result as any;
+      const depGraphData = result?.depGraphData || {};
+
+      res.status(200);
+      res.send({
+        jsonapi: { version: '1.0' },
+        links: { self: req.url },
+        data: {
+          id: req.params.id,
+          type: 'unmanaged-dep-graph',
+          attributes: {
+            start_time: Date.now(),
+            in_progress: false,
+            dep_graph_data: depGraphData,
+            component_details: {},
+          },
+        },
+      });
+    },
+  );
+
+  app.post('/hidden/orgs/:orgId/unmanaged_ecosystem/issues', (req, res) => {
+    if (customResponse && customResponse.result) {
+      // Convert camelCase fixture format to snake_case API format
+      const result = customResponse.result as any;
+
+      const apiResult: any = {
+        start_time: Date.now(),
+        issues: result.issues || [],
+        issues_data: result.issuesData || {},
+        dep_graph: result.depGraphData || {},
+        deps_file_paths: result.depsFilePaths || {},
+        file_signatures_details: result.fileSignaturesDetails || {},
+        type: 'unmanaged',
+      };
+
+      res.status(200);
+      res.send({
+        jsonapi: { version: '1.0' },
+        links: { self: req.url },
+        data: {
+          id: 'test-issues-id',
+          result: apiResult,
+        },
+      });
+      return;
+    }
+    res.status(200);
+    res.send({
+      jsonapi: { version: '1.0' },
+      links: { self: req.url },
+      data: {
+        id: 'test-issues-id',
+        result: {
+          start_time: Date.now(),
+          issues: [],
+          issues_data: {},
+          dep_graph: {},
+          deps_file_paths: {},
+          file_signatures_details: {},
+          type: 'unmanaged',
+        },
+      },
+    });
+  });
+
   app.get(basePath + '/vuln/:registry/:module', (req, res) => {
     try {
       // Use one of the fixtures if it exists.

test/fixtures/unmanaged/test-dep-graph-result-with-ignore.json

@@ -0,0 +1,109 @@
+{
+  "result": {
+    "issues": [
+      {
+        "issueId": "SNYK-UNMANAGED-CPIO-2319543",
+        "pkgName": "https://ftp.gnu.org|cpio",
+        "pkgVersion": "2.12",
+        "fixInfo": {
+          "isPatchable": false,
+          "nearestFixedInVersion": "",
+          "upgradePaths": []
+        }
+      }
+    ],
+    "issuesData": {
+      "SNYK-UNMANAGED-CPIO-2319543": {
+        "id": "SNYK-UNMANAGED-CPIO-2319543",
+        "packageManager": "Unmanaged (C/C++)",
+        "packageName": "https://ftp.gnu.org|cpio",
+        "severity": "medium",
+        "isIgnored": true,
+        "name": "https://ftp.gnu.org|[email protected]",
+        "version": "2.12",
+        "from": [
+          "https://ftp.gnu.org|[email protected]"
+        ],
+        "upgradePath": [
+          false
+        ],
+        "ignoreReasons": [
+          {
+            "reason": "Test ignore",
+            "created": "2024-01-01T00:00:00.000Z",
+            "expires": "2026-01-01T00:00:00.000Z"
+          }
+        ]
+      }
+    },
+    "depGraphData": {
+      "schemaVersion": "1.2.0",
+      "pkgManager": {
+        "name": "unmanaged",
+        "repositories": []
+      },
+      "pkgs": [
+        {
+          "id": "https://ftp.gnu.org|[email protected]",
+          "info": {
+            "name": "https://ftp.gnu.org|cpio",
+            "version": "2.12"
+          }
+        }
+      ],
+      "graph": {
+        "rootNodeId": "root-node",
+        "nodes": [
+          {
+            "nodeId": "root-node",
+            "pkgId": "https://ftp.gnu.org|[email protected]",
+            "deps": []
+          }
+        ]
+      }
+    },
+    "depsFilePaths": {
+      "https://ftp.gnu.org|[email protected]": [
+        "deps/cpio-2.12/src/cpio.c"
+      ]
+    },
+    "fileSignaturesDetails": {
+      "https://ftp.gnu.org|[email protected]": {
+        "filePaths": [
+          "deps/cpio-2.12/src/cpio.c"
+        ],
+        "confidence": 1
+      }
+    },
+    "vulnerabilities": [],
+    "filtered": {
+      "ignore": [
+        {
+          "id": "SNYK-UNMANAGED-CPIO-2319543",
+          "packageManager": "Unmanaged (C/C++)",
+          "name": "https://ftp.gnu.org|[email protected]",
+          "version": "2.12",
+          "from": [
+            "https://ftp.gnu.org|[email protected]"
+          ],
+          "upgradePath": [
+            false
+          ],
+          "isPatchable": false,
+          "ignoreReasons": [
+            {
+              "reason": "Test ignore",
+              "created": "2024-01-01T00:00:00.000Z",
+              "expires": "2026-01-01T00:00:00.000Z"
+            }
+          ]
+        }
+      ]
+    },
+    "dependencyCount": 1
+  },
+  "meta": {
+    "org": "test-org",
+    "isPrivate": false
+  }
+}