Fix Scan Pull Request failing tests (#1240)

Author: eranturgeman

scanpullrequest/scanpullrequest_test.go

@@ -31,7 +31,6 @@ import (
 	coreconfig "github.com/jfrog/jfrog-cli-core/v2/utils/config"
 	"github.com/jfrog/jfrog-cli-security/utils/formats"
 	"github.com/jfrog/jfrog-cli-security/utils/results"
-	"github.com/jfrog/jfrog-client-go/utils/io/fileutils"
 	"github.com/stretchr/testify/assert"
 
 	"github.com/jfrog/frogbot/v2/utils"
@@ -56,8 +55,11 @@ var basicConfigProfile = services2.ConfigProfile{
 			ModuleName:   "test-module",
 			PathFromRoot: ".",
 			ScanConfig: services2.ScanConfig{
-				ScaScannerConfig:  services2.ScaScannerConfig{EnableScaScan: true},
-				SastScannerConfig: services2.SastScannerConfig{EnableSastScan: true},
+				ScaScannerConfig:                services2.ScaScannerConfig{EnableScaScan: true},
+				SastScannerConfig:               services2.SastScannerConfig{EnableSastScan: true},
+				ContextualAnalysisScannerConfig: services2.CaScannerConfig{EnableCaScan: true},
+				SecretsScannerConfig:            services2.SecretsScannerConfig{EnableSecretsScan: true},
+				IacScannerConfig:                services2.IacScannerConfig{EnableIacScan: true},
 			},
 		},
 	},
@@ -1353,19 +1355,11 @@ func preparePullRequestTest(t *testing.T, projectName string) (utils.Repository,
 			Target: vcsclient.BranchInfo{Name: testTargetBranchName, Repository: projectName, Owner: owner},
 		},
 	}
-	server := httptest.NewServer(createGitLabHandler(t, gitServerParams))
-
 	testDir, cleanUp := utils.CopyTestdataProjectsToTemp(t, "scanpullrequest")
+	server := httptest.NewServer(createGitLabHandler(t, testDir, gitServerParams))
 	config, client := prepareConfigAndClient(t, xrayVersion, xscVersion, server, params, gitServerParams)
 
-	// Renames test git folder to .git
-	currentDir := filepath.Join(testDir, projectName)
-	restoreDir, err := utils.Chdir(currentDir)
-	assert.NoError(t, err)
-
 	return config, client, func() {
-		assert.NoError(t, restoreDir())
-		assert.NoError(t, fileutils.RemoveTempDir(currentDir))
 		cleanUp()
 		server.Close()
 		restoreEnv()
@@ -1379,7 +1373,7 @@ type GitServerParams struct {
 }
 
 // Create HTTP handler to mock GitLab server
-func createGitLabHandler(t *testing.T, params GitServerParams) http.HandlerFunc {
+func createGitLabHandler(t *testing.T, testDir string, params GitServerParams) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		repoInfo := params.RepoOwner + "%2F" + params.RepoName
 		switch {
@@ -1389,28 +1383,26 @@ func createGitLabHandler(t *testing.T, params GitServerParams) http.HandlerFunc
 		// Mimic get pull request by ID
 		case r.RequestURI == fmt.Sprintf("/api/v4/projects/%s/merge_requests/%d", repoInfo, params.prDetails.ID):
 			w.WriteHeader(http.StatusOK)
-			// expectedResponse, err := os.ReadFile(filepath.Join("..", "expectedPullRequestDetailsResponse.json"))
-			// assert.NoError(t, err)
 			_, err := fmt.Fprintf(w, `{ "id": %d, "iid": 133, "project_id": 15513260, "title": "Dummy pull request", "description": "this is pr description", "state": "opened", "target_branch": "%s", "source_branch": "%s", "author": {"username": "testuser"}}`, params.prDetails.ID, params.prDetails.Target.Name, params.prDetails.Source.Name)
 			assert.NoError(t, err)
 		// Mimic download specific branch to scan
 		case r.RequestURI == fmt.Sprintf("/api/v4/projects/%s/repository/archive.tar.gz?sha=%s", repoInfo, params.prDetails.Source.Name):
 			w.WriteHeader(http.StatusOK)
-			repoFile, err := os.ReadFile(filepath.Join("..", params.RepoName, "sourceBranch.gz"))
+			repoFile, err := os.ReadFile(filepath.Join(testDir, params.RepoName, "sourceBranch.gz"))
 			assert.NoError(t, err)
 			_, err = w.Write(repoFile)
 			assert.NoError(t, err)
 		// Download repository mock
 		case r.RequestURI == fmt.Sprintf("/api/v4/projects/%s/repository/archive.tar.gz?sha=%s", repoInfo, params.prDetails.Target.Name):
 			w.WriteHeader(http.StatusOK)
-			repoFile, err := os.ReadFile(filepath.Join("..", params.RepoName, "targetBranch.gz"))
+			repoFile, err := os.ReadFile(filepath.Join(testDir, params.RepoName, "targetBranch.gz"))
 			assert.NoError(t, err)
 			_, err = w.Write(repoFile)
 			assert.NoError(t, err)
 			return
 		case r.RequestURI == fmt.Sprintf("/api/v4/projects/%s/merge_requests/133/notes", repoInfo) && r.Method == http.MethodGet:
 			w.WriteHeader(http.StatusOK)
-			comments, err := os.ReadFile(filepath.Join("..", "commits.json"))
+			comments, err := os.ReadFile(filepath.Join(testDir, "commits.json"))
 			assert.NoError(t, err)
 			_, err = w.Write(comments)
 			assert.NoError(t, err)
@@ -1430,11 +1422,10 @@ func createGitLabHandler(t *testing.T, params GitServerParams) http.HandlerFunc
 
 			var expectedResponse []byte
 			if strings.Contains(params.RepoName, "multi-dir") {
-				expectedResponse = outputwriter.GetJsonBodyOutputFromFile(t, filepath.Join("..", "expected_response_multi_dir.md"))
+				expectedResponse = outputwriter.GetJsonBodyOutputFromFile(t, filepath.Join(testDir, "expected_response_multi_dir.md"))
 			} else {
-				expectedResponse = outputwriter.GetJsonBodyOutputFromFile(t, filepath.Join("..", "expected_response.md"))
+				expectedResponse = outputwriter.GetJsonBodyOutputFromFile(t, filepath.Join(testDir, "expected_response.md"))
 			}
-			assert.NoError(t, err)
 			assert.JSONEq(t, string(expectedResponse), buf.String())
 
 			w.WriteHeader(http.StatusOK)
@@ -1445,7 +1436,7 @@ func createGitLabHandler(t *testing.T, params GitServerParams) http.HandlerFunc
 			_, err := w.Write([]byte(jsonResponse))
 			assert.NoError(t, err)
 		case r.RequestURI == fmt.Sprintf("/api/v4/projects/%s/merge_requests/133/discussions", repoInfo):
-			discussions, err := os.ReadFile(filepath.Join("..", "list_merge_request_discussion_items.json"))
+			discussions, err := os.ReadFile(filepath.Join(testDir, "list_merge_request_discussion_items.json"))
 			assert.NoError(t, err)
 			_, err = w.Write(discussions)
 			assert.NoError(t, err)

testdata/scanpullrequest/expected_response.md

@@ -23,14 +23,9 @@
 
 ### 📦 Vulnerable Dependencies
 
-<div align='center'>
-
-| Severity                | ID                  | Contextual Analysis                  | Direct Dependencies                  | Impacted Dependency                  | Fixed Versions                  |
-| :---------------------: | :-----------------------------------: | :-----------------------------------: | :-----------------------------------: | :-----------------------------------: | :-----------------------------------: |
-| ![critical (not applicable)](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/notApplicableCritical.png)<br>Critical | CVE-2021-44906 | Not Applicable | minimist:1.2.5 | minimist 1.2.5 | [0.2.4]<br>[1.2.6] |
-
-</div>
-
+| Severity                | ID                  | Contextual Analysis                  | Dependency Path                  |
+| :---------------------: | :-----------------------------------: | :-----------------------------------: | ----------------------------------- |
+| ![critical (not applicable)](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/notApplicableCritical.png)<br>Critical | CVE-2021-44906 | Not Applicable | <details><summary><b>1 Direct</b></summary>minimist:1.2.5<br></details> |
 
 ### 🔖 Details
 
@@ -39,36 +34,11 @@
 ### Vulnerability Details
 |                 |                   |
 | --------------------- | :-----------------------------------: |
-| **Jfrog Research Severity:** | <img src="https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/smallHigh.svg" alt=""/> High |
 | **Contextual Analysis:** | Not Applicable |
-| **Direct Dependencies:** | minimist:1.2.5 |
-| **Impacted Dependency:** | minimist:1.2.5 |
-| **Fixed Versions:** | [0.2.4], [1.2.6] |
 | **CVSS V3:** | 9.8 |
+| **Dependency Path:** | <details><summary><b>minimist: 1.2.5 (Direct)</b></summary>Fix Version: 1.2.6<br></details> |
 
-Insufficient input validation in Minimist npm package leads to prototype pollution of constructor functions when parsing arbitrary arguments.
-
-### 🔬 JFrog Research Details
-
-**Description:**
-[Minimist](https://github.com/substack/minimist) is a simple and very popular argument parser. It is used by more than 14 million by Mar 2022. This package developers stopped developing it since April 2020 and its community released a [newer version](https://github.com/meszaros-lajos-gyorgy/minimist-lite) supported by the community.
-
-
-An incomplete fix for [CVE-2020-7598](https://nvd.nist.gov/vuln/detail/CVE-2020-7598) partially blocked prototype pollution attacks. Researchers discovered that it does not check for constructor functions which means they can be overridden. This behavior can be triggered easily when using it insecurely (which is the common usage). For example:
-```
-var argv = parse(['--_.concat.constructor.prototype.y', '123']);
-t.equal((function(){}).foo, undefined);
-t.equal(argv.y, undefined);
-```
-In this example, `prototype.y`  is assigned with `123` which will be derived to every newly created object. 
-
-This vulnerability can be triggered when the attacker-controlled input is parsed using Minimist without any validation. As always with prototype pollution, the impact depends on the code that follows the attack, but denial of service is almost always guaranteed.
-
-**Remediation:**
-##### Development mitigations
-
-Add the `Object.freeze(Object.prototype);` directive once at the beginning of your main JS source code file (ex. `index.js`), preferably after all your `require` directives. This will prevent any changes to the prototype object, thus completely negating prototype pollution attacks.
-
+Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file `index.js`, function `setKey()` (lines 69-95).
 
 ---
 <div align='center'>