Merge pull request #27 from snyk/feat/unified-test-by-default

feat: DGP-691 - defaults OS test to use the unified Test API

Author: bsalomon-snyk

internal/commands/ostest/ostest.go

@@ -45,6 +45,9 @@ const FeatureFlagRiskScore = "feature_flag_experimental_risk_score"
 // FeatureFlagRiskScoreInCLI is used to gate the risk score feature in the CLI.
 const FeatureFlagRiskScoreInCLI = "feature_flag_experimental_risk_score_in_cli"
 
+// ForceLegacyCLIEnvVar is an internal environment variable to force the legacy CLI flow.
+const ForceLegacyCLIEnvVar = "SNYK_FORCE_LEGACY_CLI"
+
 // ApplicationJSONContentType matches the content type for legacy JSON findings records.
 const ApplicationJSONContentType = "application/json"
 
@@ -107,23 +110,33 @@ func OSWorkflow(
 		return runReachabilityFlow(ctx, config, errFactory, ictx, logger, sbom, sourceDir)
 
 	default:
-		riskScoreThreshold := config.GetInt(flags.FlagRiskScoreThreshold)
-		if !config.GetBool(flags.FlagUnifiedTestAPI) && riskScoreThreshold == -1 {
-			logger.Debug().Msg("Using legacy flow since risk score threshold and unified test flags are disabled")
+		if config.GetBool(ForceLegacyCLIEnvVar) {
+			logger.Debug().Msgf("Using legacy flow due to %s environment variable.", ForceLegacyCLIEnvVar)
 			return code_workflow.EntryPointLegacy(ictx)
 		}
 
-		// Unified test flow (with risk score threshold or unified-test flag)
+		ffRiskScore := config.GetBool(FeatureFlagRiskScore)
+		ffRiskScoreInCLI := config.GetBool(FeatureFlagRiskScoreInCLI)
+		useUnifiedFlow := ffRiskScore && ffRiskScoreInCLI
 
-		if riskScoreThreshold >= 0 {
-			if !config.GetBool(FeatureFlagRiskScore) {
+		// The unified test flow is only used if both risk score feature flags are enabled.
+		riskScoreThreshold := config.GetInt(flags.FlagRiskScoreThreshold)
+		if riskScoreThreshold != -1 && !useUnifiedFlow {
+			// The user tried to use a risk score threshold without the required feature flags.
+			// Return a specific error for the first missing flag found.
+			if !ffRiskScore {
 				return nil, errFactory.NewFeatureNotPermittedError(FeatureFlagRiskScore)
 			}
-			if !config.GetBool(FeatureFlagRiskScoreInCLI) {
-				return nil, errFactory.NewFeatureNotPermittedError(FeatureFlagRiskScoreInCLI)
-			}
+			return nil, errFactory.NewFeatureNotPermittedError(FeatureFlagRiskScoreInCLI)
 		}
 
+		if !useUnifiedFlow {
+			logger.Debug().Msg("Using legacy flow since one or both experimental risk score feature flags are not enabled.")
+			return code_workflow.EntryPointLegacy(ictx)
+		}
+
+		// Unified test flow
+
 		filename := config.GetString(flags.FlagFile)
 		if filename == "" {
 			logger.Error().Msg("No file specified for testing")

internal/commands/ostest/ostest_test.go

@@ -39,85 +39,37 @@ func TestOSWorkflow_LegacyFlow(t *testing.T) {
 	assert.NoError(t, err)
 }
 
-// TestOSWorkflow_UnifiedTestFlag tests the workflow when run with the unified test flag.
-func TestOSWorkflow_UnifiedTestFlag(t *testing.T) {
-	// Setup - Unified test flag set to true
-	ctrl := gomock.NewController(t)
-	defer ctrl.Finish()
-
-	mockEngine := mocks.NewMockEngine(ctrl)
-	mockInvocationCtx := createMockInvocationCtxWithURL(t, ctrl, mockEngine, mockServerURL)
-
-	// Set the unified test flag and required risk score feature flags
-	mockInvocationCtx.GetConfiguration().Set(flags.FlagUnifiedTestAPI, true)
-	mockInvocationCtx.GetConfiguration().Set(ostest.FeatureFlagRiskScore, true)
-	mockInvocationCtx.GetConfiguration().Set(ostest.FeatureFlagRiskScoreInCLI, true)
-
-	// Mock the depgraph workflow
-	mockEngine.EXPECT().
-		InvokeWithConfig(gomock.Any(), gomock.Any()).
-		Return(nil, assert.AnError).
-		Times(1)
-
-	// Execute
-	_, err := ostest.OSWorkflow(mockInvocationCtx, []workflow.Data{})
-
-	// Verify - Should return error from depgraph workflow
-	assert.Error(t, err)
-	assert.Contains(t, err.Error(), "failed to create depgraph")
-}
-
-// TestOSWorkflow_RiskScoreThreshold tests the workflow when run with a risk score threshold.
-func TestOSWorkflow_RiskScoreThreshold(t *testing.T) {
-	// Setup - Risk score threshold set
-	ctrl := gomock.NewController(t)
-	defer ctrl.Finish()
-
-	mockEngine := mocks.NewMockEngine(ctrl)
-	mockInvocationCtx := createMockInvocationCtxWithURL(t, ctrl, mockEngine, mockServerURL)
-
-	// Set a risk score threshold
-	mockInvocationCtx.GetConfiguration().Set(flags.FlagRiskScoreThreshold, 700)
-	// Enable Risk Score feature flags for this test case
-	mockInvocationCtx.GetConfiguration().Set(ostest.FeatureFlagRiskScore, true)
-	mockInvocationCtx.GetConfiguration().Set(ostest.FeatureFlagRiskScoreInCLI, true)
-
-	// Mock the depgraph workflow
-	mockEngine.EXPECT().
-		InvokeWithConfig(gomock.Any(), gomock.Any()).
-		Return(nil, assert.AnError).
-		Times(1)
-
-	// Execute
-	_, err := ostest.OSWorkflow(mockInvocationCtx, []workflow.Data{})
-
-	// Verify - Should return error from depgraph workflow
-	assert.Error(t, err)
-	assert.Contains(t, err.Error(), "failed to create depgraph")
-}
-
-// TestOSWorkflow_SBOMReachabilityFlag_MissingFF tests requirement of the SBOM reachability feature flag.
-func TestOSWorkflow_SBOMReachabilityFlag_MissingFF(t *testing.T) {
-	// Setup - Unified test flag set to true
-	ctrl := gomock.NewController(t)
-	defer ctrl.Finish()
-
-	mockEngine := mocks.NewMockEngine(ctrl)
-	mockInvocationCtx := createMockInvocationCtxWithURL(t, ctrl, mockEngine, mockServerURL)
-
-	// Set the sbom reachability flags
-	mockInvocationCtx.GetConfiguration().Set(flags.FlagReachability, true)
-	mockInvocationCtx.GetConfiguration().Set(flags.FlagSBOM, "bom.json")
-
-	// Execute
-	_, err := ostest.OSWorkflow(mockInvocationCtx, []workflow.Data{})
-
-	// Verify - Should return feature not permitted error
-	assert.Error(t, err)
-	assert.Contains(t, err.Error(), "The feature you are trying to use is not available for your organization")
+func TestOSWorkflow_ForceLegacyFlowWithEnvVar(t *testing.T) {
+	t.Run("forces legacy flow when env var is set, even with unified flow flags", func(t *testing.T) {
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+
+		mockEngine := mocks.NewMockEngine(ctrl)
+		mockInvocationCtx := createMockInvocationCtxWithURL(t, ctrl, mockEngine, mockServerURL)
+
+		// Setup: set the env var and all flags that would normally trigger the unified flow
+		config := mockInvocationCtx.GetConfiguration()
+		config.Set(ostest.ForceLegacyCLIEnvVar, true)
+		config.Set(ostest.FeatureFlagRiskScore, true)
+		config.Set(ostest.FeatureFlagRiskScoreInCLI, true)
+		config.Set(flags.FlagRiskScoreThreshold, 500)
+
+		// Mock the legacy flow, which should be called despite the unified flow flags
+		mockEngine.EXPECT().
+			InvokeWithConfig(gomock.Any(), gomock.Any()).
+			Return([]workflow.Data{}, nil).
+			Times(1)
+
+		// Execute
+		_, err := ostest.OSWorkflow(mockInvocationCtx, []workflow.Data{})
+
+		// Verify
+		assert.NoError(t, err)
+	})
 }
 
-// TODO: Test combinations with sbom and reachability flags.
+// TestOSWorkflow_FlagCombinations tests various flag combinations to ensure correct routing
+// between the legacy, unified, and reachability test flows.
 func TestOSWorkflow_FlagCombinations(t *testing.T) {
 	tests := []struct {
 		name          string
@@ -127,7 +79,6 @@ func TestOSWorkflow_FlagCombinations(t *testing.T) {
 		{
 			name: "Unified test API flag set to true, expects depgraph error",
 			setup: func(config configuration.Configuration, mockEngine *mocks.MockEngine) {
-				config.Set(flags.FlagUnifiedTestAPI, true)
 				config.Set(ostest.FeatureFlagRiskScore, true)
 				config.Set(ostest.FeatureFlagRiskScoreInCLI, true)
 				mockEngine.EXPECT().
@@ -167,20 +118,6 @@ func TestOSWorkflow_FlagCombinations(t *testing.T) {
 			},
 			expectedError: "failed to create depgraph",
 		},
-		{
-			name: "Both unified test and risk score set",
-			setup: func(config configuration.Configuration, mockEngine *mocks.MockEngine) {
-				config.Set(flags.FlagUnifiedTestAPI, true)
-				config.Set(flags.FlagRiskScoreThreshold, 700)
-				config.Set(ostest.FeatureFlagRiskScore, true)
-				config.Set(ostest.FeatureFlagRiskScoreInCLI, true)
-				mockEngine.EXPECT().
-					InvokeWithConfig(gomock.Any(), gomock.Any()).
-					Return(nil, assert.AnError).
-					Times(1)
-			},
-			expectedError: "failed to create depgraph",
-		},
 		{
 			name: "SBOM reachability without feature flag",
 			setup: func(config configuration.Configuration, _ *mocks.MockEngine) {
@@ -193,7 +130,8 @@ func TestOSWorkflow_FlagCombinations(t *testing.T) {
 		{
 			name: "Severity threshold set with unified test flag, expects depgraph error",
 			setup: func(config configuration.Configuration, mockEngine *mocks.MockEngine) {
-				config.Set(flags.FlagUnifiedTestAPI, true)
+				config.Set(ostest.FeatureFlagRiskScore, true)
+				config.Set(ostest.FeatureFlagRiskScoreInCLI, true)
 				config.Set(flags.FlagSeverityThreshold, "high")
 				mockEngine.EXPECT().
 					InvokeWithConfig(gomock.Any(), gomock.Any()).
@@ -227,6 +165,30 @@ func TestOSWorkflow_FlagCombinations(t *testing.T) {
 			},
 			expectedError: "", // No error, should succeed via legacy path
 		},
+		{
+			name: "Only one risk score FF enabled, uses legacy flow",
+			setup: func(config configuration.Configuration, mockEngine *mocks.MockEngine) {
+				config.Set(ostest.FeatureFlagRiskScore, true)
+				// ffRiskScoreInCLI is false by default
+				mockEngine.EXPECT().
+					InvokeWithConfig(gomock.Any(), gomock.Any()).
+					Return([]workflow.Data{}, nil).
+					Times(1)
+			},
+			expectedError: "", // No error, should succeed via legacy path
+		},
+		{
+			name: "Only CLI risk score FF enabled, uses legacy flow",
+			setup: func(config configuration.Configuration, mockEngine *mocks.MockEngine) {
+				config.Set(ostest.FeatureFlagRiskScoreInCLI, true)
+				// ffRiskScore is false by default
+				mockEngine.EXPECT().
+					InvokeWithConfig(gomock.Any(), gomock.Any()).
+					Return([]workflow.Data{}, nil).
+					Times(1)
+			},
+			expectedError: "", // No error, should succeed via legacy path
+		},
 	}
 
 	for _, test := range tests {
@@ -266,7 +228,6 @@ func createMockInvocationCtxWithURL(t *testing.T, ctrl *gomock.Controller, engin
 	mockConfig.Set(configuration.API_URL, sbomServiceURL)
 
 	// Initialize with default values for our flags
-	mockConfig.Set(flags.FlagUnifiedTestAPI, false)
 	mockConfig.Set(flags.FlagRiskScoreThreshold, -1)
 	mockConfig.Set(flags.FlagFile, "test-file.txt") // Add default test file
 

internal/flags/flags.go

@@ -9,7 +9,6 @@ const (
 	FlagProjectName        = "project-name"
 	FlagRiskScoreThreshold = "risk-score-threshold"
 	FlagSeverityThreshold  = "severity-threshold"
-	FlagUnifiedTestAPI     = "unified-test"
 
 	// SBOM reachability.
 	FlagReachability = "reachability"
@@ -67,7 +66,6 @@ func OSTestFlagSet() *pflag.FlagSet {
 	flagSet.String(FlagFile, "", "Specify a package file.")
 	flagSet.String(FlagProjectName, "", "Specify a name for the project.")
 
-	flagSet.Bool(FlagUnifiedTestAPI, false, "Use the unified test API workflow.")
 	flagSet.Int(FlagRiskScoreThreshold, -1, "Include findings at or over this risk score threshold.")
 	flagSet.String(FlagSeverityThreshold, "", "Report only findings at the specified level or higher.")