fix: using sync file system methods, defensive checks and added logs

Author: dylanmorley

.github/CONTRIBUTING.md

@@ -9,6 +9,37 @@ Unit tests can be run via `npm run test:unit` command.
 
 To run the code, a GitHub PR against `develop` should be raised with the committed code to the branch PR. The PR runs deployment script with deploy to development environment. The script builds the code that's added as part of your change and installs it in Azure DevOps organization as an extension that can be added to run a pipeline.
 
+### Local debugging
+
+A number of environment variable are required for debugging, here's an example launch config for `VSCode` that sets mandatory parameters such as `AGENT_TEMPDIRECTORY`, `INPUT_failOnIssues` and `INPUT_authToken`
+
+```
+{
+    "version": "0.2.0",
+    "configurations": [
+        {
+            "type": "node",
+            "request": "launch",
+            "name": "Launch Program",
+            "program": "${workspaceFolder}/snykTask/src/index.ts",
+            "env": {
+                "AGENT_TEMPDIRECTORY": "some/temp/path",
+                "INPUT_failOnIssues": "true",
+                "INPUT_authToken": "your-auth-token-guid-from-portal", 
+                "INPUT_targetFile": "path-to-visual-studio-solution.sln", 
+                "INPUT_organization" : "your-org-guid-from-portal",
+                "INPUT_monitorWhen" : "never",
+                "INPUT_severityThreshold" : "low",
+                "INPUT_failOnThreshold" : "critical"
+              },            
+            "outFiles": [
+                "${workspaceFolder}/**/*.js"
+            ]
+        }
+    ]
+}
+```
+
 ## Release
 The release process is fully-automated: all you need to do is create a PR to merge `develop` into `master` and call the PR `Merge develop into master for release`.
 

snykTask/src/__tests__/task-lib.test.ts

@@ -46,19 +46,29 @@ test('getOptionsToExecuteSnyk builds IExecOptions like we need it', () => {
   expect(options.ignoreReturnCode).toBe(true);
 });
 
-test('finds vulnerabilities greater than medium threshold', async () => {
+test('finds vulnerabilities greater than medium threshold', () => {
   const fixturePath = 'snykTask/test/fixtures/high-vulnerabilities.json';
-  const itemsFound = await doVulnerabilitiesExistForFailureThreshold(
+  const itemsFound = doVulnerabilitiesExistForFailureThreshold(
     fixturePath,
     'medium',
   );
 
   expect(itemsFound).toBe(true);
 });
 
-test('ignores vulnerabilities lower than high threshold', async () => {
+test('defaults to found when file does not exist', () => {
+  const fixturePath = 'snykTask/test/fixtures/does-not-exist.json';
+  const itemsFound = doVulnerabilitiesExistForFailureThreshold(
+    fixturePath,
+    'medium',
+  );
+
+  expect(itemsFound).toBe(true);
+});
+
+test('ignores vulnerabilities lower than high threshold', () => {
   const fixturePath = 'snykTask/test/fixtures/low-vulnerabilities.json';
-  const itemsFound = await doVulnerabilitiesExistForFailureThreshold(
+  const itemsFound = doVulnerabilitiesExistForFailureThreshold(
     fixturePath,
     'high',
   );

snykTask/src/index.ts

@@ -403,7 +403,7 @@ async function run() {
     ) {
       const failureThreshold: string = taskArgs.failOnThreshold;
       const matchingVulnerabilitiesFound =
-        await doVulnerabilitiesExistForFailureThreshold(
+        doVulnerabilitiesExistForFailureThreshold(
           jsonReportFullPath,
           failureThreshold,
         );

snykTask/src/task-lib.ts

@@ -3,7 +3,6 @@ import * as tr from 'azure-pipelines-task-lib/toolrunner';
 import * as tl from 'azure-pipelines-task-lib/task';
 import stream = require('stream');
 import * as fs from 'fs';
-import * as fsPromises from 'fs/promises';
 import * as path from 'path';
 
 export const JSON_ATTACHMENT_TYPE = 'JSON_ATTACHMENT_TYPE';
@@ -109,19 +108,32 @@ export function getSeverityOrdinal(severity: string): number {
   throw new Error(`Cannot get severity ordinal for ${severity} severity`);
 }
 
-export async function doVulnerabilitiesExistForFailureThreshold(
+export function doVulnerabilitiesExistForFailureThreshold(
   filePath: string,
   threshold: string,
-): Promise<boolean> {
-  const file = await fsPromises.readFile(filePath, 'utf8');
+): boolean {
+  if (!fs.existsSync(filePath)) {
+    console.log(
+      `${filePath} does not exist...cannot use it to search for vulnerabilities, defaulting to detected`,
+    );
+    return true;
+  }
+
+  const file = fs.readFileSync(filePath, 'utf8');
   const json = JSON.parse(file);
   const thresholdOrdinal = getSeverityOrdinal(threshold);
 
-  for (const vulnerability of json['vulnerabilities']) {
-    if (getSeverityOrdinal(vulnerability['severity']) >= thresholdOrdinal) {
-      return true;
+  for (let i = 0; i < json.length; i++) {
+    let project = json[i];
+    for (const vulnerability of project['vulnerabilities']) {
+      if (getSeverityOrdinal(vulnerability['severity']) >= thresholdOrdinal) {
+        return true;
+      }
     }
   }
 
+  console.log(
+    `no vulnerabilities of at least '${threshold}' severity were detected, not failing build`,
+  );
   return false;
 }

snykTask/test/fixtures/high-vulnerabilities.json

@@ -1,13 +1,15 @@
-{
-  "vulnerabilities": [
-    {
-      "severity": "critical"
-    },
-    {
-      "severity": "high"
-    }    
-  ],
-  "ok": true,
-  "dependencyCount": 0,
-  "org": "demo-applications"
-}
+[
+  {
+    "vulnerabilities": [
+      {
+        "severity": "critical"
+      },
+      {
+        "severity": "high"
+      }    
+    ],
+    "ok": true,
+    "dependencyCount": 0,
+    "org": "demo-applications"
+    }
+]

snykTask/test/fixtures/low-vulnerabilities.json

@@ -1,13 +1,15 @@
-{
-  "vulnerabilities": [
-    {
-      "severity": "medium"
-    },
-    {
-      "severity": "low"
-    }    
-  ],
-  "ok": true,
-  "dependencyCount": 0,
-  "org": "demo-applications"
-}
+[
+  {
+    "vulnerabilities": [
+      {
+        "severity": "medium"
+      },
+      {
+        "severity": "low"
+      }    
+    ],
+    "ok": true,
+    "dependencyCount": 0,
+    "org": "demo-applications"
+  }  
+]