feat: add legal instructions

snyk · Aug 9, 2019 · 5e4e3f2 · 5e4e3f2
1 parent 28e44ae
commit 5e4e3f2
Show file tree

Hide file tree

Showing 8 changed files with 766 additions and 6 deletions.
diff --git a/src/cli/commands/test/formatters/legacy-format-issue.ts b/src/cli/commands/test/formatters/legacy-format-issue.ts
@@ -42,6 +42,7 @@ export function formatIssues(vuln: GroupedVuln, options: Options & TestOptions)
       : '',
     fixedIn: options.docker ? createFixedInText(vuln) : '',
     dockerfilePackage: options.docker ? dockerfileInstructionText(vuln) : '',
+    legalInstructions: vuln.legalInstructions ? chalk.bold('\n  Legal instructions: ' + vuln.legalInstructions) : '',
   };
 
   return (
@@ -54,7 +55,8 @@ export function formatIssues(vuln: GroupedVuln, options: Options & TestOptions)
     vulnOutput.remediationInfo +
     vulnOutput.dockerfilePackage +
     vulnOutput.fixedIn +
-    vulnOutput.extraInfo
+    vulnOutput.extraInfo +
+    vulnOutput.legalInstructions
   );
 }
 

diff --git a/src/cli/commands/test/formatters/remediation-based-format-issues.ts b/src/cli/commands/test/formatters/remediation-based-format-issues.ts
@@ -12,6 +12,7 @@ interface BasicVulnInfo {
   name: string;
   version: string;
   fixedIn: string[];
+  legalInstructions?: string;
 }
 
 export function formatIssuesWithRemediation(
@@ -32,6 +33,7 @@ export function formatIssuesWithRemediation(
       name: vuln.name,
       version: vuln.version,
       fixedIn: vuln.fixedIn,
+      legalInstructions: vuln.legalInstructions,
     };
   }
   const results = [chalk.bold.white('Remediation advice')];
@@ -79,7 +81,8 @@ function constructPatchesText(
       basicVulnInfo[id].title,
       basicVulnInfo[id].severity,
       basicVulnInfo[id].isNew,
-      `${basicVulnInfo[id].name}@${basicVulnInfo[id].version}`);
+      `${basicVulnInfo[id].name}@${basicVulnInfo[id].version}`,
+      basicVulnInfo[id].legalInstructions);
     patchedTextArray.push(patchedText + thisPatchFixes);
   }
 
@@ -109,7 +112,8 @@ function constructUpgradesText(
           basicVulnInfo[id].title,
           basicVulnInfo[id].severity,
           basicVulnInfo[id].isNew,
-          `${basicVulnInfo[id].name}@${basicVulnInfo[id].version}`))
+          `${basicVulnInfo[id].name}@${basicVulnInfo[id].version}`,
+          basicVulnInfo[id].legalInstructions))
       .join('\n');
     upgradeTextArray.push(upgradeText + thisUpgradeFixes);
   }
@@ -127,7 +131,12 @@ function constructUnfixableText(unresolved: IssueData[]) {
       : '\n  No upgrade or patch available';
     const packageNameAtVersion = chalk.bold.whiteBright(`\n  ${issue.packageName}@${issue.version}\n`);
     unfixableIssuesTextArray
-      .push(packageNameAtVersion + formatIssue(issue.id, issue.title, issue.severity, issue.isNew) + `${extraInfo}`);
+      .push(packageNameAtVersion + formatIssue(
+        issue.id,
+        issue.title,
+        issue.severity,
+        issue.isNew,
+        issue.legalInstructions) + `${extraInfo}`);
   }
 
   return unfixableIssuesTextArray;
@@ -138,7 +147,8 @@ function formatIssue(
   title: string,
   severity: SEVERITY,
   isNew: boolean,
-  vulnerableModule?: string): string {
+  vulnerableModule?: string,
+  legalInstructions?: string): string {
   const severitiesColourMapping = {
     low: {
       colorFunc(text) {
@@ -161,7 +171,8 @@ function formatIssue(
 
   return severitiesColourMapping[severity].colorFunc(
     `  ✗ ${chalk.bold(title)}${newBadge} [${titleCaseText(severity)} Severity]`,
-    ) + `[${config.ROOT}/vuln/${id}]` + name;
+    ) + `[${config.ROOT}/vuln/${id}]` + name
+    + (legalInstructions ? `${chalk.bold('\nLegal instructions')}: ${legalInstructions}` : '') ;
 }
 
 function titleCaseText(text) {

diff --git a/src/cli/commands/test/index.ts b/src/cli/commands/test/index.ts
@@ -479,6 +479,7 @@ function groupVulnerabilities(vulns): GroupedVuln[] {
       map[curr.id].dockerfileInstruction = curr.dockerfileInstruction;
       map[curr.id].dockerBaseImage = curr.dockerBaseImage;
       map[curr.id].nearestFixedInVersion = curr.nearestFixedInVersion;
+      map[curr.id].legalInstructions = curr.legalInstructions;
     }
 
     map[curr.id].list.push(curr);

diff --git a/src/lib/snyk-test/legacy.ts b/src/lib/snyk-test/legacy.ts
@@ -48,6 +48,7 @@ export interface GroupedVuln {
   dockerfileInstruction: string;
   dockerBaseImage: string;
   nearestFixedInVersion: string;
+  legalInstructions?: string;
 }
 
 export interface IssueData {
@@ -69,6 +70,7 @@ export interface IssueData {
   title: string;
   severity: SEVERITY;
   fixedIn: string[];
+  legalInstructions?: string;
 }
 
 interface AnnotatedIssue extends IssueData {

diff --git a/test/acceptance/display-test-results.test.ts b/test/acceptance/display-test-results.test.ts
@@ -28,6 +28,41 @@ test('`test ruby-app` remediation displayed',  async (t) => {
   t.end();
 });
 
+
+test('`test ruby-app` legal instructions displayed',  async (t) => {
+  chdirWorkspaces();
+  const stubbedResponse = JSON.parse(
+    fs.readFileSync(__dirname + '/workspaces/ruby-app/test-graph-response-with-legal-instruction.json', 'utf8'),
+  );
+  const snykTestStub = sinon.stub(snyk, 'test').returns(stubbedResponse);
+  try {
+    await snykTest('ruby-app');
+  } catch (error) {
+    const res = error.message;
+    t.match(res, 'Legal instructions');
+  }
+
+  snykTestStub.restore();
+  t.end();
+});
+
+test('`test pip-app-license-issue` legal instructions displayed (legacy formatter)',  async (t) => {
+  chdirWorkspaces();
+  const stubbedResponse = JSON.parse(
+    fs.readFileSync(__dirname + '/workspaces/pip-app-license-issue/test-pip-stub-with-legal-instructions.json', 'utf8'),
+  );
+  const snykTestStub = sinon.stub(snyk, 'test').returns(stubbedResponse);
+  try {
+    await snykTest('pip-app-license-issue');
+  } catch (error) {
+    const res = error.message;
+    t.match(res, 'Legal instructions');
+  }
+
+  snykTestStub.restore();
+  t.end();
+});
+
 function chdirWorkspaces(subdir: string = '') {
   process.chdir(__dirname + '/workspaces' + (subdir ? '/' + subdir : ''));
 }
diff --git a/test/acceptance/workspaces/pip-app-license-issue/requirements.txt b/test/acceptance/workspaces/pip-app-license-issue/requirements.txt
@@ -0,0 +1,3 @@
+# The following library requires Python >= 3.4.2
+# For more see: https://pypi.python.org/pypi?:action=browse&show=all&c=595
+aiohttp==2.2.2
diff --git a/test/acceptance/workspaces/pip-app-license-issue/test-pip-stub-with-legal-instructions.json b/test/acceptance/workspaces/pip-app-license-issue/test-pip-stub-with-legal-instructions.json
@@ -0,0 +1,51 @@
+{
+  "vulnerabilities": [
+    {
+      "license": "LGPL-3.0",
+      "semver": {
+        "vulnerable": [
+          "[0,)"
+        ]
+      },
+      "id": "snyk:lic:pip:chardet:LGPL-3.0",
+      "type": "license",
+      "legalInstructions": "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.",
+      "packageManager": "pip",
+      "language": "python",
+      "packageName": "chardet",
+      "title": "LGPL-3.0 license",
+      "description": "LGPL-3.0 license",
+      "publicationTime": "2019-04-11T10:30:09.818Z",
+      "creationTime": "2019-04-11T10:30:09.818Z",
+      "patches": [],
+      "licenseTemplateUrl": "https://raw.githubusercontent.com/spdx/license-list/master/LGPL-3.0.txt",
+      "severity": "medium",
+      "from": [
+        "python-pip3-app-no-policy@0.0.0",
+        "aiohttp@2.2.2",
+        "chardet@3.0.4"
+      ],
+      "upgradePath": [],
+      "isUpgradable": false,
+      "isPatchable": false,
+      "name": "chardet",
+      "version": "3.0.4"
+    }
+  ],
+  "ok": false,
+  "dependencyCount": 6,
+  "org": "lwywoo",
+  "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.13.5\nignore: {}\npatch: {}\n",
+  "isPrivate": true,
+  "licensesPolicy": null,
+  "packageManager": "pip",
+  "ignoreSettings": null,
+  "summary": "1 vulnerable dependency path",
+  "filesystemPolicy": false,
+  "filtered": {
+    "ignore": [],
+    "patch": []
+  },
+  "uniqueCount": 1,
+  "path": "/Users/snyk/laura/fixtures/python-pip3-app-no-policy"
+}