trivy:chore - improve tests and code cleaning (#899)

This commit add some new asserts on successful parsing Trivy results, to
verify that all fields of Vulnerability was filled.

Some code organization was also made, and the entities packages was
removed and the Trivy schema output was moved to trivy package.

Updates #718

Signed-off-by: Matheus Alcantara <matheus.alcantara@zup.com.br>

internal/services/formatters/generic/trivy/formatter.go

@@ -25,15 +25,14 @@ import (
 	"github.com/ZupIT/horusec-devkit/pkg/enums/languages"
 	"github.com/ZupIT/horusec-devkit/pkg/enums/severities"
 	"github.com/ZupIT/horusec-devkit/pkg/enums/tools"
-	enumsVulnerability "github.com/ZupIT/horusec-devkit/pkg/enums/vulnerability"
+	enumvulnerability "github.com/ZupIT/horusec-devkit/pkg/enums/vulnerability"
 	"github.com/ZupIT/horusec-devkit/pkg/utils/logger"
 	"github.com/google/uuid"
 
-	dockerEntities "github.com/ZupIT/horusec/internal/entities/docker"
+	"github.com/ZupIT/horusec/internal/entities/docker"
 	"github.com/ZupIT/horusec/internal/enums/images"
 	"github.com/ZupIT/horusec/internal/helpers/messages"
 	"github.com/ZupIT/horusec/internal/services/formatters"
-	"github.com/ZupIT/horusec/internal/services/formatters/generic/trivy/entities"
 	"github.com/ZupIT/horusec/internal/utils/file"
 	vulnhash "github.com/ZupIT/horusec/internal/utils/vuln_hash"
 )
@@ -125,8 +124,8 @@ func (f *Formatter) parse(projectSubPath, configOutput, fileSystemOutput string)
 	return fileSystemOutput, f.parseOutput(fileSystemOutput, CmdFs, projectSubPath)
 }
 
-func (f *Formatter) getDockerConfig(cmd, projectSubPath string) *dockerEntities.AnalysisData {
-	analysisData := &dockerEntities.AnalysisData{
+func (f *Formatter) getDockerConfig(cmd, projectSubPath string) *docker.AnalysisData {
+	analysisData := &docker.AnalysisData{
 		CMD:      f.AddWorkDirInCmd(cmd, projectSubPath, tools.Trivy),
 		Language: languages.Generic,
 	}
@@ -135,7 +134,7 @@ func (f *Formatter) getDockerConfig(cmd, projectSubPath string) *dockerEntities.
 }
 
 func (f *Formatter) parseOutput(output, cmd, projectSubPath string) error {
-	report := &entities.Output{}
+	report := new(trivyOutput)
 
 	if output == "" {
 		return nil
@@ -146,42 +145,43 @@ func (f *Formatter) parseOutput(output, cmd, projectSubPath string) error {
 	}
 
 	for _, result := range report.Results {
-		f.setVulnerabilities(cmd, result, filepath.Join(projectSubPath, result.Target))
+		f.addVulnerabilities(cmd, result, filepath.Join(projectSubPath, result.Target))
 	}
 
 	return nil
 }
 
-func (f *Formatter) setVulnerabilities(cmd string, result *entities.Result, path string) {
+func (f *Formatter) addVulnerabilities(cmd string, result *trivyOutputResult, path string) {
 	switch cmd {
 	case CmdFs:
-		f.setVulnerabilitiesOutput(result.Vulnerabilities, path)
+		f.addVulnerabilitiesOutput(result.Vulnerabilities, path)
 	case CmdConfig:
-		f.setVulnerabilitiesOutput(result.Vulnerabilities, path)
-		f.setMisconfigurationOutput(result.Misconfigurations, path)
+		f.addVulnerabilitiesOutput(result.Vulnerabilities, path)
+		f.addMisconfigurationOutput(result.Misconfigurations, path)
 	}
 }
 
-func (f *Formatter) setVulnerabilitiesOutput(vulnerabilities []*entities.Vulnerability, target string) {
+func (f *Formatter) addVulnerabilitiesOutput(vulnerabilities []*trivyVulnerability, target string) {
 	for _, vuln := range vulnerabilities {
 		addVuln := f.getVulnBase()
 		addVuln.Code = fmt.Sprintf("%s v%s", vuln.PkgName, vuln.InstalledVersion)
 		_, _, addVuln.Line = file.GetDependencyInfo(addVuln.Code, target)
 		addVuln.File = target
-		addVuln.Details = vuln.GetDetails()
+		addVuln.Details = vuln.getDetails()
 		addVuln.Severity = severities.GetSeverityByString(vuln.Severity)
 		addVuln = vulnhash.Bind(addVuln)
 		f.AddNewVulnerabilityIntoAnalysis(addVuln)
 	}
 }
 
-func (f *Formatter) setMisconfigurationOutput(result []*entities.Misconfiguration, target string) {
+func (f *Formatter) addMisconfigurationOutput(result []*trivyMisconfiguration, target string) {
 	for _, vuln := range result {
 		addVuln := f.getVulnBase()
 		addVuln.File = target
 		addVuln.Code = vuln.Title
-		addVuln.Details = fmt.Sprintf("%s - %s - %s - %s",
-			vuln.Description, vuln.Message, vuln.Resolution, vuln.References)
+		addVuln.Details = fmt.Sprintf(
+			"%s - %s - %s - %s", vuln.Description, vuln.Message, vuln.Resolution, vuln.References,
+		)
 		addVuln.Severity = severities.GetSeverityByString(vuln.Severity)
 		addVuln = vulnhash.Bind(addVuln)
 		f.AddNewVulnerabilityIntoAnalysis(addVuln)
@@ -196,6 +196,6 @@ func (f *Formatter) getVulnBase() *vulnerability.Vulnerability {
 		Confidence:      confidence.Medium,
 		SecurityTool:    tools.Trivy,
 		Language:        languages.Generic,
-		Type:            enumsVulnerability.Vulnerability,
+		Type:            enumvulnerability.Vulnerability,
 	}
 }

internal/services/formatters/generic/trivy/formatter_test.go

@@ -17,68 +17,129 @@ package trivy
 import (
 	"testing"
 
-	entitiesAnalysis "github.com/ZupIT/horusec-devkit/pkg/entities/analysis"
+	"github.com/ZupIT/horusec-devkit/pkg/entities/analysis"
+	"github.com/ZupIT/horusec-devkit/pkg/enums/languages"
 	"github.com/ZupIT/horusec-devkit/pkg/enums/tools"
 	"github.com/stretchr/testify/assert"
 
 	"github.com/ZupIT/horusec/config"
 	"github.com/ZupIT/horusec/internal/entities/toolsconfig"
-	"github.com/ZupIT/horusec/internal/entities/workdir"
 	"github.com/ZupIT/horusec/internal/services/formatters"
 	"github.com/ZupIT/horusec/internal/utils/testutil"
 )
 
-func TestParseOutput(t *testing.T) {
-	t.Run("Should return 2 vulnerabilities with no errors", func(t *testing.T) {
+func TestTrivyParseOutput(t *testing.T) {
+	t.Run("Should add 2 vulnerabilities on analysis without errors", func(t *testing.T) {
 		dockerAPIControllerMock := testutil.NewDockerMock()
 		dockerAPIControllerMock.On("SetAnalysisID")
-		analysis := &entitiesAnalysis.Analysis{}
-		c := &config.Config{}
-		c.WorkDir = &workdir.WorkDir{}
+		dockerAPIControllerMock.On("CreateLanguageAnalysisContainer").Return(output, nil)
 
-		output := `{"SchemaVersion":2,"ArtifactName":"./","ArtifactType":"filesystem","Metadata":{},"Results":[{"Target":"go.sum","Class":"lang-pkgs","Type":"gomod","Vulnerabilities":[{"VulnerabilityID":"CVE-2020-26160","PkgName":"github.com/dgrijalva/jwt-go","InstalledVersion":"3.2.0+incompatible","Layer":{"DiffID":"sha256:f792cd543fb8711f2afbe7990dddf572b57b29f982ea03c11010972b07a28b36"},"SeveritySource":"nvd","PrimaryURL":"https://avd.aquasec.com/nvd/cve-2020-26160","Title":"jwt-go: access restriction bypass vulnerability","Description":"jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m[\"aud\"] (which is allowed by the specification). Because the type assertion fails, \"\" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.","Severity":"HIGH","CweIDs":["CWE-862"],"CVSS":{"nvd":{"V2Vector":"AV:N/AC:L/Au:N/C:P/I:N/A:N","V3Vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","V2Score":5,"V3Score":7.5},"redhat":{"V3Vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","V3Score":7.5}},"References":["https://github.com/dgrijalva/jwt-go/pull/426","https://nvd.nist.gov/vuln/detail/CVE-2020-26160","https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515"],"PublishedDate":"2020-09-30T18:15:00Z","LastModifiedDate":"2021-07-21T11:39:00Z"}]}]}`
+		analysis := new(analysis.Analysis)
 
-		dockerAPIControllerMock.On("CreateLanguageAnalysisContainer").Return(output, nil)
+		cfg := config.New()
 
-		service := formatters.NewFormatterService(analysis, dockerAPIControllerMock, c)
+		service := formatters.NewFormatterService(analysis, dockerAPIControllerMock, cfg)
 		formatter := NewFormatter(service)
-
 		formatter.StartAnalysis("")
+
 		assert.Len(t, analysis.AnalysisVulnerabilities, 2)
+
+		for _, v := range analysis.AnalysisVulnerabilities {
+			vuln := v.Vulnerability
+
+			assert.Equal(t, tools.Trivy, vuln.SecurityTool)
+			assert.Equal(t, languages.Generic, vuln.Language)
+			assert.NotEmpty(t, vuln.Details, "Expected not empty details")
+			assert.NotEmpty(t, vuln.Code, "Expected not empty code")
+			assert.NotEmpty(t, vuln.File, "Expected not empty file name")
+			assert.NotEmpty(t, vuln.Severity, "Expected not empty severity")
+
+		}
 	})
 
-	t.Run("Should return error when invalid output", func(t *testing.T) {
+	t.Run("Should add error on analysis when invalid output", func(t *testing.T) {
 		dockerAPIControllerMock := testutil.NewDockerMock()
 		dockerAPIControllerMock.On("SetAnalysisID")
-		analysis := &entitiesAnalysis.Analysis{}
-		c := &config.Config{}
-		c.WorkDir = &workdir.WorkDir{}
+		dockerAPIControllerMock.On("CreateLanguageAnalysisContainer").Return("invalid", nil)
 
-		output := "!!"
+		analysis := new(analysis.Analysis)
 
-		dockerAPIControllerMock.On("CreateLanguageAnalysisContainer").Return(output, nil)
+		cfg := config.New()
 
-		service := formatters.NewFormatterService(analysis, dockerAPIControllerMock, c)
+		service := formatters.NewFormatterService(analysis, dockerAPIControllerMock, cfg)
 		formatter := NewFormatter(service)
-
 		formatter.StartAnalysis("")
-		assert.NotEmpty(t, analysis.Errors)
+
+		assert.True(t, analysis.HasErrors(), "Expected errors on analysis")
 	})
 
 	t.Run("Should not execute tool because it's ignored", func(t *testing.T) {
-		analysis := &entitiesAnalysis.Analysis{}
+		analysis := new(analysis.Analysis)
+
 		dockerAPIControllerMock := testutil.NewDockerMock()
-		c := &config.Config{}
-		c.WorkDir = &workdir.WorkDir{}
-		c.ToolsConfig = toolsconfig.ToolsConfig{
+
+		cfg := config.New()
+		cfg.ToolsConfig = toolsconfig.ToolsConfig{
 			tools.Trivy: toolsconfig.Config{
 				IsToIgnore: true,
 			},
 		}
 
-		service := formatters.NewFormatterService(analysis, dockerAPIControllerMock, c)
+		service := formatters.NewFormatterService(analysis, dockerAPIControllerMock, cfg)
 		formatter := NewFormatter(service)
-
 		formatter.StartAnalysis("")
 	})
 }
+
+const output = `
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "./",
+  "ArtifactType": "filesystem",
+  "Metadata": {},
+  "Results": [
+    {
+      "Target": "go.sum",
+      "Class": "lang-pkgs",
+      "Type": "gomod",
+      "Vulnerabilities": [
+        {
+          "VulnerabilityID": "CVE-2020-26160",
+          "PkgName": "github.com/dgrijalva/jwt-go",
+          "InstalledVersion": "3.2.0+incompatible",
+          "Layer": {
+            "DiffID": "sha256:f792cd543fb8711f2afbe7990dddf572b57b29f982ea03c11010972b07a28b36"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-26160",
+          "Title": "jwt-go: access restriction bypass vulnerability",
+          "Description": "jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m[\"aud\"] (which is allowed by the specification). Because the type assertion fails, \"\" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.",
+          "Severity": "HIGH",
+          "CweIDs": [
+            "CWE-862"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+              "V2Score": 5,
+              "V3Score": 7.5
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+              "V3Score": 7.5
+            }
+          },
+          "References": [
+            "https://github.com/dgrijalva/jwt-go/pull/426",
+            "https://nvd.nist.gov/vuln/detail/CVE-2020-26160",
+            "https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515"
+          ],
+          "PublishedDate": "2020-09-30T18:15:00Z",
+          "LastModifiedDate": "2021-07-21T11:39:00Z"
+        }
+      ]
+    }
+  ]
+}
+`