trivy:chore - improve tests and code cleaning

internal/services/formatters/generic/trivy/formatter.go

@@ -25,15 +25,14 @@ import (
 	"github.com/ZupIT/horusec-devkit/pkg/enums/languages"
 	"github.com/ZupIT/horusec-devkit/pkg/enums/severities"
 	"github.com/ZupIT/horusec-devkit/pkg/enums/tools"
-	enumsVulnerability "github.com/ZupIT/horusec-devkit/pkg/enums/vulnerability"
+	enumvulnerability "github.com/ZupIT/horusec-devkit/pkg/enums/vulnerability"
 	"github.com/ZupIT/horusec-devkit/pkg/utils/logger"
 	"github.com/google/uuid"
 
-	dockerEntities "github.com/ZupIT/horusec/internal/entities/docker"
+	"github.com/ZupIT/horusec/internal/entities/docker"
 	"github.com/ZupIT/horusec/internal/enums/images"
 	"github.com/ZupIT/horusec/internal/helpers/messages"
 	"github.com/ZupIT/horusec/internal/services/formatters"
-	"github.com/ZupIT/horusec/internal/services/formatters/generic/trivy/entities"
 	"github.com/ZupIT/horusec/internal/utils/file"
 	vulnhash "github.com/ZupIT/horusec/internal/utils/vuln_hash"
 )
@@ -125,8 +124,8 @@ func (f *Formatter) parse(projectSubPath, configOutput, fileSystemOutput string)
 	return fileSystemOutput, f.parseOutput(fileSystemOutput, CmdFs, projectSubPath)
 }
 
-func (f *Formatter) getDockerConfig(cmd, projectSubPath string) *dockerEntities.AnalysisData {
-	analysisData := &dockerEntities.AnalysisData{
+func (f *Formatter) getDockerConfig(cmd, projectSubPath string) *docker.AnalysisData {
+	analysisData := &docker.AnalysisData{
 		CMD:      f.AddWorkDirInCmd(cmd, projectSubPath, tools.Trivy),
 		Language: languages.Generic,
 	}
@@ -135,7 +134,7 @@ func (f *Formatter) getDockerConfig(cmd, projectSubPath string) *dockerEntities.
 }
 
 func (f *Formatter) parseOutput(output, cmd, projectSubPath string) error {
-	report := &entities.Output{}
+	report := new(trivyOutput)
 
 	if output == "" {
 		return nil
@@ -146,42 +145,43 @@ func (f *Formatter) parseOutput(output, cmd, projectSubPath string) error {
 	}
 
 	for _, result := range report.Results {
-		f.setVulnerabilities(cmd, result, filepath.Join(projectSubPath, result.Target))
+		f.addVulnerabilities(cmd, result, filepath.Join(projectSubPath, result.Target))
 	}
 
 	return nil
 }
 
-func (f *Formatter) setVulnerabilities(cmd string, result *entities.Result, path string) {
+func (f *Formatter) addVulnerabilities(cmd string, result *trivyOutputResult, path string) {
 	switch cmd {
 	case CmdFs:
-		f.setVulnerabilitiesOutput(result.Vulnerabilities, path)
+		f.addVulnerabilitiesOutput(result.Vulnerabilities, path)
 	case CmdConfig:
-		f.setVulnerabilitiesOutput(result.Vulnerabilities, path)
-		f.setMisconfigurationOutput(result.Misconfigurations, path)
+		f.addVulnerabilitiesOutput(result.Vulnerabilities, path)
+		f.addMisconfigurationOutput(result.Misconfigurations, path)
 	}
 }
 
-func (f *Formatter) setVulnerabilitiesOutput(vulnerabilities []*entities.Vulnerability, target string) {
+func (f *Formatter) addVulnerabilitiesOutput(vulnerabilities []*trivyVulnerability, target string) {
 	for _, vuln := range vulnerabilities {
 		addVuln := f.getVulnBase()
 		addVuln.Code = fmt.Sprintf("%s v%s", vuln.PkgName, vuln.InstalledVersion)
 		_, _, addVuln.Line = file.GetDependencyInfo(addVuln.Code, target)
 		addVuln.File = target
-		addVuln.Details = vuln.GetDetails()
+		addVuln.Details = vuln.getDetails()
 		addVuln.Severity = severities.GetSeverityByString(vuln.Severity)
 		addVuln = vulnhash.Bind(addVuln)
 		f.AddNewVulnerabilityIntoAnalysis(addVuln)
 	}
 }
 
-func (f *Formatter) setMisconfigurationOutput(result []*entities.Misconfiguration, target string) {
+func (f *Formatter) addMisconfigurationOutput(result []*trivyMisconfiguration, target string) {
 	for _, vuln := range result {
 		addVuln := f.getVulnBase()
 		addVuln.File = target
 		addVuln.Code = vuln.Title
-		addVuln.Details = fmt.Sprintf("%s - %s - %s - %s",
-			vuln.Description, vuln.Message, vuln.Resolution, vuln.References)
+		addVuln.Details = fmt.Sprintf(
+			"%s - %s - %s - %s", vuln.Description, vuln.Message, vuln.Resolution, vuln.References,
+		)
 		addVuln.Severity = severities.GetSeverityByString(vuln.Severity)
 		addVuln = vulnhash.Bind(addVuln)
 		f.AddNewVulnerabilityIntoAnalysis(addVuln)
@@ -196,6 +196,6 @@ func (f *Formatter) getVulnBase() *vulnerability.Vulnerability {
 		Confidence:      confidence.Medium,
 		SecurityTool:    tools.Trivy,
 		Language:        languages.Generic,
-		Type:            enumsVulnerability.Vulnerability,
+		Type:            enumvulnerability.Vulnerability,
 	}
 }

internal/services/formatters/generic/trivy/formatter_test.go

@@ -17,68 +17,129 @@ package trivy
 import (
 	"testing"
 
-	entitiesAnalysis "github.com/ZupIT/horusec-devkit/pkg/entities/analysis"
+	"github.com/ZupIT/horusec-devkit/pkg/entities/analysis"
+	"github.com/ZupIT/horusec-devkit/pkg/enums/languages"
 	"github.com/ZupIT/horusec-devkit/pkg/enums/tools"
 	"github.com/stretchr/testify/assert"
 
 	"github.com/ZupIT/horusec/config"
 	"github.com/ZupIT/horusec/internal/entities/toolsconfig"
-	"github.com/ZupIT/horusec/internal/entities/workdir"
 	"github.com/ZupIT/horusec/internal/services/formatters"
 	"github.com/ZupIT/horusec/internal/utils/testutil"
 )
 
-func TestParseOutput(t *testing.T) {
-	t.Run("Should return 2 vulnerabilities with no errors", func(t *testing.T) {
+func TestTrivyParseOutput(t *testing.T) {
+	t.Run("Should add 2 vulnerabilities on analysis without errors", func(t *testing.T) {
 		dockerAPIControllerMock := testutil.NewDockerMock()
 		dockerAPIControllerMock.On("SetAnalysisID")
-		analysis := &entitiesAnalysis.Analysis{}
-		c := &config.Config{}
-		c.WorkDir = &workdir.WorkDir{}
+		dockerAPIControllerMock.On("CreateLanguageAnalysisContainer").Return(output, nil)
 
-		output := `{"SchemaVersion":2,"ArtifactName":"./","ArtifactType":"filesystem","Metadata":{},"Results":[{"Target":"go.sum","Class":"lang-pkgs","Type":"gomod","Vulnerabilities":[{"VulnerabilityID":"CVE-2020-26160","PkgName":"github.com/dgrijalva/jwt-go","InstalledVersion":"3.2.0+incompatible","Layer":{"DiffID":"sha256:f792cd543fb8711f2afbe7990dddf572b57b29f982ea03c11010972b07a28b36"},"SeveritySource":"nvd","PrimaryURL":"https://avd.aquasec.com/nvd/cve-2020-26160","Title":"jwt-go: access restriction bypass vulnerability","Description":"jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m[\"aud\"] (which is allowed by the specification). Because the type assertion fails, \"\" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.","Severity":"HIGH","CweIDs":["CWE-862"],"CVSS":{"nvd":{"V2Vector":"AV:N/AC:L/Au:N/C:P/I:N/A:N","V3Vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","V2Score":5,"V3Score":7.5},"redhat":{"V3Vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","V3Score":7.5}},"References":["https://github.com/dgrijalva/jwt-go/pull/426","https://nvd.nist.gov/vuln/detail/CVE-2020-26160","https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515"],"PublishedDate":"2020-09-30T18:15:00Z","LastModifiedDate":"2021-07-21T11:39:00Z"}]}]}`
+		analysis := new(analysis.Analysis)
 
-		dockerAPIControllerMock.On("CreateLanguageAnalysisContainer").Return(output, nil)
+		cfg := config.New()
 
-		service := formatters.NewFormatterService(analysis, dockerAPIControllerMock, c)
+		service := formatters.NewFormatterService(analysis, dockerAPIControllerMock, cfg)
 		formatter := NewFormatter(service)
-
 		formatter.StartAnalysis("")
+
 		assert.Len(t, analysis.AnalysisVulnerabilities, 2)
+
+		for _, v := range analysis.AnalysisVulnerabilities {
+			vuln := v.Vulnerability
+
+			assert.Equal(t, tools.Trivy, vuln.SecurityTool)
+			assert.Equal(t, languages.Generic, vuln.Language)
+			assert.NotEmpty(t, vuln.Details, "Expected not empty details")
+			assert.NotEmpty(t, vuln.Code, "Expected not empty code")
+			assert.NotEmpty(t, vuln.File, "Expected not empty file name")
+			assert.NotEmpty(t, vuln.Severity, "Expected not empty severity")
+
+		}
 	})
 
-	t.Run("Should return error when invalid output", func(t *testing.T) {
+	t.Run("Should add error on analysis when invalid output", func(t *testing.T) {
 		dockerAPIControllerMock := testutil.NewDockerMock()
 		dockerAPIControllerMock.On("SetAnalysisID")
-		analysis := &entitiesAnalysis.Analysis{}
-		c := &config.Config{}
-		c.WorkDir = &workdir.WorkDir{}
+		dockerAPIControllerMock.On("CreateLanguageAnalysisContainer").Return("invalid", nil)
 
-		output := "!!"
+		analysis := new(analysis.Analysis)
 
-		dockerAPIControllerMock.On("CreateLanguageAnalysisContainer").Return(output, nil)
+		cfg := config.New()
 
-		service := formatters.NewFormatterService(analysis, dockerAPIControllerMock, c)
+		service := formatters.NewFormatterService(analysis, dockerAPIControllerMock, cfg)
 		formatter := NewFormatter(service)
-
 		formatter.StartAnalysis("")
-		assert.NotEmpty(t, analysis.Errors)
+
+		assert.True(t, analysis.HasErrors(), "Expected errors on analysis")
 	})
 
 	t.Run("Should not execute tool because it's ignored", func(t *testing.T) {
-		analysis := &entitiesAnalysis.Analysis{}
+		analysis := new(analysis.Analysis)
+
 		dockerAPIControllerMock := testutil.NewDockerMock()
-		c := &config.Config{}
-		c.WorkDir = &workdir.WorkDir{}
-		c.ToolsConfig = toolsconfig.ToolsConfig{
+
+		cfg := config.New()
+		cfg.ToolsConfig = toolsconfig.ToolsConfig{
 			tools.Trivy: toolsconfig.Config{
 				IsToIgnore: true,
 			},
 		}
 
-		service := formatters.NewFormatterService(analysis, dockerAPIControllerMock, c)
+		service := formatters.NewFormatterService(analysis, dockerAPIControllerMock, cfg)
 		formatter := NewFormatter(service)
-
 		formatter.StartAnalysis("")
 	})
 }
+
+const output = `
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "./",
+  "ArtifactType": "filesystem",
+  "Metadata": {},
+  "Results": [
+    {
+      "Target": "go.sum",
+      "Class": "lang-pkgs",
+      "Type": "gomod",
+      "Vulnerabilities": [
+        {
+          "VulnerabilityID": "CVE-2020-26160",
+          "PkgName": "github.com/dgrijalva/jwt-go",
+          "InstalledVersion": "3.2.0+incompatible",
+          "Layer": {
+            "DiffID": "sha256:f792cd543fb8711f2afbe7990dddf572b57b29f982ea03c11010972b07a28b36"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-26160",
+          "Title": "jwt-go: access restriction bypass vulnerability",
+          "Description": "jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m[\"aud\"] (which is allowed by the specification). Because the type assertion fails, \"\" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.",
+          "Severity": "HIGH",
+          "CweIDs": [
+            "CWE-862"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+              "V2Score": 5,
+              "V3Score": 7.5
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+              "V3Score": 7.5
+            }
+          },
+          "References": [
+            "https://github.com/dgrijalva/jwt-go/pull/426",
+            "https://nvd.nist.gov/vuln/detail/CVE-2020-26160",
+            "https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515"
+          ],
+          "PublishedDate": "2020-09-30T18:15:00Z",
+          "LastModifiedDate": "2021-07-21T11:39:00Z"
+        }
+      ]
+    }
+  ]
+}
+`