fix: Actually set the severity on Github findings

underdog-tech · Sep 5, 2023 · 710e5a6 · 710e5a6
1 parent 1f47ce6
commit 710e5a6
Show file tree

Hide file tree

Showing 3 changed files with 138 additions and 89 deletions.
diff --git a/querying/github.go b/querying/github.go
@@ -96,6 +96,13 @@ var githubEcosystems = map[string]config.FindingEcosystemType{
 	"SWIFT":    config.FindingEcosystemSwift,
 }
 
+var githubSeverities = map[string]config.FindingSeverityType{
+	"CRITICAL": config.FindingSeverityCritical,
+	"HIGH":     config.FindingSeverityHigh,
+	"MODERATE": config.FindingSeverityModerate,
+	"LOW":      config.FindingSeverityLow,
+}
+
 func (gh *GithubDataSource) CollectFindings(projects *ProjectCollection, wg *sync.WaitGroup) error {
 	var alertQuery orgVulnerabilityQuery
 	log := logger.Get()
@@ -157,6 +164,7 @@ func (gh *GithubDataSource) processRepoFindings(projects *ProjectCollection, rep
 			if finding.PackageName == "" {
 				finding.PackageName = vuln.SecurityVulnerability.Package.Name
 			}
+			finding.Severity = githubSeverities[vuln.SecurityVulnerability.Severity]
 		}()
 	}
 	return nil

diff --git a/querying/github_test.go b/querying/github_test.go
@@ -16,38 +16,24 @@ import (
 	"github.com/underdog-tech/vulnbot/querying"
 )
 
-func TestCollectFindingsSingleProjectSingleFinding(t *testing.T) {
-	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+func getTestServer(findingFile string, ownerFile string) *httptest.Server {
+	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		var bodyJson map[string]string
 		var data []byte
 		_ = json.NewDecoder(r.Body).Decode(&bodyJson)
 		vulnQuery := strings.Contains(bodyJson["query"], "vulnerabilityAlerts")
 		if vulnQuery {
-			data, _ = os.ReadFile("testdata/single_project_single_finding_vulns.json")
+			data, _ = os.ReadFile(findingFile)
 		} else {
-			data, _ = os.ReadFile("testdata/single_project_no_owners.json")
+			data, _ = os.ReadFile(ownerFile)
 		}
 		w.WriteHeader(http.StatusOK)
 		_, _ = w.Write([]byte(data))
 	}))
-	defer server.Close()
-
-	conf := config.Config{}
-	env := config.Env{}
-	env.GithubOrg = "heart-of-gold"
-	env.GithubToken = "pangalactic-gargleblaster"
-
-	ds := querying.NewGithubDataSource(conf, env)
-	ds.GhClient = githubv4.NewEnterpriseClient(server.URL, &http.Client{})
+}
 
-	projects := querying.NewProjectCollection()
-	wg := new(sync.WaitGroup)
-	wg.Add(1)
-	err := ds.CollectFindings(projects, wg)
-	if err != nil {
-		t.Error(err)
-	}
-	expected := querying.ProjectCollection{
+func getTestProject() querying.ProjectCollection {
+	return querying.ProjectCollection{
 		Projects: []*querying.Project{
 			{
 				Name: "zaphod",
@@ -69,6 +55,31 @@ func TestCollectFindingsSingleProjectSingleFinding(t *testing.T) {
 			},
 		},
 	}
+}
+
+func TestCollectFindingsSingleProjectSingleFinding(t *testing.T) {
+	server := getTestServer(
+		"testdata/single_project_single_finding_vulns.json",
+		"testdata/single_project_no_owners.json",
+	)
+	defer server.Close()
+
+	conf := config.Config{}
+	env := config.Env{}
+	env.GithubOrg = "heart-of-gold"
+	env.GithubToken = "pangalactic-gargleblaster"
+
+	ds := querying.NewGithubDataSource(conf, env)
+	ds.GhClient = githubv4.NewEnterpriseClient(server.URL, &http.Client{})
+
+	projects := querying.NewProjectCollection()
+	wg := new(sync.WaitGroup)
+	wg.Add(1)
+	err := ds.CollectFindings(projects, wg)
+	if err != nil {
+		t.Error(err)
+	}
+	expected := getTestProject()
 	assert.Equal(t, &expected, projects)
 }
 
@@ -77,19 +88,10 @@ func TestCollectFindingsSingleProjectSingleFinding(t *testing.T) {
 // which is not present in config. This is to ensure that we don't end up with empty
 // TeamConfig instances in our project owners set.
 func TestCollectFindingsOwnerNotConfigured(t *testing.T) {
-	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		var bodyJson map[string]string
-		var data []byte
-		_ = json.NewDecoder(r.Body).Decode(&bodyJson)
-		vulnQuery := strings.Contains(bodyJson["query"], "vulnerabilityAlerts")
-		if vulnQuery {
-			data, _ = os.ReadFile("testdata/single_project_single_finding_vulns.json")
-		} else {
-			data, _ = os.ReadFile("testdata/single_project_single_owner.json")
-		}
-		w.WriteHeader(http.StatusOK)
-		_, _ = w.Write([]byte(data))
-	}))
+	server := getTestServer(
+		"testdata/single_project_single_finding_vulns.json",
+		"testdata/single_project_single_owner.json",
+	)
 	defer server.Close()
 
 	conf := config.Config{}
@@ -107,45 +109,15 @@ func TestCollectFindingsOwnerNotConfigured(t *testing.T) {
 	if err != nil {
 		t.Error(err)
 	}
-	expected := querying.ProjectCollection{
-		Projects: []*querying.Project{
-			{
-				Name: "zaphod",
-				Links: map[string]string{
-					"GitHub": "https://heart-of-gold/zaphod",
-				},
-				Findings: []*querying.Finding{
-					{
-						Ecosystem:   config.FindingEcosystemGo,
-						Severity:    config.FindingSeverityCritical,
-						Description: "The Improbability Drive is far too improbable.",
-						PackageName: "improbability-drive",
-						Identifiers: querying.FindingIdentifierMap{
-							querying.FindingIdentifierCVE: "CVE-42",
-						},
-					},
-				},
-				Owners: mapset.NewSet[config.TeamConfig](),
-			},
-		},
-	}
+	expected := getTestProject()
 	assert.Equal(t, &expected, projects)
 }
 
 func TestCollectFindingsOwnerIsConfigured(t *testing.T) {
-	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		var bodyJson map[string]string
-		var data []byte
-		_ = json.NewDecoder(r.Body).Decode(&bodyJson)
-		vulnQuery := strings.Contains(bodyJson["query"], "vulnerabilityAlerts")
-		if vulnQuery {
-			data, _ = os.ReadFile("testdata/single_project_single_finding_vulns.json")
-		} else {
-			data, _ = os.ReadFile("testdata/single_project_single_owner.json")
-		}
-		w.WriteHeader(http.StatusOK)
-		_, _ = w.Write([]byte(data))
-	}))
+	server := getTestServer(
+		"testdata/single_project_single_finding_vulns.json",
+		"testdata/single_project_single_owner.json",
+	)
 	defer server.Close()
 
 	crewTeam := config.TeamConfig{
@@ -171,27 +143,44 @@ func TestCollectFindingsOwnerIsConfigured(t *testing.T) {
 	}
 	owners := mapset.NewSet[config.TeamConfig]()
 	owners.Add(crewTeam)
-	expected := querying.ProjectCollection{
-		Projects: []*querying.Project{
-			{
-				Name: "zaphod",
-				Links: map[string]string{
-					"GitHub": "https://heart-of-gold/zaphod",
-				},
-				Findings: []*querying.Finding{
-					{
-						Ecosystem:   config.FindingEcosystemGo,
-						Severity:    config.FindingSeverityCritical,
-						Description: "The Improbability Drive is far too improbable.",
-						PackageName: "improbability-drive",
-						Identifiers: querying.FindingIdentifierMap{
-							querying.FindingIdentifierCVE: "CVE-42",
-						},
-					},
-				},
-				Owners: owners,
-			},
+	expected := getTestProject()
+	expected.Projects[0].Owners = owners
+	assert.Equal(t, &expected, projects)
+}
+
+func TestCollectFindingsMultipleFindings(t *testing.T) {
+	server := getTestServer(
+		"testdata/single_project_multiple_findings.json",
+		"testdata/single_project_no_owners.json",
+	)
+	defer server.Close()
+
+	conf := config.Config{}
+	env := config.Env{}
+	env.GithubOrg = "heart-of-gold"
+	env.GithubToken = "pangalactic-gargleblaster"
+
+	ds := querying.NewGithubDataSource(conf, env)
+	ds.GhClient = githubv4.NewEnterpriseClient(server.URL, &http.Client{})
+
+	projects := querying.NewProjectCollection()
+	wg := new(sync.WaitGroup)
+	wg.Add(1)
+	err := ds.CollectFindings(projects, wg)
+	if err != nil {
+		t.Error(err)
+	}
+	expected := getTestProject()
+	finding2 := querying.Finding{
+		Ecosystem:   config.FindingEcosystemPython,
+		Severity:    config.FindingSeverityModerate,
+		Description: "All the dolphins are leaving.",
+		PackageName: "dolphins",
+		Identifiers: querying.FindingIdentifierMap{
+			querying.FindingIdentifierCVE: "CVE-43",
 		},
 	}
+	expected.Projects[0].Findings = append(expected.Projects[0].Findings, &finding2)
 	assert.Equal(t, &expected, projects)
+
 }
diff --git a/querying/testdata/single_project_multiple_findings.json b/querying/testdata/single_project_multiple_findings.json
@@ -0,0 +1,52 @@
+{
+    "data": {
+        "organization": {
+            "repositories": {
+                "totalCount": 1,
+                "pageInfo": { "hasNextPage": false },
+                "nodes": [
+                    {
+                        "name": "zaphod",
+                        "url": "https://heart-of-gold/zaphod",
+                        "vulnerabilityAlerts": {
+                            "totalCount": 2,
+                            "pageInfo": { "hasNextPage": false },
+                            "nodes": [
+                                {
+                                    "securityAdvisory": {
+                                        "description": "The Improbability Drive is far too improbable.",
+                                        "identifiers": [
+                                            { "type": "CVE", "value": "CVE-42" }
+                                        ]
+                                    },
+                                    "securityVulnerability": {
+                                        "severity": "CRITICAL",
+                                        "package": {
+                                            "ecosystem": "GO",
+                                            "name": "improbability-drive"
+                                        }
+                                    }
+                                },
+                                {
+                                    "securityAdvisory": {
+                                        "description": "All the dolphins are leaving.",
+                                        "identifiers": [
+                                            { "type": "CVE", "value": "CVE-43" }
+                                        ]
+                                    },
+                                    "securityVulnerability": {
+                                        "severity": "MODERATE",
+                                        "package": {
+                                            "ecosystem": "PIP",
+                                            "name": "dolphins"
+                                        }
+                                    }
+                                }
+                            ]
+                        }
+                    }
+                ]
+            }
+        }
+    }
+}