add extra unit tests

tests/validVulnerability.test.js

@@ -83,6 +83,59 @@ function assertValidFields(vuln) {
   }
 }
 
+function version_bits(version) {
+  version = version.replace(/(\d+)([^\d\.]+)/, '$1.$2');
+  version = version.replace(/([^\d\.]+)(\d+)/, '$1.$2');
+  var parts = version.split('.'),
+      rmap = {
+        'rc' : -1,
+        'pre' : -2,
+        'beta' : -3,
+        'b' : -3,
+        'alpha' : -4,
+        'a' : -4,
+        'post' : 1,
+      },
+      v, n;
+
+  var bits = [];
+  for (var i = 0; i < parts.length; ++i) {
+    v = parts[i];
+
+    n = parseInt(v, 10);
+    if ( isNaN(n) ) {
+      n = rmap[v] || -1;
+    }
+    bits.push(n);
+  }
+  return bits;
+}
+
+function version_compare(version1, version2) {
+  var v1parts = version_bits(version1);
+  var v2parts = version_bits(version2);
+  var v2, v1;
+
+  for (var i = 0; i < Math.max(v1parts.length, v2parts.length); ++i) {
+    v1 = v1parts[i] || 0;
+    v2 = v2parts[i] || 0;
+
+    if (v2 > v1) {
+      return 1;
+    }
+    else if (v1 > v2) {
+      return -1;
+    }
+  }
+
+  return 0;
+}
+
+function isVersionOutsideRange(version, range_start, range_end) {
+  return (version_compare(version, range_start) === -1 && version_compare(version, range_end) === -1) ||
+      (version_compare(version, range_start) === 1 && version_compare(version, range_end) === 1);
+}
+
 // Tests
 describe("Valid Vulnerabilities", () => {
   let vulnerabilities;
@@ -113,6 +166,8 @@ describe("Valid Vulnerabilities", () => {
       expect(typeof vuln.language).toBe("string");
       expect(typeof vuln.severity_class).toBe("string");
       expect(typeof vuln.aikido_score).toBe("number");
+      expect(vuln.aikido_score).toBeGreaterThanOrEqual(0);
+      expect(vuln.aikido_score).toBeLessThanOrEqual(100);
       expect(typeof vuln.changelog).toBe("string");
 
       if (vuln.package_name_alias !== undefined && vuln.package_name_alias !== null) {
@@ -121,6 +176,8 @@ describe("Valid Vulnerabilities", () => {
 
       if (vuln.package_wildcard_contains !== undefined && vuln.package_wildcard_contains !== null) {
         expect(typeof vuln.package_wildcard_contains).toBe("string");
+        expect(vuln.package_wildcard_contains.length).toBeGreaterThan(8);
+        expect(vuln.package_wildcard_contains).toMatch(/[^a-zA-Z0-9]/)
       }
 
       if (vuln.extra_specific_non_vulnerable_versions !== undefined && vuln.extra_specific_non_vulnerable_versions !== null) {
@@ -146,9 +203,26 @@ describe("Valid Vulnerabilities", () => {
           expect(vuln.vulnerable_ranges).toBe("*");
         } else {
           expect(Array.isArray(vuln.vulnerable_ranges)).toBe(true);
-          for(const range of vuln.vulnerable_ranges){
+          for(const range of vuln.vulnerable_ranges) {
             // should be array of arrays
             expect(Array.isArray(range)).toBe(true);
+            expect(range.length).toBe(2);
+            //check if range correct
+            versionVulnLo = range[0];
+            versionVulnUp = range[1];
+            if (version_compare(versionVulnLo, versionVulnUp) < 0) {
+              throw new Error(versionVulnLo + " is not smaller than or equal to " + versionVulnUp);
+            }
+          }
+
+          for(let i = 0; i < vuln.patch_versions.length; i++) {
+            versionFixed =  vuln.patch_versions[i];
+            versionVulnLo = vuln.vulnerable_ranges[i][0];
+            versionVulnUp = vuln.vulnerable_ranges[i][1];
+
+            if (isVersionOutsideRange(versionFixed, versionVulnLo, versionVulnUp) === false) {
+              throw new Error("Patch version cannot be inside vulnerable range: " + versionFixed + " - " + versionVulnLo + " - " + versionVulnUp);
+            }
           }
         }
       }
@@ -191,7 +265,7 @@ describe("Valid Vulnerabilities", () => {
     expect(new Set(ids).size).toBe(ids.length);
   });
 
-  test("PHP vulnerabilities do not start with '@'", () => {
+  test("Only JS vulnerabilities can start with '@'", () => {
     for (const vuln of Object.values(vulnerabilities)) {
       if (vuln.language.toLowerCase() !== "js") {
         expect(vuln.package_name.startsWith("@")).toBe(false);