Merge pull request #70 from geraldnash-cb/master

Fix Yarn Audit findings bug and patch-bump version from 2.6.0 -> 2.6.1

README.md

@@ -65,7 +65,7 @@ Example CircleCI `config.yml`:
 version: 2.1
 
 orbs:
-  salus: federacy/salus@2.5.1
+  salus: federacy/salus@2.6.1
 
 workflows:
   main:

integrations/circleci/README.md

@@ -24,7 +24,7 @@ Note: active_scanners and enforced_scanners must be yaml formatted for Salus con
 version: 2.1
 
 orbs:
-  salus: federacy/salus@2.5.1
+  salus: federacy/salus@2.6.1
 
 workflows:
   main:
@@ -38,7 +38,7 @@ workflows:
 version: 2.1
 
 orbs:
-  salus: federacy/salus@2.5.1
+  salus: federacy/salus@2.6.1
 
 workflows:
   main:
@@ -53,7 +53,7 @@ workflows:
 version: 2.1
 
 orbs:
-  salus: federacy/salus@2.5.1
+  salus: federacy/salus@2.6.1
 
 workflows:
   main:
@@ -68,7 +68,7 @@ workflows:
 ```
 version: 2.1
 orbs:
-  salus: federacy/salus@2.5.1
+  salus: federacy/salus@2.6.1
 executors:
   salus_2_4_2:
     docker:

integrations/circleci/orb.yml

@@ -82,7 +82,7 @@ examples:
     usage:
       version: 2.1
       orbs:
-        salus: federacy/salus@2.5.1
+        salus: federacy/salus@2.6.1
       workflows:
         salus_scan:
           jobs: 
@@ -92,7 +92,7 @@ examples:
     usage:
       version: 2.1
       orbs:
-        salus: federacy/salus@2.5.1
+        salus: federacy/salus@2.6.1
       workflows:
         salus_scan:
           jobs: 
@@ -103,7 +103,7 @@ examples:
     usage:
       version: 2.1
       orbs:
-        salus: federacy/salus@2.5.1
+        salus: federacy/salus@2.6.1
       workflows:
         salus_scan:
           jobs: 
@@ -114,7 +114,7 @@ examples:
     usage:
       version: 2.1
       orbs:
-        salus: federacy/salus@2.5.1
+        salus: federacy/salus@2.6.1
       executors:
         salus_2_4_2:
           docker:

lib/salus.rb

@@ -19,7 +19,7 @@
 require 'salus/processor'
 
 module Salus
-  VERSION = '2.6.0'.freeze
+  VERSION = '2.6.1'.freeze
   DEFAULT_REPO_PATH = './repo'.freeze # This is inside the docker container at /home/repo.
 
   SafeYAML::OPTIONS[:default_mode] = :safe

lib/salus/scanners/node_audit.rb

@@ -63,7 +63,7 @@ def run
           # For all advisories,
           prod = raw_advisories_for_id.any? do |raw_advisory|
             # any there there any instances in the prod dependency tree?
-            raw_advisory.fetch(:findings).any? { |finding| !finding.fetch(:dev) }
+            raw_advisory.fetch(:findings).any? { |finding| !finding.fetch(:dev, false) }
           end
 
           Advisory.new(id, module_name, title, severity, url, prod, excepted)

spec/fixtures/integration/expected_report.json

@@ -1,5 +1,5 @@
 {
-  "version": "2.6.0",
+  "version": "2.6.1",
   "passed": true,
   "running_time": 0.0,
   "scans": {

spec/fixtures/npm_audit/failure-2/package.json

@@ -0,0 +1,26 @@
+{
+    "name": "www",
+    "version": "1.0.0",
+    "description": "Test package.json file.",
+    "main": "index.js",
+    "engines": {
+      "npm": ">= 4.0.0",
+      "node": ">= 6.9"
+    },
+    "scripts": {
+      "test": "test"
+    },
+    "repository": {
+      "type": "git",
+      "url": "test"
+    },
+    "author": "",
+    "license": "ISC",
+    "dependencies": {
+      "classnames": "^2.2.5",
+      "mobx": "^3.2.1",
+      "uglify-js": "1.2.3",
+      "merge": "1.2.0"
+    }
+  }
+

spec/fixtures/processor/local_uri/expected_report.json

@@ -1,5 +1,5 @@
 {
-  "version": "2.6.0",
+  "version": "2.6.1",
   "passed": true,
   "running_time": 0.0,
   "scans": {

spec/fixtures/processor/remote_uri/expected_report.json

@@ -1,5 +1,5 @@
 {
-  "version": "2.6.0",
+  "version": "2.6.1",
   "passed": true,
   "running_time": 0.0,
   "scans": {

spec/fixtures/yarn_audit/failure-2/package.json

@@ -0,0 +1,26 @@
+{
+    "name": "www",
+    "version": "1.0.0",
+    "description": "Test package.json file.",
+    "main": "index.js",
+    "engines": {
+      "npm": ">= 4.0.0",
+      "node": ">= 6.9"
+    },
+    "scripts": {
+      "test": "test"
+    },
+    "repository": {
+      "type": "git",
+      "url": "test"
+    },
+    "author": "",
+    "license": "ISC",
+    "dependencies": {
+      "classnames": "^2.2.5",
+      "mobx": "^3.2.1",
+      "uglify-js": "1.2.3",
+      "merge": "1.2.0"
+    }
+  }
+

spec/fixtures/yarn_audit/failure-2/yarn.lock

@@ -0,0 +1,18 @@
+# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+# yarn lockfile v1
+
+
+classnames@^2.2.5:
+  version "2.2.6"
+  resolved "https://registry.yarnpkg.com/classnames/-/classnames-2.2.6.tgz#43935bffdd291f326dad0a205309b38d00f650ce"
+  integrity sha512-JR/iSQOSt+LQIWwrwEzJ9uk0xfN3mTVYMwt1Ir5mUcSN6pU+V4zQFFaJsclJbPuAUQH+yfWef6tm7l1quW3C8Q==
+
+mobx@^3.2.1:
+  version "3.6.2"
+  resolved "https://registry.yarnpkg.com/mobx/-/mobx-3.6.2.tgz#fb9f5ff5090539a1ad54e75dc4c098b602693320"
+  integrity sha512-Dq3boJFLpZEvuh5a/MbHLUIyN9XobKWIb0dBfkNOJffNkE3vtuY0C9kSDVpfH8BB0BPkVw8g22qCv7d05LEhKg==
+
+uglify-js@1.2.3:
+  version "1.2.3"
+  resolved "https://registry.yarnpkg.com/uglify-js/-/uglify-js-1.2.3.tgz#3b0ce6631a28dcaa64302b893123b20876bdc536"
+  integrity sha1-OwzmYxoo3KpkMCuJMSOyCHa9xTY=

spec/lib/salus/scanners/node_audit_spec.rb

@@ -34,6 +34,25 @@
             useless_exceptions: []
           )
         end
+
+        it 'should fail, recording advisory ids and npm output' do
+          repo = Salus::Repo.new("spec/fixtures/#{klass_snake_str}/failure-2")
+          scanner = klass_obj.new(repository: repo, config: {})
+          scanner.run
+
+          expect(scanner.report.passed?).to eq(false)
+          info = scanner.report.to_h.fetch(:info)
+          expect(info.key?(:stdout)).to eq(true)
+          expect(info).to include(
+            prod_advisories: %w[39 48 722],
+            dev_advisories: [],
+            unexcepted_prod_advisories: %w[39 48 722],
+            exceptions: [],
+            prod_exceptions: [],
+            dev_exceptions: [],
+            useless_exceptions: []
+          )
+        end
       end
 
       context 'no CVEs in package.json' do