mirror of
https://github.com/openclaw/openclaw.git
synced 2026-05-27 17:55:58 +00:00
179 lines
5.2 KiB
TypeScript
179 lines
5.2 KiB
TypeScript
import { mkdtemp, rm, writeFile } from "node:fs/promises";
|
|
import { tmpdir } from "node:os";
|
|
import path from "node:path";
|
|
import { afterEach, describe, expect, it } from "vitest";
|
|
import {
|
|
classifyVulnerabilityFindings,
|
|
renderDependencyVulnerabilityGateMarkdownReport,
|
|
runDependencyVulnerabilityGate,
|
|
} from "../../scripts/dependency-vulnerability-gate.mjs";
|
|
|
|
const tempDirCleanups: Array<() => Promise<void>> = [];
|
|
|
|
afterEach(async () => {
|
|
await Promise.all(tempDirCleanups.splice(0).map((cleanup) => cleanup()));
|
|
});
|
|
|
|
function advisory({
|
|
id,
|
|
severity,
|
|
title,
|
|
vulnerableVersions = "<=1.0.0",
|
|
}: {
|
|
id: string;
|
|
severity: string;
|
|
title: string;
|
|
vulnerableVersions?: string;
|
|
}) {
|
|
return {
|
|
id,
|
|
severity,
|
|
title,
|
|
vulnerable_versions: vulnerableVersions,
|
|
url: `https://github.com/advisories/${id}`,
|
|
};
|
|
}
|
|
|
|
async function writeLockfile(rootDir: string) {
|
|
await writeFile(
|
|
path.join(rootDir, "pnpm-lock.yaml"),
|
|
`lockfileVersion: '9.0'
|
|
|
|
importers:
|
|
.:
|
|
dependencies:
|
|
runtime-high:
|
|
version: 1.0.0
|
|
devDependencies:
|
|
dev-high:
|
|
version: 1.0.0
|
|
|
|
snapshots:
|
|
runtime-high@1.0.0: {}
|
|
dev-high@1.0.0: {}
|
|
transitive-critical@1.0.0: {}
|
|
`,
|
|
"utf8",
|
|
);
|
|
}
|
|
|
|
describe("dependency-vulnerability-gate", () => {
|
|
it("blocks critical advisories anywhere and high advisories in the production graph", () => {
|
|
const result = classifyVulnerabilityFindings({
|
|
allAdvisories: {
|
|
"dev-high": [advisory({ id: "GHSA-dev-high", severity: "high", title: "dev high" })],
|
|
"transitive-critical": [
|
|
advisory({ id: "GHSA-critical", severity: "critical", title: "critical issue" }),
|
|
],
|
|
},
|
|
productionAdvisories: {
|
|
"runtime-high": [
|
|
advisory({ id: "GHSA-runtime-high", severity: "high", title: "runtime high" }),
|
|
],
|
|
},
|
|
});
|
|
|
|
expect(result.blockers.map((finding) => finding.id)).toEqual([
|
|
"GHSA-critical",
|
|
"GHSA-runtime-high",
|
|
]);
|
|
expect(result.findings.map((finding) => finding.id)).toEqual([
|
|
"GHSA-critical",
|
|
"GHSA-dev-high",
|
|
"GHSA-runtime-high",
|
|
]);
|
|
});
|
|
|
|
it("blocks malware advisories regardless of severity or graph", () => {
|
|
const result = classifyVulnerabilityFindings({
|
|
allAdvisories: {
|
|
dev: [advisory({ id: "GHSA-malware", severity: "low", title: "Malware in dev" })],
|
|
},
|
|
productionAdvisories: {},
|
|
});
|
|
|
|
expect(result.blockers).toMatchObject([
|
|
{
|
|
id: "GHSA-malware",
|
|
malware: true,
|
|
severity: "low",
|
|
},
|
|
]);
|
|
});
|
|
|
|
it("queries full and production lockfile graphs separately", async () => {
|
|
const rootDir = await mkdtemp(path.join(tmpdir(), "openclaw-vuln-gate-"));
|
|
tempDirCleanups.push(() => rm(rootDir, { recursive: true, force: true }));
|
|
await writeLockfile(rootDir);
|
|
const payloads: Record<string, string[]>[] = [];
|
|
|
|
const report = await runDependencyVulnerabilityGate({
|
|
rootDir,
|
|
fetchImpl: async (_url, init) => {
|
|
const payload = JSON.parse(String(init?.body));
|
|
payloads.push(payload);
|
|
const packages = Object.keys(payload);
|
|
const body: Record<string, unknown[]> = {};
|
|
if (packages.includes("runtime-high")) {
|
|
body["runtime-high"] = [
|
|
advisory({ id: "GHSA-runtime-high", severity: "high", title: "runtime high" }),
|
|
];
|
|
}
|
|
if (packages.includes("dev-high")) {
|
|
body["dev-high"] = [
|
|
advisory({ id: "GHSA-dev-high", severity: "high", title: "dev high" }),
|
|
];
|
|
}
|
|
return new Response(JSON.stringify(body), {
|
|
status: 200,
|
|
headers: { "content-type": "application/json" },
|
|
});
|
|
},
|
|
});
|
|
|
|
expect(payloads).toHaveLength(2);
|
|
expect(payloads[0]).toEqual({
|
|
"dev-high": ["1.0.0"],
|
|
"runtime-high": ["1.0.0"],
|
|
"transitive-critical": ["1.0.0"],
|
|
});
|
|
expect(payloads[1]).toEqual({
|
|
"runtime-high": ["1.0.0"],
|
|
});
|
|
expect(report.blockers.map((finding) => finding.id)).toEqual(["GHSA-runtime-high"]);
|
|
expect(report.findings.map((finding) => finding.id)).toEqual([
|
|
"GHSA-dev-high",
|
|
"GHSA-runtime-high",
|
|
]);
|
|
});
|
|
|
|
it("documents the resolved transitive dependency graph scope in Markdown", () => {
|
|
const markdown = renderDependencyVulnerabilityGateMarkdownReport({
|
|
generatedAt: "2026-05-12T00:00:00.000Z",
|
|
policy: {
|
|
blocks: [
|
|
"known malware advisories anywhere in the installed graph",
|
|
"critical advisories anywhere in the installed graph",
|
|
"high advisories in the production/runtime graph",
|
|
],
|
|
reports: [
|
|
"moderate and lower advisories",
|
|
"high advisories outside production/runtime graph",
|
|
],
|
|
vulnerabilityExceptions: false,
|
|
},
|
|
graphs: {
|
|
all: { packages: 2, packageVersions: 2 },
|
|
production: { packages: 1, packageVersions: 1 },
|
|
},
|
|
blockers: [],
|
|
findings: [],
|
|
});
|
|
|
|
expect(markdown).toContain("# npm Advisory Vulnerability Gate: Resolved Dependency Graph");
|
|
expect(markdown).toContain("## Scope");
|
|
expect(markdown).toContain("resolved package versions from pnpm-lock.yaml");
|
|
expect(markdown).toContain("It includes transitive dependencies.");
|
|
});
|
|
});
|