Add additional tests for git scanning, and markdown format (#569)

Added additional tests and improves test coverage >80%.

- Tests for git scanning
- Tests for markdown format
- Tests for rust building

cmd/osv-scanner/main_test.go

@@ -177,9 +177,9 @@ func TestRun(t *testing.T) {
 			`,
 			wantStderr: "",
 		},
-		// one specific supported sbom with vulns
+		// folder of supported sbom with vulns
 		{
-			name:         "",
+			name:         "folder of supported sbom with vulns",
 			args:         []string{"", "--config=./fixtures/osv-scanner-empty-config.toml", "./fixtures/sbom-insecure/"},
 			wantExitCode: 1,
 			wantStdout: `
@@ -206,6 +206,21 @@ func TestRun(t *testing.T) {
 			`,
 			wantStderr: "",
 		},
+		// one specific supported sbom with vulns
+		{
+			name:         "one specific supported sbom with vulns",
+			args:         []string{"", "--config=./fixtures/osv-scanner-empty-config.toml", "--sbom", "./fixtures/sbom-insecure/alpine.cdx.xml"},
+			wantExitCode: 1,
+			wantStdout: `
+      	Scanned <rootdir>/fixtures/sbom-insecure/alpine.cdx.xml as CycloneDX SBOM and found 15 packages
+      	+--------------------------------+------+-----------+---------+-----------+---------------------------------------+
+      	| OSV URL                        | CVSS | ECOSYSTEM | PACKAGE | VERSION   | SOURCE                                |
+      	+--------------------------------+------+-----------+---------+-----------+---------------------------------------+
+      	| https://osv.dev/CVE-2022-37434 | 9.8  | Alpine    | zlib    | 1.2.10-r2 | fixtures/sbom-insecure/alpine.cdx.xml |
+      	+--------------------------------+------+-----------+---------+-----------+---------------------------------------+
+			`,
+			wantStderr: "",
+		},
 		// one specific unsupported lockfile
 		{
 			name:         "",
@@ -464,12 +479,14 @@ func TestRun(t *testing.T) {
 		// output format: markdown table
 		{
 			name:         "",
-			args:         []string{"", "--format", "markdown", "./fixtures/locks-many/composer.lock"},
-			wantExitCode: 0,
+			args:         []string{"", "--format", "markdown", "--config", "./fixtures/osv-scanner-empty-config.toml", "./fixtures/locks-many/package-lock.json"},
+			wantExitCode: 1,
 			wantStdout: `
-				Scanning dir ./fixtures/locks-many/composer.lock
-				Scanned <rootdir>/fixtures/locks-many/composer.lock file and found 1 package
-				No vulnerabilities found
+				Scanning dir ./fixtures/locks-many/package-lock.json
+        Scanned <rootdir>/fixtures/locks-many/package-lock.json file and found 1 package
+        | OSV URL | CVSS | Ecosystem | Package | Version | Source |
+        | --- | --- | --- | --- | --- | --- |
+        | https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5 | npm | ansi-html | 0.0.1 | fixtures/locks-many/package-lock.json |
 			`,
 			wantStderr: "",
 		},

internal/sourceanalysis/fixtures-rust/rust-project/.gitignore

@@ -0,0 +1 @@
+target/

internal/sourceanalysis/fixtures-rust/rust-project/Cargo.toml

@@ -0,0 +1,9 @@
+[package]
+name = "test-project"
+version = "0.1.0"
+edition = "2021"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+# smallvec = "=0.6.13"

internal/sourceanalysis/fixtures-rust/rust-project/src/main.rs

@@ -0,0 +1,8 @@
+fn main() {
+    println!("Hello, world!");
+    test_func();
+}
+
+fn test_func() {
+    println!("test func")
+}

internal/sourceanalysis/rust_test.go

@@ -4,10 +4,13 @@ import (
 	"bytes"
 	"os"
 	"path/filepath"
+	"reflect"
 	"strings"
 	"testing"
 
 	"github.com/google/osv-scanner/internal/testutility"
+	"github.com/google/osv-scanner/pkg/models"
+	"github.com/google/osv-scanner/pkg/reporter"
 )
 
 func Test_extractRlibArchive(t *testing.T) {
@@ -62,3 +65,46 @@ func Test_functionsFromDWARF(t *testing.T) {
 		})
 	}
 }
+
+func Test_rustBuildSource(t *testing.T) {
+	t.Parallel()
+
+	workingDir, err := os.Getwd()
+	if err != nil {
+		t.Error(err)
+	}
+
+	type args struct {
+		r      reporter.Reporter
+		source models.SourceInfo
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    []string
+		wantErr bool
+	}{
+		{
+			args: args{
+				r: &reporter.VoidReporter{},
+				source: models.SourceInfo{
+					Path: "fixtures-rust/rust-project/Cargo.lock",
+					Type: "lockfile",
+				},
+			},
+			want: []string{
+				workingDir + "/fixtures-rust/rust-project/target/release/test-project",
+			},
+		},
+	}
+	for _, tt := range tests {
+		got, err := rustBuildSource(tt.args.r, tt.args.source)
+		if (err != nil) != tt.wantErr {
+			t.Errorf("rustBuildSource() error = %v, wantErr %v", err, tt.wantErr)
+			return
+		}
+		if !reflect.DeepEqual(got, tt.want) {
+			t.Errorf("rustBuildSource() = %v, want %v", got, tt.want)
+		}
+	}
+}

pkg/osvscanner/fixtures/example-git/a.txt

@@ -0,0 +1 @@
+test file

pkg/osvscanner/fixtures/example-git/git-hidden/COMMIT_EDITMSG

@@ -0,0 +1 @@
+Example commit

pkg/osvscanner/fixtures/example-git/git-hidden/HEAD

@@ -0,0 +1 @@
+ref: refs/heads/main

pkg/osvscanner/fixtures/example-git/git-hidden/config

@@ -0,0 +1,5 @@
+[core]
+	repositoryformatversion = 0
+	filemode = true
+	bare = false
+	logallrefupdates = true

pkg/osvscanner/fixtures/example-git/git-hidden/description

@@ -0,0 +1 @@
+Unnamed repository; edit this file 'description' to name the repository.

pkg/osvscanner/fixtures/example-git/git-hidden/info/exclude

@@ -0,0 +1,6 @@
+# git ls-files --others --exclude-from=.git/info/exclude
+# Lines that start with '#' are comments.
+# For a project mostly in C, the following would be a good set of
+# exclude patterns (uncomment them if you want to use them):
+# *.[oa]
+# *~

pkg/osvscanner/fixtures/example-git/git-hidden/logs/HEAD

@@ -0,0 +1 @@
+0000000000000000000000000000000000000000 862ac4bd2703b622e85f29f55a2fd8cd6caf8182 Rex P <[email protected]> 1696388400 +1100	commit (initial): Example commit

pkg/osvscanner/fixtures/example-git/git-hidden/logs/refs/heads/main

@@ -0,0 +1 @@
+0000000000000000000000000000000000000000 862ac4bd2703b622e85f29f55a2fd8cd6caf8182 Rex P <[email protected]> 1696388400 +1100	commit (initial): Example commit

pkg/osvscanner/fixtures/example-git/git-hidden/refs/heads/main

@@ -0,0 +1 @@
+862ac4bd2703b622e85f29f55a2fd8cd6caf8182

pkg/osvscanner/fixtures/git-scan-queries.txt

@@ -0,0 +1,8 @@
+{
+  "queries": [
+    {
+      "commit": "862ac4bd2703b622e85f29f55a2fd8cd6caf8182",
+      "package": {}
+    }
+  ]
+}

pkg/osvscanner/osvscanner_internal_test.go

@@ -1,13 +1,15 @@
 package osvscanner
 
 import (
+	"os"
 	"path/filepath"
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/osv-scanner/internal/testutility"
 	"github.com/google/osv-scanner/pkg/config"
 	"github.com/google/osv-scanner/pkg/models"
+	"github.com/google/osv-scanner/pkg/osv"
 	"github.com/google/osv-scanner/pkg/reporter"
 )
 
@@ -72,3 +74,45 @@ func Test_filterResults(t *testing.T) {
 		})
 	}
 }
+
+func Test_scanGit(t *testing.T) {
+	t.Parallel()
+
+	type args struct {
+		r       reporter.Reporter
+		query   *osv.BatchedQuery
+		repoDir string
+	}
+	tests := []struct {
+		name    string
+		args    args
+		wantErr bool
+	}{
+		{
+			name: "Example Git repo",
+			args: args{
+				r:       &reporter.VoidReporter{},
+				query:   &osv.BatchedQuery{},
+				repoDir: "fixtures/example-git",
+			},
+			wantErr: false,
+		},
+	}
+
+	err := os.Rename("fixtures/example-git/git-hidden", "fixtures/example-git/.git")
+	if err != nil {
+		t.Errorf("can't find git-hidden folder")
+	}
+
+	for _, tt := range tests {
+		if err := scanGit(tt.args.r, tt.args.query, tt.args.repoDir); (err != nil) != tt.wantErr {
+			t.Errorf("scanGit() error = %v, wantErr %v", err, tt.wantErr)
+		}
+		testutility.CreateJSONFixture(t, "fixtures/git-scan-queries.txt", tt.args.query)
+	}
+
+	err = os.Rename("fixtures/example-git/.git", "fixtures/example-git/git-hidden")
+	if err != nil {
+		t.Errorf("can't find .git folder")
+	}
+}