mongodb-js
diff --git a/‎packages/sbom-tools/src/commands/fetch-codeql-results.spec.ts
Lines changed: 192 additions & 0 deletions b/‎packages/sbom-tools/src/commands/fetch-codeql-results.spec.ts
Lines changed: 192 additions & 0 deletions
diff --git a/‎packages/sbom-tools/src/commands/fetch-codeql-results.ts
Lines changed: 36 additions & 33 deletions b/‎packages/sbom-tools/src/commands/fetch-codeql-results.ts
Lines changed: 36 additions & 33 deletions
diff --git a/‎packages/sbom-tools/src/commands/sarif-to-markdown.spec.ts
Lines changed: 27 additions & 0 deletions b/‎packages/sbom-tools/src/commands/sarif-to-markdown.spec.ts
Lines changed: 27 additions & 0 deletions
@@ -0,0 +1,192 @@
+/* eslint-disable @typescript-eslint/restrict-template-expressions */
+import sinon from 'sinon';
+import path from 'path';
+import { expect } from 'chai';
+import { fetchCodeQLResults } from './fetch-codeql-results';
+
+describe('fetch-codeql-results', function () {
+  let octokit: any;
+
+  beforeEach(function () {
+    octokit = {
+      git: {
+        getRef: sinon
+          .stub()
+          .resolves({ data: { object: { type: 'tag', sha: '1'.repeat(40) } } }),
+        getTag: sinon
+          .stub()
+          .resolves({
+            data: { object: { type: 'commit', sha: '2'.repeat(40) } },
+          }),
+      },
+      codeScanning: {
+        listRecentAnalyses: sinon
+          .stub()
+          .callsFake(({ owner, repo, page }: any) => {
+            const key = `${owner}/${repo}#${page}`;
+            const data = {
+              'mongodb-js/mongodb-connection-string-url#0': [
+                { commit_sha: '2'.repeat(40), id: 1000 },
+              ],
+              'mongodb-js/mongodb-connection-string-url#1': [
+                { commit_sha: '2'.repeat(40), id: 1001 },
+              ],
+              'mongodb-js/example-repo#0': [
+                { commit_sha: '3'.repeat(40), id: 1002 },
+              ],
+              'mongodb-js/example-repo#1': [],
+            }[key];
+            if (!data)
+              throw new Error(`No analysis list entry for ${key} prepared`);
+            return { data };
+          }),
+        getAnalysis: sinon
+          .stub()
+          .callsFake(({ owner, repo, analysis_id }: any) => {
+            const key = `${owner}/${repo}#${analysis_id}`;
+            const data = {
+              'mongodb-js/mongodb-connection-string-url#1000': {
+                version: '1',
+                runs: [
+                  {
+                    results: [],
+                    tool: {
+                      driver: { name: 'toolname', semanticVersion: '1.2.3' },
+                    },
+                    versionControlProvenance: [{ revisionId: '2'.repeat(40) }],
+                  },
+                ],
+              },
+              'mongodb-js/mongodb-connection-string-url#1001': {
+                version: '1',
+                runs: [
+                  {
+                    results: [],
+                    tool: {
+                      driver: { name: 'toolname', semanticVersion: '1.2.3' },
+                    },
+                    versionControlProvenance: [{ revisionId: '2'.repeat(40) }],
+                  },
+                ],
+              },
+              'mongodb-js/example-repo#1002': {
+                version: '1',
+                runs: [
+                  {
+                    results: [
+                      {
+                        properties: {
+                          'github/alertUrl': 'https://example.com/alert1',
+                        },
+                      },
+                    ],
+                    tool: {
+                      driver: { name: 'toolname', semanticVersion: '1.2.3' },
+                    },
+                    versionControlProvenance: [
+                      {
+                        revisionId: '3'.repeat(40),
+                      },
+                    ],
+                  },
+                ],
+              },
+            }[key];
+            if (!data) throw new Error(`No analysis entry for ${key} prepared`);
+            return { data };
+          }),
+      },
+      request: sinon.stub().callsFake(({ url }) => {
+        const data = {
+          'https://example.com/alert1': {
+            state: 'dismissed',
+            dismissed_reason: 'false positive',
+            dismissed_comment: 'totally fine',
+            rule: {
+              id: 'rule1234',
+              description: 'foobar',
+              security_severity_level: 'high',
+            },
+          },
+        }[url];
+        if (!data) throw new Error(`No URL response for ${url} prepared`);
+        return { data };
+      }),
+    };
+  });
+
+  it('fetches CodeQL results for a repository', async function () {
+    const dir = path.resolve(__dirname, '../../test/fixtures/example-repo');
+    const result: any = await fetchCodeQLResults(octokit, {
+      dependencyFiles: [path.join(dir, 'dependencies.json')],
+      excludeRepos: [],
+      currentRepo: {
+        owner: 'mongodb-js',
+        repo: 'example-repo',
+        commit: '3'.repeat(40),
+      },
+    });
+    result.properties['mongodb/creationParams'].timestamp =
+      '2024-05-23T12:03:47.796Z';
+    expect(result).to.deep.equal({
+      runs: [
+        {
+          results: [],
+          versionControlProvenance: [
+            { revisionId: '2222222222222222222222222222222222222222' },
+          ],
+        },
+        {
+          results: [],
+          versionControlProvenance: [
+            { revisionId: '2222222222222222222222222222222222222222' },
+          ],
+        },
+        {
+          results: [
+            {
+              properties: {
+                'github/alertUrl': 'https://example.com/alert1',
+                'mongodb/alertState': {
+                  state: 'dismissed',
+                  dismissed_reason: 'false positive',
+                  dismissed_comment: 'totally fine',
+                  repos: {
+                    revisionId: '3333333333333333333333333333333333333333',
+                    repos: [
+                      {
+                        owner: 'mongodb-js',
+                        repo: 'example-repo',
+                        commit: '3333333333333333333333333333333333333333',
+                      },
+                    ],
+                  },
+                  rule: {
+                    id: 'rule1234',
+                    description: 'foobar',
+                    security_severity_level: 'high',
+                  },
+                },
+              },
+            },
+          ],
+          versionControlProvenance: [
+            { revisionId: '3333333333333333333333333333333333333333' },
+          ],
+        },
+      ],
+      version: '1',
+      properties: {
+        'mongodb/creationParams': {
+          fromRepo: {
+            owner: 'mongodb-js',
+            repo: 'example-repo',
+            commit: '3333333333333333333333333333333333333333',
+          },
+          excludeRepos: ['mongodb-js/example-repo'],
+          timestamp: '2024-05-23T12:03:47.796Z',
+        },
+      },
+    });
+  });
+});
@@ -22,17 +22,11 @@ type ResolvedCommitInformation = {
 type UnresolvedRepoInformation = Omit<ResolvedCommitInformation, 'commit'> &
   Partial<ResolvedCommitInformation> & { packageVersion?: string };
 
-const octokit = new Octokit({
-  auth: process.env.GITHUB_TOKEN,
-  request: { fetch },
-});
-
 // Get CodeQL SARIF reports for a single commit in a single repository
-async function getSingleCommitSarif({
-  owner,
-  repo,
-  commit,
-}: ResolvedCommitInformation): Promise<unknown[]> {
+async function getSingleCommitSarif(
+  octokit: Octokit,
+  { owner, repo, commit }: ResolvedCommitInformation
+): Promise<unknown[]> {
   const reportIds = new Set<number>();
   for (let page = 0; ; page++) {
     const { data } = await octokit.codeScanning.listRecentAnalyses({
@@ -76,14 +70,14 @@ function repoForPackageJSON(
       : packageJson.repository?.url;
   if (!repoUrl)
     throw new Error(
-      `Could not find repostiory information for package.json file at ${atPath}`
+      `Could not find repository information for package.json file at ${atPath}`
     );
   const { owner, repo } =
     repoUrl.match(/github\.com\/(?<owner>[^/]+)\/(?<repo>[^/.]+)(?:.git)?$/)
       ?.groups ?? {};
   if (!owner || !repo)
     throw new Error(
-      `Could not parse repostiory information for package.json file at ${atPath}`
+      `Could not parse repository information for package.json file at ${atPath}`
     );
   return { owner, repo };
 }
@@ -119,6 +113,7 @@ declare class AggregateError {
 
 // Look up the commit associated with a given tag
 async function resolveVersionSpecifier(
+  octokit: Octokit,
   repo: UnresolvedRepoInformation
 ): Promise<ResolvedCommitInformation> {
   if (repo.commit) {
@@ -195,57 +190,58 @@ async function getCurrentRepo(): Promise<ResolvedCommitInformation> {
   return { ...repo, commit };
 }
 
-async function fetchCodeQLResults({
-  dependencyFiles,
-  excludeRepos,
-  currentRepo,
-  sarifDest,
-}: {
-  dependencyFiles: string[];
-  excludeRepos: string[];
-  currentRepo?: Partial<ResolvedCommitInformation>;
-  sarifDest: string;
-}) {
+export async function fetchCodeQLResults(
+  octokit: Octokit,
+  {
+    dependencyFiles,
+    excludeRepos,
+    currentRepo,
+  }: {
+    dependencyFiles: string[];
+    excludeRepos: string[];
+    currentRepo?: Partial<ResolvedCommitInformation>;
+  }
+): Promise<unknown> {
   if (!dependencyFiles?.length) {
     throw new Error('Missing required argument: --dependencies');
   }
-  if (!sarifDest) {
-    throw new Error('Missing required argument: --sarif-dest');
-  }
 
+  // Add the current repository we're in to the list of repos to be scanned
   let resolvedCurrentRepo: ResolvedCommitInformation;
   if (!currentRepo?.owner || !currentRepo.repo || !currentRepo.commit) {
     resolvedCurrentRepo = { ...(await getCurrentRepo()), ...currentRepo };
   } else {
     resolvedCurrentRepo = currentRepo as ResolvedCommitInformation;
   }
   let repos = await listFirstPartyDependencies(dependencyFiles);
+  // Make sure the only entry for the current repo is the one we explicitly add
   excludeRepos.push(`${resolvedCurrentRepo.owner}/${resolvedCurrentRepo.repo}`);
   repos = repos.filter(
     (repo) => !excludeRepos.includes(`${repo.owner}/${repo.repo}`)
   );
   repos.push(resolvedCurrentRepo);
   repos = deduplicateArray(repos);
   let resolvedRepos = await Promise.all(
-    repos.map(async (repo) => await resolveVersionSpecifier(repo))
+    repos.map(async (repo) => await resolveVersionSpecifier(octokit, repo))
   );
+  // scan each [owner, repo, commit] triple only once, even if it appears for e.g. multiple packages
   resolvedRepos = deduplicateArray(resolvedRepos, ['owner', 'repo', 'commit']);
 
   const sarifs = (
     await Promise.all(
       resolvedRepos.map(async (repo) => {
         try {
-          const reports = await getSingleCommitSarif(repo);
+          const reports = await getSingleCommitSarif(octokit, repo);
           if (reports.length === 0) {
             throw new Error('Could not find any reports');
           }
           return reports;
         } catch (err: unknown) {
-          // @ts-expect-error 'cause' unsupported
           throw new Error(
             `Failed to get SARIF for repository ${JSON.stringify(
               repo
             )}: ${String(err)}`,
+            // @ts-expect-error 'cause' unsupported
             { cause: err }
           );
         }
@@ -316,7 +312,7 @@ async function fetchCodeQLResults({
       timestamp: new Date().toISOString(),
     },
   };
-  await fs.writeFile(sarifDest, JSON.stringify(finalReport, null, 2));
+  return finalReport;
 }
 
 function commaSeparatedList(value: string) {
@@ -348,10 +344,17 @@ export const command = new Command('fetch-codeql-results')
   )
   .option('--sarif-dest <file>', 'JSON SARIF file output')
   .action(async (options) => {
-    await fetchCodeQLResults({
-      dependencyFiles: options.dependencies,
+    const octokit = new Octokit({
+      auth: process.env.GITHUB_TOKEN,
+      request: { fetch },
+    });
+    if (!options.sarifDest) {
+      throw new Error('Missing required argument: --sarif-dest');
+    }
+    const finalReport = await fetchCodeQLResults(octokit, {
+      dependencyFiles: options.despendencies,
       excludeRepos: options.excludeRepos,
       currentRepo: options.currentRepo,
-      sarifDest: options.sarifDest,
     });
+    await fs.writeFile(options.sarifDest, JSON.stringify(finalReport, null, 2));
   });
@@ -0,0 +1,27 @@
+import path from 'path';
+import { expect } from 'chai';
+import { promises as fs } from 'fs';
+import { sarifToMarkdown } from './sarif-to-markdown';
+
+describe('sarif-to-markdown', function () {
+  it('converts a SARIF JSON file to a simplified markdown representation of that file', async function () {
+    const sarif = JSON.parse(
+      await fs.readFile(
+        path.resolve(
+          __dirname,
+          '..',
+          '..',
+          'test',
+          'fixtures',
+          'mock-sarif.json'
+        ),
+        'utf8'
+      )
+    );
+    const expectedMd = await fs.readFile(
+      path.resolve(__dirname, '..', '..', 'test', 'fixtures', 'mock-sarif.md'),
+      'utf8'
+    );
+    expect(sarifToMarkdown({ sarif })).to.equal(expectedMd);
+  });
+});