feat: fixed in key in binaries output #317
Conversation
karniwl
force-pushed
the
feat/support-docker-binaries
branch
from
b9f155e to
c2c43c8
Compare
src/cli/commands/test.js
Outdated
| function createFixedInText(versionRangeList, pkgVersion) { | ||
| let fixedVersion = ''; | ||
| if (!pkgVersion && versionRangeList && | ||
| versionRangeList.length && /^<\S+$/.test(versionRangeList[0])) { |
There was a problem hiding this comment.
This if clause is a bit difficult to read, how do you feel about extracting it to a function?
There was a problem hiding this comment.
I think it's a bit of an overkill to extract it to a function as the meaning (if you know it of course... :) ) is pretty straightforward. I'll change it up and extract to a variable instead and let me know what you think
src/cli/commands/test.js
Outdated
| @@ -314,7 +320,7 @@ function displayResult(res, options) { | |||
| remediationInfo: vuln.metadata.type !== 'license' | |||
| ? createRemediationText(vuln, packageManager) | |||
| : '', | |||
| fixedIn: options.docker ? createFixedInText(vuln) : '', | |||
| fixedIn: options.docker ? createFixedInText(vuln.list[0].semver.vulnerable, version) : '', | |||
There was a problem hiding this comment.
I understand there's special meaning to the first index of the vuln.list, perhaps we could store it in a variable? (same for versionRangeList[0] and versionList[1])
karniwl
force-pushed
the
feat/support-docker-binaries
branch
from
93bcb73 to
04338d3
Compare
src/cli/commands/test.js
Outdated
| if (!pkgVersion) { | ||
| if (versionRangeList && | ||
| versionRangeList.length && | ||
| (lesserThan.test(versionRangeList[0]))) { |
There was a problem hiding this comment.
Thanks for the changes! Can we also store versionRangeList[0] in a variable? I don't understand the significance of the first index (I guess it's ordered and we need the first item?) :)
There was a problem hiding this comment.
there isn't a special meaning, it's not ordered, we actually have only one item in the list in that case. I added a comment explaining it
There was a problem hiding this comment.
I don't think this warrants a comment, variable fits nice (alleviates us from the need to use the index twice and documents there's just a single item in the list)
src/cli/commands/test.js
Outdated
| } | ||
| } else { | ||
| for (const versionRange of versionRangeList) { | ||
| if (semver.valid(pkgVersion) && semver.satisfies(pkgVersion, versionRange)) { |
There was a problem hiding this comment.
| if (semver.valid(pkgVersion) && semver.satisfies(pkgVersion, versionRange)) { | |
| if (!semver.valid(pkgVersion) || !semver.satisfies(pkgVersion, versionRange)) { | |
| continue; | |
| } |
There was a problem hiding this comment.
I think this is much less readable than the current condition, we want to find the version range that matches our package version, imo it makes more sense to show what we are looking for, not what we're NOT looking for
There was a problem hiding this comment.
I guess it's a style opinion - you're choice :)
src/cli/commands/test.js
Outdated
| vulnOutput.fixedIn + | ||
| vulnOutput.extraInfo | ||
| ); | ||
| var nonBinariesSortedGroupedVulns = sortedGroupedVulns.filter(function (vuln) { |
There was a problem hiding this comment.
| var nonBinariesSortedGroupedVulns = sortedGroupedVulns.filter(function (vuln) { | |
| var sortedGroupedVulns = sortedGroupedVulns.filter(function (vuln) { |
There was a problem hiding this comment.
Let's not change the all code to be docker related :)
There was a problem hiding this comment.
that's the name I first gave and it caused a bug that wasted too much time because that's a variable name we already declared and changing it deletes all binaries vulns from it and then when filtering by upstream package manager we get an empty result...
I can change the order of the lines but that's too error-prone imo, I'll think of another solution but you're welcome to offer one as well.
There was a problem hiding this comment.
The problem I'm thinking about is a developer that has no idea about what's binary is, so nonBinariesSortedGroupedVulns might be a bit confusing for him
karniwl
force-pushed
the
feat/support-docker-binaries
branch
from
8f089b5 to
1984ea9
Compare
karniwl
force-pushed
the
feat/support-docker-binaries
branch
from
1984ea9 to
80daaf5
Compare
|
🎉 This PR is included in version 1.120.0 🎉 The release is available on: Your semantic-release bot 📦🚀 |
What does this PR do?
Adds a
Fixed inversion key in binaries/output, using npm semver rules.Refactors formatting issues logic.
How should this be manually tested?
Run
snyk test --docker node:5.10.1for example to see the fixed versions of found vulnerabilities.Screenshots