wip

Author: CalamarBicefalo

internal/remediation/model.go

@@ -2,26 +2,36 @@ package remediation
 
 // Input
 
+/**
+* Finding represents a vulnerability for a given package & version.
+*
+* If a finding is introduced through multiple paths, a single finding with several `DependencyPath` entries must be constructed.
+ */
 type Finding struct {
-	Package        Package
-	Severity       Severity
-	Title          string
-	DependencyPath DependencyPath
-
-	// Snyk vuln ID
-	VulnId string
+	Package         Package
+	Vulnerability   Vulnerability
+	DependencyPaths []DependencyPath
 
 	// All versions containing a fix for this problem
 	InitiallyFixedInVersions []string
 	Fix                      Fix
+	PackageManager           PackageManager
 }
+
+type PackageManager string
+
+type Outcome string
 type Fix interface {
 	Outcome() Outcome
 }
 
 type PinFix struct {
 	outcome   Outcome
-	pinAction PinAction
+	PinAction PinAction
+}
+
+type PinAction struct {
+	Package Package
 }
 
 func (pf PinFix) Outcome() Outcome {
@@ -31,22 +41,37 @@ func (pf PinFix) Outcome() Outcome {
 func NewPinFix(outcome Outcome, action PinAction) Fix {
 	return PinFix{
 		outcome:   outcome,
-		pinAction: action,
+		PinAction: action,
 	}
 }
 
-type Outcome string
+type UpgradeFix struct {
+	outcome       Outcome
+	UpgradeAction UpgradeAction
+}
+
+type UpgradeAction struct {
+	PackageName  string
+	UpgradePaths []DependencyPath
+}
+
+func (uf UpgradeFix) Outcome() Outcome {
+	return uf.outcome
+}
+
+func NewUpgradeFix(outcome Outcome, action UpgradeAction) Fix {
+	return UpgradeFix{
+		outcome:       outcome,
+		UpgradeAction: action,
+	}
+}
 
 const (
 	FullyResolved     Outcome = "fully-resolved"
 	PartiallyResolved Outcome = "partially-resolved"
 	Unresolved        Outcome = "unresolved"
 )
 
-type PinAction struct {
-	Package Package
-}
-
 // Output
 
 /*
@@ -75,7 +100,7 @@ type Upgrade struct {
 	From Package
 	To   Package
 
-	Fixes []*VulnerabilityInPackage
+	Fixes []VulnerabilityInPackage
 }
 
 type VulnerabilityInPackage struct {
@@ -89,6 +114,7 @@ type Package struct {
 	Name    string
 	Version string
 }
+
 type Vulnerability struct {
 	ID       string
 	Name     string

internal/remediation/remediation.go

@@ -0,0 +1,133 @@
+package remediation
+
+import (
+	"github.com/snyk/cli-extension-os-flows/internal/semver"
+)
+
+func FixesToRemediationSummary(findings []Finding) (Summary, error) {
+	pins, err := calculatePins(findings)
+	if err != nil {
+		return Summary{}, err
+	}
+	upgrades, err := calculateUpgrades(findings)
+	if err != nil {
+		return Summary{}, err
+	}
+	return Summary{Pins: pins, Upgrades: upgrades}, err
+}
+
+func calculateUpgrades(findings []Finding) ([]Upgrade, error) {
+	var output []Upgrade
+	for _, finding := range findings {
+		switch finding.Fix.(type) {
+		case UpgradeFix:
+			for _, depPath := range finding.DependencyPaths {
+				for _, upath := range finding.Fix.(UpgradeFix).UpgradeAction.UpgradePaths {
+					valid := true
+					for i, uDep := range upath {
+						if uDep.Name != depPath[i+1].Name {
+							valid = false
+						}
+					}
+					if valid {
+						output = append(output, Upgrade{
+							From: depPath[1],
+							To:   upath[0],
+							Fixes: []VulnerabilityInPackage{
+								{
+									VulnerablePackage: finding.Package,
+									Vulnerability:     finding.Vulnerability,
+									IntroducedThrough: finding.DependencyPaths,
+								},
+							},
+						})
+					}
+				}
+			}
+		default:
+			continue
+		}
+	}
+	return output, nil
+}
+
+func calculatePins(findings []Finding) ([]Upgrade, error) {
+	var output []Upgrade
+	var pinMap = make(map[string]*[]*Upgrade)
+	for _, finding := range findings {
+		switch finding.Fix.(type) {
+		case PinFix:
+			vulnerablePackage := finding.Package
+			key := finding.Package.Name
+
+			// We'll be grouping by package name
+			upgrade, upgradeExists := pinMap[key]
+
+			vulnerabilityInPackage := VulnerabilityInPackage{
+				VulnerablePackage: vulnerablePackage,
+				Vulnerability:     finding.Vulnerability,
+				IntroducedThrough: finding.DependencyPaths,
+			}
+
+			if upgradeExists {
+				highestVersion, err := getMaxVersion(finding.PackageManager, (*upgrade)[0].To.Version, finding.Fix.(PinFix).PinAction.Package.Version)
+				if err != nil {
+					return nil, err
+				}
+
+				// As we process individual pins, we'll get the highest version of a given package across vulns & package version
+				// Goal is to obtain a single pin that fixes as many problems as possible
+				versionAlreadyExists := false
+				for _, u := range *upgrade {
+					u.To.Version = highestVersion
+					if u.From.Version == finding.Package.Version {
+						u.Fixes = append(u.Fixes, vulnerabilityInPackage)
+						versionAlreadyExists = true
+						break
+					}
+				}
+				if !versionAlreadyExists {
+					*upgrade = append(*upgrade, &Upgrade{
+						From:  vulnerablePackage,
+						To:    finding.Fix.(PinFix).PinAction.Package,
+						Fixes: []VulnerabilityInPackage{vulnerabilityInPackage},
+					})
+				}
+			} else {
+				pinMap[key] = &[]*Upgrade{{
+					From:  vulnerablePackage,
+					To:    finding.Fix.(PinFix).PinAction.Package,
+					Fixes: []VulnerabilityInPackage{vulnerabilityInPackage},
+				}}
+			}
+
+		default:
+			continue
+		}
+	}
+
+	for _, versionGroupedPins := range pinMap {
+		for _, pin := range *versionGroupedPins {
+			output = append(output, *pin)
+		}
+	}
+	return output, nil
+}
+
+func getMaxVersion(packageManager PackageManager, v1 string, v2 string) (string, error) {
+	semverResolver, err := semver.GetSemver(string(packageManager))
+	if err != nil {
+		return "", err
+	}
+	var version string
+	compare, err := semverResolver.Compare(v1, v2)
+	if err != nil {
+		return "", err
+	}
+	if compare >= 0 {
+		version = v1
+	} else {
+		version = v2
+	}
+	return version, nil
+}