wip

Author: CalamarBicefalo

internal/remediation/model.go

@@ -2,26 +2,36 @@ package remediation
 
 // Input
 
+/**
+* Finding represents a vulnerability for a given package & version.
+*
+* If a finding is introduced through multiple paths, a single finding with several `DependencyPath` entries must be constructed.
+ */
 type Finding struct {
-	Package        Package
-	Severity       Severity
-	Title          string
-	DependencyPath DependencyPath
-
-	// Snyk vuln ID
-	VulnId string
+	Package         Package
+	Vulnerability   Vulnerability
+	DependencyPaths []DependencyPath
 
 	// All versions containing a fix for this problem
-	InitiallyFixedInVersions []string
-	Fix                      Fix
+	FixedInVersions []string
+	Fix             Fix
+	PackageManager  PackageManager
 }
+
+type PackageManager string
+
+type Outcome string
 type Fix interface {
 	Outcome() Outcome
 }
 
 type PinFix struct {
 	outcome   Outcome
-	pinAction PinAction
+	PinAction PinAction
+}
+
+type PinAction struct {
+	Package Package
 }
 
 func (pf PinFix) Outcome() Outcome {
@@ -31,22 +41,39 @@ func (pf PinFix) Outcome() Outcome {
 func NewPinFix(outcome Outcome, action PinAction) Fix {
 	return PinFix{
 		outcome:   outcome,
-		pinAction: action,
+		PinAction: action,
 	}
 }
 
-type Outcome string
+type UpgradeFix struct {
+	outcome       Outcome
+	UpgradeAction UpgradeAction
+}
+
+type UpgradeAction struct {
+	PackageName  string
+	UpgradePaths []DependencyPath
+}
+
+type VulnID string
+
+func (uf UpgradeFix) Outcome() Outcome {
+	return uf.outcome
+}
+
+func NewUpgradeFix(outcome Outcome, action UpgradeAction) Fix {
+	return UpgradeFix{
+		outcome:       outcome,
+		UpgradeAction: action,
+	}
+}
 
 const (
 	FullyResolved     Outcome = "fully-resolved"
 	PartiallyResolved Outcome = "partially-resolved"
 	Unresolved        Outcome = "unresolved"
 )
 
-type PinAction struct {
-	Package Package
-}
-
 // Output
 
 /*
@@ -69,18 +96,26 @@ type Summary struct {
 	a chain reaction that will bump it nevertheless.
 	*/
 	Upgrades []Upgrade
+
+	/**
+	Unresolved models all vulns that do not have a resolution known to Snyk. Either because
+	there is no known fix for the vulnerable package, or because there's no viable upgrade
+	through direct dependencies to bump it.
+	*/
+	Unresolved []VulnerabilityInPackage
 }
 
 type Upgrade struct {
 	From Package
 	To   Package
 
-	Fixes []*VulnerabilityInPackage
+	Fixes []VulnerabilityInPackage
 }
 
 type VulnerabilityInPackage struct {
 	VulnerablePackage Package
 	Vulnerability     Vulnerability
+	FixedInVersions   []string
 	IntroducedThrough []DependencyPath
 }
 
@@ -89,8 +124,9 @@ type Package struct {
 	Name    string
 	Version string
 }
+
 type Vulnerability struct {
-	ID       string
+	ID       VulnID
 	Name     string
 	Severity Severity
 }

internal/remediation/remediation.go

@@ -0,0 +1,188 @@
+package remediation
+
+import (
+	"github.com/snyk/cli-extension-os-flows/internal/semver"
+)
+
+func FixesToRemediationSummary(findings []Finding) (Summary, error) {
+	pins, err := calculatePins(findings)
+	if err != nil {
+		return Summary{}, err
+	}
+	upgrades, unresolved, err := calculateUpgrades(findings)
+	if err != nil {
+		return Summary{}, err
+	}
+	return Summary{Pins: pins, Upgrades: upgrades, Unresolved: unresolved}, err
+}
+
+func calculateUpgrades(findings []Finding) (upgrades []Upgrade, unresolved []VulnerabilityInPackage, err error) {
+	for _, finding := range findings {
+		switch fix := finding.Fix.(type) {
+		case UpgradeFix:
+			matchingPaths := getMatchingPaths(finding, fix)
+
+			upgradablePaths := matchingPaths.upgradablePaths
+			for i, _ := range upgradablePaths.upgradePath {
+				vulnerabilityInPackage := newVulnerabilityInPackage(finding)
+				vulnerabilityInPackage.IntroducedThrough = upgradablePaths.dependencyPath
+
+				upgrades = append(upgrades, Upgrade{
+					From:  upgradablePaths.dependencyPath[i][1],
+					To:    upgradablePaths.upgradePath[i][0],
+					Fixes: []VulnerabilityInPackage{vulnerabilityInPackage},
+				})
+			}
+
+			if len(matchingPaths.nonUpgradablePaths) > 0 {
+				vulnerabilityInPackage := newVulnerabilityInPackage(finding)
+				vulnerabilityInPackage.IntroducedThrough = matchingPaths.nonUpgradablePaths
+				unresolved = append(unresolved, vulnerabilityInPackage)
+			}
+		default:
+			continue
+		}
+	}
+	return upgrades, unresolved, nil
+}
+
+/*
+*
+Returns equally ordered arrays of original dependencyPaths and their upgrade counterparts.
+
+For those upgrades/dep paths that don't have a counterpart, no entries will be found.
+*/
+type paths struct {
+	upgradablePaths    upgradablePathss
+	nonUpgradablePaths []DependencyPath
+}
+
+type upgradablePathss struct {
+	dependencyPath []DependencyPath
+	upgradePath    []DependencyPath
+}
+
+func getMatchingPaths(finding Finding, fix UpgradeFix) paths {
+	var upgradePaths []DependencyPath
+	var dependencyPaths []DependencyPath
+	var nonUpgradablePaths []DependencyPath
+
+	for _, depPath := range finding.DependencyPaths {
+		var found = false
+		for _, upath := range fix.UpgradeAction.UpgradePaths {
+			if !isMatchingUpgradePath(upath, depPath) {
+				continue
+			}
+			found = true
+			upgradePaths = append(upgradePaths, upath)
+			dependencyPaths = append(dependencyPaths, depPath)
+			break
+		}
+		if !found {
+			nonUpgradablePaths = append(nonUpgradablePaths, depPath)
+		}
+	}
+	return paths{
+		upgradablePaths: upgradablePathss{
+			dependencyPath: dependencyPaths,
+			upgradePath:    upgradePaths,
+		},
+		nonUpgradablePaths: nonUpgradablePaths,
+	}
+}
+
+func calculatePins(findings []Finding) ([]Upgrade, error) {
+	var output []Upgrade
+	var pinMap = make(map[string]*[]*Upgrade)
+	for _, finding := range findings {
+		switch finding.Fix.(type) {
+		case PinFix:
+			vulnerablePackage := finding.Package
+			key := finding.Package.Name
+
+			// We'll be grouping by package name
+			upgrade, upgradeExists := pinMap[key]
+
+			if upgradeExists {
+				highestVersion, err := getMaxVersion(finding.PackageManager, (*upgrade)[0].To.Version, finding.Fix.(PinFix).PinAction.Package.Version)
+				if err != nil {
+					return nil, err
+				}
+
+				// As we process individual pins, we'll get the highest version of a given package across vulns & package version
+				// Goal is to obtain a single pin that fixes as many problems as possible
+				versionAlreadyExists := false
+				for _, u := range *upgrade {
+					u.To.Version = highestVersion
+					if u.From.Version == finding.Package.Version {
+						u.Fixes = append(u.Fixes, newVulnerabilityInPackage(finding))
+						versionAlreadyExists = true
+						break
+					}
+				}
+				if !versionAlreadyExists {
+					*upgrade = append(*upgrade, &Upgrade{
+						From:  vulnerablePackage,
+						To:    finding.Fix.(PinFix).PinAction.Package,
+						Fixes: []VulnerabilityInPackage{newVulnerabilityInPackage(finding)},
+					})
+				}
+			} else {
+				pinMap[key] = &[]*Upgrade{{
+					From:  vulnerablePackage,
+					To:    finding.Fix.(PinFix).PinAction.Package,
+					Fixes: []VulnerabilityInPackage{newVulnerabilityInPackage(finding)},
+				}}
+			}
+
+		default:
+			continue
+		}
+	}
+
+	for _, versionGroupedPins := range pinMap {
+		for _, pin := range *versionGroupedPins {
+			output = append(output, *pin)
+		}
+	}
+	return output, nil
+}
+
+func newVulnerabilityInPackage(finding Finding) VulnerabilityInPackage {
+	return VulnerabilityInPackage{
+		FixedInVersions:   finding.FixedInVersions,
+		VulnerablePackage: finding.Package,
+		Vulnerability:     finding.Vulnerability,
+		IntroducedThrough: finding.DependencyPaths,
+	}
+}
+
+func isMatchingUpgradePath(upath DependencyPath, depPath DependencyPath) bool {
+	if len(depPath) != len(upath)+1 {
+		return false
+	}
+	for i, uDep := range upath {
+		if uDep.Name != depPath[i+1].Name {
+			return false
+		}
+	}
+	return true
+}
+
+func getMaxVersion(packageManager PackageManager, v1 string, v2 string) (string, error) {
+	semverResolver, err := semver.GetSemver(string(packageManager))
+	if err != nil {
+		return "", err
+	}
+	var version string
+	compare, err := semverResolver.Compare(v1, v2)
+	if err != nil {
+		return "", err
+	}
+	if compare >= 0 {
+		version = v1
+	} else {
+		version = v2
+	}
+	return version, nil
+}