Merge pull request #182 from snyk/feat/accept-multiple-sha-results

feat: accept multiple sha1 search results
snyk · Feb 11, 2025 · 6199928 · 6199928
2 parents ff5562e + 74f2404
commit 6199928
Show file tree

Hide file tree

Showing 8 changed files with 123 additions and 25 deletions.
diff --git a/lib/archive.ts b/lib/archive.ts
@@ -16,10 +16,10 @@ function getSha1(buf: Buffer) {
   return crypto.createHash(ALGORITHM).update(buf).digest(DIGEST);
 }
 
-async function getMavenDependency(
+async function getMavenPackages(
   targetPath: string,
   snykHttpClient: SnykHttpClient,
-): Promise<MavenPackage> {
+): Promise<MavenPackage[]> {
   const contents = fs.readFileSync(targetPath);
   const sha1 = getSha1(contents);
   return getMavenPackageInfo(sha1, targetPath, snykHttpClient);
@@ -29,11 +29,11 @@ async function getDependencies(
   paths: string[],
   snykHttpClient: SnykHttpClient,
 ): Promise<MavenPackage[]> {
-  const dependencies: MavenPackage[] = [];
+  let dependencies: MavenPackage[] = [];
   for (const p of paths) {
     try {
-      const dependency = await getMavenDependency(p, snykHttpClient);
-      dependencies.push(dependency);
+      const mavenPackages = await getMavenPackages(p, snykHttpClient);
+      dependencies = dependencies.concat(mavenPackages);
     } catch (err) {
       // log error and continue with other paths
       if (err instanceof Error) {

diff --git a/lib/search.ts b/lib/search.ts
@@ -19,26 +19,34 @@ export async function getMavenPackageInfo(
   sha1: string,
   targetPath: string,
   snykHttpClient: SnykHttpClient,
-): Promise<MavenPackage> {
+): Promise<MavenPackage[]> {
   const searchResults = await searchMavenPackageByChecksum(
     sha1,
     targetPath,
     snykHttpClient,
   );
   if (searchResults.length == 0) {
-    return fallbackPackageInfo(sha1, targetPath);
+    return [fallbackPackageInfo(sha1, targetPath)];
   }
 
-  let foundPackage: MavenPackage | undefined;
+  // try to find a specific package based on file name
+  const matchingSearchResults: MavenPackage[] = [];
   if (searchResults.length > 1) {
     const sha1Target = path.parse(targetPath).base;
-    debug(`Got multiple results for ${sha1}, looking for ${sha1Target}`);
-    foundPackage = searchResults.find((result) =>
-      sha1Target.includes(result.groupId),
+    debug(
+      `Got multiple results for ${sha1}, looking for match on ${sha1Target}`,
     );
+    searchResults.forEach((result) => {
+      if (sha1Target.includes(result.groupId)) {
+        matchingSearchResults.push(result);
+      }
+    });
   }
 
-  return foundPackage || searchResults[0];
+  // if nothing matches found return all search results
+  return matchingSearchResults.length === 0
+    ? searchResults
+    : matchingSearchResults;
 }
 
 async function searchMavenPackageByChecksum(

diff --git a/tests/fixtures/jar-wrong-package-name/dep-graph.json b/tests/fixtures/jar-wrong-package-name/dep-graph.json
@@ -15,6 +15,13 @@
         "name": "org.netbeans.external:org-apache-commons-io",
         "version": "RELEASE113"
       }
+    },
+    {
+      "id": "commons-io:commons-io@2.6",
+      "info": {
+        "name": "commons-io:commons-io",
+        "version": "2.6"
+      }
     }
   ],
   "graph": {
@@ -26,13 +33,21 @@
         "deps": [
           {
             "nodeId": "org.netbeans.external:org-apache-commons-io@RELEASE113"
+          },
+          {
+            "nodeId": "commons-io:commons-io@2.6"
           }
         ]
       },
       {
         "nodeId": "org.netbeans.external:org-apache-commons-io@RELEASE113",
         "pkgId": "org.netbeans.external:org-apache-commons-io@RELEASE113",
         "deps": []
+      },
+      {
+        "nodeId": "commons-io:commons-io@2.6",
+        "pkgId": "commons-io:commons-io@2.6",
+        "deps": []
       }
     ]
   }

diff --git a/tests/fixtures/two-package-jar/dep-graph.json b/tests/fixtures/two-package-jar/dep-graph.json
@@ -0,0 +1,56 @@
+{
+  "schemaVersion": "1.2.0",
+  "pkgManager": {
+    "name": "maven"
+  },
+  "pkgs": [
+    {
+      "id": "fixtures:two-package-jar@1.0.0",
+      "info": {
+        "name": "fixtures:two-package-jar",
+        "version": "1.0.0"
+      }
+    },
+    {
+      "id": "one.gfw:jakarta.annotation-api@1.3.5",
+      "info": {
+        "name": "one.gfw:jakarta.annotation-api",
+        "version": "1.3.5"
+      }
+    },
+    {
+      "id": "jakarta.annotation:jakarta.annotation-api@1.3.5",
+      "info": {
+        "name": "jakarta.annotation:jakarta.annotation-api",
+        "version": "1.3.5"
+      }
+    }
+  ],
+  "graph": {
+    "rootNodeId": "root-node",
+    "nodes": [
+      {
+        "nodeId": "root-node",
+        "pkgId": "fixtures:two-package-jar@1.0.0",
+        "deps": [
+          {
+            "nodeId": "one.gfw:jakarta.annotation-api@1.3.5"
+          },
+          {
+            "nodeId": "jakarta.annotation:jakarta.annotation-api@1.3.5"
+          }
+        ]
+      },
+      {
+        "nodeId": "one.gfw:jakarta.annotation-api@1.3.5",
+        "pkgId": "one.gfw:jakarta.annotation-api@1.3.5",
+        "deps": []
+      },
+      {
+        "nodeId": "jakarta.annotation:jakarta.annotation-api@1.3.5",
+        "pkgId": "jakarta.annotation:jakarta.annotation-api@1.3.5",
+        "deps": []
+      }
+    ]
+  }
+}
diff --git a/...s/fixtures/two-package-jar/jakarta.annotation-or-one.gfw-jakarta-annotation-api-1.3.5.jar b/...s/fixtures/two-package-jar/jakarta.annotation-or-one.gfw-jakarta-annotation-api-1.3.5.jar
diff --git a/tests/helpers/mock-search.ts b/tests/helpers/mock-search.ts
@@ -72,6 +72,25 @@ const FIXTURES: Map<
         ],
       },
     },
+    '59eb84ee0d616332ff44aba065f3888cf002cd2d': {
+      res: { statusCode: 200 },
+      body: {
+        data: [
+          {
+            id: 'pkg:maven/one.gfw/jakarta.annotation-api@1.3.5',
+            type: 'package',
+          },
+          {
+            id: 'pkg:maven/jakarta.annotation/jakarta.annotation-api@1.3.5',
+            type: 'package',
+          },
+          {
+            id: 'pkg:maven/unrelated.name/jakarta.annotation-api@1.3.5',
+            type: 'package',
+          },
+        ],
+      },
+    },
   }),
 );
 

diff --git a/tests/tap/functional/archive.test.ts → tests/jest/functional/archive.spec.ts b/tests/tap/functional/archive.test.ts → tests/jest/functional/archive.spec.ts
@@ -1,16 +1,15 @@
-import * as test from 'tap-only';
 import * as path from 'path';
 import { findArchives, isArchive } from '../../../lib/archive';
 
-test('isArchive', async (t) => {
+test('isArchive', async () => {
   [
     'mvn-app-1.0-SNAPSHOT.jar',
     'mvn-app-1.0-SNAPSHOT.war',
     'mvn-app-1.0-SNAPSHOT.zip',
     'path/to/mvn-app-1.0-SNAPSHOT.jar',
     'path/to/mvn-app-1.0-SNAPSHOT.war',
     'path/to/mvn-app-1.0-SNAPSHOT.zip',
-  ].forEach((i) => t.ok(isArchive(i), 'should be true for ' + i));
+  ].forEach((i) => expect(isArchive(i)).toBeTruthy());
 
   [
     'mvn-app-1.0-SNAPSHOTjar',
@@ -19,7 +18,7 @@ test('isArchive', async (t) => {
     'path/to/jar/mvn-app-1.0-SNAPSHOTjar',
     'path/to/war/mvn-app-1.0-SNAPSHOTwar',
     'path/to/zip/mvn-app-1.0-SNAPSHOTzip',
-  ].forEach((i) => t.notOk(isArchive(i), 'should be false for ' + i));
+  ].forEach((i) => expect(isArchive(i)).toBeFalsy());
 });
 
 const fixturesPath = path.join(__dirname, '../..', 'fixtures');
@@ -29,19 +28,14 @@ const dummyPath = path.join(fixturesPath, 'dummy');
 const nestedJarsPath = path.join(fixturesPath, 'nested-jars');
 const nestedWarsAarsPath = path.join(fixturesPath, 'nested-wars-aars');
 
-test('findArchives', async (t) => {
+test('findArchives', async () => {
   [
     { dir: springCorePath, expectedNumOfJars: 1 },
     { dir: badPath, expectedNumOfJars: 2 },
-    { dir: fixturesPath, expectedNumOfJars: 13 },
+    { dir: fixturesPath, expectedNumOfJars: 14 },
     { dir: dummyPath, expectedNumOfJars: 0 },
     { dir: nestedJarsPath, expectedNumOfJars: 2 },
     { dir: nestedWarsAarsPath, expectedNumOfJars: 2 },
   ].forEach(({ dir, expectedNumOfJars }) =>
-    t.same(
-      findArchives(dir).length,
-      expectedNumOfJars,
-      `should find ${expectedNumOfJars} jars for "${path.basename(dir)}"`,
-    ),
-  );
+    expect(findArchives(dir).length).toEqual(expectedNumOfJars));
 });
diff --git a/tests/jest/system/plugin-jar.spec.ts b/tests/jest/system/plugin-jar.spec.ts
@@ -82,6 +82,12 @@ test('inspect in directory with jars no target file and --scan-all-unmanaged arg
     options: { scanAllUnmanaged: true },
   }));
 
+test('inspect in directory with jar that resolves to three packages with only two matching no target file and --scan-all-unmanaged arg', async () =>
+  assertFixture({
+    fixtureDirectory: 'two-package-jar',
+    options: { scanAllUnmanaged: true },
+  }));
+
 test('inspect on target pom file in directory with jars and --scan-all-unmanaged arg', async () =>
   assertFixture({
     fixtureDirectory: 'jars',
@@ -136,7 +142,7 @@ test('inspect in directory with good and bad jars and --scan-all-unmanaged arg',
   expect(doesNotExist?.version).toEqual('unknown');
 });
 
-test('inspect in directory with jar with wrong package name and --scan-all-unmanaged arg', async () =>
+test('inspect in directory with jar with mismatched package name and --scan-all-unmanaged arg', async () =>
   assertFixture({
     fixtureDirectory: 'jar-wrong-package-name',
     options: { scanAllUnmanaged: true },