fix: properly check for malicious data

stacklok · Apr 25, 2024 · 5738516 · 5738516
1 parent 98099e7
commit 5738516
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 6 deletions.
diff --git a/pkg/trustyapi/trusty_structs.go b/pkg/trustyapi/trusty_structs.go
@@ -95,7 +95,6 @@ type Package struct {
 		Score       float64 `json:"score"`
 		Description struct {
 			Activity      float64 `json:"activity"`
-			Malicious     bool    `json:"malicious"`
 			Provenance    float64 `json:"provenance"`
 			Typosquatting float64 `json:"typosquatting"`
 			ActivityUser  float64 `json:"activity_user"`

diff --git a/pkg/trustyapi/trustyapi.go b/pkg/trustyapi/trustyapi.go
@@ -148,7 +148,7 @@ func ProcessDependency(dep string, ecosystem string, scoreThreshold float64) (st
 	// Format the report using Markdown
 	reportBuilder.WriteString(fmt.Sprintf("### :package: Dependency: [`%s`](https://www.trustypkg.dev/%s/%s)\n", dep, ecosystem, dep))
 	// Highlight if the package is malicious, deprecated or archived
-	if result.Summary.Description.Malicious {
+	if result.PackageData.Origin == "malicious" {
 		reportBuilder.WriteString("### **⚠️ Malicious** (This package is marked as Malicious. Proceed with extreme caution!)\n\n")
 	}
 	if result.PackageData.IsDeprecated {
@@ -178,7 +178,7 @@ func ProcessDependency(dep string, ecosystem string, scoreThreshold float64) (st
 
 	// Check if the Trusty score is below the scoreThreshold, if IsDeprecated, isMalicious, Archived, if so shouldFail is set to true
 	if result.PackageData.IsDeprecated ||
-		result.Summary.Description.Malicious ||
+		result.PackageData.Origin == "malicious" ||
 		result.PackageData.Archived ||
 		result.Summary.Score < scoreThreshold {
 		shouldFail = true

diff --git a/pkg/trustyapi/trustyapi_test.go b/pkg/trustyapi/trustyapi_test.go
@@ -1,14 +1,12 @@
 package trustyapi
 
 import (
-	"fmt"
 	"log"
 	"strings"
 	"testing"
 )
 
-func TestProcessDependencies(t *testing.T) {
-	fmt.Println("in test processing")
+func TestProcessGoDependencies(t *testing.T) {
 	ecosystem := "go"
 	scoreThreshold := 5.0
 
@@ -29,5 +27,37 @@ func TestProcessDependencies(t *testing.T) {
 			}
 		}
 	}
+}
+
+func TestProcessDeprecatedDependencies(t *testing.T) {
+	ecosystem := "npm"
+	scoreThreshold := 10.0
+
+	dependencies := []string{"@types/google-cloud__storage", "cutjs", "scriptoni", "stryker-mocha-framework", "grunt-html-smoosher", "moesif-express", "swagger-methods",
+		"@syncfusion/ej2-heatmap", "@cnbritain/wc-buttons", "gulp-google-cdn"}
+
+	for _, dep := range dependencies {
+		log.Printf("Analyzing dependency: %s\n", dep)
+		report, _ := ProcessDependency(dep, ecosystem, scoreThreshold)
+		if !strings.Contains(report, "Deprecated") {
+			t.Errorf("Expected report to contain 'Deprecated' for %s", dep)
+		}
+	}
+
+}
+
+func TestProcessMaliciousDependencies(t *testing.T) {
+	ecosystem := "pypi"
+	scoreThreshold := 10.0
+
+	dependencies := []string{"lyft-service", "types-for-adobe", "booto3", "google-requests", "reqargs"}
+
+	for _, dep := range dependencies {
+		log.Printf("Analyzing dependency: %s\n", dep)
+		report, _ := ProcessDependency(dep, ecosystem, scoreThreshold)
+		if !strings.Contains(report, "Malicious") {
+			t.Errorf("Expected report to contain 'Malicious' for %s", dep)
+		}
+	}
 
 }