chore: fix transitive dependencies being marked as directly upgradable (#582)

Author: CatalinSnyk

internal/presenters/funcs.go

@@ -287,6 +287,7 @@ func getCliTemplateFuncMap(tmpl *template.Template) template.FuncMap {
 	fnMap["colorBySeverity"] = renderInSeverityColor // 2-arg version from styles.go
 	fnMap["renderGreen"] = renderGreen
 	fnMap["renderGray"] = renderGray
+	fnMap["renderCyan"] = renderCyan
 	fnMap["bold"] = renderBold
 	fnMap["tip"] = func(s string) string {
 		return RenderTip(s + "\n")

internal/presenters/presenter_ufm_test.go

@@ -1167,6 +1167,13 @@ func Test_UfmPresenter_HumanReadable(t *testing.T) {
 	}{
 		{
 			name:              "cli",
+			expectedPath:      "testdata/ufm/cli.human.readable",
+			testResultPath:    "testdata/ufm/testresult_cli.json",
+			includeIgnores:    false,
+			severityThreshold: "",
+		},
+		{
+			name:              "webgoat",
 			expectedPath:      "testdata/ufm/webgoat.ignore.human.readable",
 			testResultPath:    "testdata/ufm/webgoat.ignore.testresult.json",
 			includeIgnores:    true,

internal/presenters/styles.go

@@ -35,3 +35,8 @@ func renderGray(str string) string {
 	style := lipgloss.NewStyle().Foreground(lipgloss.Color("8"))
 	return style.Render(str)
 }
+
+func renderCyan(str string) string {
+	style := lipgloss.NewStyle().Foreground(lipgloss.Color("6"))
+	return style.Render(str)
+}

internal/presenters/templates/ufm.human.tmpl

@@ -183,11 +183,12 @@ Tested {{ int $dependencyCount }} dependencies for known issues, found {{ len $o
 {{- define "issueRemediationDetails" }}
     {{- $issue := . }}
     {{- $componentName := getIssueMetadata $issue "component-name" }}
+    {{- $componentVersion := getIssueMetadata $issue "component-version" }}
     {{- $severity := $issue.GetEffectiveSeverity }}
     {{- $title := colorBySeverity $severity ($issue.GetTitle | bold) }}
     {{- $severityBadge := colorBySeverity $severity (printf "[%s]" ($severity | toUpperCase)) }}
     {{- $url := printf "[https://security.snyk.io/vuln/%s]" $issue.GetID }}
-    {{- $pkgDisplay := $componentName | bold }}
+    {{- $pkgDisplay := printf "%s@%s" $componentName $componentVersion | bold }}
     {{- printf "  ✗ %s %s %s in %s" $title $severityBadge $url $pkgDisplay }}
     {{- "\n" }}
 
@@ -221,9 +222,9 @@ Tested {{ int $dependencyCount }} dependencies for known issues, found {{ len $o
                 {{- end }}
                 {{- if gt $pathCount 1 }}
                     {{- if eq (sub $pathCount 1) 1 }}
-                        {{- printf "    introduced by %s and %d other path\n" $pathStr (sub $pathCount 1) }}
+                        {{- printf "    introduced by %s and %s other path\n" $pathStr (print (sub $pathCount 1) | renderCyan) }}
                     {{- else }}
-                        {{- printf "    introduced by %s and %d other paths\n" $pathStr (sub $pathCount 1) }}
+                        {{- printf "    introduced by %s and %s other paths\n" $pathStr (print (sub $pathCount 1) | renderCyan) }}
                     {{- end }}
                 {{- else }}
                     {{- printf "    introduced by %s\n" $pathStr }}

internal/presenters/testdata/ufm/cli.human.readable

@@ -0,0 +1,131 @@
+Testing  (package.json) ...
+
+Tested 552 dependencies for known issues, found 9 issues, 111 vulnerable paths.
+
+Open Security issues: 9
+
+ ✗ [LOW] Regular Expression Denial of Service (ReDoS)
+   Finding ID: SNYK-JS-BRACEEXPANSION-9789073
+   Info: https://snyk.io/vuln/SNYK-JS-BRACEEXPANSION-9789073
+   Introduced by: brace-expansion
+   Introduced through: snyk@1.0.0-monorepo > glob@7.2.3 > minimatch@3.1.2 > brace-expansion@1.1.11
+   Reachability: No Path Found
+
+ ✗ [MEDIUM] Arbitrary Code Injection
+   Finding ID: SNYK-JS-COOKIE-13271683
+   Info: https://snyk.io/vuln/SNYK-JS-COOKIE-13271683
+   Introduced by: cookie
+   Introduced through: snyk@1.0.0-monorepo > @sentry/node@7.34.0 > cookie@0.4.2
+   Reachability: No Path Found
+
+ ✗ [MEDIUM] Regular Expression Denial of Service (ReDoS)
+   Finding ID: SNYK-JS-DEBUG-13283909
+   Info: https://snyk.io/vuln/SNYK-JS-DEBUG-13283909
+   Introduced by: debug
+   Introduced through: snyk@1.0.0-monorepo > debug@4.3.4
+   Reachability: No Path Found
+
+ ✗ [MEDIUM] Alternate solution to CWE-1333 | Inefficient Regular Expression Complexity
+   Finding ID: SNYK-JS-DEBUG-14214893
+   Info: https://snyk.io/vuln/SNYK-JS-DEBUG-14214893
+   Introduced by: debug
+   Introduced through: snyk@1.0.0-monorepo > debug@4.3.4
+   Reachability: No Path Found
+
+ ✗ [MEDIUM] Open Redirect
+   Finding ID: SNYK-JS-GOT-2932019
+   Info: https://snyk.io/vuln/SNYK-JS-GOT-2932019
+   Introduced by: got
+   Introduced through: snyk@1.0.0-monorepo > snyk-nodejs-lockfile-parser@2.3.1 > @yarnpkg/core@4.4.1 > got@11.8.2
+   Reachability: No Path Found
+
+ ✗ [MEDIUM] Regular Expression Denial of Service (ReDoS)
+   Finding ID: SNYK-JS-MARKED-2342073
+   Info: https://snyk.io/vuln/SNYK-JS-MARKED-2342073
+   Introduced by: marked
+   Introduced through: snyk@1.0.0-monorepo > marked@4.0.1
+   Reachability: Reachable
+
+ ✗ [MEDIUM] Regular Expression Denial of Service (ReDoS)
+   Finding ID: SNYK-JS-MARKED-2342082
+   Info: https://snyk.io/vuln/SNYK-JS-MARKED-2342082
+   Introduced by: marked
+   Introduced through: snyk@1.0.0-monorepo > marked@4.0.1
+   Reachability: Reachable
+
+ ✗ [HIGH] Directory Traversal
+   Finding ID: SNYK-JS-ASYNC-12239908
+   Info: https://snyk.io/vuln/SNYK-JS-ASYNC-12239908
+   Introduced by: async
+   Introduced through: snyk@1.0.0-monorepo > snyk-config@5.2.0 > async@3.2.4
+   Reachability: No Path Found
+
+ ✗ [HIGH] Denial of Service (DoS)
+   Finding ID: SNYK-JS-LODASH-12239302
+   Info: https://snyk.io/vuln/SNYK-JS-LODASH-12239302
+   Introduced by: lodash
+   Introduced through: snyk@1.0.0-monorepo > snyk-nodejs-plugin@1.4.4 > lodash@4.17.21
+   Reachability: No Path Found
+
+Issues to fix by upgrading:
+
+  Upgrade @sentry/node@7.34.0 to @sentry/node@7.94.1 to fix
+  ✗ Arbitrary Code Injection [MEDIUM] [https://security.snyk.io/vuln/SNYK-JS-COOKIE-13271683] in cookie@0.4.2
+    introduced by snyk@1.0.0-monorepo > @sentry/node@7.34.0 > cookie@0.4.2
+  ✗ Regular Expression Denial of Service (ReDoS) [MEDIUM] [https://security.snyk.io/vuln/SNYK-JS-DEBUG-13283909] in debug@4.3.4
+    introduced by snyk@1.0.0-monorepo > debug@4.3.4 and 40 other paths
+  ✗ Alternate solution to CWE-1333 | Inefficient Regular Expression Complexity [MEDIUM] [https://security.snyk.io/vuln/SNYK-JS-DEBUG-14214893] in debug@4.3.4
+    introduced by snyk@1.0.0-monorepo > debug@4.3.4 and 40 other paths
+
+  Upgrade @snyk/fix@1.0.0-monorepo to @snyk/fix@1.471.0 to fix
+  ✗ Regular Expression Denial of Service (ReDoS) [MEDIUM] [https://security.snyk.io/vuln/SNYK-JS-DEBUG-13283909] in debug@4.3.4
+    introduced by snyk@1.0.0-monorepo > debug@4.3.4 and 40 other paths
+  ✗ Alternate solution to CWE-1333 | Inefficient Regular Expression Complexity [MEDIUM] [https://security.snyk.io/vuln/SNYK-JS-DEBUG-14214893] in debug@4.3.4
+    introduced by snyk@1.0.0-monorepo > debug@4.3.4 and 40 other paths
+
+  Upgrade glob@7.2.3 to glob@9.0.0 to fix
+  ✗ Regular Expression Denial of Service (ReDoS) [LOW] [https://security.snyk.io/vuln/SNYK-JS-BRACEEXPANSION-9789073] in brace-expansion@1.1.11
+    introduced by snyk@1.0.0-monorepo > glob@7.2.3 > minimatch@3.1.2 > brace-expansion@1.1.11 and 7 other paths
+
+  Upgrade marked@4.0.1 to marked@4.0.10 to fix
+  ✗ Regular Expression Denial of Service (ReDoS) [MEDIUM] [https://security.snyk.io/vuln/SNYK-JS-MARKED-2342073] in marked@4.0.1
+    introduced by snyk@1.0.0-monorepo > marked@4.0.1
+  ✗ Regular Expression Denial of Service (ReDoS) [MEDIUM] [https://security.snyk.io/vuln/SNYK-JS-MARKED-2342082] in marked@4.0.1
+    introduced by snyk@1.0.0-monorepo > marked@4.0.1
+
+  Upgrade rimraf@2.7.1 to rimraf@4.3.1 to fix
+  ✗ Regular Expression Denial of Service (ReDoS) [LOW] [https://security.snyk.io/vuln/SNYK-JS-BRACEEXPANSION-9789073] in brace-expansion@1.1.11
+    introduced by snyk@1.0.0-monorepo > glob@7.2.3 > minimatch@3.1.2 > brace-expansion@1.1.11 and 7 other paths
+
+  Upgrade snyk-go-plugin@1.23.0 to snyk-go-plugin@1.24.0 to fix
+  ✗ Regular Expression Denial of Service (ReDoS) [LOW] [https://security.snyk.io/vuln/SNYK-JS-BRACEEXPANSION-9789073] in brace-expansion@1.1.11
+    introduced by snyk@1.0.0-monorepo > glob@7.2.3 > minimatch@3.1.2 > brace-expansion@1.1.11 and 7 other paths
+
+  Upgrade snyk-resolve-deps@4.8.0 to snyk-resolve-deps@4.9.1 to fix
+  ✗ Regular Expression Denial of Service (ReDoS) [MEDIUM] [https://security.snyk.io/vuln/SNYK-JS-DEBUG-13283909] in debug@4.3.4
+    introduced by snyk@1.0.0-monorepo > debug@4.3.4 and 40 other paths
+  ✗ Alternate solution to CWE-1333 | Inefficient Regular Expression Complexity [MEDIUM] [https://security.snyk.io/vuln/SNYK-JS-DEBUG-14214893] in debug@4.3.4
+    introduced by snyk@1.0.0-monorepo > debug@4.3.4 and 40 other paths
+
+Issues with no direct upgrade or patch:
+  ✗ Regular Expression Denial of Service (ReDoS) [LOW] [https://security.snyk.io/vuln/SNYK-JS-BRACEEXPANSION-9789073] in brace-expansion@1.1.11
+    introduced by snyk@1.0.0-monorepo > glob@7.2.3 > minimatch@3.1.2 > brace-expansion@1.1.11 and 7 other paths
+  This issue was fixed in: 1.1.12, 2.0.2, 3.0.1, 4.0.1
+
+╭─────────────────────────────────────────────────────────╮
+│ Test Summary                                            │
+│                                                         │
+│   Organization:      My Org                             │
+│   Test type:         Software Composition Analysis      │
+│   Project path:      test-project                       │
+│                                                         │
+│   Total security issues: 9                              │
+│   Ignored: 0 [ 0 CRITICAL  0 HIGH  0 MEDIUM  0 LOW ]    │
+│   Open   : 9 [ 0 CRITICAL  2 HIGH  6 MEDIUM  1 LOW ]    │
+╰─────────────────────────────────────────────────────────╯
+
+
+💡 Tip
+
+   To view ignored issues, use the --include-ignores option.
+