131 lines
5.2 KiB
JavaScript
131 lines
5.2 KiB
JavaScript
// dep.test.mjs — Integration tests for the dep-auditor
|
|
// Uses tests/fixtures/dep-test/package.json which contains 3 typosquat deps:
|
|
// - expresss (edit distance 1 from express)
|
|
// - lodsah (edit distance 1 from lodash)
|
|
// - node-fethc (edit distance 1 from node-fetch)
|
|
//
|
|
// The evil-project-health fixture uses package.fixture.json (not package.json),
|
|
// so we use the dedicated dep-test fixture as targetPath instead.
|
|
|
|
import { describe, it, beforeEach } from 'node:test';
|
|
import assert from 'node:assert/strict';
|
|
import { resolve } from 'node:path';
|
|
import { fileURLToPath } from 'node:url';
|
|
import { resetCounter } from '../../scanners/lib/output.mjs';
|
|
import { scan } from '../../scanners/dep-auditor.mjs';
|
|
|
|
const __dirname = fileURLToPath(new URL('.', import.meta.url));
|
|
const DEP_FIXTURE = resolve(__dirname, '../fixtures/dep-test');
|
|
|
|
describe('dep-auditor integration', () => {
|
|
beforeEach(() => {
|
|
resetCounter();
|
|
});
|
|
|
|
it('returns status ok when package.json is present', async () => {
|
|
const result = await scan(DEP_FIXTURE, { files: [] });
|
|
assert.equal(result.status, 'ok', `Expected status 'ok', got '${result.status}'`);
|
|
});
|
|
|
|
it('detects at least 2 typosquatting findings', async () => {
|
|
const result = await scan(DEP_FIXTURE, { files: [] });
|
|
const typosquatFindings = result.findings.filter(
|
|
f => f.title.toLowerCase().includes('typosquat')
|
|
);
|
|
assert.ok(
|
|
typosquatFindings.length >= 2,
|
|
`Expected >= 2 typosquatting findings, got ${typosquatFindings.length}. ` +
|
|
`All findings: ${result.findings.map(f => f.title).join('; ')}`
|
|
);
|
|
});
|
|
|
|
it('typosquatting findings have HIGH or MEDIUM severity', async () => {
|
|
// Distance-1 matches → HIGH; distance-2 matches against top-200 → MEDIUM.
|
|
// expresss/node-fethc are distance-1 from express/node-fetch → HIGH.
|
|
// lodsah is distance-2 from lodash → MEDIUM (if lodash is in top-200).
|
|
const result = await scan(DEP_FIXTURE, { files: [] });
|
|
const typosquatFindings = result.findings.filter(
|
|
f => f.title.toLowerCase().includes('typosquat')
|
|
);
|
|
for (const f of typosquatFindings) {
|
|
assert.ok(
|
|
f.severity === 'high' || f.severity === 'medium',
|
|
`Typosquat finding "${f.title}" should be HIGH or MEDIUM, got ${f.severity}`
|
|
);
|
|
}
|
|
});
|
|
|
|
it('at least one distance-1 typosquat is HIGH severity', async () => {
|
|
const result = await scan(DEP_FIXTURE, { files: [] });
|
|
const highFindings = result.findings.filter(
|
|
f => f.title.toLowerCase().includes('typosquat') && f.severity === 'high'
|
|
);
|
|
assert.ok(
|
|
highFindings.length >= 1,
|
|
`Expected at least 1 HIGH typosquat (distance-1), got ${highFindings.length}. ` +
|
|
`Findings: ${result.findings.map(f => `${f.severity}: ${f.title}`).join('; ')}`
|
|
);
|
|
});
|
|
|
|
it('detects expresss as typosquat of express', async () => {
|
|
const result = await scan(DEP_FIXTURE, { files: [] });
|
|
const expFinding = result.findings.find(
|
|
f => f.title.toLowerCase().includes('expresss') ||
|
|
(f.evidence && f.evidence.includes('expresss'))
|
|
);
|
|
assert.ok(expFinding, 'Should detect "expresss" as typosquat of "express"');
|
|
});
|
|
|
|
it('detects lodsah as typosquat of lodash', async () => {
|
|
const result = await scan(DEP_FIXTURE, { files: [] });
|
|
const lodashFinding = result.findings.find(
|
|
f => f.title.toLowerCase().includes('lodsah') ||
|
|
(f.evidence && f.evidence.includes('lodsah'))
|
|
);
|
|
assert.ok(lodashFinding, 'Should detect "lodsah" as typosquat of "lodash"');
|
|
});
|
|
|
|
it('all findings have DS-DEP- prefix', async () => {
|
|
const result = await scan(DEP_FIXTURE, { files: [] });
|
|
const wrongPrefix = result.findings.filter(f => !f.id.startsWith('DS-DEP-'));
|
|
assert.equal(
|
|
wrongPrefix.length, 0,
|
|
`All dep findings should have DS-DEP- prefix. Wrong: ${wrongPrefix.map(f => f.id).join(', ')}`
|
|
);
|
|
});
|
|
|
|
it('typosquat findings reference package.json as the file', async () => {
|
|
const result = await scan(DEP_FIXTURE, { files: [] });
|
|
const typosquatFindings = result.findings.filter(
|
|
f => f.title.toLowerCase().includes('typosquat')
|
|
);
|
|
for (const f of typosquatFindings) {
|
|
assert.equal(f.file, 'package.json', `Expected file 'package.json', got '${f.file}'`);
|
|
}
|
|
});
|
|
|
|
it('all typosquat findings reference owasp LLM03', async () => {
|
|
const result = await scan(DEP_FIXTURE, { files: [] });
|
|
const typosquatFindings = result.findings.filter(
|
|
f => f.title.toLowerCase().includes('typosquat')
|
|
);
|
|
for (const f of typosquatFindings) {
|
|
assert.equal(f.owasp, 'LLM03', `Expected owasp LLM03, got ${f.owasp}`);
|
|
}
|
|
});
|
|
|
|
it('non-package directory returns skipped', async () => {
|
|
// Use a directory with no package.json or requirements.txt
|
|
const emptyDir = resolve(__dirname, '../../scanners/lib');
|
|
resetCounter();
|
|
const result = await scan(emptyDir, { files: [] });
|
|
assert.equal(result.status, 'skipped', `Expected skipped, got '${result.status}'`);
|
|
assert.equal(result.findings.length, 0);
|
|
});
|
|
|
|
it('finding IDs start from DS-DEP-001 after reset', async () => {
|
|
const result = await scan(DEP_FIXTURE, { files: [] });
|
|
if (result.findings.length === 0) return;
|
|
assert.equal(result.findings[0].id, 'DS-DEP-001');
|
|
});
|
|
});
|