@fabasoad/sarif-to-slack 1.3.5 → 1.4.0

package/src/utils/SarifUtils.ts

@@ -1,4 +1,4 @@
-import type { Result, Run, ToolComponent } from 'sarif'
+import type { Result, Run, ToolComponent } from 'sarif';
 
 /**
  * Returns {@link ToolComponent} instance for the given {@link Run}. It does not
@@ -7,7 +7,7 @@ import type { Result, Run, ToolComponent } from 'sarif'
  * @internal
  */
 export function findToolComponentDriver(run: Run): ToolComponent {
-  return run.tool.driver
+  return run.tool.driver;
 }
 
 /**
@@ -17,11 +17,11 @@ export function findToolComponentDriver(run: Run): ToolComponent {
  * @internal
  */
 export function tryFindToolComponentExtension(run: Run, result: Result): ToolComponent | undefined {
-  let tool: ToolComponent | undefined
+  let tool: ToolComponent | undefined;
   if (result.rule?.toolComponent?.index != null) {
-    tool = run.tool.extensions?.[result.rule.toolComponent.index]
+    tool = run.tool.extensions?.[result.rule.toolComponent.index];
   }
-  return tool
+  return tool;
 }
 
 /**
@@ -31,5 +31,5 @@ export function tryFindToolComponentExtension(run: Run, result: Result): ToolCom
  * @internal
  */
 export function findToolComponent(run: Run, result: Result): ToolComponent {
-  return tryFindToolComponentExtension(run, result) ?? findToolComponentDriver(run)
+  return tryFindToolComponentExtension(run, result) ?? findToolComponentDriver(run);
 }

package/src/utils/StringUtils.ts

@@ -1,7 +1,7 @@
 export function randomAlphabetic(length: number): string {
-  const alphabet = 'abcdefghijklmnopqrstuvwxyz'
+  const alphabet = 'abcdefghijklmnopqrstuvwxyz';
   return Array.from(
     { length },
-    (): string => alphabet[Math.floor(Math.random() * alphabet.length)]
-  ).join('')
+    (): string => alphabet[Math.floor(Math.random() * alphabet.length)],
+  ).join('');
 }

package/tests/integration/SendSarifToSlack.spec.ts

@@ -1,105 +1,103 @@
 import { z, ZodSafeParseResult } from 'zod';
 import {
   Color,
-  RepresentationType, SarifFileExtension,
+  LogLevel,
+  LogLevelItems,
+  RepresentationType,
+  SarifFileExtensionItems,
   SarifToSlackClient,
-  SendIf
+  SendIf,
 } from '../../src';
 
 describe('(integration): SendSarifToSlack', (): void => {
-  function processSarifExtension(extension: string): SarifFileExtension {
-    const allowed: string[] = ['sarif', 'json']
-    if (allowed.includes(extension)) {
-      return extension as SarifFileExtension
-    }
-
-    throw new Error(`Unknown extension: ${extension}`)
-  }
-
   function processRepresentationType(representation?: string): RepresentationType | undefined {
     if (representation == null) {
-      return undefined
+      return undefined;
     }
 
     switch (representation.toLowerCase()) {
       case 'compact-group-by-run-per-level':
-        return RepresentationType.CompactGroupByRunPerLevel
+        return RepresentationType.CompactGroupByRunPerLevel;
       case 'compact-group-by-run-per-severity':
-        return RepresentationType.CompactGroupByRunPerSeverity
+        return RepresentationType.CompactGroupByRunPerSeverity;
       case 'compact-group-by-tool-name-per-level':
-        return RepresentationType.CompactGroupByToolNamePerLevel
+        return RepresentationType.CompactGroupByToolNamePerLevel;
       case 'compact-group-by-tool-name-per-severity':
-        return RepresentationType.CompactGroupByToolNamePerSeverity
+        return RepresentationType.CompactGroupByToolNamePerSeverity;
       case 'compact-group-by-sarif-per-level':
-        return RepresentationType.CompactGroupBySarifPerLevel
+        return RepresentationType.CompactGroupBySarifPerLevel;
       case 'compact-group-by-sarif-per-severity':
-        return RepresentationType.CompactGroupBySarifPerSeverity
+        return RepresentationType.CompactGroupBySarifPerSeverity;
       case 'compact-total-per-level':
-        return RepresentationType.CompactTotalPerLevel
+        return RepresentationType.CompactTotalPerLevel;
       case 'compact-total-per-severity':
-        return RepresentationType.CompactTotalPerSeverity
+        return RepresentationType.CompactTotalPerSeverity;
       case 'table-group-by-run-per-level':
-        return RepresentationType.TableGroupByRunPerLevel
+        return RepresentationType.TableGroupByRunPerLevel;
       case 'table-group-by-run-per-severity':
-        return RepresentationType.TableGroupByRunPerSeverity
+        return RepresentationType.TableGroupByRunPerSeverity;
       case 'table-group-by-tool-name-per-level':
-        return RepresentationType.TableGroupByToolNamePerLevel
+        return RepresentationType.TableGroupByToolNamePerLevel;
       case 'table-group-by-tool-name-per-severity':
-        return RepresentationType.TableGroupByToolNamePerSeverity
+        return RepresentationType.TableGroupByToolNamePerSeverity;
       case 'table-group-by-sarif-per-level':
-        return RepresentationType.TableGroupBySarifPerLevel
+        return RepresentationType.TableGroupBySarifPerLevel;
       case 'table-group-by-sarif-per-severity':
-        return RepresentationType.TableGroupBySarifPerSeverity
+        return RepresentationType.TableGroupBySarifPerSeverity;
       default:
-        return undefined
+        return undefined;
     }
   }
 
   function processSendIf(sendIf?: string): SendIf | undefined {
     if (sendIf == null) {
-      return undefined
+      return undefined;
     }
 
     switch (sendIf.toLowerCase()) {
-      case 'severity-critical': return SendIf.SeverityCritical
-      case 'severity-high': return SendIf.SeverityHigh
-      case 'severity-high-or-higher': return SendIf.SeverityHighOrHigher
-      case 'severity-medium': return SendIf.SeverityMedium
-      case 'severity-medium-or-higher': return SendIf.SeverityMediumOrHigher
-      case 'severity-low': return SendIf.SeverityLow
-      case 'severity-low-or-higher': return SendIf.SeverityLowOrHigher
-      case 'severity-none': return SendIf.SeverityNone
-      case 'severity-none-or-higher': return SendIf.SeverityNoneOrHigher
-      case 'severity-unknown': return SendIf.SeverityUnknown
-      case 'severity-unknown-or-higher': return SendIf.SeverityUnknownOrHigher
-      case 'level-error': return SendIf.LevelError
-      case 'level-warning': return SendIf.LevelWarning
-      case 'level-warning-or-higher': return SendIf.LevelWarningOrHigher
-      case 'level-note': return SendIf.LevelNote
-      case 'level-note-or-higher': return SendIf.LevelNoteOrHigher
-      case 'level-none': return SendIf.LevelNone
-      case 'level-none-or-higher': return SendIf.LevelNoneOrHigher
-      case 'level-unknown': return SendIf.LevelUnknown
-      case 'level-unknown-or-higher': return SendIf.LevelUnknownOrHigher
-      case 'always': return SendIf.Always
-      case 'some': return SendIf.Some
-      case 'empty': return SendIf.Empty
-      case 'never': return SendIf.Never
-      default: return undefined
+      case 'severity-critical': return SendIf.SeverityCritical;
+      case 'severity-high': return SendIf.SeverityHigh;
+      case 'severity-high-or-higher': return SendIf.SeverityHighOrHigher;
+      case 'severity-medium': return SendIf.SeverityMedium;
+      case 'severity-medium-or-higher': return SendIf.SeverityMediumOrHigher;
+      case 'severity-low': return SendIf.SeverityLow;
+      case 'severity-low-or-higher': return SendIf.SeverityLowOrHigher;
+      case 'severity-none': return SendIf.SeverityNone;
+      case 'severity-none-or-higher': return SendIf.SeverityNoneOrHigher;
+      case 'severity-unknown': return SendIf.SeverityUnknown;
+      case 'severity-unknown-or-higher': return SendIf.SeverityUnknownOrHigher;
+      case 'level-error': return SendIf.LevelError;
+      case 'level-warning': return SendIf.LevelWarning;
+      case 'level-warning-or-higher': return SendIf.LevelWarningOrHigher;
+      case 'level-note': return SendIf.LevelNote;
+      case 'level-note-or-higher': return SendIf.LevelNoteOrHigher;
+      case 'level-none': return SendIf.LevelNone;
+      case 'level-none-or-higher': return SendIf.LevelNoneOrHigher;
+      case 'level-unknown': return SendIf.LevelUnknown;
+      case 'level-unknown-or-higher': return SendIf.LevelUnknownOrHigher;
+      case 'always': return SendIf.Always;
+      case 'some': return SendIf.Some;
+      case 'empty': return SendIf.Empty;
+      case 'never': return SendIf.Never;
+      default: return undefined;
     }
   }
 
   test('should send Sarif to Slack', async () => {
-    const recursiveParseResult: ZodSafeParseResult<boolean> = z
-      .stringbool()
-      .safeParse(process.env.SARIF_TO_SLACK_SARIF_PATH_RECURSIVE);
-    const sarifExtensionParseResult: ZodSafeParseResult<SarifFileExtension> = z
-      .string()
-      .transform(processSarifExtension)
-      .safeParse(process.env.SARIF_TO_SLACK_SARIF_FILE_EXTENSION);
-    const includeRunParseResult: ZodSafeParseResult<boolean> = z
-      .stringbool()
-      .safeParse(process.env.SARIF_TO_SLACK_INCLUDE_RUN);
+    const parseBoolean = <T>(envVar: string | undefined, defaultVal: T): boolean | T => {
+      const parseResult: ZodSafeParseResult<boolean> = z
+        .string()
+        .transform((val: string): string => val.toLowerCase())
+        .refine((val: string): val is "true" | "false" => val === "true" || val === "false")
+        .transform((val: "true" | "false"): val is "true" => val === "true")
+        .safeParse(envVar);
+      return parseResult.success ? parseResult.data : defaultVal;
+    }
+
+    const logLevelParseResult: ZodSafeParseResult<LogLevel> =
+      z.enum(LogLevelItems).safeParse(process.env.SARIF_TO_SLACK_LOG_LEVEL);
+    const logFunctionNameOnPositionParseResult: ZodSafeParseResult<number> =
+      z.coerce.number().safeParse(process.env.SARIF_TO_SLACK_LOG_FUNCTION_NAME_ON_POSITION);
 
     const client: SarifToSlackClient = await SarifToSlackClient.create(
       process.env.SARIF_TO_SLACK_WEBHOOK_URL as string,
@@ -127,8 +125,8 @@ describe('(integration): SendSarifToSlack', (): void => {
         },
         sarif: {
           path: process.env.SARIF_TO_SLACK_SARIF_PATH as string,
-          recursive: recursiveParseResult.success ? recursiveParseResult.data : false,
-          extension: sarifExtensionParseResult.success ? sarifExtensionParseResult.data : 'sarif',
+          recursive: parseBoolean(process.env.SARIF_TO_SLACK_SARIF_PATH_RECURSIVE, false),
+          extension: z.enum(SarifFileExtensionItems).parse(process.env.SARIF_TO_SLACK_SARIF_FILE_EXTENSION),
         },
         header: {
           include: process.env.SARIF_TO_SLACK_HEADER !== 'skip',
@@ -143,11 +141,19 @@ describe('(integration): SendSarifToSlack', (): void => {
           value: process.env.SARIF_TO_SLACK_ACTOR,
         },
         run: {
-          include: includeRunParseResult.success ? includeRunParseResult.data : false,
+          include: parseBoolean(process.env.SARIF_TO_SLACK_INCLUDE_RUN, false),
         },
         representation: processRepresentationType(process.env.SARIF_TO_SLACK_REPRESENTATION),
         sendIf: processSendIf(process.env.SARIF_TO_SLACK_SEND_IF),
-      }
+        loggerOptions: {
+          logFunctionName: parseBoolean(process.env.SARIF_TO_SLACK_LOG_FUNCTION_NAME, undefined),
+          logFunctionNameOnPosition: logFunctionNameOnPositionParseResult.success ? logFunctionNameOnPositionParseResult.data : undefined,
+          minLevel: logLevelParseResult.success ? logLevelParseResult.data : undefined,
+          name: 'integration-test',
+          stylePrettyLogs: parseBoolean(process.env.SARIF_TO_SLACK_STYLE_PRETTY_LOGS, undefined),
+          prettyLogTemplate: process.env.SARIF_TO_SLACK_LOG_TEMPLATE,
+        },
+      },
     );
     await client.send();
   })

package/tests/representations/CompactGroupByRunPerLevelRepresentation.spec.ts

@@ -0,0 +1,121 @@
+import CompactGroupByRunPerLevelRepresentation from '../../src/representations/CompactGroupByRunPerLevelRepresentation';
+import FindingArray from '../../src/model/FindingArray';
+import type Finding from '../../src/model/Finding';
+import { SecurityLevel, SecuritySeverity } from '../../src/types';
+import type { RunData, SarifModel } from '../../src/types';
+
+function mockFinding(opts: {
+  sarifPath?: string,
+  runId?: number,
+  toolName?: string,
+  level?: SecurityLevel,
+  severity?: SecuritySeverity,
+}): Finding {
+  const finding: Finding = {
+    get sarifPath() { return opts.sarifPath ?? '/default.sarif' },
+    get runId() { return opts.runId ?? 1 },
+    get toolName() { return opts.toolName ?? 'Tool' },
+    get cvssScore() { return undefined },
+    get level() { return opts.level ?? SecurityLevel.Unknown },
+    get severity() { return opts.severity ?? SecuritySeverity.Unknown },
+    clone() { return mockFinding(opts) },
+  };
+  return finding;
+}
+
+function buildModel(
+  runs: Array<{ id: number; toolName: string }>,
+  findings: Finding[],
+): SarifModel {
+  const arr = new FindingArray();
+  findings.forEach(f => arr.push(f));
+  return {
+    sarifFiles: [],
+    runs: runs.map(r => ({ id: r.id, toolName: r.toolName, run: {} as RunData['run'] })),
+    findings: arr,
+  };
+}
+
+describe('(unit): CompactGroupByRunPerLevelRepresentation', (): void => {
+  describe('compose()', (): void => {
+    test('should return "No vulnerabilities found" when there are no runs', (): void => {
+      const repr = new CompactGroupByRunPerLevelRepresentation(buildModel([], []));
+      expect(repr.compose()).toBe('No vulnerabilities found');
+    })
+
+    test('should return group header with "No vulnerabilities found" when run has no findings', (): void => {
+      const repr = new CompactGroupByRunPerLevelRepresentation(
+        buildModel([{ id: 1, toolName: 'Grype' }], []),
+      );
+      expect(repr.compose()).toBe('_[Run 1]_ *Grype*\nNo vulnerabilities found');
+    })
+
+    test('should compose single finding with correct level label', (): void => {
+      const repr = new CompactGroupByRunPerLevelRepresentation(
+        buildModel(
+          [{ id: 1, toolName: 'Grype' }],
+          [mockFinding({ runId: 1, level: SecurityLevel.Error })],
+        ),
+      );
+      expect(repr.compose()).toBe('_[Run 1]_ *Grype*\n*Error*: 1');
+    })
+
+    test('should group and sort findings by level descending', (): void => {
+      const findings = [
+        mockFinding({ runId: 1, level: SecurityLevel.Note }),
+        mockFinding({ runId: 1, level: SecurityLevel.Error }),
+        mockFinding({ runId: 1, level: SecurityLevel.Warning }),
+        mockFinding({ runId: 1, level: SecurityLevel.Warning }),
+      ];
+      const repr = new CompactGroupByRunPerLevelRepresentation(
+        buildModel([{ id: 1, toolName: 'Trivy' }], findings),
+      );
+      expect(repr.compose()).toBe('_[Run 1]_ *Trivy*\n*Error*: 1, *Warning*: 2, *Note*: 1');
+    })
+
+    test('should compose multiple runs each with their own findings', (): void => {
+      const findings = [
+        mockFinding({ runId: 1, level: SecurityLevel.Error }),
+        mockFinding({ runId: 2, level: SecurityLevel.Warning }),
+      ];
+      const repr = new CompactGroupByRunPerLevelRepresentation(
+        buildModel(
+          [{ id: 1, toolName: 'Grype' }, { id: 2, toolName: 'Trivy' }],
+          findings,
+        ),
+      );
+      expect(repr.compose()).toBe(
+        '_[Run 1]_ *Grype*\n*Error*: 1\n\n_[Run 2]_ *Trivy*\n*Warning*: 1',
+      )
+    })
+
+    test('should show "No vulnerabilities found" for a run that has no matching findings', (): void => {
+      const findings = [mockFinding({ runId: 1, level: SecurityLevel.Error })];
+      const repr = new CompactGroupByRunPerLevelRepresentation(
+        buildModel(
+          [{ id: 1, toolName: 'Grype' }, { id: 2, toolName: 'Trivy' }],
+          findings,
+        ),
+      );
+      expect(repr.compose()).toBe(
+        '_[Run 1]_ *Grype*\n*Error*: 1\n\n_[Run 2]_ *Trivy*\nNo vulnerabilities found',
+      )
+    })
+
+    test('should handle all level variants correctly', (): void => {
+      const findings = [
+        mockFinding({ runId: 1, level: SecurityLevel.Error }),
+        mockFinding({ runId: 1, level: SecurityLevel.Warning }),
+        mockFinding({ runId: 1, level: SecurityLevel.Note }),
+        mockFinding({ runId: 1, level: SecurityLevel.None }),
+        mockFinding({ runId: 1, level: SecurityLevel.Unknown }),
+      ];
+      const repr = new CompactGroupByRunPerLevelRepresentation(
+        buildModel([{ id: 1, toolName: 'Scanner' }], findings),
+      );
+      expect(repr.compose()).toBe(
+        '_[Run 1]_ *Scanner*\n*Error*: 1, *Warning*: 1, *Note*: 1, *None*: 1, *Unknown*: 1',
+      );
+    })
+  })
+})

package/tests/representations/CompactGroupByRunPerSeverityRepresentation.spec.ts

@@ -0,0 +1,122 @@
+import CompactGroupByRunPerSeverityRepresentation from '../../src/representations/CompactGroupByRunPerSeverityRepresentation';
+import FindingArray from '../../src/model/FindingArray';
+import type Finding from '../../src/model/Finding';
+import { SecurityLevel, SecuritySeverity } from '../../src/types';
+import type { RunData, SarifModel } from '../../src/types';
+
+function mockFinding(opts: {
+  sarifPath?: string,
+  runId?: number,
+  toolName?: string,
+  level?: SecurityLevel,
+  severity?: SecuritySeverity,
+}): Finding {
+  const finding: Finding = {
+    get sarifPath() { return opts.sarifPath ?? '/default.sarif' },
+    get runId() { return opts.runId ?? 1 },
+    get toolName() { return opts.toolName ?? 'Tool' },
+    get cvssScore() { return undefined },
+    get level() { return opts.level ?? SecurityLevel.Unknown },
+    get severity() { return opts.severity ?? SecuritySeverity.Unknown },
+    clone() { return mockFinding(opts) },
+  };
+  return finding;
+}
+
+function buildModel(
+  runs: Array<{ id: number; toolName: string }>,
+  findings: Finding[],
+): SarifModel {
+  const arr = new FindingArray();
+  findings.forEach(f => arr.push(f));
+  return {
+    sarifFiles: [],
+    runs: runs.map(r => ({ id: r.id, toolName: r.toolName, run: {} as RunData['run'] })),
+    findings: arr,
+  };
+}
+
+describe('(unit): CompactGroupByRunPerSeverityRepresentation', (): void => {
+  describe('compose()', (): void => {
+    test('should return "No vulnerabilities found" when there are no runs', (): void => {
+      const repr = new CompactGroupByRunPerSeverityRepresentation(buildModel([], []));
+      expect(repr.compose()).toBe('No vulnerabilities found');
+    })
+
+    test('should return group header with "No vulnerabilities found" when run has no findings', (): void => {
+      const repr = new CompactGroupByRunPerSeverityRepresentation(
+        buildModel([{ id: 1, toolName: 'Grype' }], []),
+      );
+      expect(repr.compose()).toBe('_[Run 1]_ *Grype*\nNo vulnerabilities found');
+    })
+
+    test('should compose single finding with correct severity label', (): void => {
+      const repr = new CompactGroupByRunPerSeverityRepresentation(
+        buildModel(
+          [{ id: 1, toolName: 'Grype' }],
+          [mockFinding({ runId: 1, severity: SecuritySeverity.Critical })],
+        ),
+      );
+      expect(repr.compose()).toBe('_[Run 1]_ *Grype*\n*Critical*: 1');
+    })
+
+    test('should group and sort findings by severity descending', (): void => {
+      const findings = [
+        mockFinding({ runId: 1, severity: SecuritySeverity.Low }),
+        mockFinding({ runId: 1, severity: SecuritySeverity.Critical }),
+        mockFinding({ runId: 1, severity: SecuritySeverity.High }),
+        mockFinding({ runId: 1, severity: SecuritySeverity.High }),
+      ];
+      const repr = new CompactGroupByRunPerSeverityRepresentation(
+        buildModel([{ id: 1, toolName: 'Trivy' }], findings),
+      );
+      expect(repr.compose()).toBe('_[Run 1]_ *Trivy*\n*Critical*: 1, *High*: 2, *Low*: 1');
+    })
+
+    test('should compose multiple runs each with their own findings', (): void => {
+      const findings = [
+        mockFinding({ runId: 1, severity: SecuritySeverity.High }),
+        mockFinding({ runId: 2, severity: SecuritySeverity.Medium }),
+      ];
+      const repr = new CompactGroupByRunPerSeverityRepresentation(
+        buildModel(
+          [{ id: 1, toolName: 'Grype' }, { id: 2, toolName: 'Trivy' }],
+          findings,
+        ),
+      );
+      expect(repr.compose()).toBe(
+        '_[Run 1]_ *Grype*\n*High*: 1\n\n_[Run 2]_ *Trivy*\n*Medium*: 1',
+      );
+    })
+
+    test('should show "No vulnerabilities found" for a run that has no matching findings', (): void => {
+      const findings = [mockFinding({ runId: 1, severity: SecuritySeverity.Critical })];
+      const repr = new CompactGroupByRunPerSeverityRepresentation(
+        buildModel(
+          [{ id: 1, toolName: 'Grype' }, { id: 2, toolName: 'Trivy' }],
+          findings,
+        ),
+      );
+      expect(repr.compose()).toBe(
+        '_[Run 1]_ *Grype*\n*Critical*: 1\n\n_[Run 2]_ *Trivy*\nNo vulnerabilities found',
+      );
+    })
+
+    test('should handle all severity variants correctly', (): void => {
+      const findings = [
+        mockFinding({ runId: 1, severity: SecuritySeverity.Critical }),
+        mockFinding({ runId: 1, severity: SecuritySeverity.High }),
+        mockFinding({ runId: 1, severity: SecuritySeverity.Medium }),
+        mockFinding({ runId: 1, severity: SecuritySeverity.Low }),
+        mockFinding({ runId: 1, severity: SecuritySeverity.None }),
+        mockFinding({ runId: 1, severity: SecuritySeverity.Unknown }),
+      ];
+      const repr = new CompactGroupByRunPerSeverityRepresentation(
+        buildModel([{ id: 1, toolName: 'Scanner' }], findings),
+      );
+      expect(repr.compose()).toBe(
+        '_[Run 1]_ *Scanner*\n*Critical*: 1, *High*: 1, *Medium*: 1, *Low*: 1, *None*: 1, *Unknown*: 1',
+      );
+    })
+  })
+})

package/tests/representations/CompactGroupBySarifPerLevelRepresentation.spec.ts

@@ -0,0 +1,132 @@
+import CompactGroupBySarifPerLevelRepresentation from '../../src/representations/CompactGroupBySarifPerLevelRepresentation';
+import FindingArray from '../../src/model/FindingArray';
+import type Finding from '../../src/model/Finding';
+import { SecurityLevel, SecuritySeverity } from '../../src/types';
+import type { RunData, SarifModel } from '../../src/types';
+
+function mockFinding(opts: {
+  sarifPath?: string,
+  runId?: number,
+  toolName?: string,
+  level?: SecurityLevel,
+  severity?: SecuritySeverity,
+}): Finding {
+  const finding: Finding = {
+    get sarifPath() { return opts.sarifPath ?? '/default.sarif' },
+    get runId() { return opts.runId ?? 1 },
+    get toolName() { return opts.toolName ?? 'Tool' },
+    get cvssScore() { return undefined },
+    get level() { return opts.level ?? SecurityLevel.Unknown },
+    get severity() { return opts.severity ?? SecuritySeverity.Unknown },
+    clone() { return mockFinding(opts) },
+  };
+  return finding;
+}
+
+function buildModel(
+  sarifFiles: string[],
+  findings: Finding[],
+): SarifModel {
+  const arr = new FindingArray();
+  findings.forEach(f => arr.push(f));
+  return {
+    sarifFiles,
+    runs: [{ id: 1, toolName: 'Tool', run: {} as RunData['run'] }],
+    findings: arr,
+  };
+}
+
+describe('(unit): CompactGroupBySarifPerLevelRepresentation', (): void => {
+  describe('compose()', (): void => {
+    test('should return "No vulnerabilities found" when there are no sarif files', (): void => {
+      const repr = new CompactGroupBySarifPerLevelRepresentation(buildModel([], []));
+      expect(repr.compose()).toBe('No vulnerabilities found');
+    })
+
+    test('should return group header with "No vulnerabilities found" when file has no findings', (): void => {
+      const repr = new CompactGroupBySarifPerLevelRepresentation(
+        buildModel(['/path/to/results.sarif'], []),
+      );
+      expect(repr.compose()).toBe('_[File 1]_ *results.sarif*\nNo vulnerabilities found');
+    })
+
+    test('should compose single finding with correct level label', (): void => {
+      const repr = new CompactGroupBySarifPerLevelRepresentation(
+        buildModel(
+          ['/path/to/grype.sarif'],
+          [mockFinding({ sarifPath: '/path/to/grype.sarif', level: SecurityLevel.Error })],
+        ),
+      );
+      expect(repr.compose()).toBe('_[File 1]_ *grype.sarif*\n*Error*: 1');
+    })
+
+    test('should group and sort findings by level descending', (): void => {
+      const sarifPath = '/scans/results.sarif';
+      const findings = [
+        mockFinding({ sarifPath, level: SecurityLevel.Note }),
+        mockFinding({ sarifPath, level: SecurityLevel.Error }),
+        mockFinding({ sarifPath, level: SecurityLevel.Warning }),
+        mockFinding({ sarifPath, level: SecurityLevel.Warning }),
+      ];
+      const repr = new CompactGroupBySarifPerLevelRepresentation(
+        buildModel([sarifPath], findings),
+      );
+      expect(repr.compose()).toBe('_[File 1]_ *results.sarif*\n*Error*: 1, *Warning*: 2, *Note*: 1');
+    })
+
+    test('should compose multiple sarif files with incrementing indices', (): void => {
+      const file1 = '/scans/grype-01.sarif';
+      const file2 = '/scans/grype-02.sarif';
+      const findings = [
+        mockFinding({ sarifPath: file1, level: SecurityLevel.Error }),
+        mockFinding({ sarifPath: file2, level: SecurityLevel.Warning }),
+      ];
+      const repr = new CompactGroupBySarifPerLevelRepresentation(
+        buildModel([file1, file2], findings),
+      );
+      expect(repr.compose()).toBe(
+        '_[File 1]_ *grype-01.sarif*\n*Error*: 1\n\n_[File 2]_ *grype-02.sarif*\n*Warning*: 1',
+      );
+    })
+
+    test('should show "No vulnerabilities found" for a file that has no matching findings', (): void => {
+      const file1 = '/scans/grype-01.sarif';
+      const file2 = '/scans/grype-02.sarif';
+      const findings = [mockFinding({ sarifPath: file1, level: SecurityLevel.Error })];
+      const repr = new CompactGroupBySarifPerLevelRepresentation(
+        buildModel([file1, file2], findings),
+      );
+      expect(repr.compose()).toBe(
+        '_[File 1]_ *grype-01.sarif*\n*Error*: 1\n\n_[File 2]_ *grype-02.sarif*\nNo vulnerabilities found',
+      );
+    })
+
+    test('should use only basename for the group title', (): void => {
+      const sarifPath = '/very/long/path/to/nested/scan-results.sarif';
+      const repr = new CompactGroupBySarifPerLevelRepresentation(
+        buildModel(
+          [sarifPath],
+          [mockFinding({ sarifPath, level: SecurityLevel.Note })],
+        ),
+      );
+      expect(repr.compose()).toBe('_[File 1]_ *scan-results.sarif*\n*Note*: 1');
+    })
+
+    test('should handle all level variants correctly', (): void => {
+      const sarifPath = '/scans/all-levels.sarif';
+      const findings = [
+        mockFinding({ sarifPath, level: SecurityLevel.Error }),
+        mockFinding({ sarifPath, level: SecurityLevel.Warning }),
+        mockFinding({ sarifPath, level: SecurityLevel.Note }),
+        mockFinding({ sarifPath, level: SecurityLevel.None }),
+        mockFinding({ sarifPath, level: SecurityLevel.Unknown }),
+      ];
+      const repr = new CompactGroupBySarifPerLevelRepresentation(
+        buildModel([sarifPath], findings),
+      );
+      expect(repr.compose()).toBe(
+        '_[File 1]_ *all-levels.sarif*\n*Error*: 1, *Warning*: 1, *Note*: 1, *None*: 1, *Unknown*: 1',
+      );
+    })
+  })
+})