@ktpartners/dgs-platform 3.0.4 → 3.3.0

package/deliver-great-systems/bin/lib/package-adapters.test.cjs

@@ -0,0 +1,618 @@
+/**
+ * package-adapters.test.cjs -- Unit tests for per-tool JSON->canonical-finding adapters
+ *
+ * Covers PKG-11 (canonical shape), PKG-12 (direct/transitive), PKG-13 (chain),
+ * PKG-14 (fix recommendation), and the adapter half of PKG-31 (manifest_path).
+ *
+ * Fixtures live in ./fixtures/package-scan/ -- hand-authored, public-data-only,
+ * pinned so assertions are deterministic.
+ */
+'use strict';
+const { test, describe } = require('node:test');
+const assert = require('node:assert');
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
+const {
+  adapterSnyk,
+  adapterOsv,
+  adapterNpmAudit,
+  adapterPipAudit,
+  adapterGovulncheck,
+  adapterBundlerAudit,
+} = require('./package-adapters.cjs');
+const { detectEcosystems } = require('./package-ecosystems.cjs');
+const { runTool } = require('./package-runner.cjs');
+
+const SNYK_LODASH = require('./fixtures/package-scan/snyk-lodash.json');
+const SNYK_WORKSPACES = require('./fixtures/package-scan/snyk-workspaces.json');
+const OSV_CLEAN = require('./fixtures/package-scan/osv-clean.json');
+const OSV_VULNS = require('./fixtures/package-scan/osv-vulns.json');
+const NPM_AUDIT = require('./fixtures/package-scan/npm-audit-v10.json');
+const PIP_AUDIT = require('./fixtures/package-scan/pip-audit-requirements.json');
+const GOVULNCHECK = fs.readFileSync(
+  path.join(__dirname, 'fixtures/package-scan/govulncheck-import.json'),
+  'utf-8'
+);
+const BUNDLER_AUDIT = require('./fixtures/package-scan/bundler-audit-gemfile.json');
+
+const ALLOWED_TOOLS = new Set([
+  'snyk', 'osv', 'npm-audit', 'pip-audit', 'govulncheck', 'bundler-audit',
+]);
+
+describe('adapterSnyk', () => {
+  test('parses snyk-lodash.json -- 1 finding with canonical shape', () => {
+    const ctx = { repo: 'demo', ecosystem: 'node', cwd: '/tmp/demo' };
+    const findings = adapterSnyk(SNYK_LODASH, ctx);
+    assert.strictEqual(findings.length, 1);
+    const f = findings[0];
+    assert.strictEqual(f.tool, 'snyk');
+    assert.strictEqual(f.package_name, 'lodash');
+    assert.strictEqual(f.installed_version, '4.17.20');
+    assert.strictEqual(f.severity, 'critical');
+    assert.strictEqual(f.cvss_score, 9.8);
+    assert.ok(Array.isArray(f.dependency_chain));
+    assert.strictEqual(f.dependency_chain.length, 3);
+    assert.strictEqual(f.chain_available, true);
+    assert.strictEqual(f.direct_or_transitive, 'transitive');
+    assert.strictEqual(f.fix_version, '4.17.21');
+    assert.ok(typeof f.remediation === 'string' && f.remediation.length > 0);
+    assert.strictEqual(f.id, null);
+    assert.strictEqual(f.vulnerability.cve, 'CVE-2020-8203');
+  });
+
+  test('passes through licence field when present', () => {
+    const ctx = { repo: 'demo', ecosystem: 'node', cwd: '/tmp/demo' };
+    const [f] = adapterSnyk(SNYK_LODASH, ctx);
+    assert.strictEqual(f.licence, 'MIT');
+  });
+
+  test('parses snyk-workspaces.json (projects[] form) -- 3 findings across two manifest_paths', () => {
+    const ctx = { repo: 'demo', ecosystem: 'node', cwd: '/tmp/demo' };
+    const findings = adapterSnyk(SNYK_WORKSPACES, ctx);
+    assert.strictEqual(findings.length, 3);
+    const paths = new Set(findings.map(f => f.manifest_path));
+    assert.ok(paths.has('packages/api/package.json'));
+    assert.ok(paths.has('packages/web/package.json'));
+  });
+
+  test('ctx.manifest_path overrides Snyk targetFile on every returned finding', () => {
+    const ctx = { repo: 'demo', ecosystem: 'node', cwd: '/tmp/demo', manifest_path: 'packages/api/package.json' };
+    const findings = adapterSnyk(SNYK_WORKSPACES, ctx);
+    for (const f of findings) {
+      assert.strictEqual(f.manifest_path, 'packages/api/package.json');
+    }
+  });
+
+  test('normalises absolute Snyk targetFile paths to repo-relative POSIX when ctx.cwd is set', () => {
+    const absoluteTargetFile = '/tmp/demo/packages/api/package.json';
+    const fake = {
+      vulnerabilities: SNYK_LODASH.vulnerabilities,
+      targetFile: absoluteTargetFile,
+    };
+    const ctx = { repo: 'demo', ecosystem: 'node', cwd: '/tmp/demo' };
+    const [f] = adapterSnyk(fake, ctx);
+    assert.strictEqual(f.manifest_path, 'packages/api/package.json');
+  });
+});
+
+describe('adapterOsv', () => {
+  test('parses osv-clean.json -- returns []', () => {
+    const ctx = { repo: 'demo', ecosystem: 'node', cwd: '/tmp/demo' };
+    assert.deepStrictEqual(adapterOsv(OSV_CLEAN, ctx), []);
+  });
+
+  test('parses osv-vulns.json -- N findings with canonical shape', () => {
+    const ctx = { repo: 'demo', ecosystem: 'node', cwd: '/tmp/demo' };
+    const findings = adapterOsv(OSV_VULNS, ctx);
+    assert.ok(findings.length >= 2);
+    for (const f of findings) {
+      assert.strictEqual(f.tool, 'osv');
+      assert.ok(typeof f.package_name === 'string' && f.package_name.length > 0);
+      assert.ok(f.vulnerability);
+      assert.ok(typeof f.vulnerability.reference_url === 'string');
+    }
+  });
+
+  test('osv findings without dependency chain get dependency_chain:null + chain_available:false', () => {
+    const ctx = { repo: 'demo', ecosystem: 'node', cwd: '/tmp/demo' };
+    const findings = adapterOsv(OSV_VULNS, ctx);
+    for (const f of findings) {
+      assert.strictEqual(f.dependency_chain, null);
+      assert.strictEqual(f.chain_available, false);
+    }
+  });
+
+  test('osv findings with chain-length <=2 get direct_or_transitive:null (OSV has no chains)', () => {
+    const ctx = { repo: 'demo', ecosystem: 'node', cwd: '/tmp/demo' };
+    const findings = adapterOsv(OSV_VULNS, ctx);
+    for (const f of findings) {
+      assert.strictEqual(f.direct_or_transitive, null);
+    }
+  });
+
+  test('ctx.manifest_path overrides source.path when provided', () => {
+    const ctx = {
+      repo: 'demo', ecosystem: 'node', cwd: '/tmp/demo',
+      manifest_path: 'packages/web/package.json',
+    };
+    const findings = adapterOsv(OSV_VULNS, ctx);
+    for (const f of findings) {
+      assert.strictEqual(f.manifest_path, 'packages/web/package.json');
+    }
+  });
+});
+
+describe('adapterNpmAudit', () => {
+  test('parses npm-audit-v10.json -- canonical fields', () => {
+    const ctx = { repo: 'demo', ecosystem: 'node', cwd: '/tmp/demo' };
+    const [f] = adapterNpmAudit(NPM_AUDIT, ctx);
+    assert.strictEqual(f.tool, 'npm-audit');
+    assert.strictEqual(f.package_name, 'lodash');
+    assert.strictEqual(f.severity, 'high');
+    assert.strictEqual(f.cvss_score, 7.4);
+    assert.ok(f.cvss_vector && f.cvss_vector.startsWith('CVSS:3.1'));
+    assert.strictEqual(f.direct_or_transitive, 'transitive');
+  });
+
+  test('dependency_chain:null + chain_available:false (npm audit does not emit chains)', () => {
+    const ctx = { repo: 'demo', ecosystem: 'node', cwd: '/tmp/demo' };
+    const [f] = adapterNpmAudit(NPM_AUDIT, ctx);
+    assert.strictEqual(f.dependency_chain, null);
+    assert.strictEqual(f.chain_available, false);
+  });
+
+  test('fix_version from fixAvailable.version, remediation templated', () => {
+    const ctx = { repo: 'demo', ecosystem: 'node', cwd: '/tmp/demo' };
+    const [f] = adapterNpmAudit(NPM_AUDIT, ctx);
+    assert.strictEqual(f.fix_version, '4.17.21');
+    assert.strictEqual(f.remediation, 'npm install lodash@4.17.21 --save');
+  });
+});
+
+describe('adapterPipAudit', () => {
+  test('parses pip-audit-requirements.json -- severity:null', () => {
+    const ctx = { repo: 'demo', ecosystem: 'python', cwd: '/tmp/demo' };
+    const findings = adapterPipAudit(PIP_AUDIT, ctx);
+    assert.ok(findings.length >= 1);
+    for (const f of findings) {
+      assert.strictEqual(f.tool, 'pip-audit');
+      assert.strictEqual(f.severity, null);
+    }
+  });
+
+  test('fix_version from vulns[0].fix_versions[0] (lowest), remediation templated', () => {
+    const ctx = { repo: 'demo', ecosystem: 'python', cwd: '/tmp/demo' };
+    const findings = adapterPipAudit(PIP_AUDIT, ctx);
+    const requestsFinding = findings.find(f => f.package_name === 'requests');
+    assert.ok(requestsFinding);
+    assert.strictEqual(requestsFinding.fix_version, '2.20.1');
+    assert.strictEqual(requestsFinding.remediation, 'pip install requests==2.20.1');
+  });
+
+  test('dependency_chain:null + chain_available:false', () => {
+    const ctx = { repo: 'demo', ecosystem: 'python', cwd: '/tmp/demo' };
+    const findings = adapterPipAudit(PIP_AUDIT, ctx);
+    for (const f of findings) {
+      assert.strictEqual(f.dependency_chain, null);
+      assert.strictEqual(f.chain_available, false);
+    }
+  });
+});
+
+describe('adapterGovulncheck', () => {
+  test('parses govulncheck-import.json NDJSON stream', () => {
+    const ctx = { repo: 'demo', ecosystem: 'go', cwd: '/tmp/demo' };
+    const findings = adapterGovulncheck(GOVULNCHECK, ctx);
+    assert.ok(findings.length >= 2);
+    for (const f of findings) {
+      assert.strictEqual(f.tool, 'govulncheck');
+    }
+  });
+
+  test('returns finding with tool:"govulncheck", severity:null, reference_url from OSV entry', () => {
+    const ctx = { repo: 'demo', ecosystem: 'go', cwd: '/tmp/demo' };
+    const [f] = adapterGovulncheck(GOVULNCHECK, ctx);
+    assert.strictEqual(f.tool, 'govulncheck');
+    assert.strictEqual(f.severity, null);
+    assert.ok(f.vulnerability.reference_url && f.vulnerability.reference_url.includes('pkg.go.dev'));
+    assert.strictEqual(f.vulnerability.cve, 'CVE-2023-3978');
+  });
+
+  test('direct_or_transitive inferred from finding.trace[] length', () => {
+    const ctx = { repo: 'demo', ecosystem: 'go', cwd: '/tmp/demo' };
+    const findings = adapterGovulncheck(GOVULNCHECK, ctx);
+    // First finding has trace length 2 -> direct; second has length 1 -> direct
+    const traces = findings.map(f => f.dependency_chain.length);
+    assert.ok(traces.includes(2));
+    assert.ok(traces.includes(1));
+    for (const f of findings) {
+      assert.ok(f.direct_or_transitive === 'direct' || f.direct_or_transitive === 'transitive');
+    }
+  });
+});
+
+describe('adapterBundlerAudit', () => {
+  test('parses bundler-audit-gemfile.json -- canonical fields', () => {
+    const ctx = { repo: 'demo', ecosystem: 'ruby', cwd: '/tmp/demo' };
+    const [f] = adapterBundlerAudit(BUNDLER_AUDIT, ctx);
+    assert.strictEqual(f.tool, 'bundler-audit');
+    assert.strictEqual(f.package_name, 'activerecord');
+    assert.strictEqual(f.severity, 'high');
+    assert.strictEqual(f.cvss_score, 7.5);
+    assert.strictEqual(f.vulnerability.cve, 'CVE-2020-8164');
+    assert.ok(f.remediation && f.remediation.includes('5.2.4.3'));
+  });
+
+  test('dependency_chain:null + chain_available:false', () => {
+    const ctx = { repo: 'demo', ecosystem: 'ruby', cwd: '/tmp/demo' };
+    const [f] = adapterBundlerAudit(BUNDLER_AUDIT, ctx);
+    assert.strictEqual(f.dependency_chain, null);
+    assert.strictEqual(f.chain_available, false);
+  });
+});
+
+describe('adapter invariants (all six)', () => {
+  function allFindings() {
+    const ctx = { repo: 'demo', ecosystem: 'node', cwd: '/tmp/demo' };
+    return [
+      ...adapterSnyk(SNYK_LODASH, ctx).map(f => [f, 'snyk']),
+      ...adapterSnyk(SNYK_WORKSPACES, ctx).map(f => [f, 'snyk']),
+      ...adapterOsv(OSV_VULNS, ctx).map(f => [f, 'osv']),
+      ...adapterNpmAudit(NPM_AUDIT, ctx).map(f => [f, 'npm-audit']),
+      ...adapterPipAudit(PIP_AUDIT, { ...ctx, ecosystem: 'python' }).map(f => [f, 'pip-audit']),
+      ...adapterGovulncheck(GOVULNCHECK, { ...ctx, ecosystem: 'go' }).map(f => [f, 'govulncheck']),
+      ...adapterBundlerAudit(BUNDLER_AUDIT, { ...ctx, ecosystem: 'ruby' }).map(f => [f, 'bundler-audit']),
+    ];
+  }
+
+  test('no finding has a populated `id` field', () => {
+    for (const [f] of allFindings()) {
+      assert.ok(f.id === null || f.id === undefined, `id should be null, got ${f.id}`);
+    }
+  });
+
+  test('every finding has a `tool` field matching the adapter name', () => {
+    for (const [f, expected] of allFindings()) {
+      assert.strictEqual(f.tool, expected);
+      assert.ok(ALLOWED_TOOLS.has(f.tool), `unexpected tool: ${f.tool}`);
+    }
+  });
+
+  test('every finding has chain_available boolean AND dependency_chain (null or array)', () => {
+    for (const [f] of allFindings()) {
+      assert.strictEqual(typeof f.chain_available, 'boolean');
+      assert.ok(f.dependency_chain === null || Array.isArray(f.dependency_chain));
+      // Invariant: chain_available === (dependency_chain !== null)
+      assert.strictEqual(f.chain_available, f.dependency_chain !== null);
+    }
+  });
+
+  test('malformed entries in JSON are skipped without throwing', () => {
+    const malformedSnyk = {
+      vulnerabilities: [
+        { packageName: 'ok', version: '1.0.0', title: 't' }, // valid
+        { version: '1.0.0' },                                  // missing packageName -> skip
+        null,                                                  // null -> skip
+      ],
+      targetFile: 'package.json',
+    };
+    const ctx = { repo: 'demo', ecosystem: 'node', cwd: '/tmp/demo' };
+    const out = adapterSnyk(malformedSnyk, ctx);
+    assert.strictEqual(out.length, 1);
+    assert.strictEqual(out[0].package_name, 'ok');
+
+    const malformedBundler = {
+      results: [
+        { gem: { name: 'rails', version: '1.0.0' }, advisory: { id: 'X', title: 't' } },
+        { gem: null, advisory: {} }, // malformed -> skip
+        null,
+      ],
+    };
+    const outB = adapterBundlerAudit(malformedBundler, { repo: 'demo', ecosystem: 'ruby', cwd: '/tmp/demo' });
+    assert.strictEqual(outB.length, 1);
+  });
+});
+
+describe('manifest_path handling (PKG-31 adapter half)', () => {
+  test('simple repo (ctx.manifest_path absent, no tool-emitted paths) -> manifest_path: null', () => {
+    const ctx = { repo: 'demo', ecosystem: 'node', cwd: '/tmp/demo' };
+    const [f] = adapterNpmAudit(NPM_AUDIT, ctx);
+    assert.strictEqual(f.manifest_path, null);
+  });
+
+  test('workspace invocation (ctx.manifest_path populated) -> adapter stamps that value', () => {
+    const ctx = {
+      repo: 'demo', ecosystem: 'node', cwd: '/tmp/demo',
+      manifest_path: 'packages/api/package.json',
+    };
+    const [f] = adapterNpmAudit(NPM_AUDIT, ctx);
+    assert.strictEqual(f.manifest_path, 'packages/api/package.json');
+  });
+
+  test('whole-repo Snyk scan with ctx.manifest_path absent -> extracts from Snyk targetFile', () => {
+    const ctx = { repo: 'demo', ecosystem: 'node', cwd: '/tmp/demo' };
+    const findings = adapterSnyk(SNYK_WORKSPACES, ctx);
+    const paths = new Set(findings.map(f => f.manifest_path));
+    assert.ok(paths.has('packages/api/package.json'));
+    assert.ok(paths.has('packages/web/package.json'));
+  });
+
+  test('whole-repo OSV scan with ctx.manifest_path absent -> extracts from OSV source.path', () => {
+    const ctx = { repo: 'demo', ecosystem: 'node', cwd: '/tmp/demo' };
+    const findings = adapterOsv(OSV_VULNS, ctx);
+    for (const f of findings) {
+      // OSV source.path was packages/api/package-lock.json -> packages/api/package.json
+      assert.strictEqual(f.manifest_path, 'packages/api/package.json');
+    }
+  });
+});
+
+// ─── Cross-module integration smoke ──────────────────────────────────────────
+
+const NODE = process.execPath;
+const fakeExitCode = (code, stdout = '', stderr = '') =>
+  [NODE, '-e', `process.stdout.write(${JSON.stringify(stdout)}); process.stderr.write(${JSON.stringify(stderr)}); process.exit(${code})`];
+const fakeMissingBinary = () => ['definitely-not-a-binary-xxx-' + Date.now()];
+
+function mkTmp() {
+  return fs.mkdtempSync(path.join(os.tmpdir(), 'dgs-smoke-'));
+}
+
+function writeFile(dir, rel, content) {
+  const abs = path.join(dir, rel);
+  fs.mkdirSync(path.dirname(abs), { recursive: true });
+  fs.writeFileSync(abs, content);
+}
+
+describe('integration smoke', () => {
+  test('ecosystems -> runner -> adapter (simple node repo)', () => {
+    const tmp = mkTmp();
+    try {
+      writeFile(tmp, 'package.json', JSON.stringify({ name: 'smoke', version: '1.0.0' }));
+      writeFile(tmp, 'package-lock.json', '{}');
+      const detected = detectEcosystems(tmp);
+      assert.deepStrictEqual(detected, [{ ecosystem: 'node', manifest_path: null }]);
+
+      const fakeStdout = JSON.stringify({ vulnerabilities: [], targetFile: 'package.json' });
+      const r = runTool(tmp, 'snyk', fakeExitCode(1, fakeStdout), { expectJson: true });
+      assert.strictEqual(r.outcome, 'ok');
+      assert.ok(r.parsed);
+
+      const findings = adapterSnyk(r.parsed, { repo: 'smoke', ecosystem: 'node', cwd: tmp });
+      assert.deepStrictEqual(findings, []);
+    } finally {
+      fs.rmSync(tmp, { recursive: true, force: true });
+    }
+  });
+
+  test('workspace manifest_path flows end-to-end', () => {
+    const tmp = mkTmp();
+    try {
+      writeFile(tmp, 'package.json', JSON.stringify({
+        name: 'monorepo', private: true, workspaces: ['packages/*'],
+      }));
+      writeFile(tmp, 'packages/api/package.json', JSON.stringify({ name: 'api' }));
+      writeFile(tmp, 'packages/web/package.json', JSON.stringify({ name: 'web' }));
+
+      const detected = detectEcosystems(tmp);
+      const manifestPaths = detected.map(e => e.manifest_path).filter(Boolean).sort();
+      assert.deepStrictEqual(manifestPaths, ['packages/api/package.json', 'packages/web/package.json']);
+
+      const npmAuditPayload = {
+        vulnerabilities: {
+          lodash: {
+            name: 'lodash',
+            severity: 'high',
+            isDirect: false,
+            via: [{
+              title: 't', url: '',
+              severity: 'high',
+              cvss: { score: 7.4, vectorString: 'CVSS:3.1/AV:N/AC:L' },
+              range: '<4.17.21',
+            }],
+            effects: [],
+            range: '<4.17.21',
+            nodes: ['node_modules/lodash'],
+            fixAvailable: { name: 'lodash', version: '4.17.21', isSemVerMajor: false },
+          },
+        },
+      };
+
+      for (const entry of detected) {
+        const wsAbs = path.join(tmp, path.dirname(entry.manifest_path));
+        const r = runTool(wsAbs, 'npm-audit', fakeExitCode(1, JSON.stringify(npmAuditPayload)), { expectJson: true });
+        assert.strictEqual(r.outcome, 'ok');
+        const findings = adapterNpmAudit(r.parsed, {
+          repo: 'smoke', ecosystem: 'node', cwd: tmp,
+          manifest_path: entry.manifest_path,
+        });
+        for (const f of findings) {
+          assert.strictEqual(f.manifest_path, entry.manifest_path);
+        }
+      }
+    } finally {
+      fs.rmSync(tmp, { recursive: true, force: true });
+    }
+  });
+
+  test('runner missing-tool -> adapter never invoked', () => {
+    const r = runTool(process.cwd(), 'snyk', fakeMissingBinary(), { expectJson: true });
+    assert.strictEqual(r.outcome, 'missing');
+    // By contract, orchestrator does not invoke the adapter when outcome != 'ok'.
+    // We simulate that branch locally and assert the adapter was never called.
+    let adapterInvoked = false;
+    if (r.outcome === 'ok') {
+      adapterInvoked = true;
+      adapterSnyk(r.parsed, { repo: 'smoke', ecosystem: 'node', cwd: process.cwd() });
+    }
+    assert.strictEqual(adapterInvoked, false);
+  });
+
+  test('govulncheck NDJSON flow: runner -> adapter', () => {
+    const ndjson = [
+      JSON.stringify({
+        message: {
+          type: 'osv',
+          osv: {
+            id: 'GO-2023-1',
+            summary: 'test vuln',
+            aliases: ['CVE-2023-1234'],
+            references: [{ type: 'WEB', url: 'https://example.com/go' }],
+          },
+        },
+      }),
+      JSON.stringify({
+        message: {
+          type: 'finding',
+          finding: {
+            osv: 'GO-2023-1',
+            fixed_version: 'v1.2.3',
+            trace: [{ module: 'golang.org/x/net', version: 'v1.2.0' }],
+          },
+        },
+      }),
+    ].join('\n');
+
+    const r = runTool(process.cwd(), 'govulncheck', fakeExitCode(0, ndjson), { expectJson: false });
+    assert.strictEqual(r.outcome, 'ok');
+    assert.strictEqual(r.stdout, ndjson);
+
+    const findings = adapterGovulncheck(r.stdout, { repo: 'smoke', ecosystem: 'go', cwd: process.cwd() });
+    assert.strictEqual(findings.length, 1);
+    const [f] = findings;
+    assert.strictEqual(f.vulnerability.cve, 'CVE-2023-1234');
+    assert.strictEqual(f.fix_version, 'v1.2.3');
+    assert.ok(Array.isArray(f.dependency_chain));
+    assert.strictEqual(f.dependency_chain.length, 1);
+  });
+});
+
+// ─── Phase 153 Plan 02: adapterSnyk — .snyk policy suppressions (PKG-32) ─────
+
+describe('adapterSnyk — .snyk policy suppressions (PKG-32)', () => {
+  function makeCtx() {
+    const calls = [];
+    const ctx = {
+      repo: 'api',
+      ecosystem: 'node',
+      manifest_path: 'package.json',
+      cwd: '/tmp/api',
+      recordSuppressions: (n) => calls.push(n),
+    };
+    return { ctx, calls };
+  }
+
+  test('payload with empty filtered.ignore => recordSuppressions(0)', () => {
+    const { ctx, calls } = makeCtx();
+    adapterSnyk({ vulnerabilities: [], filtered: { ignore: [] } }, ctx);
+    assert.deepStrictEqual(calls, [0]);
+  });
+
+  test('payload with 2 ignored => recordSuppressions(2)', () => {
+    const { ctx, calls } = makeCtx();
+    adapterSnyk({ vulnerabilities: [], filtered: { ignore: [{ id: 'SNYK-JS-LODASH-123' }, { id: 'SNYK-JS-AXIOS-456' }] } }, ctx);
+    assert.deepStrictEqual(calls, [2]);
+  });
+
+  test('payload with 1 vuln + 1 ignored => returns 1 finding + recordSuppressions(1)', () => {
+    const { ctx, calls } = makeCtx();
+    const findings = adapterSnyk({
+      vulnerabilities: [{ packageName: 'lodash', version: '1.0', severity: 'high', title: 't', identifiers: { CVE: [] }, from: ['x@1', 'lodash@1'] }],
+      filtered: { ignore: [{ id: 'S-1' }] },
+    }, ctx);
+    assert.strictEqual(findings.length, 1);
+    assert.deepStrictEqual(calls, [1]);
+  });
+
+  test('payload with no filtered key => recordSuppressions(0)', () => {
+    const { ctx, calls } = makeCtx();
+    adapterSnyk({ vulnerabilities: [] }, ctx);
+    assert.deepStrictEqual(calls, [0]);
+  });
+
+  test('filtered.ignore undefined => recordSuppressions(0)', () => {
+    const { ctx, calls } = makeCtx();
+    adapterSnyk({ vulnerabilities: [], filtered: {} }, ctx);
+    assert.deepStrictEqual(calls, [0]);
+  });
+
+  test('filtered.ignore non-array (malformed) => recordSuppressions(0), no throw', () => {
+    const { ctx, calls } = makeCtx();
+    assert.doesNotThrow(() => adapterSnyk({ vulnerabilities: [], filtered: { ignore: 'oops' } }, ctx));
+    assert.deepStrictEqual(calls, [0]);
+  });
+});
+
+// ─── Phase 153 Plan 03: adapterSnyk — licence roster (PKG-30, PKG-34) ────────
+
+describe('adapterSnyk — licence roster (PKG-30, PKG-34)', () => {
+  function makeCtx() {
+    const calls = [];
+    const ctx = {
+      repo: 'api',
+      ecosystem: 'node',
+      manifest_path: 'package.json',
+      cwd: '/tmp/api',
+      recordLicenceRoster: (entries) => calls.push(entries),
+    };
+    return { ctx, calls };
+  }
+
+  test('dependencyPackages with multiple deps yields roster entries', () => {
+    const { ctx, calls } = makeCtx();
+    adapterSnyk({
+      vulnerabilities: [],
+      dependencyPackages: {
+        'lodash@4.17.21': { name: 'lodash', version: '4.17.21', license: 'MIT' },
+        'gpl-pkg@1.0.0': { name: 'gpl-pkg', version: '1.0.0', license: 'GPL-3.0' },
+      },
+    }, ctx);
+    assert.strictEqual(calls.length, 1);
+    const sorted = calls[0].slice().sort((a, b) => a.package_name.localeCompare(b.package_name));
+    assert.deepStrictEqual(sorted, [
+      { package_name: 'gpl-pkg', installed_version: '1.0.0', licence: 'GPL-3.0' },
+      { package_name: 'lodash', installed_version: '4.17.21', licence: 'MIT' },
+    ]);
+  });
+
+  test('no dependencyPackages key => recordLicenceRoster called with []', () => {
+    const { ctx, calls } = makeCtx();
+    adapterSnyk({ vulnerabilities: [] }, ctx);
+    assert.deepStrictEqual(calls, [[]]);
+  });
+
+  test('dependencyPackages: null => recordLicenceRoster called with []', () => {
+    const { ctx, calls } = makeCtx();
+    adapterSnyk({ vulnerabilities: [], dependencyPackages: null }, ctx);
+    assert.deepStrictEqual(calls, [[]]);
+  });
+
+  test('entry missing license => roster entry has licence:null', () => {
+    const { ctx, calls } = makeCtx();
+    adapterSnyk({
+      vulnerabilities: [],
+      dependencyPackages: { 'pkg@1.0': { name: 'pkg', version: '1.0' } },
+    }, ctx);
+    assert.strictEqual(calls[0][0].licence, null);
+  });
+
+  test('entry license as array => joined with " OR "', () => {
+    const { ctx, calls } = makeCtx();
+    adapterSnyk({
+      vulnerabilities: [],
+      dependencyPackages: { 'pkg@1.0': { name: 'pkg', version: '1.0', license: ['MIT', 'Apache-2.0'] } },
+    }, ctx);
+    assert.strictEqual(calls[0][0].licence, 'MIT OR Apache-2.0');
+  });
+
+  test('ctx without recordLicenceRoster => adapter does not throw', () => {
+    const ctxNoCallback = { repo: 'api', ecosystem: 'node', manifest_path: 'p.json', cwd: '/tmp/api' };
+    assert.doesNotThrow(() => adapterSnyk({
+      vulnerabilities: [],
+      dependencyPackages: { 'lodash@1.0': { name: 'lodash', version: '1.0', license: 'MIT' } },
+    }, ctxNoCallback));
+  });
+});
+
+