dependencyiq 2.0.0 → 2.2.0

package/src/fleetAggregator.js

@@ -1,155 +1,155 @@
-/**
- * Fleet Aggregator: cross-project rollup for the Fleet Dashboard.
- *
- * A static page can't query live across projects it doesn't own, so
- * this builds a build-time snapshot of the whole group instead: list
- * every project in the group, then fetch each one's latest
- * `dependencyiq-report.json` CI artifact (written by `analyze_vulnerabilities`
- * — see fleetSnapshot.js) via GitLab's Job Artifacts API. A project that
- * has never produced that artifact is reported as NOT ONBOARDED, never
- * silently merged into "zero findings" — those are different facts and
- * this rollup keeps them visibly different.
- *
- * Requires GITLAB_TOKEN specifically (not the job-scoped CI_JOB_TOKEN):
- * listing every project in a group and reading another project's
- * artifacts both need broader-than-one-project scope.
- */
-
-const axios = require('axios');
-const { withRetry } = require('./httpRetry');
-const { parseFleetSnapshot } = require('./fleetSnapshot');
-
-const GITLAB_API = process.env.GITLAB_API_URL
-  || (process.env.GITLAB_BASE_URL ? `${process.env.GITLAB_BASE_URL}/api/v4` : 'https://gitlab.com/api/v4');
-
-const ANALYZE_JOB_NAME = 'analyze_vulnerabilities';
-const SNAPSHOT_ARTIFACT_PATH = 'dependencyiq-report.json';
-
-function authHeaders() {
-  return { 'PRIVATE-TOKEN': process.env.GITLAB_TOKEN };
-}
-
-/**
- * @param {string} groupId
- * @returns {Promise<Array>} [{ id, pathWithNamespace, defaultBranch }]
- */
-async function listGroupProjects(groupId) {
-  const projects = [];
-  let page = 1;
-  // GitLab paginates at up to 100/page; loop until a response's
-  // x-next-page header is empty, capped generously so a misbehaving API
-  // response can't spin this forever.
-  for (let guard = 0; guard < 50; guard += 1) {
-    const currentPage = page;
-    const response = await withRetry(() => axios.get(`${GITLAB_API}/groups/${groupId}/projects`, {
-      headers: authHeaders(),
-      params: { include_subgroups: true, per_page: 100, page: currentPage, archived: false },
-      timeout: 15000,
-    }));
-    for (const p of response.data) {
-      projects.push({ id: p.id, pathWithNamespace: p.path_with_namespace, defaultBranch: p.default_branch });
-    }
-    const nextPage = response.headers['x-next-page'];
-    if (!nextPage) break;
-    page = Number(nextPage);
-  }
-  return projects;
-}
-
-/**
- * @param {number} projectId
- * @param {string} ref - default branch
- * @returns {Promise<Object>} the parsed snapshot, or { available: false, reason }
- */
-async function fetchLatestSnapshot(projectId, ref) {
-  if (!ref) return { available: false, reason: 'project has no default branch (empty repository?)' };
-  const url = `${GITLAB_API}/projects/${projectId}/jobs/artifacts/${encodeURIComponent(ref)}/raw/${SNAPSHOT_ARTIFACT_PATH}`;
-  try {
-    const response = await withRetry(() => axios.get(url, {
-      headers: authHeaders(),
-      params: { job: ANALYZE_JOB_NAME },
-      timeout: 15000,
-      responseType: 'text',
-      transformResponse: [(data) => data], // keep raw text; we parse it ourselves
-    }));
-    const snapshot = parseFleetSnapshot(response.data);
-    if (!snapshot) return { available: false, reason: 'artifact found but not a recognized snapshot schema' };
-    return { available: true, snapshot };
-  } catch (error) {
-    if (error.response?.status === 404) {
-      return { available: false, reason: `not onboarded — no ${ANALYZE_JOB_NAME} artifact found on ${ref}` };
-    }
-    return { available: false, reason: `artifact fetch failed: ${error.message}` };
-  }
-}
-
-/**
- * Pure rollup: turns a list of { project, snapshotResult } pairs into the
- * fleet-level totals and sort order the dashboard renders. No network
- * calls here — fully unit-testable.
- * @param {Array} entries - [{ project: {id, pathWithNamespace}, snapshotResult }]
- */
-function buildFleetRollup(entries) {
-  const onboarded = [];
-  const notOnboarded = [];
-
-  for (const { project, snapshotResult } of entries) {
-    if (snapshotResult.available) {
-      onboarded.push({ project, snapshot: snapshotResult.snapshot });
-    } else {
-      notOnboarded.push({ project, reason: snapshotResult.reason });
-    }
-  }
-
-  onboarded.sort((a, b) => (b.snapshot.topRiskScore || 0) - (a.snapshot.topRiskScore || 0));
-
-  const totals = onboarded.reduce((acc, { snapshot }) => ({
-    totalFindings: acc.totalFindings + (snapshot.totalFindings || 0),
-    urgentCount: acc.urgentCount + (snapshot.urgentCount || 0),
-    highCount: acc.highCount + (snapshot.highCount || 0),
-    unusedCount: acc.unusedCount + (snapshot.unusedCount || 0),
-  }), { totalFindings: 0, urgentCount: 0, highCount: 0, unusedCount: 0 });
-
-  return {
-    generatedAt: new Date().toISOString(),
-    totalProjects: entries.length,
-    onboardedCount: onboarded.length,
-    notOnboardedCount: notOnboarded.length,
-    ...totals,
-    onboarded,
-    notOnboarded,
-  };
-}
-
-/**
- * @param {string} groupId
- * @returns {Promise<Object>} { available: true, rollup } or { available: false, reason }
- */
-async function buildFleetReport(groupId) {
-  if (!process.env.GITLAB_TOKEN) {
-    return { available: false, reason: 'GITLAB_TOKEN is required (CI_JOB_TOKEN is scoped to one project and cannot list/read other projects in the group)' };
-  }
-
-  let projects;
-  try {
-    projects = await listGroupProjects(groupId);
-  } catch (error) {
-    return { available: false, reason: `Could not list group projects: ${error.message}` };
-  }
-
-  const entries = await Promise.all(projects.map(async (project) => ({
-    project,
-    snapshotResult: await fetchLatestSnapshot(project.id, project.defaultBranch),
-  })));
-
-  return { available: true, rollup: buildFleetRollup(entries) };
-}
-
-module.exports = {
-  listGroupProjects,
-  fetchLatestSnapshot,
-  buildFleetRollup,
-  buildFleetReport,
-  ANALYZE_JOB_NAME,
-  SNAPSHOT_ARTIFACT_PATH,
-};
+/**
+ * Fleet Aggregator: cross-project rollup for the Fleet Dashboard.
+ *
+ * A static page can't query live across projects it doesn't own, so
+ * this builds a build-time snapshot of the whole group instead: list
+ * every project in the group, then fetch each one's latest
+ * `dependencyiq-report.json` CI artifact (written by `analyze_vulnerabilities`
+ * — see fleetSnapshot.js) via GitLab's Job Artifacts API. A project that
+ * has never produced that artifact is reported as NOT ONBOARDED, never
+ * silently merged into "zero findings" — those are different facts and
+ * this rollup keeps them visibly different.
+ *
+ * Requires GITLAB_TOKEN specifically (not the job-scoped CI_JOB_TOKEN):
+ * listing every project in a group and reading another project's
+ * artifacts both need broader-than-one-project scope.
+ */
+
+const axios = require('axios');
+const { withRetry } = require('./httpRetry');
+const { parseFleetSnapshot } = require('./fleetSnapshot');
+
+const GITLAB_API = process.env.GITLAB_API_URL
+  || (process.env.GITLAB_BASE_URL ? `${process.env.GITLAB_BASE_URL}/api/v4` : 'https://gitlab.com/api/v4');
+
+const ANALYZE_JOB_NAME = 'analyze_vulnerabilities';
+const SNAPSHOT_ARTIFACT_PATH = 'dependencyiq-report.json';
+
+function authHeaders() {
+  return { 'PRIVATE-TOKEN': process.env.GITLAB_TOKEN };
+}
+
+/**
+ * @param {string} groupId
+ * @returns {Promise<Array>} [{ id, pathWithNamespace, defaultBranch }]
+ */
+async function listGroupProjects(groupId) {
+  const projects = [];
+  let page = 1;
+  // GitLab paginates at up to 100/page; loop until a response's
+  // x-next-page header is empty, capped generously so a misbehaving API
+  // response can't spin this forever.
+  for (let guard = 0; guard < 50; guard += 1) {
+    const currentPage = page;
+    const response = await withRetry(() => axios.get(`${GITLAB_API}/groups/${groupId}/projects`, {
+      headers: authHeaders(),
+      params: { include_subgroups: true, per_page: 100, page: currentPage, archived: false },
+      timeout: 15000,
+    }));
+    for (const p of response.data) {
+      projects.push({ id: p.id, pathWithNamespace: p.path_with_namespace, defaultBranch: p.default_branch });
+    }
+    const nextPage = response.headers['x-next-page'];
+    if (!nextPage) break;
+    page = Number(nextPage);
+  }
+  return projects;
+}
+
+/**
+ * @param {number} projectId
+ * @param {string} ref - default branch
+ * @returns {Promise<Object>} the parsed snapshot, or { available: false, reason }
+ */
+async function fetchLatestSnapshot(projectId, ref) {
+  if (!ref) return { available: false, reason: 'project has no default branch (empty repository?)' };
+  const url = `${GITLAB_API}/projects/${projectId}/jobs/artifacts/${encodeURIComponent(ref)}/raw/${SNAPSHOT_ARTIFACT_PATH}`;
+  try {
+    const response = await withRetry(() => axios.get(url, {
+      headers: authHeaders(),
+      params: { job: ANALYZE_JOB_NAME },
+      timeout: 15000,
+      responseType: 'text',
+      transformResponse: [(data) => data], // keep raw text; we parse it ourselves
+    }));
+    const snapshot = parseFleetSnapshot(response.data);
+    if (!snapshot) return { available: false, reason: 'artifact found but not a recognized snapshot schema' };
+    return { available: true, snapshot };
+  } catch (error) {
+    if (error.response?.status === 404) {
+      return { available: false, reason: `not onboarded — no ${ANALYZE_JOB_NAME} artifact found on ${ref}` };
+    }
+    return { available: false, reason: `artifact fetch failed: ${error.message}` };
+  }
+}
+
+/**
+ * Pure rollup: turns a list of { project, snapshotResult } pairs into the
+ * fleet-level totals and sort order the dashboard renders. No network
+ * calls here — fully unit-testable.
+ * @param {Array} entries - [{ project: {id, pathWithNamespace}, snapshotResult }]
+ */
+function buildFleetRollup(entries) {
+  const onboarded = [];
+  const notOnboarded = [];
+
+  for (const { project, snapshotResult } of entries) {
+    if (snapshotResult.available) {
+      onboarded.push({ project, snapshot: snapshotResult.snapshot });
+    } else {
+      notOnboarded.push({ project, reason: snapshotResult.reason });
+    }
+  }
+
+  onboarded.sort((a, b) => (b.snapshot.topRiskScore || 0) - (a.snapshot.topRiskScore || 0));
+
+  const totals = onboarded.reduce((acc, { snapshot }) => ({
+    totalFindings: acc.totalFindings + (snapshot.totalFindings || 0),
+    urgentCount: acc.urgentCount + (snapshot.urgentCount || 0),
+    highCount: acc.highCount + (snapshot.highCount || 0),
+    unusedCount: acc.unusedCount + (snapshot.unusedCount || 0),
+  }), { totalFindings: 0, urgentCount: 0, highCount: 0, unusedCount: 0 });
+
+  return {
+    generatedAt: new Date().toISOString(),
+    totalProjects: entries.length,
+    onboardedCount: onboarded.length,
+    notOnboardedCount: notOnboarded.length,
+    ...totals,
+    onboarded,
+    notOnboarded,
+  };
+}
+
+/**
+ * @param {string} groupId
+ * @returns {Promise<Object>} { available: true, rollup } or { available: false, reason }
+ */
+async function buildFleetReport(groupId) {
+  if (!process.env.GITLAB_TOKEN) {
+    return { available: false, reason: 'GITLAB_TOKEN is required (CI_JOB_TOKEN is scoped to one project and cannot list/read other projects in the group)' };
+  }
+
+  let projects;
+  try {
+    projects = await listGroupProjects(groupId);
+  } catch (error) {
+    return { available: false, reason: `Could not list group projects: ${error.message}` };
+  }
+
+  const entries = await Promise.all(projects.map(async (project) => ({
+    project,
+    snapshotResult: await fetchLatestSnapshot(project.id, project.defaultBranch),
+  })));
+
+  return { available: true, rollup: buildFleetRollup(entries) };
+}
+
+module.exports = {
+  listGroupProjects,
+  fetchLatestSnapshot,
+  buildFleetRollup,
+  buildFleetReport,
+  ANALYZE_JOB_NAME,
+  SNAPSHOT_ARTIFACT_PATH,
+};