onbuzz 3.6.1 → 3.6.3

package/src/analyzers/__tests__/PythonAnalyzer.test.js

@@ -0,0 +1,208 @@
+import { jest, describe, test, expect, beforeEach } from '@jest/globals';
+import { createMockLogger } from '../../__test-utils__/mockFactories.js';
+
+// Mock child_process spawn
+const mockSpawn = jest.fn();
+jest.unstable_mockModule('child_process', () => ({
+  spawn: mockSpawn
+}));
+
+// Mock fs/promises
+const mockWriteFile = jest.fn().mockResolvedValue(undefined);
+const mockUnlink = jest.fn().mockResolvedValue(undefined);
+jest.unstable_mockModule('fs/promises', () => ({
+  default: { writeFile: mockWriteFile, unlink: mockUnlink },
+  writeFile: mockWriteFile,
+  unlink: mockUnlink
+}));
+
+const { default: PythonAnalyzer } = await import('../PythonAnalyzer.js');
+
+// Helper to create a mock process
+function createMockProcess(stdout = '', stderr = '', exitCode = 0, error = null) {
+  const stdoutStream = {
+    on: jest.fn((event, cb) => {
+      if (event === 'data' && stdout) {
+        setTimeout(() => cb(Buffer.from(stdout)), 5);
+      }
+    })
+  };
+  const stderrStream = {
+    on: jest.fn((event, cb) => {
+      if (event === 'data' && stderr) {
+        setTimeout(() => cb(Buffer.from(stderr)), 5);
+      }
+    })
+  };
+
+  const proc = {
+    stdout: stdoutStream,
+    stderr: stderrStream,
+    on: jest.fn((event, cb) => {
+      if (event === 'close') {
+        setTimeout(() => cb(exitCode), 10);
+      }
+      if (event === 'error' && error) {
+        setTimeout(() => cb(error), 5);
+      }
+    }),
+    kill: jest.fn()
+  };
+
+  return proc;
+}
+
+describe('PythonAnalyzer', () => {
+  let analyzer;
+  let logger;
+
+  beforeEach(() => {
+    logger = createMockLogger();
+    analyzer = new PythonAnalyzer(logger);
+    analyzer.pythonCommand = null;
+    jest.clearAllMocks();
+  });
+
+  // ── Constructor ──
+  test('constructor initializes with defaults', () => {
+    expect(analyzer.logger).toBe(logger);
+    expect(analyzer.pythonCommand).toBeNull();
+  });
+
+  test('constructor works without logger', () => {
+    const a = new PythonAnalyzer();
+    expect(a.logger).toBeNull();
+  });
+
+  // ── getSupportedExtensions ──
+  test('getSupportedExtensions returns .py', () => {
+    expect(analyzer.getSupportedExtensions()).toEqual(['.py']);
+  });
+
+  // ── supportsAutoFix ──
+  test('supportsAutoFix returns false', () => {
+    expect(analyzer.supportsAutoFix()).toBe(false);
+  });
+
+  // ── getPythonCommand ──
+  test('getPythonCommand returns cached command on second call', async () => {
+    analyzer.pythonCommand = 'python3';
+    const result = await analyzer.getPythonCommand();
+    expect(result).toBe('python3');
+    expect(mockSpawn).not.toHaveBeenCalled();
+  });
+
+  test('getPythonCommand finds python3 via spawn', async () => {
+    mockSpawn.mockImplementation((cmd, args) => {
+      if (args.includes('--version')) {
+        return createMockProcess('Python 3.11.0', '', 0);
+      }
+      return createMockProcess('', '', 1);
+    });
+
+    const result = await analyzer.getPythonCommand();
+    // Should find one of the python commands
+    if (result) {
+      expect(typeof result).toBe('string');
+      expect(analyzer.pythonCommand).toBe(result);
+    }
+  });
+
+  test('getPythonCommand returns null when python not available', async () => {
+    mockSpawn.mockImplementation(() => {
+      return createMockProcess('', '', 1);
+    });
+
+    const result = await analyzer.getPythonCommand();
+    expect(result).toBeNull();
+  });
+
+  // ── analyze ──
+  test('analyze returns empty when python not available', async () => {
+    mockSpawn.mockImplementation(() => {
+      return createMockProcess('', '', 1);
+    });
+
+    const result = await analyzer.analyze('test.py', 'print("hello")');
+    expect(result).toEqual([]);
+  });
+
+  test('analyze returns diagnostics for syntax errors', async () => {
+    // First call for getPythonCommand
+    let callCount = 0;
+    mockSpawn.mockImplementation((cmd, args) => {
+      callCount++;
+      if (args.includes('--version')) {
+        return createMockProcess('Python 3.11.0', '', 0);
+      }
+      // Syntax check script
+      const jsonResult = JSON.stringify({
+        success: false,
+        errors: [{ file: 'test.py', line: 1, column: 5, message: 'invalid syntax', text: 'def(' }]
+      });
+      return createMockProcess(jsonResult, '', 0);
+    });
+
+    const result = await analyzer.analyze('test.py', 'def(');
+    expect(Array.isArray(result)).toBe(true);
+    if (result.length > 0) {
+      expect(result[0].severity).toBe('error');
+      expect(result[0].rule).toBe('SyntaxError');
+    }
+  });
+
+  test('analyze returns empty on exception', async () => {
+    mockSpawn.mockImplementation(() => {
+      throw new Error('spawn failed');
+    });
+
+    const result = await analyzer.analyze('test.py', 'print("hello")');
+    expect(result).toEqual([]);
+  });
+
+  // ── checkSyntax ──
+  test('checkSyntax handles successful parse', async () => {
+    mockSpawn.mockImplementation(() => {
+      return createMockProcess(JSON.stringify({ success: true, errors: [] }), '', 0);
+    });
+
+    const result = await analyzer.checkSyntax('test.py', 'x = 1', 'python3');
+    expect(result).toEqual([]);
+  });
+
+  test('checkSyntax handles unparseable output', async () => {
+    mockSpawn.mockImplementation(() => {
+      return createMockProcess('not json at all', '', 0);
+    });
+
+    const result = await analyzer.checkSyntax('test.py', 'x = 1', 'python3');
+    expect(result).toEqual([]);
+  });
+
+  // ── runCommand ──
+  test('runCommand resolves with success for exit code 0', async () => {
+    mockSpawn.mockReturnValue(createMockProcess('output', '', 0));
+
+    const result = await analyzer.runCommand('echo', ['hello']);
+    expect(result.success).toBe(true);
+    expect(result.code).toBe(0);
+  });
+
+  test('runCommand resolves with failure for non-zero exit code', async () => {
+    mockSpawn.mockReturnValue(createMockProcess('', 'error', 1));
+
+    const result = await analyzer.runCommand('bad', []);
+    expect(result.success).toBe(false);
+    expect(result.code).toBe(1);
+  });
+
+  test('runCommand rejects on spawn error', async () => {
+    const errorProc = createMockProcess('', '', 0);
+    errorProc.on = jest.fn((event, cb) => {
+      if (event === 'error') setTimeout(() => cb(new Error('spawn ENOENT')), 5);
+    });
+    mockSpawn.mockReturnValue(errorProc);
+
+    await expect(analyzer.runCommand('nonexistent', [])).rejects.toThrow();
+  });
+});

package/src/analyzers/__tests__/SecurityAnalyzer.test.js

@@ -0,0 +1,303 @@
+import { jest, describe, test, expect, beforeEach } from '@jest/globals';
+import { createMockLogger } from '../../__test-utils__/mockFactories.js';
+
+// Mock child_process
+const mockExecAsync = jest.fn();
+jest.unstable_mockModule('child_process', () => ({
+  exec: jest.fn((cmd, opts, cb) => {
+    if (typeof opts === 'function') { cb = opts; opts = {}; }
+    const err = new Error('not found');
+    err.code = 'ENOENT';
+    cb(err);
+  })
+}));
+
+jest.unstable_mockModule('util', () => ({
+  promisify: jest.fn(() => mockExecAsync)
+}));
+
+// Mock fs/promises
+jest.unstable_mockModule('fs/promises', () => ({
+  default: {
+    access: jest.fn().mockRejectedValue(new Error('ENOENT'))
+  },
+  access: jest.fn().mockRejectedValue(new Error('ENOENT'))
+}));
+
+// Mock constants
+jest.unstable_mockModule('../../utilities/constants.js', () => ({
+  STATIC_ANALYSIS: {
+    SEVERITY: {
+      CRITICAL: 'critical',
+      ERROR: 'error',
+      WARNING: 'warning',
+      INFO: 'info',
+      SUGGESTION: 'suggestion'
+    }
+  }
+}));
+
+const { default: SecurityAnalyzer } = await import('../SecurityAnalyzer.js');
+
+describe('SecurityAnalyzer', () => {
+  let analyzer;
+  let logger;
+
+  beforeEach(() => {
+    logger = createMockLogger();
+    analyzer = new SecurityAnalyzer(logger);
+    // Reset scanner cache so each test gets fresh detection
+    analyzer.availableScanners = null;
+    mockExecAsync.mockReset();
+    mockExecAsync.mockRejectedValue(new Error('not found'));
+  });
+
+  // --- constructor ---
+
+  test('constructor creates instance with logger', () => {
+    expect(analyzer).toBeInstanceOf(SecurityAnalyzer);
+    expect(analyzer.logger).toBe(logger);
+  });
+
+  test('constructor creates instance without logger', () => {
+    const a = new SecurityAnalyzer();
+    expect(a).toBeInstanceOf(SecurityAnalyzer);
+    expect(a.logger).toBeNull();
+  });
+
+  // --- detectAvailableScanners ---
+
+  test('detectAvailableScanners returns all false when no scanners are installed', async () => {
+    const scanners = await analyzer.detectAvailableScanners();
+    expect(scanners.semgrep).toBe(false);
+    expect(scanners.bandit).toBe(false);
+    expect(scanners.npmAudit).toBe(false);
+    expect(scanners.pipAudit).toBe(false);
+    expect(scanners.eslintSecurity).toBe(false);
+  });
+
+  test('detectAvailableScanners caches result on second call', async () => {
+    await analyzer.detectAvailableScanners();
+    const callCount = mockExecAsync.mock.calls.length;
+    await analyzer.detectAvailableScanners();
+    // Should not have made additional calls
+    expect(mockExecAsync.mock.calls.length).toBe(callCount);
+  });
+
+  test('detectAvailableScanners detects npm when available', async () => {
+    // Make npm --version succeed
+    mockExecAsync.mockImplementation((cmd) => {
+      if (cmd === 'npm --version') return Promise.resolve({ stdout: '10.0.0' });
+      return Promise.reject(new Error('not found'));
+    });
+    analyzer.availableScanners = null;
+    const scanners = await analyzer.detectAvailableScanners();
+    expect(scanners.npmAudit).toBe(true);
+  });
+
+  test('detectAvailableScanners detects bandit when available', async () => {
+    mockExecAsync.mockImplementation((cmd) => {
+      if (cmd === 'bandit --version') return Promise.resolve({ stdout: '1.7.0' });
+      return Promise.reject(new Error('not found'));
+    });
+    analyzer.availableScanners = null;
+    const scanners = await analyzer.detectAvailableScanners();
+    expect(scanners.bandit).toBe(true);
+  });
+
+  // --- analyze ---
+
+  test('analyze returns empty array for benign content with no scanners', async () => {
+    const result = await analyzer.analyze('app.js', 'const x = 1 + 2;');
+    expect(Array.isArray(result)).toBe(true);
+    expect(result.length).toBe(0);
+  });
+
+  test('analyze skips test files by default', async () => {
+    const result = await analyzer.analyze('app.test.js', 'const password = "secret123";');
+    expect(result).toEqual([]);
+  });
+
+  test('analyze scans test files when skipTestFiles is false', async () => {
+    const result = await analyzer.analyze('app.test.js', 'const x = 1;', { skipTestFiles: false });
+    expect(Array.isArray(result)).toBe(true);
+  });
+
+  // --- detectLanguage ---
+
+  test('detectLanguage returns javascript for .js files', () => {
+    expect(analyzer.detectLanguage('app.js')).toBe('javascript');
+    expect(analyzer.detectLanguage('component.jsx')).toBe('javascript');
+    expect(analyzer.detectLanguage('module.mjs')).toBe('javascript');
+  });
+
+  test('detectLanguage returns typescript for .ts files', () => {
+    expect(analyzer.detectLanguage('app.ts')).toBe('typescript');
+    expect(analyzer.detectLanguage('component.tsx')).toBe('typescript');
+  });
+
+  test('detectLanguage returns python for .py files', () => {
+    expect(analyzer.detectLanguage('script.py')).toBe('python');
+  });
+
+  test('detectLanguage returns null for unsupported extensions', () => {
+    expect(analyzer.detectLanguage('style.css')).toBeNull();
+    expect(analyzer.detectLanguage('data.json')).toBeNull();
+  });
+
+  // --- isTestFile ---
+
+  test('isTestFile detects various test file patterns', () => {
+    expect(analyzer.isTestFile('app.test.js')).toBe(true);
+    expect(analyzer.isTestFile('app.spec.ts')).toBe(true);
+    expect(analyzer.isTestFile('__tests__/foo.js')).toBe(true);
+    expect(analyzer.isTestFile('src/app.js')).toBe(false);
+  });
+
+  // --- parseSemgrepResults ---
+
+  test('parseSemgrepResults parses valid semgrep output', () => {
+    const output = {
+      results: [{
+        path: 'app.js',
+        start: { line: 10, col: 5 },
+        check_id: 'security.hardcoded-password',
+        extra: {
+          severity: 'ERROR',
+          message: 'Hardcoded password detected',
+          metadata: { cwe: 'CWE-798', owasp: 'A2', confidence: 'HIGH' }
+        }
+      }]
+    };
+    const issues = analyzer.parseSemgrepResults(output);
+    expect(issues.length).toBe(1);
+    expect(issues[0].file).toBe('app.js');
+    expect(issues[0].line).toBe(10);
+    expect(issues[0].severity).toBe('critical');
+    expect(issues[0].scanner).toBe('semgrep');
+    expect(issues[0].cwe).toBe('CWE-798');
+  });
+
+  test('parseSemgrepResults returns empty array for no results', () => {
+    expect(analyzer.parseSemgrepResults({})).toEqual([]);
+    expect(analyzer.parseSemgrepResults({ results: [] })).toEqual([]);
+  });
+
+  // --- parseBanditResults ---
+
+  test('parseBanditResults parses valid bandit output', () => {
+    const output = {
+      results: [{
+        filename: 'app.py',
+        line_number: 42,
+        test_id: 'B101',
+        issue_severity: 'HIGH',
+        issue_text: 'Use of assert detected',
+        issue_confidence: 'HIGH',
+        issue_cwe: { id: 703 }
+      }]
+    };
+    const issues = analyzer.parseBanditResults(output);
+    expect(issues.length).toBe(1);
+    expect(issues[0].file).toBe('app.py');
+    expect(issues[0].line).toBe(42);
+    expect(issues[0].severity).toBe('critical');
+    expect(issues[0].scanner).toBe('bandit');
+    expect(issues[0].cwe).toBe('CWE-703');
+  });
+
+  test('parseBanditResults returns empty array for no results', () => {
+    expect(analyzer.parseBanditResults({})).toEqual([]);
+  });
+
+  // --- parseNpmAuditResults ---
+
+  test('parseNpmAuditResults parses npm audit v7+ format', () => {
+    const output = {
+      vulnerabilities: {
+        'lodash': {
+          severity: 'critical',
+          via: [{ source: 12345, title: 'Prototype Pollution', cve: 'CVE-2021-23337', url: 'https://example.com' }],
+          range: '<4.17.21',
+          fixAvailable: true
+        }
+      }
+    };
+    const issues = analyzer.parseNpmAuditResults(output);
+    expect(issues.length).toBe(1);
+    expect(issues[0].package).toBe('lodash');
+    expect(issues[0].severity).toBe('critical');
+    expect(issues[0].scanner).toBe('npm-audit');
+  });
+
+  test('parseNpmAuditResults returns empty array when no vulnerabilities', () => {
+    expect(analyzer.parseNpmAuditResults({})).toEqual([]);
+  });
+
+  // --- getScannerStatus ---
+
+  test('getScannerStatus returns scanners and recommendations', async () => {
+    const status = await analyzer.getScannerStatus();
+    expect(status).toHaveProperty('scanners');
+    expect(status).toHaveProperty('recommendations');
+    expect(Array.isArray(status.recommendations)).toBe(true);
+    // With no scanners available, we should get recommendations
+    expect(status.recommendations.length).toBeGreaterThan(0);
+  });
+
+  // --- severity mapping ---
+
+  test('mapSemgrepSeverity maps correctly', () => {
+    expect(analyzer.mapSemgrepSeverity('ERROR')).toBe('critical');
+    expect(analyzer.mapSemgrepSeverity('WARNING')).toBe('error');
+    expect(analyzer.mapSemgrepSeverity('INFO')).toBe('warning');
+    expect(analyzer.mapSemgrepSeverity('UNKNOWN')).toBe('warning');
+  });
+
+  test('mapBanditSeverity maps correctly', () => {
+    expect(analyzer.mapBanditSeverity('HIGH')).toBe('critical');
+    expect(analyzer.mapBanditSeverity('MEDIUM')).toBe('error');
+    expect(analyzer.mapBanditSeverity('LOW')).toBe('warning');
+  });
+
+  test('mapNpmSeverity maps correctly', () => {
+    expect(analyzer.mapNpmSeverity('critical')).toBe('critical');
+    expect(analyzer.mapNpmSeverity('high')).toBe('critical');
+    expect(analyzer.mapNpmSeverity('moderate')).toBe('error');
+    expect(analyzer.mapNpmSeverity('low')).toBe('warning');
+    expect(analyzer.mapNpmSeverity('info')).toBe('info');
+  });
+
+  test('mapESLintSeverity maps 2 to error, 1 to warning', () => {
+    expect(analyzer.mapESLintSeverity(2)).toBe('error');
+    expect(analyzer.mapESLintSeverity(1)).toBe('warning');
+  });
+
+  // --- normalizeResults ---
+
+  test('normalizeResults maps all fields to common format', () => {
+    const raw = [{
+      file: 'x.js', line: 5, column: 3, severity: 'critical',
+      rule: 'test-rule', message: 'Bad thing', scanner: 'test',
+      cwe: 'CWE-1', fixable: true
+    }];
+    const normalized = analyzer.normalizeResults(raw);
+    expect(normalized.length).toBe(1);
+    expect(normalized[0].category).toBe('security');
+    expect(normalized[0].fixable).toBe(true);
+    expect(normalized[0].cwe).toBe('CWE-1');
+  });
+
+  // --- hasScannersForLanguage ---
+
+  test('hasScannersForLanguage returns false when no scanners available', () => {
+    const available = { semgrep: false, bandit: false, eslintSecurity: false };
+    expect(analyzer.hasScannersForLanguage(available, 'javascript')).toBe(false);
+    expect(analyzer.hasScannersForLanguage(available, 'python')).toBe(false);
+    expect(analyzer.hasScannersForLanguage(available, 'ruby')).toBe(false);
+  });
+
+  test('hasScannersForLanguage returns true when semgrep available for JS', () => {
+    expect(analyzer.hasScannersForLanguage({ semgrep: true, eslintSecurity: false }, 'javascript')).toBe(true);
+  });
+});