Merge pull request #52 from sonukapoor/codex/issue-50-add-scanner-cache-tests

sonukapoor · web-flow · commit a3d782e26806 · 2026-04-02T18:01:33.000-04:00
test: add scanner and cache unit tests
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -22,5 +22,8 @@ jobs:
       - name: Install dependencies
         run: npm ci
 
+      - name: Test
+        run: npm test
+
       - name: Build
-        run: npm run build
+        run: npm run build
diff --git a/tests/osv-cache.test.ts b/tests/osv-cache.test.ts
@@ -0,0 +1,80 @@
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import { loadCache, saveCache } from "../src/osv/cache.js";
+import type { CacheFile } from "../src/types.js";
+
+function createTempCacheDir(): string {
+  return fs.mkdtempSync(path.join(os.tmpdir(), "cve-lite-cache-test-"));
+}
+
+function removeDir(dirPath: string) {
+  fs.rmSync(dirPath, { recursive: true, force: true });
+}
+
+describe("OSV cache", () => {
+  it("returns an empty version 2 cache when the file does not exist", () => {
+    const cacheDir = createTempCacheDir();
+
+    try {
+      const cache = loadCache(cacheDir);
+
+      expect(cache.version).toBe(2);
+      expect(cache.entries).toEqual({});
+      expect(cache.queryEntries).toEqual({});
+    } finally {
+      removeDir(cacheDir);
+    }
+  });
+
+  it("upgrades an older cache file by defaulting queryEntries", () => {
+    const cacheDir = createTempCacheDir();
+    const cacheFile = path.join(cacheDir, "osv-vulns.json");
+
+    fs.writeFileSync(
+      cacheFile,
+      JSON.stringify({
+        version: 1,
+        createdAt: "2026-01-01T00:00:00.000Z",
+        entries: {
+          "OSV-123": { id: "OSV-123", aliases: ["CVE-2026-0001"] },
+        },
+      }),
+      "utf8",
+    );
+
+    try {
+      const cache = loadCache(cacheDir);
+
+      expect(cache.version).toBe(2);
+      expect(cache.entries["OSV-123"]).toMatchObject({ id: "OSV-123" });
+      expect(cache.queryEntries).toEqual({});
+    } finally {
+      removeDir(cacheDir);
+    }
+  });
+
+  it("persists queryEntries and advisory entries to the JSON cache file", () => {
+    const cacheDir = createTempCacheDir();
+    const cache: CacheFile = {
+      version: 2,
+      createdAt: "2026-01-01T00:00:00.000Z",
+      entries: {
+        "OSV-123": { id: "OSV-123", aliases: ["CVE-2026-0001"] },
+      },
+      queryEntries: {
+        "npm:left-pad@1.0.0": ["OSV-123"],
+      },
+    };
+
+    try {
+      saveCache(cache, cacheDir);
+
+      const reloaded = loadCache(cacheDir);
+      expect(reloaded.entries["OSV-123"]).toMatchObject({ id: "OSV-123" });
+      expect(reloaded.queryEntries["npm:left-pad@1.0.0"]).toEqual(["OSV-123"]);
+    } finally {
+      removeDir(cacheDir);
+    }
+  });
+});
diff --git a/tests/scanner-cache.test.ts b/tests/scanner-cache.test.ts
@@ -0,0 +1,146 @@
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import { jest } from "@jest/globals";
+import type { OsvVuln, PackageRef, ParsedOptions } from "../src/types.js";
+
+const queryBatchMock = jest.fn();
+const getVulnMock = jest.fn();
+
+jest.unstable_mockModule("../src/advisory/osv-advisory-source.js", () => ({
+  OsvAdvisorySource: jest.fn().mockImplementation(() => ({
+    queryBatch: queryBatchMock,
+    getVuln: getVulnMock,
+  })),
+}));
+
+const { scanPackages } = await import("../src/scanner.js");
+const { loadCache } = await import("../src/osv/cache.js");
+
+function createTempCacheDir(): string {
+  return fs.mkdtempSync(path.join(os.tmpdir(), "cve-lite-scanner-test-"));
+}
+
+function removeDir(dirPath: string) {
+  fs.rmSync(dirPath, { recursive: true, force: true });
+}
+
+function createOptions(cacheDir: string): ParsedOptions {
+  return {
+    batchSize: "100",
+    failOn: "critical",
+    cacheDir,
+    json: true,
+  };
+}
+
+function createPackage(name: string, version: string): PackageRef {
+  return {
+    name,
+    version,
+    ecosystem: "npm",
+    paths: [["root", name]],
+  };
+}
+
+describe("scanPackages cache behavior", () => {
+  beforeEach(() => {
+    queryBatchMock.mockReset();
+    getVulnMock.mockReset();
+  });
+
+  it("uses cached package matches and advisory details on repeat scans", async () => {
+    const cacheDir = createTempCacheDir();
+    const pkg = createPackage("left-pad", "1.0.0");
+    const detail: OsvVuln = {
+      id: "OSV-123",
+      aliases: ["CVE-2026-0001"],
+      affected: [{ ranges: [{ events: [{ fixed: "1.0.1" }] }] }],
+    };
+
+    queryBatchMock.mockResolvedValue([
+      {
+        package: pkg.name,
+        version: pkg.version,
+        vulnerabilities: [{ id: "OSV-123" }],
+      },
+    ]);
+    getVulnMock.mockResolvedValue(detail);
+
+    try {
+      const firstFindings = await scanPackages([pkg], 100, createOptions(cacheDir));
+      expect(firstFindings).toHaveLength(1);
+      expect(firstFindings[0]?.vulnerabilities).toEqual([detail]);
+      expect(queryBatchMock).toHaveBeenCalledTimes(1);
+      expect(getVulnMock).toHaveBeenCalledTimes(1);
+
+      queryBatchMock.mockClear();
+      getVulnMock.mockClear();
+
+      const secondFindings = await scanPackages([pkg], 100, createOptions(cacheDir));
+      expect(secondFindings).toHaveLength(1);
+      expect(secondFindings[0]?.vulnerabilities).toEqual([detail]);
+      expect(queryBatchMock).not.toHaveBeenCalled();
+      expect(getVulnMock).not.toHaveBeenCalled();
+    } finally {
+      removeDir(cacheDir);
+    }
+  });
+
+  it("does not retry advisory detail fetches for cached null entries", async () => {
+    const cacheDir = createTempCacheDir();
+    const pkg = createPackage("minimist", "0.0.8");
+    const cacheFile = path.join(cacheDir, "osv-vulns.json");
+
+    fs.writeFileSync(
+      cacheFile,
+      JSON.stringify({
+        version: 2,
+        createdAt: "2026-01-01T00:00:00.000Z",
+        entries: {
+          "OSV-NULL": null,
+        },
+        queryEntries: {
+          "npm:minimist@0.0.8": ["OSV-NULL"],
+        },
+      }),
+      "utf8",
+    );
+
+    try {
+      const findings = await scanPackages([pkg], 100, createOptions(cacheDir));
+
+      expect(findings).toHaveLength(1);
+      expect(findings[0]?.vulnerabilities).toEqual([]);
+      expect(queryBatchMock).not.toHaveBeenCalled();
+      expect(getVulnMock).not.toHaveBeenCalled();
+    } finally {
+      removeDir(cacheDir);
+    }
+  });
+
+  it("stores package match results in the JSON cache after an uncached scan", async () => {
+    const cacheDir = createTempCacheDir();
+    const pkg = createPackage("debug", "4.0.0");
+    const detail: OsvVuln = { id: "OSV-999" };
+
+    queryBatchMock.mockResolvedValue([
+      {
+        package: pkg.name,
+        version: pkg.version,
+        vulnerabilities: [{ id: "OSV-999" }],
+      },
+    ]);
+    getVulnMock.mockResolvedValue(detail);
+
+    try {
+      await scanPackages([pkg], 100, createOptions(cacheDir));
+
+      const cache = loadCache(cacheDir);
+      expect(cache.queryEntries["npm:debug@4.0.0"]).toEqual(["OSV-999"]);
+      expect(cache.entries["OSV-999"]).toMatchObject({ id: "OSV-999" });
+    } finally {
+      removeDir(cacheDir);
+    }
+  });
+});
