socket-cli/test/utils.mts at d15aa535b4d5826ffeb35c8e65c539a3803e903f · SocketDev/socket-cli · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
import { readFileSync } from 'node:fs'
import path from 'node:path'
import { fileURLToPath } from 'node:url'

import { it } from 'vitest'

import { SpawnOptions, spawn } from '@socketsecurity/registry/lib/spawn'
import { stripAnsi } from '@socketsecurity/registry/lib/strings'

import constants, { FLAG_HELP, FLAG_VERSION } from '../src/constants.mts'

const __filename = fileURLToPath(import.meta.url)
const __dirname = path.dirname(__filename)

// Read Coana version from package.json for test normalization.
// This is needed because constants.ENV.INLINED_SOCKET_CLI_COANA_TECH_CLI_VERSION
// is a compile-time value that's empty in the test environment.
const rootPackageJson = JSON.parse(
  readFileSync(path.join(__dirname, '..', 'package.json'), 'utf8'),
) as { devDependencies: Record<string, string> }
const coanaVersion = rootPackageJson.devDependencies['@coana-tech/cli'] ?? ''

// The asciiUnsafeRegexp match characters that are:
//   * Control characters in the Unicode range:
//     - \u0000 to \u0007 (e.g., NUL, BEL)
//     - \u0009 (Tab, but note: not \u0008 Backspace or \u000A Newline)
//     - \u000B to \u001F (other non-printable control characters)
//   * All non-ASCII characters:
//     - \u0080 to \uFFFF (extended Unicode)
// eslint-disable-next-line no-control-regex
const asciiUnsafeRegexp = /[\u0000-\u0007\u0009\u000b-\u001f\u0080-\uffff]/g

// Note: The fixture directory is in the same directory as this utils file.
export const testPath = __dirname

function normalizeLogSymbols(str: string): string {
  return str
    .replaceAll('✖', '×')
    .replaceAll('ℹ', 'i')
    .replaceAll('✔', '√')
    .replaceAll('⚠', '‼')
}

function normalizeNewlines(str: string): string {
  return (
    str
      // Replace all literal \r\n.
      .replaceAll('\r\n', '\n')
      // Replace all escaped \\r\\n.
      .replaceAll('\\r\\n', '\\n')
  )
}

function stripZeroWidthSpace(str: string): string {
  return str.replaceAll('\u200b', '')
}

// Normalize Coana version to a placeholder for stable snapshots.
function normalizeCoanaVersion(str: string): string {
  if (!coanaVersion) {
    return str
  }
  return str.replaceAll(coanaVersion, '<coana-version>')
}

// Normalize CLI banner output for stable snapshots.
// The banner contains environment-specific values (version, token, org, cwd)
// that differ across machines and CI environments.
function normalizeBanner(str: string): string {
  return (
    str
      // Replace CLI version like "v1.1.67" with "<redacted>".
      .replace(/\| CLI: v[\d.]+/g, '| CLI: <redacted>')
      // Replace token and org info with "<redacted>".
      .replace(
        /\| (?:Node: [^,]+, )?token: [^,]+, (?:org: [^\n"]+)/g,
        '| token: <redacted>, org: <redacted>',
      )
      // Replace cwd path with "<redacted>".
      .replace(/cwd: [^\n"]+/g, 'cwd: <redacted>')
  )
}

function toAsciiSafeString(str: string): string {
  return str.replace(asciiUnsafeRegexp, m => {
    const code = m.charCodeAt(0)
    return code < 255
      ? `\\x${code.toString(16).padStart(2, '0')}`
      : `\\u${code.toString(16).padStart(4, '0')}`
  })
}

export function cleanOutput(output: string): string {
  return toAsciiSafeString(
    normalizeBanner(
      normalizeCoanaVersion(
        normalizeLogSymbols(
          normalizeNewlines(stripZeroWidthSpace(stripAnsi(output.trim()))),
        ),
      ),
    ),
  )
}

/**
 * Check if output contains cdxgen help content.
 * Used to verify cdxgen command executed with help flag.
 */
export function hasCdxgenHelpContent(output: string): boolean {
  // Check for various cdxgen help indicators.
  // Must have cdxgen or CycloneDX AND at least one help flag indicator.
  const hasCdxgenMention =
    output.includes('CycloneDX') || output.includes('cdxgen')
  const hasHelpFlags =
    output.includes(FLAG_HELP) ||
    output.includes(FLAG_VERSION) ||
    // cdxgen-specific flags.
    output.includes('--output') ||
    output.includes('--type')

  return hasCdxgenMention && hasHelpFlags
}

/**
 * Check if output contains the Socket CLI banner.
 * The banner appears as ASCII art in the stderr output.
 * Note: The banner contains either '*' (when --config is used) or '.' (when no config is used).
 */
export function hasSocketBanner(output: string): boolean {
  // Check for Socket banner ASCII art lines.
  // The banner is always printed as a complete block, never partial.
  // Just check for the most distinctive first line.
  return output.includes('_____         _       _')
}

export type TestCollectorOptions = Exclude<Parameters<typeof it>[1], undefined>

/**
 * This is a simple template wrapper for this pattern:
 * `it('should do: socket scan', (['socket', 'scan']) => {})`
 */
export function cmdit(
  cmd: string[],
  title: string,
  cb: (cmd: string[]) => Promise<void>,
  options?: TestCollectorOptions | undefined,
) {
  it(
    `${title}: \`${cmd.join(' ')}\``,
    {
      timeout: 30_000,
      ...options,
    },
    cb.bind(null, cmd),
  )
}

export async function spawnSocketCli(
  entryPath: string,
  args: string[],
  options?: SpawnOptions | undefined,
): Promise<{
  code: number
  error?: {
    message: string
    stack: string
  }
  status: boolean
  stdout: string
  stderr: string
}> {
  const { cwd = process.cwd(), env: spawnEnv } = {
    __proto__: null,
    ...options,
  } as SpawnOptions
  try {
    // Exclude Socket auth credentials to ensure tests run unauthenticated.
    const {
      SOCKET_CLI_API_BASE_URL: unusedApiBaseUrl,
      SOCKET_CLI_API_KEY: unusedCliApiKey,
      SOCKET_CLI_API_TOKEN: unusedCliApiToken,
      SOCKET_CLI_ORG_SLUG: unusedOrgSlug,
      SOCKET_SECURITY_API_KEY: unusedApiKey,
      SOCKET_SECURITY_API_TOKEN: unusedSecurityApiToken,
      ...cleanEnv
    } = process.env
    const {
      SOCKET_CLI_API_BASE_URL: unusedProcessApiBaseUrl,
      SOCKET_CLI_API_KEY: unusedProcessCliApiKey,
      SOCKET_CLI_API_TOKEN: unusedProcessCliApiToken,
      SOCKET_CLI_ORG_SLUG: unusedProcessOrgSlug,
      SOCKET_SECURITY_API_KEY: unusedProcessApiKey,
      SOCKET_SECURITY_API_TOKEN: unusedProcessSecurityApiToken,
      ...cleanProcessEnv
    } = constants.processEnv
    const output = await spawn(constants.execPath, [entryPath, ...args], {
      cwd,
      env: {
        ...cleanEnv,
        ...cleanProcessEnv,
        ...spawnEnv,
      },
    })
    return {
      status: true,
      code: 0,
      stdout: cleanOutput(output.stdout),
      stderr: cleanOutput(output.stderr),
    }
  } catch (e: unknown) {
    return {
      status: false,
      code: e?.['code'] || 1,
      error: {
        message: e?.['message'] || '',
        stack: e?.['stack'] || '',
      },
      stdout: cleanOutput(e?.['stdout'] ?? ''),
      stderr: cleanOutput(e?.['stderr'] ?? ''),
    }
  }
}