feat: make reachability human friendly

At the moment, the output shows reachability as function or package or with no info. This change makes this to more friendly / easier to understand: reachable/ potentially-reachable / no-info

src/cli/commands/test/formatters/format-reachability.ts

@@ -15,23 +15,27 @@ import {
 } from '../../constants';
 
 const reachabilityLevels: {
-  [key in REACHABILITY]: { color: Function; text: string };
+  [key in REACHABILITY]: { color: Function; text: string; json: string };
 } = {
   [REACHABILITY.FUNCTION]: {
     color: chalk.redBright,
     text: 'Reachable',
+    json: 'reachable',
   },
   [REACHABILITY.PACKAGE]: {
     color: chalk.yellow,
     text: 'Potentially reachable',
+    json: 'potentially-reachable',
   },
   [REACHABILITY.NOT_REACHABLE]: {
     color: chalk.blueBright,
     text: 'Not reachable',
+    json: 'not-reachable',
   },
   [REACHABILITY.NO_INFO]: {
     color: (str) => str,
     text: '',
+    json: 'no-info',
   },
 };
 
@@ -55,6 +59,14 @@ export function getReachabilityText(reachability?: REACHABILITY): string {
   return reachableInfo ? reachableInfo.text : '';
 }
 
+export function getReachabilityJson(reachability?: REACHABILITY): string {
+  if (!reachability) {
+    return '';
+  }
+  const reachableInfo = reachabilityLevels[reachability];
+  return reachableInfo ? reachableInfo.json : '';
+}
+
 export function summariseReachableVulns(
   vulnerabilities: AnnotatedIssue[],
 ): string {

src/cli/commands/test/index.ts

@@ -62,6 +62,7 @@ import {
   IacProjectTypes,
   TEST_SUPPORTED_IAC_PROJECTS,
 } from '../../../lib/iac/constants';
+import { getReachabilityJson } from './formatters/format-reachability';
 
 const debug = Debug('snyk-test');
 const SEPARATOR = '\n-------------------------------------------------------\n';
@@ -446,6 +447,19 @@ function isVulnFixable(vuln) {
   return isVulnUpgradable(vuln) || isVulnPatchable(vuln);
 }
 
+function formatJsonOutput(jsonData) {
+  const jsonDataClone = _.cloneDeep(jsonData);
+
+  if (jsonDataClone.vulnerabilities) {
+    jsonDataClone.vulnerabilities.forEach((vuln) => {
+      if (vuln.reachability) {
+        vuln.reachability = getReachabilityJson(vuln.reachability);
+      }
+    });
+  }
+  return jsonDataClone;
+}
+
 function displayResult(
   res: TestResult,
   options: Options & TestOptions,
@@ -801,7 +815,11 @@ function extractDataToSendFromResults(
       : createSarifOutputForIac(results);
   }
 
-  const stringifiedJsonData = JSON.stringify(jsonData, null, 2);
+  const stringifiedJsonData = JSON.stringify(
+    formatJsonOutput(jsonData),
+    null,
+    2,
+  );
   const stringifiedSarifData = JSON.stringify(sarifData, null, 2);
 
   const dataToSend = options.sarif ? sarifData : jsonData;

test/acceptance/display-test-results.test.ts

@@ -117,6 +117,42 @@ test('test reachability info is displayed', async (t) => {
   t.end();
 });
 
+test('test info is displayed when reachability with json flag', async (t) => {
+  chdirWorkspaces();
+  const stubbedResponse = JSON.parse(
+    fs.readFileSync(
+      __dirname +
+      '/workspaces/reachable-vulns/maven/test-dep-graph-response-reachable.json',
+      'utf8',
+    ),
+  );
+  const snykTestStub = sinon.stub(snyk, 'test').returns(stubbedResponse);
+  try {
+    await cli.test('maven-app', {
+      reachableVulns: true,
+      json: true,
+    });
+  } catch (error) {
+    let { message } = error;
+    message = JSON.parse(message);
+
+    const reachabilities = message.vulnerabilities.map(
+      (vuln) => vuln.reachability,
+    );
+
+    t.deepEqual(reachabilities, [
+      'potentially-reachable',
+      'no-info',
+      'reachable',
+    ]);
+    const resType = error.constructor.name;
+    t.equal(resType, 'Error');
+  }
+
+  snykTestStub.restore();
+  t.end();
+});
+
 test('`test npm-package-with-severity-override` show original severity upgrade', async (t) => {
   chdirWorkspaces();
   const stubbedResponse = JSON.parse(

test/acceptance/workspaces/reachable-vulns/maven/test-dep-graph-response-reachable.json

@@ -0,0 +1,194 @@
+{
+  "vulnerabilities": [
+    {
+      "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
+      "alternativeIds": [],
+      "creationTime": "2017-04-13T12:32:00Z",
+      "credit": ["Package level Reachability"],
+      "cvssScore": 5.6,
+      "description": "Package level Reachability",
+      "disclosureTime": "2014-04-23T12:32:00Z",
+      "exploit": "Not Defined",
+      "fixedIn": ["1.4.11", "1.5.6", "1.6.3", "1.7.1"],
+      "functions": [],
+      "functions_new": [
+        {
+          "functionId": {
+            "filePath": "lib/file.js",
+            "functionName": "theFunctionName"
+          },
+          "version": [
+            "<0.0.19"
+          ]
+        }
+      ],
+      "id": "SNYK-JAVA-PACAKGE-12345",
+      "identifiers": {
+        "CVE": ["CVE-2014-0472"],
+        "CWE": ["CWE-94"]
+      },
+      "language": "java",
+      "modificationTime": "2019-07-11T13:26:49.758445Z",
+      "moduleName": "package-name",
+      "packageManager": "maven",
+      "packageName": "package-name",
+      "patches": [],
+      "publicationTime": "2014-04-23T12:32:00Z",
+      "reachability": "package",
+      "references": [
+        {
+          "title": "Vulnerability Description",
+          "url": "https://www.url.com/page.html"
+        }
+      ],
+      "semver": {
+        "vulnerable": ["[,1.4.11)", "[1.5,1.5.6)", "[1.6,1.6.3)", "[1.7,1.7.1)"]
+      },
+      "severity": "medium",
+      "title": "Arbitrary Code Execution",
+      "from": ["root@0.0.0", "package-name@1.6.1"],
+      "upgradePath": [],
+      "isUpgradable": true,
+      "isPatchable": false,
+      "name": "package-name",
+      "version": "1.6.1"
+    },
+    {
+      "CVSSv3": "CVSS:56565656",
+      "alternativeIds": [],
+      "creationTime": "2017-04-13T12:32:00Z",
+      "credit": ["No Info on Reachability"],
+      "cvssScore": 5.6,
+      "description": "No Info on Reachability",
+      "disclosureTime": "2014-04-23T12:32:00Z",
+      "exploit": "Not Defined",
+      "fixedIn": ["1.4.11", "1.5.6", "1.6.3", "1.7.1"],
+      "functions": [],
+      "functions_new": [
+        {
+          "functionId": {
+            "filePath": "lib/file.js",
+            "functionName": "theFunctionName"
+          },
+          "version": [
+            "<0.0.19"
+          ]
+        }
+      ],
+      "id": "SNYK-JAVA-PACAKGE-987765",
+      "identifiers": {
+        "CVE": ["CVE-2014-0472"],
+        "CWE": ["CWE-94"]
+      },
+      "language": "java",
+      "modificationTime": "2019-07-11T13:26:49.758445Z",
+      "moduleName": "package-name",
+      "packageManager": "maven",
+      "packageName": "package-name",
+      "patches": [],
+      "publicationTime": "2014-04-23T12:32:00Z",
+      "reachability": "no-info",
+      "references": [
+        {
+          "title": "Vulnerability Description",
+          "url": "https://www.url.com/page.html"
+        }
+      ],
+      "semver": {
+        "vulnerable": ["[,1.4.11)", "[1.5,1.5.6)", "[1.6,1.6.3)", "[1.7,1.7.1)"]
+      },
+      "severity": "medium",
+      "title": "Arbitrary Code Execution",
+      "from": ["root@0.0.0", "package-name@1.6.1"],
+      "upgradePath": [],
+      "isUpgradable": true,
+      "isPatchable": false,
+      "name": "package-name",
+      "version": "1.6.1"
+    },
+    {
+      "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
+      "alternativeIds": [],
+      "creationTime": "2017-04-13T12:32:00Z",
+      "credit": ["Function level Reachability"],
+      "cvssScore": 5.6,
+      "description": "Function level Reachability",
+      "disclosureTime": "2014-04-23T12:32:00Z",
+      "exploit": "Not Defined",
+      "fixedIn": ["1.4.11", "1.5.6", "1.6.3", "1.7.1"],
+      "functions": [],
+      "functions_new": [
+        {
+          "functionId": {
+            "filePath": "lib/file.js",
+            "functionName": "theFunctionName"
+          },
+          "version": [
+            "<0.0.19"
+          ]
+        }
+      ],
+      "id": "SNYK-JAVA-PACAKGE-1029384",
+      "identifiers": {
+        "CVE": ["CVE-2014-0472"],
+        "CWE": ["CWE-94"]
+      },
+      "language": "java",
+      "modificationTime": "2019-07-11T13:26:49.758445Z",
+      "moduleName": "package-name",
+      "packageManager": "maven",
+      "packageName": "package-name",
+      "patches": [],
+      "publicationTime": "2014-04-23T12:32:00Z",
+      "reachability": "function",
+      "references": [
+        {
+          "title": "Vulnerability Description",
+          "url": "https://www.url.com/page.html"
+        }
+      ],
+      "semver": {
+        "vulnerable": ["[,1.4.11)", "[1.5,1.5.6)", "[1.6,1.6.3)", "[1.7,1.7.1)"]
+      },
+      "severity": "medium",
+      "title": "Arbitrary Code Execution",
+      "from": ["root@0.0.0", "package-name@1.6.1"],
+      "upgradePath": [],
+      "isUpgradable": true,
+      "isPatchable": false,
+      "name": "package-name",
+      "version": "1.6.1"
+    }
+  ],
+  "ok": false,
+  "dependencyCount": 1,
+  "org": "reachable vulns org",
+  "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.14.0\nignore: {}\npatch: {}\n",
+  "isPrivate": true,
+  "licensesPolicy": {
+    "severities": {},
+    "orgLicenseRules": {}
+  },
+  "packageManager": "maven",
+  "ignoreSettings": null,
+  "summary": "30 vulnerable dependency paths",
+  "remediation": {
+    "unresolved": [],
+    "upgrade": {
+      "package-name@1.6.1": {
+        "upgradeTo": "package-name@1.6.3",
+        "vulns": ["SNYK-JAVA-PACAKGE-12345"],
+        "isTransitive": false
+      }
+    },
+    "patch": {},
+    "ignore": {},
+    "pin": {}
+  },
+  "filesystemPolicy": false,
+  "filtered": {
+    "ignore": [],
+    "patch": []
+  },
+  "uniqueCount": 30
+}