Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
21 commits
Select commit Hold shift + click to select a range
bb5d257
test: unified converter tests
rrama Dec 9, 2025
92cf113
Merge branch 'main' into test/unified-converter-test
rrama Jan 22, 2026
bff0f14
test: update function call signature
rrama Jan 26, 2026
a1e619c
test: make Test_buildUpgradePath make more sense
rrama Jan 28, 2026
e39eff1
test: refactor `Test_buildRemediationAdvice` order
rrama Feb 2, 2026
c93b021
test: improve `Test_buildRemediationAdvice`
rrama Feb 3, 2026
6c9d6d0
test: improve `Test_extractDependencyPath`
rrama Feb 3, 2026
5b6ab00
test: improve `Test_buildMessage`
rrama Feb 3, 2026
ae7a98d
test: improve `Test_getIntroducingFinding`
rrama Feb 3, 2026
5eaee03
test: improve up to `Test_extractUpgradePackage`
rrama Feb 4, 2026
df06f6d
test: vuln as direct and transative dependency
rrama Feb 4, 2026
d459d27
test: pull out setup helper for processIssue tests
rrama Feb 4, 2026
6ef32e1
test: combine code lenses and actions test
rrama Feb 4, 2026
39ab67e
test: pull out common graceful degradation asserts
rrama Feb 4, 2026
489f126
test: combine both no fix available tests
rrama Feb 4, 2026
fe2153e
test: move Test_processIssue_NoFixAvailable up
rrama Feb 4, 2026
ae03a59
test: use table for processIssue golden path tests
rrama Feb 4, 2026
eec0323
test: lint
rrama Feb 5, 2026
3d6c505
Merge branch 'main' into test/unified-converter-test
rrama Mar 9, 2026
5611208
Merge branch 'main' into test/unified-converter-test
nick-y-snyk May 1, 2026
f014c0a
Merge branch 'main' into test/unified-converter-test
andrewrobinsonhodges-snyk May 12, 2026
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 5 additions & 4 deletions infrastructure/oss/unified_converter.go
Original file line number Diff line number Diff line change
Expand Up @@ -322,7 +322,7 @@ func buildRemediationAdvice(
upgradePath[1] == dependencyPath[1]

// Match Legacy logic: check IsUpgradable
// IsUpgradable = len(vuln.InitiallyFixedInVersions) > 0
// IsUpgradable = len(problem.InitiallyFixedInVersions) > 0
// Note: IsPatchable is always false in unified workflow (patches not supported)
isUpgradable := len(problem.InitiallyFixedInVersions) > 0

Expand All @@ -333,8 +333,9 @@ func buildRemediationAdvice(
return buildOutdatedDependencyMessage(problem.PackageName, actualVersion, ecosystemStr)
}
// Return upgrade message when available
// Note: if isUpgradable but upgradeMessage is empty, we return empty string
// but that case should be rare since upgradePath is built from InitiallyFixedInVersions
// Note: if isUpgradable but upgradeMessage is empty (fix exists but no upgrade path available),
// we return empty string. This is common for deep transitive dependencies where intermediate
// packages haven't consumed the fixed version yet.
return upgradeMessage
}

Expand Down Expand Up @@ -400,7 +401,7 @@ func extractUpgradePackage(dependencyPath []string, finding *testapi.FindingData
return nil
}

if len(dependencyPath) == 0 {
if len(dependencyPath) < 2 {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

The change from len(dependencyPath) == 0 to len(dependencyPath) < 2 is a critical improvement. Accessing dependencyPath[1] when the slice has fewer than two elements would lead to a runtime panic. This fix correctly handles cases where the dependency path is empty or contains only a single element, preventing potential crashes.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This guard fix is correct — dependencyPath[1] at line 407 would panic on a length-1 path, and < 2 cleanly rejects both empty and single-element inputs while preserving behavior for valid (len ≥ 2) inputs.

Should fix — the structurally identical twin panic just below is still unguarded. At line 412, path[1].Name is reached after only len(path) > 0, so an upgrade DependencyPath with exactly one package panics with index-out-of-range. That path slice comes from the API (upgradeAction.UpgradePaths[…].DependencyPath) and has no length invariant. Since this PR's theme is hardening this exact access pattern, tighten line 412 to len(path) > 1 to match, and add a test case with a single-element upgrade path — none of the new tests currently feed one, so the "avoid panic" coverage they imply doesn't actually exist.

— AI review

return nil

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[Should Fix] Good fix here — but the identical bug class remains a few lines below at line 412:

if len(path) > 0 && path[1].Name == depPathPackageName {

path[1] requires length ≥ 2, but the guard only checks len(path) > 0, so a single-element UpgradePath.DependencyPath (API data) panics with index-out-of-range — exactly what you just fixed for dependencyPath. Tighten to len(path) > 1, and add a test feeding a length-1 upgrade path (mirroring the single-element case you already added for the input side). 3 of 4 reviewers flagged this; no current test exercises it.

— AI review

}
depPathPackageName := strings.Split(dependencyPath[1], "@")[0]
Expand Down
Loading
Loading