Guided Remediation: non-interactive mode

[michaelkedar]

It actually can be used now 🎉

This is basically re-written from the internal equivalent, but it should be functionally similar.
Probably will end up extracting some code to use with the interactive code when I end up needing it.

imo, non-interactive mode is currently too opaque to be generally useful - there's no indication of what vulnerabilities exist and which get fixed.

[codecov-commenter]

Codecov Report

Attention: 110 lines in your changes are missing coverage. Please review.

Comparison is base (b50e737) 58.89% compared to head (80326c5) 71.79%.

Files	Patch %	Lines
cmd/osv-scanner/fix/noninteractive.go	63.19%	48 Missing and 12 partials ⚠️
cmd/osv-scanner/fix/regen_lockfile.go	0.00%	32 Missing ⚠️
cmd/osv-scanner/fix/main.go	57.14%	11 Missing and 1 partial ⚠️
internal/resolution/resolve.go	40.00%	5 Missing and 1 partial ⚠️

Additional details and impacted files

@@             Coverage Diff             @@
##             main     #798       +/-   ##
===========================================
+ Coverage   58.89%   71.79%   +12.90%     
===========================================
  Files         116      118        +2     
  Lines        8452     8677      +225     
===========================================
+ Hits         4978     6230     +1252     
+ Misses       3271     2078     -1193     
- Partials      203      369      +166     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[michaelkedar]

Comparison is base (85563d9) 79.98% compared to head (93342b1) 57.73%.

Oof. Is there a way to ignore / separate the fix stuff from the rest of the coverage? At least until I add in tests.

[cuixq]

does this mean that npm needs to be installed to re-lock?

[michaelkedar]

Yeah, we need npm to regenerate the package-lock.json from scratch.
It doesn't need to be installed if osv-scanner fix isn't regenerating the lockfile, but npm install would need to be run eventually.

[oliverchang]

how much work is this to do?

[michaelkedar]

It's probably not too much work for just the counts, as long as we still take the all-or-nothing approach to resolving the vulns.
I think I'll look at this after I port the interactive mode, since it might change how I list the vulnerabilities there.

[oliverchang]

add some high level comments explaining the logic in this function.

[michaelkedar]

Added

[oliverchang]

add a comment explaining this loop logic.

[michaelkedar]

Added

[another-rex]

Let's add some simple integration tests just to make sure it runs, and some small changes e.g. changes in the CLI don't accidentally break functionality.

[michaelkedar]

Let's add some simple integration tests just to make sure it runs, and some small changes e.g. changes in the CLI don't accidentally break functionality.

Added two basic end-to-end tests, bringing the coverage back up to ~70%. Might make the tests take slightly longer to run. Hopefully these don't break easily if new versions of packages are released, but I've tried to pick packages that are unlikely to change.

[another-rex]

LGTM, thanks!

[oliverchang]

Is this ready for merge @michaelkedar ?

[michaelkedar]

Oh yeah - this was ready to merge last week 🙂