From d66c01fff4f8eb4434948b8c64c5529c3c9c7d4f Mon Sep 17 00:00:00 2001 From: Sonu Kapoor Date: Thu, 25 Jun 2026 16:12:28 +0200 Subject: [PATCH 1/4] fix: extract formatSeverityLabel and SEVERITY_ORDER to severity.ts to break circular import override-findings-terminal.ts imported formatSeverityLabel from formatters.ts while formatters.ts re-exported renderOverrideFindings from override-findings-terminal.ts. Moving the shared utilities to severity.ts removes the cycle and eliminates 35 test failures. --- src/output/formatters.ts | 11 ----------- src/utils/severity.ts | 13 +++++++++++++ 2 files changed, 13 insertions(+), 11 deletions(-) diff --git a/src/output/formatters.ts b/src/output/formatters.ts index 1b3c502..3a67bb0 100644 --- a/src/output/formatters.ts +++ b/src/output/formatters.ts @@ -14,16 +14,6 @@ import { getPrimaryParent } from "../utils/finding.js"; import { calculatePathCoverage, formatDependencyPath } from "../utils/path-coverage.js"; import { pluralize } from "../utils/string.js"; -export function formatSeverityLabel(severity: string): string { - const lower = severity.toLowerCase(); - if (lower === "critical") return chalk.redBright(severity); - if (lower === "high") return chalk.red(severity); - if (lower === "medium") return chalk.yellow(severity); - if (lower === "low") return chalk.blueBright(severity); - if (lower === "unknown") return chalk.magenta(severity); - return severity; -} - export function formatRelationshipLabel(value: string): string { if (value.startsWith("direct")) return chalk.green(value); if (value.startsWith("transitive")) return chalk.yellow(value); @@ -349,4 +339,3 @@ export function countUniqueAdvisories(findings: Finding[]): number { return new Set(findings.flatMap(f => f.vulnerabilities.map(v => v.id))).size; } -export { renderOverrideFindings } from "./override-findings-terminal.js"; diff --git a/src/utils/severity.ts b/src/utils/severity.ts index cd99f42..680dd1d 100644 --- a/src/utils/severity.ts +++ b/src/utils/severity.ts @@ -1,4 +1,17 @@ import type { SeverityLabel } from "../types.js"; +import { chalk } from "./chalk.js"; + +export const SEVERITY_ORDER: SeverityLabel[] = ["critical", "high", "medium", "low", "unknown", "none"]; + +export function formatSeverityLabel(severity: string): string { + const lower = severity.toLowerCase(); + if (lower === "critical") return chalk.redBright(severity); + if (lower === "high") return chalk.red(severity); + if (lower === "medium") return chalk.yellow(severity); + if (lower === "low") return chalk.blueBright(severity); + if (lower === "unknown") return chalk.magenta(severity); + return severity; +} export function countBySeverity(findings: T[]): Record { const counts: Record = { From 225d4cc01ca55a6205052c53484bab58305c1256 Mon Sep 17 00:00:00 2001 From: Sonu Kapoor Date: Thu, 25 Jun 2026 16:12:32 +0200 Subject: [PATCH 2/4] feat: improve override hygiene output in terminal and HTML modes Terminal: verbose mode uses cyan header without box-drawing separators; compact mode wraps the section in separator lines. Fix commands are deduplicated per ruleId. HTML: severity group rows carry both severity-group and severity CSS classes so border styles apply. Location cells show a separator between file and jsonPath. Fix commands render as an inline block with a copy button when runnableCommand is set. --- src/cli/overrides.ts | 2 +- src/output/html-reporter.ts | 16 +-- src/output/override-findings-html.ts | 19 +++- src/output/override-findings-terminal.ts | 134 +++++++++++++++++++---- 4 files changed, 132 insertions(+), 39 deletions(-) diff --git a/src/cli/overrides.ts b/src/cli/overrides.ts index 8d6c1ac..d071a16 100644 --- a/src/cli/overrides.ts +++ b/src/cli/overrides.ts @@ -5,7 +5,7 @@ import type { OverrideFinding } from "../overrides/index.js"; import { createAuditLog } from "../audit-log/index.js"; import type { AuditLogHandle } from "../audit-log/index.js"; import { EXIT_OK, EXIT_FINDINGS, EXIT_ERROR } from "../types.js"; -import { renderOverrideFindings } from "../output/formatters.js"; +import { renderOverrideFindings } from "../output/override-findings-terminal.js"; import type { Logger } from "../overrides/context.js"; interface RunArgs { diff --git a/src/output/html-reporter.ts b/src/output/html-reporter.ts index 844b114..30b4167 100644 --- a/src/output/html-reporter.ts +++ b/src/output/html-reporter.ts @@ -206,13 +206,13 @@ button.header-link:hover{color:#58a6ff;border-color:#58a6ff} .override-hygiene table tbody tr{border-bottom:1px solid #21262d} .override-hygiene table tbody tr:last-child{border-bottom:none} .override-hygiene table tbody tr.severity-group{background:#1c2128} -.override-hygiene table tbody tr.severity-group th{font-weight:600;color:#e6edf3;padding:10px 14px} +.override-hygiene table tbody tr.severity-group th{font-weight:600;color:#e6edf3;padding:10px 14px;text-align:left} .override-hygiene table tbody tr.finding td{padding:11px 14px;font-size:12px;color:#e6edf3;vertical-align:middle} -.override-hygiene table tbody tr.finding.critical{border-left:3px solid #f85149} -.override-hygiene table tbody tr.finding.high{border-left:3px solid #fb8500} -.override-hygiene table tbody tr.finding.medium{border-left:3px solid #e3b341} -.override-hygiene table tbody tr.finding.low{border-left:3px solid #388bfd} -.override-hygiene table tbody tr.finding.info{border-left:3px solid #8b949e}`; +.override-hygiene table tbody tr.critical{border-left:3px solid #f85149} +.override-hygiene table tbody tr.high{border-left:3px solid #fb8500} +.override-hygiene table tbody tr.medium{border-left:3px solid #e3b341} +.override-hygiene table tbody tr.low{border-left:3px solid #388bfd} +.override-hygiene table tbody tr.unknown{border-left:3px solid #8b949e}`; export function renderHtmlReport(data: ReportData): string { @@ -330,10 +330,10 @@ ${findingRowsHtml} -${noticesHtml} - ${renderOverrideFindingsHtml(data.overrideFindings)} +${noticesHtml} +
Generated by cve-lite v${escapeHtml(data.cliVersion)} ${escapeHtml(data.lockfileSource)}  ยท  ${data.findings.length} findings  ยท  ${data.packageCount} packages diff --git a/src/output/override-findings-html.ts b/src/output/override-findings-html.ts index 43ec9b7..2e6abd2 100644 --- a/src/output/override-findings-html.ts +++ b/src/output/override-findings-html.ts @@ -1,4 +1,6 @@ import type { OverrideFinding } from "../overrides/types.js"; +import type { SeverityLabel } from "../types.js"; +import { SEVERITY_ORDER } from "../utils/severity.js"; function esc(s: string): string { return s @@ -8,7 +10,6 @@ function esc(s: string): string { .replace(/"/g, """); } -const SEVERITY_ORDER = ["critical", "high", "medium", "low", "info"] as const; export function renderOverrideFindingsHtml( findings: ReadonlyArray | undefined @@ -28,22 +29,28 @@ export function renderOverrideFindingsHtml( `; } - const grouped = new Map(); + const grouped = new Map(); for (const sev of SEVERITY_ORDER) grouped.set(sev, []); - for (const f of findings) grouped.get(f.severity as typeof SEVERITY_ORDER[number])?.push(f); + for (const f of findings) grouped.get(f.severity)?.push(f); const rows: string[] = []; for (const sev of SEVERITY_ORDER) { const bucket = grouped.get(sev) ?? []; if (bucket.length === 0) continue; - rows.push(` ${esc(sev.toUpperCase())} (${bucket.length})`); + rows.push(` ${esc(sev.toUpperCase())} (${bucket.length})`); for (const f of bucket) { + const location = f.location.jsonPath + ? `${esc(f.location.file)} โ€บ ${esc(f.location.jsonPath)}` + : esc(f.location.file); + const fixHtml = f.fix?.runnableCommand + ? `
${esc(f.fix.runnableCommand)}
` + : ""; rows.push( ` ` + `${esc(f.ruleId)}` + `${esc(f.package.name)}` + - `${esc(f.location.file)}${f.location.jsonPath ? esc(f.location.jsonPath) : ""}` + - `${esc(f.message)}` + + `${location}` + + `${esc(f.message)}${fixHtml}` + `` ); } diff --git a/src/output/override-findings-terminal.ts b/src/output/override-findings-terminal.ts index ee312ed..f3e7695 100644 --- a/src/output/override-findings-terminal.ts +++ b/src/output/override-findings-terminal.ts @@ -1,42 +1,128 @@ import type { OverrideFinding } from "../overrides/types.js"; +import type { SeverityLabel } from "../types.js"; +import { chalk, stripAnsi } from "../utils/chalk.js"; +import { formatSeverityLabel, SEVERITY_ORDER } from "../utils/severity.js"; +import { pluralize } from "../utils/string.js"; -const SEVERITY_ORDER = ["critical", "high", "medium", "low", "info"] as const; - -export function renderOverrideFindings(findings: ReadonlyArray): string { - if (findings.length === 0) { - return "No override hygiene findings."; - } +const COL_RULE_MAX = 8; +const COL_PKG_MAX = 30; +const COL_MSG_MAX = 50; +export function renderOverrideFindings( + findings: ReadonlyArray, + options?: { verbose?: boolean }, +): string { const lines: string[] = []; lines.push(""); - lines.push("Override hygiene"); - lines.push("================"); + if (options?.verbose) { + lines.push(chalk.bold.cyan("๐Ÿ” Override Hygiene")); + } else { + lines.push("โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€"); + lines.push(chalk.bold("๐Ÿ” Override Hygiene")); + lines.push("โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€"); + } lines.push(""); - const grouped = new Map(); - for (const sev of SEVERITY_ORDER) grouped.set(sev, []); - for (const f of findings) { - grouped.get(f.severity as typeof SEVERITY_ORDER[number])?.push(f); + if (findings.length === 0) { + lines.push(chalk.greenBright("โœ” No override hygiene issues found.")); + return lines.join("\n"); } + const grouped = new Map(); + for (const sev of SEVERITY_ORDER) grouped.set(sev, []); + for (const f of findings) grouped.get(f.severity)?.push(f); + for (const sev of SEVERITY_ORDER) { const bucket = grouped.get(sev) ?? []; if (bucket.length === 0) continue; - lines.push(`${sev.toUpperCase()} (${bucket.length})`); - lines.push("-".repeat(`${sev.toUpperCase()} (${bucket.length})`.length)); - for (const f of bucket) { - lines.push(` ${f.ruleId} ${f.package.name}`); - lines.push(` ${f.location.file}${f.location.jsonPath ? `${f.location.jsonPath}` : ""}`); - lines.push(` ${f.message}`); - if (f.fix) { - lines.push(` fix: autofix available (${f.fix.patch.length} op${f.fix.patch.length === 1 ? "" : "s"})`); - if (f.fix.runnableCommand) { - lines.push(` run: ${f.fix.runnableCommand}`); - } + + lines.push(`${formatSeverityLabel(sev.toUpperCase())} (${bucket.length})`); + + const sorted = [...bucket].sort((a, b) => a.ruleId.localeCompare(b.ruleId)); + + const ruleWidth = Math.min(COL_RULE_MAX, Math.max(4, ...sorted.map(f => f.ruleId.length))); + const pkgWidth = Math.min(COL_PKG_MAX, Math.max(7, ...sorted.map(f => f.package.name.length))); + const msgWidth = Math.min(COL_MSG_MAX, Math.max(7, ...sorted.map(f => + Math.min(COL_MSG_MAX, Math.max(f.message.length, locationString(f).length)), + ))); + + const hr = (l: string, m: string, r: string) => + l + "โ”€".repeat(ruleWidth + 2) + m + "โ”€".repeat(pkgWidth + 2) + m + "โ”€".repeat(msgWidth + 2) + r; + + lines.push(hr("โ”Œ", "โ”ฌ", "โ”")); + lines.push(tableRow(["Rule", "Package", "Message"], [ruleWidth, pkgWidth, msgWidth])); + lines.push(hr("โ”œ", "โ”ผ", "โ”ค")); + + for (let i = 0; i < sorted.length; i++) { + const f = sorted[i]!; + const msgLines = wrapText(f.message, msgWidth); + const locLines = wrapText(locationString(f), msgWidth); + + lines.push(tableRow([chalk.gray(f.ruleId), chalk.whiteBright(f.package.name), msgLines[0] ?? ""], [ruleWidth, pkgWidth, msgWidth])); + for (let m = 1; m < msgLines.length; m++) { + lines.push(tableRow(["", "", msgLines[m]!], [ruleWidth, pkgWidth, msgWidth])); + } + for (const locLine of locLines) { + lines.push(tableRow(["", "", chalk.gray(locLine)], [ruleWidth, pkgWidth, msgWidth])); + } + + if (i < sorted.length - 1) lines.push(hr("โ”œ", "โ”ผ", "โ”ค")); + } + + lines.push(hr("โ””", "โ”ด", "โ”˜")); + + const seenRules = new Set(); + for (const f of sorted) { + if (f.fix?.runnableCommand && !seenRules.has(f.ruleId)) { + seenRules.add(f.ruleId); + lines.push(chalk.bold.cyan(`> ${f.fix.runnableCommand}`)); } - lines.push(""); } + + lines.push(""); } + const worstSev = SEVERITY_ORDER.find(s => (grouped.get(s) ?? []).length > 0); + const footerColor = worstSev === "critical" || worstSev === "high" ? chalk.redBright : chalk.yellow; + lines.push(footerColor(`${findings.length} override hygiene ${pluralize(findings.length, "issue")} found.`)); + lines.push(""); + lines.push(chalk.gray("โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€")); + return lines.join("\n"); } + +function locationString(f: OverrideFinding): string { + return f.location.jsonPath + ? `${f.location.file} โ€บ ${f.location.jsonPath}` + : f.location.file; +} + +function tableRow(cells: string[], widths: number[]): string { + return "โ”‚" + cells.map((c, i) => padCell(c, widths[i]!)).join("โ”‚") + "โ”‚"; +} + +function padCell(value: string, width: number): string { + const truncated = truncate(value, width); + const visible = stripAnsi(truncated).length; + return ` ${truncated}${" ".repeat(Math.max(0, width - visible))} `; +} + +function truncate(value: string, width: number): string { + const plain = stripAnsi(value); + if (plain.length <= width) return value; + return plain.slice(0, Math.max(0, width - 1)) + "โ€ฆ"; +} + +function wrapText(text: string, width: number): string[] { + if (text.length <= width) return [text]; + const lines: string[] = []; + let remaining = text.trim(); + while (remaining.length > width) { + let breakAt = remaining.lastIndexOf(" ", width); + if (breakAt <= 0) breakAt = width; + lines.push(remaining.slice(0, breakAt).trimEnd()); + remaining = remaining.slice(breakAt).trimStart(); + } + if (remaining.length > 0) lines.push(remaining); + return lines.length > 0 ? lines : [text]; +} From afc94e097761f3810c50ecdefc80c3d1dbe310f2 Mon Sep 17 00:00:00 2001 From: Sonu Kapoor Date: Thu, 25 Jun 2026 16:12:36 +0200 Subject: [PATCH 3/4] feat: thread override count and package manager through output printers printActionSummary, printFinalStatus, printSuggestedFixCommands, and printCompactOutput now accept overrideCount so override hygiene issues appear in the quick-take section, suggested-fix coverage note, and final status line. printActionSummary and printCompactOutput also accept packageManager to surface it at the top of output. --- src/index.ts | 27 ++++++++++------ src/output/printers.ts | 60 ++++++++++++++++++++++++----------- src/scan/multi-folder-scan.ts | 4 +-- 3 files changed, 60 insertions(+), 31 deletions(-) diff --git a/src/index.ts b/src/index.ts index 9046083..7eb713d 100644 --- a/src/index.ts +++ b/src/index.ts @@ -617,9 +617,13 @@ if (parsedArgs) { if (!(options.json || options.sarif || options.cdx) || options.verbose) { const offline = !!options.offline || !!options.offlineDb; if (options.verbose) { + const overrideCount = options.checkOverrides ? overrideFindings.length : 0; printSummary(scanState.sorted, packages.length, scanInput); - printActionSummary(scanState.sorted); - printSuggestedFixCommands(scanState.sorted, scanInput, { offline }); + const pmLabel = scanState.suggestedFixCommands + ? `${chalk.cyan(scanState.suggestedFixCommands.packageManager)} ${chalk.gray(`(${scanState.suggestedFixCommands.sourceLabel})`)}` + : undefined; + printActionSummary(scanState.sorted, overrideCount, pmLabel); + printSuggestedFixCommands(scanState.sorted, scanInput, { offline, overrideCount }); printSuggestedFixCommandSkips(scanState.sorted, scanInput, { offline }); if (scanInput.skippedDependencies.length > 0) { printSkippedDependencies(scanInput.skippedDependencies); @@ -634,16 +638,19 @@ if (parsedArgs) { logInfo(`No findings met the table threshold of ${scanState.minSeverity}. Re-run with --all to show everything.`, options); } } + if (options.checkOverrides && overrideFindings.length > 0) { + console.log(renderOverrideFindings(overrideFindings, { verbose: true })); + } printCoverage([...scanInput.notes, ...scanState.coverage]); - printFinalStatus(scanState.sorted); + printFinalStatus(scanState.sorted, overrideCount); } else { - printCompactOutput(scanState.sorted, scanInput, { offline, all: !!options.all }); - } - // Override hygiene section: --check-overrides collects these and threads - // them to JSON/SARIF/HTML; render them in the terminal too so the feature - // is visible in a plain scan, not only in machine output (#35). - if (options.checkOverrides) { - console.log(renderOverrideFindings(overrideFindings)); + const compactPmLabel = scanState.suggestedFixCommands + ? `${chalk.cyan(scanState.suggestedFixCommands.packageManager)} ${chalk.gray(`(${scanState.suggestedFixCommands.sourceLabel})`)}` + : undefined; + printCompactOutput(scanState.sorted, scanInput, { offline, all: !!options.all, packageManager: compactPmLabel }); + if (options.checkOverrides) { + console.log(renderOverrideFindings(overrideFindings, { verbose: false })); + } } } } diff --git a/src/output/printers.ts b/src/output/printers.ts index daf09d3..5adcf5b 100644 --- a/src/output/printers.ts +++ b/src/output/printers.ts @@ -5,12 +5,12 @@ import { isMajorVersionBump } from "../utils/version.js"; import { getPrimaryParent } from "../utils/finding.js"; import { countUniqueAdvisories, - formatSeverityLabel, formatRelationshipLabel, formatRelLabel, sortFindingsForOutput, formatFixCommandWithPublishDates, } from "./formatters.js"; +import { formatSeverityLabel } from "../utils/severity.js"; import { pluralize } from "../utils/string.js"; import { selectFindingsForCompact } from "./finding-display.js"; import { @@ -50,8 +50,8 @@ export function printSummary(findings: Finding[], packageCount: number, scanInpu console.log(renderSeverityTable(counts)); } -export function printActionSummary(findings: Finding[]) { - if (findings.length === 0) return; +export function printActionSummary(findings: Finding[], overrideCount = 0, packageManager?: string) { + if (findings.length === 0 && overrideCount === 0) return; const direct = findings.filter(f => f.relationship === "direct").length; const transitive = findings.filter(f => f.relationship === "transitive").length; const unknown = findings.filter(f => f.relationship === "unknown").length; @@ -60,13 +60,21 @@ export function printActionSummary(findings: Finding[]) { console.log(""); console.log(chalk.bold.cyan("Quick take")); - console.log(`- ${chalk.green(String(direct))} vulnerable ${pluralize(direct, "package")} look directly fixable in this project.`); - console.log(`- ${chalk.yellow(String(transitive))} ${pluralize(transitive, "issue")} come through other dependencies.`); - if (unknown > 0) { - console.log(`- ${chalk.magenta(String(unknown))} ${pluralize(unknown, "package")} could not be clearly classified as direct or transitive.`); + if (packageManager) { + console.log(`- ${chalk.gray("Package manager:")} ${packageManager}`); + } + if (findings.length > 0) { + console.log(`- ${chalk.green(String(direct))} vulnerable ${pluralize(direct, "package")} look directly fixable in this project.`); + console.log(`- ${chalk.yellow(String(transitive))} ${pluralize(transitive, "issue")} come through other dependencies.`); + if (unknown > 0) { + console.log(`- ${chalk.magenta(String(unknown))} ${pluralize(unknown, "package")} could not be clearly classified as direct or transitive.`); + } + console.log(`- ${chalk.blueBright(String(uniqueAdvisories))} ${pluralize(uniqueAdvisories, "CVE")} matched overall.`); + console.log(`- ${chalk.blue(String(fixable))} ${pluralize(fixable, "package")} include a fixed-version hint from OSV.`); + } + if (overrideCount > 0) { + console.log(`- ${chalk.yellow(String(overrideCount))} override hygiene ${pluralize(overrideCount, "issue")} found. Run ${chalk.white("cve-lite overrides --fix")} to address ${pluralize(overrideCount, "it", "them")}.`); } - console.log(`- ${chalk.blueBright(String(uniqueAdvisories))} ${pluralize(uniqueAdvisories, "CVE")} matched overall.`); - console.log(`- ${chalk.blue(String(fixable))} ${pluralize(fixable, "package")} include a fixed-version hint from OSV.`); } function printChainProofLines(targets: SuggestedFixTarget[]): void { @@ -86,7 +94,7 @@ function printChainProofLines(targets: SuggestedFixTarget[]): void { export function printSuggestedFixCommands( findings: Finding[], scanInput: ScanInput, - options?: { offline?: boolean; subfolder?: string }, + options?: { offline?: boolean; subfolder?: string; overrideCount?: number }, ) { const plan = buildSuggestedFixCommandPlan(findings, scanInput, options); if (!plan) return; @@ -96,7 +104,6 @@ export function printSuggestedFixCommands( console.log(""); console.log(chalk.bold.yellow("๐Ÿ›  Suggested Fix Commands")); - console.log(`${chalk.gray("Detected package manager:")} ${chalk.cyan(plan.packageManager)} ${chalk.gray(`(${plan.sourceLabel})`)}`); console.log(chalk.white(formatFixCommandSummary(plan))); for (const section of plan.sections) { @@ -137,9 +144,13 @@ export function printSuggestedFixCommands( if (plan.coveredFindingCount > 0) { console.log(""); const coverage = plan.coveredFindingCount === plan.totalFindingCount - ? chalk.gray(`Running all commands above should fix all ${plan.totalFindingCount} findings.`) - : chalk.gray(`Running all commands above should fix ${chalk.white(String(plan.coveredFindingCount))} of ${chalk.white(String(plan.totalFindingCount))} findings.`); + ? chalk.gray(`Running all commands above should fix all ${plan.totalFindingCount} vulnerability ${pluralize(plan.totalFindingCount, "finding")}.`) + : chalk.gray(`Running all commands above should fix ${chalk.white(String(plan.coveredFindingCount))} of ${chalk.white(String(plan.totalFindingCount))} vulnerability findings.`); console.log(coverage); + const overrideCount = options?.overrideCount ?? 0; + if (overrideCount > 0) { + console.log(chalk.gray(`${overrideCount} override hygiene ${pluralize(overrideCount, "issue")} also ${pluralize(overrideCount, "requires", "require")} attention - see the Override Hygiene section below.`)); + } } } @@ -301,12 +312,20 @@ export function printTable(findings: Finding[], threshold: SeverityLabel | null, } } -export function printFinalStatus(findings: Finding[]) { +export function printFinalStatus(findings: Finding[], overrideCount = 0) { console.log(""); console.log(chalk.gray("โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€")); + const overrideSuffix = overrideCount > 0 + ? `, ${overrideCount} override hygiene ${pluralize(overrideCount, "issue")}` + : ""; + if (findings.length === 0) { - console.log(chalk.greenBright("โœ” Scan complete. No known vulnerabilities found.")); + if (overrideCount > 0) { + console.log(chalk.yellow(`โ–ฒ Scan complete. No known vulnerabilities found, but ${overrideCount} override hygiene ${pluralize(overrideCount, "issue")} detected.`)); + } else { + console.log(chalk.greenBright("โœ” Scan complete. No known vulnerabilities found.")); + } return; } @@ -316,7 +335,7 @@ export function printFinalStatus(findings: Finding[]) { if (criticalCount > 0 || highCount > 0) { console.log( chalk.redBright( - `โœ– Scan complete. ${findings.length} ${pluralize(findings.length, "issue")} found (${criticalCount} critical, ${highCount} high). Start with the priority fixes above.` + `โœ– Scan complete. ${findings.length} ${pluralize(findings.length, "vulnerability")}${overrideSuffix} found (${criticalCount} critical, ${highCount} high). Start with the priority fixes above.` ) ); return; @@ -324,7 +343,7 @@ export function printFinalStatus(findings: Finding[]) { console.log( chalk.yellow( - `โ–ฒ Scan complete. ${findings.length} ${pluralize(findings.length, "issue")} found. Review the suggested fix plan above.` + `โ–ฒ Scan complete. ${findings.length} ${pluralize(findings.length, "vulnerability")}${overrideSuffix} found. Review the suggested fix plan above.` ) ); } @@ -386,10 +405,13 @@ function wrapCell(value: string, width: number): string[] { export function printCompactOutput( findings: Finding[], scanInput?: ScanInput, - options?: { offline?: boolean; all?: boolean; subfolder?: string }, + options?: { offline?: boolean; all?: boolean; subfolder?: string; packageManager?: string }, ) { console.log(""); - + if (options?.packageManager) { + console.log(chalk.gray("Package manager: ") + options.packageManager); + } + if (findings.length === 0) { console.log(chalk.greenBright("โœ” Scan complete. No known vulnerabilities found.")); console.log(""); diff --git a/src/scan/multi-folder-scan.ts b/src/scan/multi-folder-scan.ts index e31d4fb..c3ae2b5 100644 --- a/src/scan/multi-folder-scan.ts +++ b/src/scan/multi-folder-scan.ts @@ -137,10 +137,10 @@ export async function handleMultiFolderScan(params: { } else { printMultiFolderResults(results, params.options); if (params.options.checkOverrides) { - const { renderOverrideFindings } = await import("../output/formatters.js"); + const { renderOverrideFindings } = await import("../output/override-findings-terminal.js"); for (const r of results) { process.stdout.write(`\n${chalk.bold.cyan(`๐Ÿ“ ${r.subfolder}/`)} ${chalk.gray("override hygiene")}\n`); - console.log(renderOverrideFindings(r.overrideFindings)); + console.log(renderOverrideFindings(r.overrideFindings, { verbose: !!params.options.verbose })); } } } From fe7d7a440d7b219e9e9c56362a1ab79b4452589c Mon Sep 17 00:00:00 2001 From: Sonu Kapoor Date: Thu, 25 Jun 2026 16:12:41 +0200 Subject: [PATCH 4/4] tests: add unit tests for override findings output improvements - 12 terminal tests: verbose vs compact header rendering, footer count, fix command deduplication, empty-findings paths for both modes - 12 HTML tests: location separator, fix command block, severity group class, critical- before-high ordering, copy button, no-fix-command case - 9 output.test.ts tests: overrideCount param in printActionSummary, printFinalStatus, printSuggestedFixCommands; packageManager param in printCompactOutput and printActionSummary --- tests/output.test.ts | 97 ++++++++++++++++++- tests/output/override-findings-html.test.ts | 56 +++++++++++ .../output/override-findings-terminal.test.ts | 42 +++++++- 3 files changed, 189 insertions(+), 6 deletions(-) diff --git a/tests/output.test.ts b/tests/output.test.ts index a56fd63..fa06f9a 100644 --- a/tests/output.test.ts +++ b/tests/output.test.ts @@ -1182,7 +1182,7 @@ describe("output printers", () => { expect(lines.join("\n")).toContain("Package"); expect(lines.join("\n")).toContain("lodash"); expect(lines.join("\n")).toContain("OSV-123"); - expect(lines.join("\n")).toContain("โœ– Scan complete. 1 issue found (1 critical, 0 high)."); + expect(lines.join("\n")).toContain("โœ– Scan complete. 1 vulnerability found (1 critical, 0 high)."); }); it("shows โš  no fix in the Fixed column when firstFixedVersion is null", () => { @@ -1313,7 +1313,6 @@ describe("output printers", () => { }); expect(lines.join("\n")).toContain("Suggested Fix Commands"); - expect(lines.join("\n")).toContain("Detected package manager: npm (package-lock.json)"); expect(lines.join("\n")).toContain("2 command groups ready across 2 packages"); expect(lines.join("\n")).toContain("Critical severity fix commands"); expect(lines.join("\n")).toContain("> npm install minimist@1.2.8"); @@ -2330,3 +2329,97 @@ describe("formatRelLabel", () => { expect(formatRelLabel(finding)).toBe("transitive"); }); }); + +describe("printActionSummary - override count", () => { + it("shows override hygiene message when overrideCount > 0", () => { + const consoleSpy = jest.spyOn(console, "log").mockImplementation(() => {}); + printActionSummary([], 2); + const out = consoleSpy.mock.calls.map(c => stripAnsi(String(c[0]))).join("\n"); + expect(out).toContain("2 override hygiene issues found"); + consoleSpy.mockRestore(); + }); + + it("omits override hygiene message when overrideCount is 0", () => { + const consoleSpy = jest.spyOn(console, "log").mockImplementation(() => {}); + printActionSummary([createFinding()], 0); + const out = consoleSpy.mock.calls.map(c => stripAnsi(String(c[0]))).join("\n"); + expect(out).not.toContain("override hygiene"); + consoleSpy.mockRestore(); + }); + + it("shows package manager when provided", () => { + const consoleSpy = jest.spyOn(console, "log").mockImplementation(() => {}); + printActionSummary([createFinding()], 0, "npm (package-lock.json)"); + const out = consoleSpy.mock.calls.map(c => stripAnsi(String(c[0]))).join("\n"); + expect(out).toContain("Package manager:"); + expect(out).toContain("npm (package-lock.json)"); + consoleSpy.mockRestore(); + }); +}); + +describe("printFinalStatus - override count", () => { + it("includes override count in status when overrides exist but no vulns", () => { + const consoleSpy = jest.spyOn(console, "log").mockImplementation(() => {}); + printFinalStatus([], 3); + const out = consoleSpy.mock.calls.map(c => stripAnsi(String(c[0]))).join("\n"); + expect(out).toContain("No known vulnerabilities found"); + expect(out).toContain("3 override hygiene issues"); + consoleSpy.mockRestore(); + }); + + it("appends override count to vuln status line when both exist", () => { + const consoleSpy = jest.spyOn(console, "log").mockImplementation(() => {}); + printFinalStatus([createFinding()], 2); + const out = consoleSpy.mock.calls.map(c => stripAnsi(String(c[0]))).join("\n"); + expect(out).toContain("1 vulnerability"); + expect(out).toContain("2 override hygiene issues"); + consoleSpy.mockRestore(); + }); + + it("does not mention overrides when overrideCount is 0", () => { + const consoleSpy = jest.spyOn(console, "log").mockImplementation(() => {}); + printFinalStatus([createFinding()], 0); + const out = consoleSpy.mock.calls.map(c => stripAnsi(String(c[0]))).join("\n"); + expect(out).not.toContain("override hygiene"); + consoleSpy.mockRestore(); + }); +}); + +describe("printSuggestedFixCommands - override count", () => { + it("appends override attention line when overrideCount > 0", () => { + const consoleSpy = jest.spyOn(console, "log").mockImplementation(() => {}); + const findings = [createFinding({ firstFixedVersion: "1.0.0" })]; + printSuggestedFixCommands(findings, createScanInputForSource("package-lock"), { overrideCount: 1 }); + const out = consoleSpy.mock.calls.map(c => stripAnsi(String(c[0]))).join("\n"); + expect(out).toContain("override hygiene"); + consoleSpy.mockRestore(); + }); + + it("omits override attention line when overrideCount is 0", () => { + const consoleSpy = jest.spyOn(console, "log").mockImplementation(() => {}); + const findings = [createFinding({ firstFixedVersion: "1.0.0" })]; + printSuggestedFixCommands(findings, createScanInputForSource("package-lock"), { overrideCount: 0 }); + const out = consoleSpy.mock.calls.map(c => stripAnsi(String(c[0]))).join("\n"); + expect(out).not.toContain("override hygiene"); + consoleSpy.mockRestore(); + }); +}); + +describe("printCompactOutput - packageManager option", () => { + it("shows package manager line when packageManager option is provided", () => { + const consoleSpy = jest.spyOn(console, "log").mockImplementation(() => {}); + printCompactOutput([createFinding()], createScanInput(), { packageManager: "pnpm (pnpm-lock.yaml)" }); + const out = consoleSpy.mock.calls.map(c => stripAnsi(String(c[0]))).join("\n"); + expect(out).toContain("Package manager:"); + expect(out).toContain("pnpm (pnpm-lock.yaml)"); + consoleSpy.mockRestore(); + }); + + it("omits package manager line when packageManager option is absent", () => { + const consoleSpy = jest.spyOn(console, "log").mockImplementation(() => {}); + printCompactOutput([createFinding()], createScanInput(), {}); + const out = consoleSpy.mock.calls.map(c => stripAnsi(String(c[0]))).join("\n"); + expect(out).not.toContain("Package manager:"); + consoleSpy.mockRestore(); + }); +}); diff --git a/tests/output/override-findings-html.test.ts b/tests/output/override-findings-html.test.ts index f387694..e14663f 100644 --- a/tests/output/override-findings-html.test.ts +++ b/tests/output/override-findings-html.test.ts @@ -45,4 +45,60 @@ describe("renderOverrideFindingsHtml", () => { expect(html).not.toContain(""); expect(html).toContain("<SCRIPT>"); }); + + it("renders location with separator when jsonPath is present", () => { + const html = renderOverrideFindingsHtml([ + f({ location: { file: "package.json", jsonPath: "/overrides/postcss" } }), + ]); + expect(html).toContain("package.json โ€บ /overrides/postcss"); + }); + + it("renders location without separator when jsonPath is absent", () => { + const html = renderOverrideFindingsHtml([ + f({ location: { file: "package.json" } }), + ]); + expect(html).toContain("package.json"); + expect(html).not.toContain("โ€บ"); + }); + + it("renders fix command block with copy button when runnableCommand is present", () => { + const html = renderOverrideFindingsHtml([ + f({ + fix: { + type: "rfc6902", + patch: [{ op: "remove", path: "/overrides/postcss" }], + runnableCommand: "cve-lite overrides --fix --rule OA001", + }, + }), + ]); + expect(html).toContain("fix-cmd-inline"); + expect(html).toContain("copy-btn"); + expect(html).toContain("cve-lite overrides --fix --rule OA001"); + }); + + it("omits fix command block when no runnableCommand", () => { + const html = renderOverrideFindingsHtml([f()]); + expect(html).not.toContain("fix-cmd-inline"); + expect(html).not.toContain("copy-btn"); + }); + + it("severity group row has both severity-group and severity class", () => { + const html = renderOverrideFindingsHtml([f({ severity: "high" })]); + expect(html).toContain('class="severity-group high"'); + }); + + it("severity group header cell shows severity label and count", () => { + const html = renderOverrideFindingsHtml([f({ severity: "high" }), f({ ruleId: "OA002", severity: "high" })]); + expect(html).toContain("HIGH (2)"); + }); + + it("groups critical findings before high findings", () => { + const html = renderOverrideFindingsHtml([ + f({ ruleId: "OA010", severity: "high" }), + f({ ruleId: "OA020", severity: "critical", package: { name: "lodash" } }), + ]); + const critIdx = html.indexOf("OA020"); + const highIdx = html.indexOf("OA010"); + expect(critIdx).toBeLessThan(highIdx); + }); }); diff --git a/tests/output/override-findings-terminal.test.ts b/tests/output/override-findings-terminal.test.ts index a13168b..1f381c0 100644 --- a/tests/output/override-findings-terminal.test.ts +++ b/tests/output/override-findings-terminal.test.ts @@ -13,7 +13,7 @@ const f = (over: Partial = {}): OverrideFinding => ({ describe("renderOverrideFindings (terminal)", () => { it("returns a friendly empty message when there are no findings", () => { const out = renderOverrideFindings([]); - expect(out).toMatch(/no override hygiene findings/i); + expect(out).toMatch(/no override hygiene issues found/i); }); it("renders a section header followed by one row per finding", () => { @@ -50,7 +50,7 @@ describe("renderOverrideFindings (terminal)", () => { }, }), ]); - expect(out).toMatch(/run: cve-lite overrides --fix --rule OA001/); + expect(out).toMatch(/> cve-lite overrides --fix --rule OA001/); }); it("omits the run line when a fix has no runnableCommand", () => { @@ -62,7 +62,41 @@ describe("renderOverrideFindings (terminal)", () => { }, }), ]); - expect(out).toMatch(/fix: autofix available/); - expect(out).not.toMatch(/run:/); + expect(out).not.toMatch(/>/); + }); + + it("verbose mode shows a cyan header without leading box-drawing separators", () => { + const out = renderOverrideFindings([f()], { verbose: true }); + expect(out).toMatch(/Override Hygiene/i); + const headerIdx = out.indexOf("Override Hygiene"); + const separatorBefore = out.lastIndexOf("โ”€โ”€โ”€โ”€", headerIdx); + expect(separatorBefore).toBe(-1); + }); + + it("compact mode (default) wraps the header in box-drawing separators", () => { + const out = renderOverrideFindings([f()]); + expect(out).toMatch(/โ”€โ”€โ”€โ”€/); + expect(out).toMatch(/Override Hygiene/i); + const headerIdx = out.indexOf("Override Hygiene"); + const separatorBefore = out.lastIndexOf("โ”€โ”€โ”€โ”€", headerIdx); + expect(separatorBefore).toBeGreaterThan(-1); + }); + + it("verbose empty shows no override issues without separator", () => { + const out = renderOverrideFindings([], { verbose: true }); + expect(out).toMatch(/no override hygiene issues found/i); + expect(out).not.toMatch(/โ”€โ”€โ”€โ”€/); + }); + + it("shows a footer count line matching the number of findings", () => { + const out = renderOverrideFindings([f(), f({ ruleId: "OA002", severity: "high" })]); + expect(out).toMatch(/2 override hygiene issues found/i); + }); + + it("deduplicates fix commands - only one command per ruleId", () => { + const fix = { type: "rfc6902" as const, patch: [], runnableCommand: "cve-lite overrides --fix --rule OA001" }; + const out = renderOverrideFindings([f({ fix }), f({ fix })]); + const count = (out.match(/> cve-lite overrides --fix --rule OA001/g) ?? []).length; + expect(count).toBe(1); }); });