forked from snyk/artifactory-snyk-security-plugin
[pull] main from snyk:main #4
Open: pull wants to merge 63 commits into Hawthorne001:main from snyk:main
…sions fix: [OSM-1018] update vulnerable transitive versions
…for-maven-requests fix: remove topLevelOnly query for reqs
feat: add prodsec/security_scans
`snyk.io/api` is the legacy and deprecated way to access Snyk APIs. Let's default to `api.snyk.io` instead.
refactor: use api.snyk.io as default url
chore: document how to run the plugin locally [OSM-2184]
Adding new ecosystem support in small steps because the diff for the original work is too massive. First baby step = introducing the Ecosystem enum and extracting the file matching logic to it.
chore: extract ecosystem enum [OSM-2231]
In preparation for feeding cached test result into the validation step, extracting the validator to its own class. This commit does not introduce any behavioural changes, only lays the ground for the next iteration. In a follow-up step, we will allow skipping of the test so that gatekeeping is based on cached results.
chore: extract Package Validator [OSM-2240]
In order to let the validation run against cached artifact metadata rather than a full test result, introducing a model representing vuln summary. For the time being, the model is always created from a test result but in a follow-up PR we'll also support deriving it from cached data. This way we'll be able to avoid making an unnecessary Snyk Test request when there is fresh vuln information already.
chore: introduce artefact model [OSM-2240]
...instead of raw test result. This refactor sets the scene for reading cached artifacts from properties, which will allow skipping tests when issue data is fresh.
…ifact-rather-than-raw-test-result chore: write properties based on artefact [OSM-2240]
Adding structure to MonitoredArtifact and pushing the TestResult model into the scanners. Also moving property writing logic into model classes. This is the final refactor before implementing retrieval of test results from properties to reduce the number of requests to the Snyk API.
…fact chore: extract TestResult from MonitoredArtifact [OSM-2240]
Introducing a new configuration property `snyk.scanner.frequency.hours` defaulting to 168 (1 week). As long as there is a test result younger than the TTL indicated by the test frequency, the plugin skips making a test and filters access based on the previous result.
feat: skip Snyk tests when cache is fresh [OSM-2240]
Introduces a new param `snyk.scanner.extendTestDeadline.hours`. In case there is a Snyk request error when the next test is due, this parameter allows the plugin to use the previous test result when deciding whether to block access.
…o-help-handle-snyk-errors feat: add extendTestDeadline param to help handle Snyk errors
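The gating rule described in the two commits above (skip the Snyk test while a cached result is younger than `snyk.scanner.frequency.hours`; on a Snyk request error, keep trusting a stale result for up to `snyk.scanner.extendTestDeadline.hours` more), written out as an added example. This is not the plugin's own code: the class, record and exception names are hypothetical, and the fail-closed behaviour once nothing usable is left is an assumption, not something the commits state.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Optional;
import java.util.function.Supplier;

// Added example, not the plugin's code. Property names come from the commit messages;
// class, record and exception names are hypothetical.
public final class CachedTestGate {

    // Minimal cached-result model: when the test ran and whether its verdict blocks access.
    public record CachedResult(Instant testedAt, boolean blocks) {}

    // Stands in for any failed request to the Snyk API (network error, 5xx, timeout).
    public static final class SnykRequestException extends RuntimeException {
        public SnykRequestException(String msg) { super(msg); }
    }

    private final Duration frequency;          // snyk.scanner.frequency.hours (default 168 = 1 week)
    private final Duration extendTestDeadline; // snyk.scanner.extendTestDeadline.hours

    public CachedTestGate(long frequencyHours, long extendTestDeadlineHours) {
        this.frequency = Duration.ofHours(frequencyHours);
        this.extendTestDeadline = Duration.ofHours(extendTestDeadlineHours);
    }

    /** Returns true if the download must be blocked. snykTest is only invoked when a test is due. */
    public boolean shouldBlock(Optional<CachedResult> cached, Instant now, Supplier<CachedResult> snykTest) {
        Optional<Duration> age = cached.map(c -> Duration.between(c.testedAt(), now));
        if (age.isPresent() && age.get().compareTo(frequency) < 0) {
            return cached.get().blocks();           // fresh cache: no request to Snyk at all
        }
        try {
            return snykTest.get().blocks();         // test is due, or nothing is cached yet
        } catch (SnykRequestException e) {
            // Snyk errored. A stale result is still trusted within frequency + extendTestDeadline.
            // Assumption: with no usable result at all, the download is blocked (fail closed).
            boolean withinExtension = age.isPresent()
                    && age.get().compareTo(frequency.plus(extendTestDeadline)) < 0;
            return !withinExtension || cached.get().blocks();
        }
    }

    public static void main(String[] args) {
        CachedTestGate gate = new CachedTestGate(168, 24);
        Instant now = Instant.parse("2024-06-10T12:00:00Z");
        // Constructed sample: a passing result that is 170h old (past the 168h TTL) during a Snyk outage.
        CachedResult stale = new CachedResult(now.minus(Duration.ofHours(170)), false);
        Supplier<CachedResult> outage = () -> { throw new SnykRequestException("503 from api.snyk.io"); };
        System.out.println("stale within extension -> block? " + gate.shouldBlock(Optional.of(stale), now, outage));
        System.out.println("no cache during outage -> block? " + gate.shouldBlock(Optional.empty(), now, outage));
    }
}
```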
The error message would always mention license issues, even when blocking because of vulnerabilities.
…king-access fix: typo in error message when blocking access
This commit points the details URLs to the new pages (security.snyk.io) and introduces a log message to confirm that the URLs are being written to Artifactory properties.
fix: refresh snyk details URLs
There is a UI bug in Artifactory: the app crashes when rendering URL properties. This is a workaround for the bug which adds a whitespace to the property, causing the value to render correctly.
Adding Snyk package URL to the error messages. Also adding AssertJ as the vanilla JUnit assertion API is rather limited.
...to pull in a fix for this vuln: https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-7569538. Also removing the explicit dependency for `jackson-annotations` as it is not needed.
…-user-agent feat: include artifactory version in user agent
…ror-messages feat: include snyk details URL in error messages
chore: upgrade Jackson
When severity threshold is set to `none`, download should be allowed regardless of the issues discovered.
fix: respect NONE severity threshold
Introducing a new lifecycle method `beforeRemoteDownload` which applies when a package is being fetched from external repositories instead of on every download. Adding a new configuration property `snyk.scanner.test.continuously` which allows users to switch between applying the plugin on every download (continuous mode) or just once during fetch from remote (non-continuous mode).
feat: add continuous testing mode
Package ecosystems were previously determined based on file extension. This would not scale as we expand the plugin with further ecosystems, e.g. both `pypi` and `cocoapods` use the `.tar.gz` extension. This commit switches to the `packageType` field provided by Artifactory's `RepositoryConfiguration` model in order to determine the ecosystem without relying on file extensions.
…ckage-type chore: resolve ecosystem based on package type
Preparation for adding support for Gems, Nuget, and Cocoapods. Making the `SnykClient` more generic, so that it can be more easily re-used for the REST PURL endpoint. Moving the ecosystem-specific methods into the ecosystem scanners so that it's easier to comprehend each scanner.
chore: simplify the API client
Another step towards making the API client work for the PURL REST endpoints: dropping the `v1/` part from the base URL, and moving it into the v1 API request paths.
feat: drop the `v1/` suffix from base URLs
feat: add support for Ruby Gems
Similar to the Gems scanner, CocoaPods and Nuget are powered by Snyk's PURL test API. Disabled by default so these new ecosystems won't be scanned unless explicitly opted-in.
feat: add support for CocoaPods and Nuget ecosystems
Switching the hook which gates artifact downloads from `afterRemoteDownload` to `afterCreate`. For some ecosystems, e.g. Python and Cocoapods, properties would fail to write during the `afterRemoteDownload`. This would manifest with the following error message in Artifactory logs:

```
Cannot add properties for <repository path> Item not found.
```

The `afterCreate` hook is also attached to initial downloads of artifacts, and properties are successfully created in this context across all ecosystems supported by this plugin.
…-afterCreate feat: switch first lifecycle hook to afterCreate
Just in case anyone (myself in 2 days) isn't sure how to quickly set up local ecosystem tools to try out the plugin - adding some tips to the README.
…pported-ecosystem docs: document how to set up local dev tools with Artifactory
…gle-properties docs: document missing ecosystem toggle properties
For artifacts coming with a `v` prefix in the artifactory path, e.g. `libwebp-v1.3.0.tar.gz`, the parsed version number should skip the prefix, i.e., it should be `1.3.0` and not `v1.3.0`.
fix: strip off version prefix when parsing CocoaPods paths
chore: add perm ignores for trans deps of provided artifactory-papi
See Commits and Changes for more details.
Created by pull[bot]
Can you help keep this open source service alive? 💖 Please sponsor : )