Merge branch main into chore/merge-rc-back-to-main

help/cli-commands/container-monitor.md

@@ -134,6 +134,12 @@ In earlier releases, cannot be used with `--app-vulns`.
 
 For more information see [Detecting application vulnerabilities in container images](https://docs.snyk.io/scan-using-snyk/snyk-container/use-snyk-container-from-the-web-ui/detect-application-vulnerabilities-in-container-images)
 
+### `--exclude-node-modules`
+
+Allow disabling the scan of node_modules directories inside node.js container images; in CLI versions v1.1292.0 and higher, node_modules scanning is enabled by default.
+
+When the node_modules scan is disabled, snyk will report vulnerabilities for npm projects sourced from application file pairs: [package.json, package-lock.json], [package.json, yarn.lock].
+
 ### `--nested-jars-depth`
 
 When `app-vulns` is enabled, use the `--nested-jars-depth=n` option to set how many levels of nested jars Snyk is to unpack. Depth must be a number.

package.json

@@ -116,7 +116,7 @@
     "semver": "^6.0.0",
     "snyk-config": "^5.0.0",
     "snyk-cpp-plugin": "2.24.0",
-    "snyk-docker-plugin": "6.13.18",
+    "snyk-docker-plugin": "6.14.0",
     "snyk-go-plugin": "1.23.0",
     "snyk-gradle-plugin": "4.7.0",
     "snyk-module": "3.1.0",

src/lib/snyk-test/legacy.ts

@@ -165,6 +165,7 @@ export interface LegacyVulnApiResult extends BasicResultData {
   filesystemPolicy?: boolean;
   uniqueCount?: any;
   remediation?: RemediationChanges;
+  depGraph?: depGraphLib.DepGraphData;
 }
 
 export interface BaseImageRemediation {
@@ -452,6 +453,10 @@ function convertTestDepGraphResultToLegacy(
     remediation: result.remediation,
   };
 
+  if (options['print-deps'] && options['json-file-output']) {
+    legacyRes.depGraph = depGraph.toJSON();
+  }
+
   return legacyRes;
 }
 

src/lib/types.ts

@@ -144,6 +144,7 @@ export interface MonitorOptions {
   // Used with the Docker plugin only. Allows application scanning.
   'app-vulns'?: boolean;
   'exclude-app-vulns'?: boolean;
+  'exclude-node-modules'?: boolean;
   initScript?: string;
   yarnWorkspaces?: boolean;
   'max-depth'?: number;

test/jest/acceptance/cli-json-file-output.spec.ts

@@ -4,6 +4,7 @@ import { createProjectFromWorkspace } from '../util/createProject';
 import { runSnykCLI } from '../util/runSnykCLI';
 import { humanFileSize } from '../../utils';
 import { getServerPort } from '../util/getServerPort';
+import * as depGraphLib from '@snyk/dep-graph';
 
 jest.setTimeout(1000 * 60);
 
@@ -112,4 +113,45 @@ describe('test --json-file-output', () => {
     expect(fileExists).toBeFalsy();
     expect(code).toEqual(0);
   });
+
+  describe('print-deps and json-file-output', () => {
+    it('saves JSON output to file with depGraph when --print-deps and --json-file-output are being used', async () => {
+      const project = await createProjectFromWorkspace('maven-app');
+      const outputPath = 'json-file-output.json';
+
+      const { code } = await runSnykCLI(
+        `test --print-deps --json-file-output=${outputPath}`,
+        {
+          cwd: project.path(),
+          env,
+        },
+      );
+
+      expect(code).toEqual(0);
+      const json = await project.readJSON(outputPath);
+      expect(json.depGraph).toBeTruthy();
+      const depGraph = depGraphLib.createFromJSON(json.depGraph);
+      expect(depGraph.getPkgs()).toContainEqual({
+        name: 'axis:axis',
+        version: '1.4',
+      });
+    });
+
+    it('saves JSON output to file without a depGraph when --print-deps is not used', async () => {
+      const project = await createProjectFromWorkspace('maven-app');
+      const outputPath = 'json-file-output.json';
+
+      const { code } = await runSnykCLI(
+        `test --json-file-output=${outputPath}`,
+        {
+          cwd: project.path(),
+          env,
+        },
+      );
+
+      expect(code).toEqual(0);
+      const json = await project.readJSON(outputPath);
+      expect(json.depGraph).toBeUndefined();
+    });
+  });
 });

test/jest/acceptance/snyk-test/app-vuln-container-project.spec.ts

@@ -167,3 +167,39 @@ describe('container test projects behavior with --json flag', () => {
     expect(code).toEqual(0);
   });
 });
+
+describe('container test projects behavior with --exclude-node-modules flag', () => {
+  // Dockerfile for node-slim-image.tar
+  // FROM node:alpine
+
+  // COPY package.json /goof1/
+  // COPY package-lock.json /goof1/
+  // COPY package.json /
+  // COPY package-lock.json /
+  // WORKDIR /goof1
+  // RUN npm install
+  // WORKDIR /
+  // RUN npm install
+  it('should scan npm projects only when package.json and package-lock.json pairs are identified in the container image', async () => {
+    const { code, stdout } = await runSnykCLI(
+      `container test docker-archive:test/fixtures/container-projects/node-slim-image.tar --exclude-node-modules --json --exclude-base-image-vulns`,
+    );
+    const jsonOutput = JSON.parse(stdout);
+    const applications = jsonOutput.applications;
+
+    expect(applications.length).toEqual(2);
+    expect(code).toEqual(1);
+  }, 30000);
+
+  it('should scan npm projects from package.json and package-lock.json pairs and node_modules dependencies', async () => {
+    const { code, stdout } = await runSnykCLI(
+      `container test docker-archive:test/fixtures/container-projects/node-slim-image.tar --json --exclude-base-image-vulns`,
+    );
+    const jsonOutput = JSON.parse(stdout);
+    const applications = jsonOutput.applications;
+
+    expect(applications.length).toEqual(3);
+
+    expect(code).toEqual(1);
+  }, 30000);
+});