Merge pull request #5527 from snyk/tmp/1728633383-release-candidate

chore: Update release candidate

.circleci/config.yml

@@ -3,10 +3,10 @@ version: 2.1
 parameters:
   cli_download_base_url:
     type: string
-    default: 'https://static.snyk.io/'
+    default: 'https://downloads.snyk.io/'
   fips_cli_download_base_url:
     type: string
-    default: 'https://static.snyk.io/fips/'
+    default: 'https://downloads.snyk.io/fips/'
   go_download_base_url:
     type: string
     default: 'https://storage.googleapis.com/golang/'
@@ -35,8 +35,12 @@ orbs:
 executors:
   alpine:
     docker:
-      - image: alpine:3.17
+      - image: alpine:3.20
     resource_class: xlarge
+  alpine-arm64:
+    docker:
+      - image: alpine:3.20
+    resource_class: arm.xlarge
   generic-ubuntu:
     docker:
       - image: ubuntu:latest
@@ -56,6 +60,11 @@ executors:
       - image: snyklabs/cli-build-arm64:20240814-161347
     working_directory: /mnt/ramdisk/snyk
     resource_class: arm.large
+  docker-arm64-xl:
+    docker:
+      - image: snyklabs/cli-build-arm64:20240814-161347
+    working_directory: /mnt/ramdisk/snyk
+    resource_class: arm.xlarge
   linux-ubuntu-mantic-amd64:
     docker:
       - image: ubuntu:mantic
@@ -101,6 +110,11 @@ executors:
       # https://circleci.com/docs/2.0/testing-ios/#supported-xcode-versions
       xcode: '14.3.1'
     resource_class: macos.m1.medium.gen1
+  macos-arm64-large:
+    macos:
+      # https://circleci.com/docs/2.0/testing-ios/#supported-xcode-versions
+      xcode: '14.3.1'
+    resource_class: macos.m1.large.gen1
   win-server2022-amd64:
     machine:
       image: windows-server-2022-gui:2024.01.1
@@ -233,7 +247,7 @@ commands:
   install-deps-windows-full-signing:
     steps:
       - install-deps-windows-signing
-      - install-deps-windows-full
+      - install-deps-windows-make
 
   install-deps-windows-make:
     steps:
@@ -329,12 +343,21 @@ commands:
       - run:
           name: Installing Node.js + other test dependencies
           command: |
-            apk add --update nodejs npm bash maven git gradle python3 py3-pip elixir composer
+            arch=$(uname -m)
+            case "$arch" in
+            aarch64) arch="arm64";;
+            *) arch="amd64";;
+            esac
+            echo "using architecture: $arch"
+            apk add --update nodejs npm bash maven git python3 py3-pip elixir composer unzip
             pip3 install pipenv requests PyYAML setuptools==70.3.0
             wget https://dot.net/v1/dotnet-install.sh -O dotnet-install.sh && chmod +x dotnet-install.sh && ./dotnet-install.sh
-            wget https://go.dev/dl/go<< pipeline.parameters.go_version >>.linux-amd64.tar.gz -O /tmp/go.tgz && \
+            wget https://go.dev/dl/go<< pipeline.parameters.go_version >>.linux-$arch.tar.gz -O /tmp/go.tgz && \
               tar -C /usr/local -xzvf /tmp/go.tgz && \
               ln -s /usr/local/go/bin/go /usr/local/bin
+            wget https://services.gradle.org/distributions/gradle-8.10-bin.zip -O /tmp/gradle.zip && \
+              unzip -d /usr/local /tmp/gradle.zip && \
+              ln -s /usr/local/gradle-8.10/bin/gradle /usr/local/bin
 
   failed-release-notification:
     steps:
@@ -451,7 +474,7 @@ workflows:
           go_arch: amd64
           go_download_base_url: << pipeline.parameters.fips_go_download_base_url >>
           make_target: build clean-golang build-fips
-          executor: docker-amd64
+          executor: docker-amd64-xl
           requires:
             - prepare-build
 
@@ -462,7 +485,7 @@ workflows:
           go_arch: arm64
           go_download_base_url: << pipeline.parameters.fips_go_download_base_url >>
           make_target: build clean-golang build-fips
-          executor: docker-arm64
+          executor: docker-arm64-xl
           requires:
             - prepare-build
 
@@ -472,7 +495,18 @@ workflows:
           go_os: linux
           go_arch: amd64
           go_download_base_url: << pipeline.parameters.go_download_base_url >>
-          executor: docker-amd64
+          executor: docker-amd64-xl
+          c_compiler: /usr/bin/musl-gcc
+          requires:
+            - prepare-build
+
+      - build-artifact:
+          name: build alpine arm64
+          go_target_os: alpine
+          go_os: linux
+          go_arch: arm64
+          go_download_base_url: << pipeline.parameters.go_download_base_url >>
+          executor: docker-arm64-xl
           c_compiler: /usr/bin/musl-gcc
           requires:
             - prepare-build
@@ -483,7 +517,7 @@ workflows:
           go_os: darwin
           go_arch: amd64
           go_download_base_url: << pipeline.parameters.go_download_base_url >>
-          executor: macos-arm64
+          executor: macos-arm64-large
           install_deps_extension: macos-build
           context: snyk-macos-signing
           requires:
@@ -495,7 +529,7 @@ workflows:
           go_os: darwin
           go_arch: arm64
           go_download_base_url: << pipeline.parameters.go_download_base_url >>
-          executor: macos-arm64
+          executor: macos-arm64-large
           install_deps_extension: macos-build
           context: snyk-macos-signing
           requires:
@@ -590,6 +624,23 @@ workflows:
           install_deps_extension: alpine-full
           dont_skip_tests: 0
 
+      - acceptance-tests:
+          name: acceptance-tests alpine arm64
+          context:
+            - nodejs-install
+            - team_hammerhead-cli
+          filters:
+            branches:
+              ignore:
+                - main
+                - '/release.*/'
+          requires:
+            - build alpine arm64
+          executor: alpine-arm64
+          test_snyk_command: ./binary-releases/snyk-alpine-arm64
+          install_deps_extension: alpine-full
+          dont_skip_tests: 0
+
       - acceptance-tests:
           name: acceptance-tests macOS amd64
           context:
@@ -622,7 +673,7 @@ workflows:
           test_snyk_command: binary-releases\\snyk-win.exe
           install_deps_extension: windows-full
           dont_skip_tests: 0
-          shards: 4
+          shards: 8
           pre_test_cmds: Import-Module $env:ChocolateyInstall\helpers\chocolateyProfile.psm1; RefreshEnv
 
       - sign:
@@ -686,6 +737,7 @@ workflows:
             - sign macos arm64
             - sign windows amd64
             - build alpine amd64
+            - build alpine arm64
             - build linux amd64
             - build linux arm64
             - build fix & protect
@@ -1127,6 +1179,8 @@ jobs:
         default: 3
     executor: << parameters.executor >>
     parallelism: << parameters.shards >>
+    environment:
+      PIP_BREAK_SYSTEM_PACKAGES: 1
     steps:
       - prepare-workspace
       - install-deps-<< parameters.install_deps_extension >>
@@ -1371,6 +1425,9 @@ jobs:
       - run:
           name: Publish to GitHub
           command: ./release-scripts/upload-artifacts.sh github
+      - run:
+          name: Create Jira Release
+          command: ./release-scripts/create-jira-release.sh
       - failed-release-notification
 
   release-npm:

.github/workflows/smoke-tests.yml

@@ -18,14 +18,14 @@ jobs:
       matrix:
         os: [ubuntu, macos, windows]
         snyk_install_method: [binary, npm, yarn, brew]
-        node_version: [16, 18, 20]
+        node_version: [18, 20]
         exclude:
           # Skip yarn for Windows, as it's a bit crazy to get it working in CI environment. Unless we see evidence we need it, I'd avoid it
           - snyk_install_method: yarn
             os: windows
           # For binary, use only the Node 18
           - snyk_install_method: binary
-            node_version: 16
+            node_version: 18
           # No need to run brew tests on some Platforms
           - snyk_install_method: brew
             os: ubuntu
@@ -40,14 +40,14 @@ jobs:
             snyk_cli_dl_file: snyk-macos
           - snyk_install_method: alpine-binary
             os: ubuntu
-            node_version: 16
+            node_version: 18
             snyk_cli_dl_file: snyk-alpine
           - snyk_install_method: npm-root-user
             os: ubuntu
-            node_version: 16
+            node_version: 18
           - snyk_install_method: docker-bundle
             os: macos
-            node_version: 16
+            node_version: 18
             snyk_cli_dl_file: snyk-for-docker-desktop-darwin-x64.tar.gz
 
     steps:

.github/workflows/sync-cli-help-to-user-docs.yml

@@ -3,7 +3,7 @@ name: Synchronize Help
 on:
   workflow_dispatch:
   schedule:
-    - cron: '0 12 * * 1-5' # Mon-Fri at 12
+    - cron: '0 9 * * 1' # Mon at 9
   push:
     branches: [chore/docs-action]
 

.gitignore

@@ -37,6 +37,8 @@ report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
 /test/acceptance/workspaces/**/project/
 /test/acceptance/workspaces/**/target/
 test/acceptance/workspaces/**/.gradle
+test/acceptance/workspaces/**/.build
+test/acceptance/workspaces/**/Package.resolved
 test/**/.gradle
 .iac-data
 .dccache
@@ -47,7 +49,7 @@ tap-output
 .tap
 # Jest
 coverage
-test/fixtures/basic-swift/.build
-test/fixtures/basic-swift/Package.resolved
+test/fixtures/**/*/.build
+test/fixtures/**/*/Package.resolved
 scripts/Brewfile.lock.json
 test/fixtures/**/go.sum

.gitleaksignore

@@ -84,3 +84,4 @@ c2de35484dcad696a6ee32f2fa317d5cfaffc133:test/fixtures/code/sample-analyze-folde
 25f37b4c609380452b0b96c3853b69e4dc29bb48:test/jest/unit/lib/iac/drift/fixtures/all.console:aws-access-token:98
 ccd03cce97470452766ab397f2ba770dbb2e002e:test/jest/unit/lib/iac/drift/fixtures/all.console:aws-access-token:98
 test/jest/acceptance/instrumentation.spec.ts:snyk-api-token:19
+1b65935bc7c69b1029d7c63808af211ae6030c98:test/fixtures/sast/shallow_sast_webgoat/JWTFinalEndpointTest.java:jwt:31

.snyk

@@ -10,7 +10,7 @@ ignore:
   SNYK-JS-LODASHSET-1320032:
     - '*':
         reason: No upgrade path currently available
-        expires: 2024-09-13T13:14:22.120Z
+        expires: 2024-09-30T10:00:00.000Z
         created: 2023-09-13T13:14:22.120Z
   'snyk:lic:npm:shescape:MPL-2.0':
     - '*':
@@ -25,7 +25,7 @@ ignore:
   SNYK-JS-MICROMATCH-6838728:
     - '*':
         reason: Direct usage within Snyk CLI are not using vulnerable function
-        expires: 2024-08-13T04:12:20.523Z
+        expires: 2024-10-13T04:12:20.523Z
         created: 2024-05-14T04:12:20.531Z
 patch: {}
 exclude:

.vscode/launch.json

@@ -29,6 +29,38 @@
         "${workspaceRoot}/node_modules/.bin/jest",
         "--runInBand"
       ]
+    },
+    {
+      "type": "node",
+      "request": "launch",
+      "name": "snyk test",
+      "console": "integratedTerminal",
+      "program": "node_modules/.bin/ts-node",
+      "args": ["./src/cli/index.ts", "test"]
+    },
+    {
+      "type": "node",
+      "request": "launch",
+      "name": "snyk test --unmanaged",
+      "console": "integratedTerminal",
+      "program": "node_modules/.bin/ts-node",
+      "args": ["./src/cli/index.ts", "test", "--unmanaged"]
+    },
+    {
+      "type": "node",
+      "request": "launch",
+      "name": "snyk container test",
+      "console": "integratedTerminal",
+      "program": "node_modules/.bin/ts-node",
+      "args": ["./src/cli/index.ts", "container", "test", "snyk/snyk:linux"]
+    },
+    {
+      "type": "node",
+      "request": "launch",
+      "name": "snyk iac test",
+      "console": "integratedTerminal",
+      "program": "node_modules/.bin/ts-node",
+      "args": ["./src/cli/index.ts", "iac", "test", "--unmanaged"]
     }
   ]
 }

CONTRIBUTING.md

@@ -39,6 +39,8 @@ To build the project, run the following command in the root of the repository.
 
 ```sh
 make build
+# or
+make build-debug
 ```
 
 Run the build binary like this.
@@ -47,6 +49,30 @@ Run the build binary like this.
 ./binary-releases/snyk-macos --version
 ```
 
+## Debugging the go binary with VSCode
+
+1. Build the cli using `make build-debug`
+
+2. Save the `Installing` path from the build output
+
+3. Open your `.vscode/launch.json` file and add the following under `configurations`
+
+```json
+{
+  "name": "Attach to Go Process",
+  "type": "go",
+  "request": "attach",
+  "mode": "local",
+  "remotePath": "<your Installing path>"
+}
+```
+
+4. Add your break points
+
+5. Run the cli from your build path, you will see a prompt to attach a Debugger
+
+6. Run "Attach to Go Process" from under your debug tab
+
 ## Running tests
 
 You can run tests using standard Jest commands. See: [Jest CLI docs](https://jestjs.io/docs/cli).

Makefile

@@ -119,6 +119,10 @@ $(BINARY_RELEASES_FOLDER_TS_CLI)/snyk-alpine: prepack | $(BINARY_RELEASES_FOLDER
 	$(PKG) -t node$(PKG_NODE_VERSION)-alpine-x64 -o $(BINARY_RELEASES_FOLDER_TS_CLI)/snyk-alpine
 	$(MAKE) $(BINARY_RELEASES_FOLDER_TS_CLI)/snyk-alpine.sha256
 
+$(BINARY_RELEASES_FOLDER_TS_CLI)/snyk-alpine-arm64: prepack | $(BINARY_RELEASES_FOLDER_TS_CLI)
+	$(PKG) -t node$(PKG_NODE_VERSION)-alpine-arm64 -o $(BINARY_RELEASES_FOLDER_TS_CLI)/snyk-alpine-arm64 --no-bytecode
+	$(MAKE) $(BINARY_RELEASES_FOLDER_TS_CLI)/snyk-alpine-arm64.sha256
+
 $(BINARY_RELEASES_FOLDER_TS_CLI)/snyk-linux: prepack | $(BINARY_RELEASES_FOLDER_TS_CLI)
 	$(PKG) -t node$(PKG_NODE_VERSION)-linux-x64 -o $(BINARY_RELEASES_FOLDER_TS_CLI)/snyk-linux
 	$(MAKE) $(BINARY_RELEASES_FOLDER_TS_CLI)/snyk-linux.sha256
@@ -266,7 +270,7 @@ release-pre:
 	@echo "-- Validating artifacts"
 	@./release-scripts/validate-checksums.sh
 	@echo "-- Validating upload permissions"
-	@./release-scripts/upload-artifacts.sh --dry-run preview latest github npm
+	@./release-scripts/upload-artifacts.sh --dry-run latest github npm
 	@echo "-- Publishing to S3 /version"
 	@./release-scripts/upload-artifacts.sh version
 

binary-deployments.json

@@ -7,7 +7,8 @@
     "amd64": "snyk-win.exe"
   },
   "alpine": {
-    "amd64": "snyk-alpine"
+    "amd64": "snyk-alpine",
+    "arm64": "snyk-alpine-arm64"
   },
   "linux": {
     "amd64": "snyk-linux",