
feat: pkg id provenance labels #5635

Merged
merged 1 commit into from
Dec 20, 2024

Conversation

gitphill
Contributor

@gitphill gitphill commented Dec 19, 2024

Pull Request Submission Checklist

  • Follows CONTRIBUTING guidelines
  • Includes detailed description of changes
  • Contains risk assessment (Low | Medium | High)
  • Highlights breaking API changes (if applicable)
  • Links to automated tests covering new functionality
  • Includes manual testing instructions (if necessary)
  • Updates relevant GitBook documentation (PR link: ___)

What does this PR do?

Add 'pkgIdProvenance' labels to dependency graph nodes when the package identity has been changed from what has been discovered in the manifest files.

This can happen in ecosystems like Python where package names are case insensitive, and Snyk needs to normalize them to match vulnerabilities.

This new label allows users to see what the package was originally called.

How should this be manually tested?

snyk test --print-deps --json-file-output=out.json
cat out.json | jq .depGraph

On a Python project where the package name gets changed, for example if using Django instead of django.
On each node where the package name has changed there is now a label:

{
  "nodeId": "[email protected]",
  "pkgId": "[email protected]",
  "info": {
    "labels": {
      "pkgIdProvenance": "[email protected]"
    }
  }
}

Or a Gradle project when using --gradle-normalize-deps.

{
  "nodeId": "org.apache.logging.log4j:[email protected]",
  "pkgId": "org.apache.logging.log4j:[email protected]",
  "info": {
    "labels": {
      "pkgIdProvenance": "my.logging:[email protected]"
    }
  }
}

See plugin changes:
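The manual test above only eyeballs the label in jq output. The following is an added example, not code from the snyk CLI or this PR, showing how a consumer of the `depGraph` JSON can audit every node whose identity was rewritten and separate renames that are explained purely by Python name normalization (assumed here to follow PEP 503: lowercase, runs of `-`, `_` and `.` collapsed to `-`) from renames that should be reviewed by hand, such as the Gradle coordinate remap in the second example. The sample graph, its versions and the helper names (`findRenamedNodes`, `isCaseOnlyRename`, `splitPkgId`) are constructed for this illustration.

```typescript
// Added example (not snyk CLI code): audit a depGraph for nodes whose package
// identity differs from what the manifest declared, via the pkgIdProvenance label.

interface DepGraphNode {
  nodeId: string;
  pkgId: string;
  deps?: { nodeId: string }[];
  info?: { labels?: Record<string, string> };
}

interface DepGraph {
  pkgManager?: { name: string };
  graph: { rootNodeId: string; nodes: DepGraphNode[] };
}

interface Renamed {
  nodeId: string;
  pkgId: string;        // identity Snyk now uses for vuln matching
  originalPkgId: string; // identity found in the manifest (the label value)
}

// Collect nodes carrying a pkgIdProvenance label that differs from the current pkgId.
function findRenamedNodes(graph: DepGraph): Renamed[] {
  const out: Renamed[] = [];
  for (const node of graph.graph.nodes) {
    const original = node.info?.labels?.pkgIdProvenance;
    if (original !== undefined && original !== node.pkgId) {
      out.push({ nodeId: node.nodeId, pkgId: node.pkgId, originalPkgId: original });
    }
  }
  return out;
}

// Assumption: Python name normalization as in PEP 503; this is not Snyk's implementation.
function normalizePythonName(name: string): string {
  return name.replace(/[-_.]+/g, '-').toLowerCase();
}

// Split "name@version" on the last '@' so scoped ids such as "@scope/pkg@1.0.0" survive.
function splitPkgId(pkgId: string): { name: string; version: string } {
  const at = pkgId.lastIndexOf('@');
  if (at <= 0) return { name: pkgId, version: '' };
  return { name: pkgId.slice(0, at), version: pkgId.slice(at + 1) };
}

// True when the rename is fully explained by Python name normalization and the
// version is untouched; anything else (e.g. a Gradle coordinate remap) needs review.
function isCaseOnlyRename(r: Renamed): boolean {
  const before = splitPkgId(r.originalPkgId);
  const after = splitPkgId(r.pkgId);
  return before.version === after.version && normalizePythonName(before.name) === after.name;
}

// Constructed sample depGraph (versions made up) mirroring the PR's Python example.
const SAMPLE: DepGraph = {
  pkgManager: { name: 'pip' },
  graph: {
    rootNodeId: 'root-node',
    nodes: [
      { nodeId: 'root-node', pkgId: 'app@0.0.0',
        deps: [{ nodeId: 'django@4.2.0' }, { nodeId: 'requests@2.31.0' }] },
      { nodeId: 'django@4.2.0', pkgId: 'django@4.2.0', deps: [],
        info: { labels: { pkgIdProvenance: 'Django@4.2.0' } } },
      { nodeId: 'requests@2.31.0', pkgId: 'requests@2.31.0', deps: [] },
    ],
  },
};

// Report each rewritten node and whether the rewrite is a benign normalization.
function auditReport(graph: DepGraph): string[] {
  return findRenamedNodes(graph).map((r) =>
    `${r.originalPkgId} -> ${r.pkgId} ${isCaseOnlyRename(r) ? '(normalized)' : '(REVIEW)'}`);
}

// Usage: run `snyk test --print-deps --json-file-output=out.json`, then pass
// JSON.parse(fs.readFileSync('out.json', 'utf8')).depGraph to auditReport().
console.log(auditReport(SAMPLE).join('\n'));
```

A node without the label is simply skipped, so the report stays empty on projects where no identity was rewritten; the `(REVIEW)` marker is where a practitioner would confirm that a remapped coordinate really points at the package the manifest intended.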

@gitphill gitphill self-assigned this Dec 19, 2024
@gitphill gitphill force-pushed the feat/pkg-id-provenance branch 2 times, most recently from 8640074 to 289e665 Compare December 19, 2024 17:10
@gitphill gitphill marked this pull request as ready for review December 19, 2024 17:10
@gitphill gitphill requested a review from a team as a code owner December 19, 2024 17:10
@gitphill gitphill force-pushed the feat/pkg-id-provenance branch from 289e665 to 1935b97 Compare December 20, 2024 09:00
Add 'pkgIdProvenance' labels to dependency graph nodes when the
package identity has been changed from what has been discovered
in the manifest files.

This can happen in ecosystems like Python where package names
are case insensitive, and Snyk needs to normalize them to match
vulnerabilities.

This new label allows users to see what the package was originally
called.
@gitphill gitphill force-pushed the feat/pkg-id-provenance branch from 1935b97 to 4d529b3 Compare December 20, 2024 10:32
@gitphill gitphill merged commit 5812c0e into main Dec 20, 2024
8 checks passed
@gitphill gitphill deleted the feat/pkg-id-provenance branch December 20, 2024 11:16