feat: container add --exclude-node-modules option #5636
Merged
+51
−8
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
adrobuta
force-pushed
the
feat/exclude-node-modules-vulns
branch
from
6361aab to
4756f27
Compare
sandor-trombitas
approved these changes
Dec 19, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Pull Request Submission Checklist
What does this PR do?
Before v6.12.0, the docker cli plugin was able to scan npm projects only when strict package.json and package-lock.json pairs of files were identified within container images. The pair of files had to be outside of a node_modules folder’s context in order to avoid creating projects out of the dependencies. Scanning container images that had the manifests/lockfiles removed was not possible and customer needs were created to remove that constraint.
The scanning of npm global and local scoped node_modules directories has been enabled as a default behavior when a node.js image is scanned.
Adding an option to opt-out from the node_modules scan allows the user to scan npm projects only when [strict package.json and package-lock.json pairs] are identified in the container image, thus re-enabling the original npm scan behavior.
Where should the reviewer start?
How should this be manually tested?
Dockerfile:
`FROM node:18-alpine
COPY package.json /goof1/
COPY package-lock.json /goof1/
COPY package.json /
COPY package-lock.json /
WORKDIR /goof1
RUN npm install
WORKDIR /
RUN npm install`
docker build -t npm7-image .2. Run test/monitor without disabling node_modules scan on the nodejs image
SNYK_API=https://app.pre-prod.snyk.io/api/v1 snyk container test npm7-image:latestExpected Results:
Global node_modules are scanned.
A log line should appear that describes the target scanned:
Target file: /usr/local/lib/node_modulesSNYK_API=https://app.pre-prod.snyk.io/api/v1 snyk container test npm7-image:latest --exclude-node-modulesExpected Results
Global node_modules are excluded from the scan.