From 189c061cbdb5684a2b773854a745c1111a060bfa Mon Sep 17 00:00:00 2001
From: Asaf Agami
Date: Mon, 24 Jul 2023 12:18:04 +0300
Subject: [PATCH] Merge develop into master for release (#164)
---
 .circleci/config.yml | 8 ++++
 .github/CODEOWNERS | 2 +-
 .gitleaksignore | 1 +
 .pre-commit-config.yaml | 7 ++++
 .snyk | 15 ++++++++
 ops/deploy/run-test-pipelines.ts | 18 ++++++---
 snykTask/src/index.ts | 1 +
 snykTask/src/install/index.ts | 65 ++++++++++++++++++++++++++------
 8 files changed, 99 insertions(+), 18 deletions(-)
 create mode 100644 .gitleaksignore
 create mode 100644 .pre-commit-config.yaml
 create mode 100644 .snyk
diff --git a/.circleci/config.yml b/.circleci/config.yml
index 91723a31..44addd13 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -1,5 +1,8 @@
 version: 2.1
+orbs:
+ prodsec: snyk/prodsec-orb@1.0
+
 jobs:
 test:
 docker:
@@ -128,6 +131,11 @@ workflows:
 version: 2
 build_and_test:
 jobs:
+ - prodsec/secrets-scan:
+ name: Scan repository for secrets
+ context:
+ - snyk-bot-slack
+ channel: hammerhead-alerts
 - test
 - deploy_dev:
 requires:
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index bd0c6e9a..ab2112dd 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1 +1 @@
-* @snyk/road-runner
+* @snyk/hammerhead
diff --git a/.gitleaksignore b/.gitleaksignore
new file mode 100644
index 00000000..0d10b79e
--- /dev/null
+++ b/.gitleaksignore
@@ -0,0 +1 @@
+# add false positives here
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 00000000..a63e408d
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,7 @@
+# See https://pre-commit.com for more information
+# See https://pre-commit.com/hooks.html for more hooks
+repos:
+ - repo: https://github.com/gitleaks/gitleaks
+ rev: v8.17.0
+ hooks:
+ - id: gitleaks
diff --git a/.snyk b/.snyk
new file mode 100644
index 00000000..8434a190
--- /dev/null
+++ b/.snyk
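Review bot: The orb reference `snyk/prodsec-orb@1.0` in the new `orbs:` block of `.circleci/config.yml` floats across patch releases, so the code that runs in the secrets-scan job with the `snyk-bot-slack` context can change without any commit in this repository. Pinning the full version, `prodsec: snyk/prodsec-orb@<MAJOR.MINOR.PATCH>`, keeps the job reproducible and makes orb upgrades reviewable. The same applies to `rev: v8.17.0` in the new `.pre-commit-config.yaml`: a tag can be moved, a commit SHA cannot.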
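Review bot: In the second `.circleci/config.yml` hunk the new `prodsec/secrets-scan` job is listed beside `test`, but nothing visible makes `deploy_dev` depend on it, so a detected secret would raise an alert without stopping the deploy. The `requires:` list of `deploy_dev` continues outside the hunk; if gating is intended, add the job's name there, `- Scan repository for secrets`.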
@@ -0,0 +1,15 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.25.0
+# ignores vulnerabilities until expiry date; change duration by modifying expiry date
+ignore:
+ SNYK-JS-MOCKERY-3043117:
+ - '*':
+ reason: No upgrade available
+ expires: 2024-07-18T00:00:00.000Z
+ created: 2023-07-18T12:52:43.840Z
+ SNYK-JS-SEMVER-3247795:
+ - '*':
+ reason: No upgrade available
+ expires: 2024-07-18T00:00:00.000Z
+ created: 2023-07-18T12:52:32.034Z
+patch: {}
diff --git a/ops/deploy/run-test-pipelines.ts b/ops/deploy/run-test-pipelines.ts
index 7039dbb2..45c359f2 100644
--- a/ops/deploy/run-test-pipelines.ts
+++ b/ops/deploy/run-test-pipelines.ts
@@ -95,6 +95,10 @@ async function runBuild(
 ): Promise {
 let success = false;
+ console.log(
+ `Starting build for project: ${testProjectName} with build definition ID: ${testBuildDefinitionId}`,
+ );
+
 try {
 const launchPipelineResult = await launchBuildPipeline(
 webApi,
@@ -123,21 +127,23 @@ async function runBuild(
 }
 if (status === BuildStatus.Completed) {
- console.log('build is complete');
+ console.log(`build is complete for ${testProjectName}`);
 const result = checkBuildStatusRes.result;
 console.log(`build result: ${result}`);
 if (result) {
 if (result === BuildResult.Succeeded) {
- console.log('build succeeded');
+ console.log(`build succeeded for ${testProjectName}`);
 success = true;
 } else {
- console.log(`build did not succeed. BuildResult code: ${result}`);
+ console.log(
+ `build did not succeed for ${testProjectName}. BuildResult code: ${result}`,
+ );
 }
 }
 break;
 } else {
 console.log(
- `Still waiting for build ${buildId} to complete. Status: ${status}. Time: ${new Date().getTime()}`,
+ `Still waiting for build ${buildId} (${testProjectName}) to complete. Status: ${status}. Time: ${new Date().getTime()}`,
 );
 await asyncSleep(10000);
 }
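Review bot: Both ignore entries in the new `.snyk` policy use the `'*'` path with a one-year `expires`, so `SNYK-JS-MOCKERY-3043117` and `SNYK-JS-SEMVER-3247795` stay suppressed across the whole dependency tree until 2024-07-18, even if a fix ships much sooner. `reason: No upgrade available` records why nothing was upgraded, but not whether the vulnerable code path is reachable from this task. A shorter expiry and a reason that states that assessment would force a periodic re-check and give the next reviewer something to verify.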
@@ -150,7 +156,9 @@ async function runBuild(
 return Promise.reject();
 }
 } catch (err) {
- console.log('failed to launching / checking build');
+ console.log(
+ `Failed to launch/check build for project: ${testProjectName} with build definition ID: ${testBuildDefinitionId}`,
+ );
 console.log(err);
 console.log('\nrejecting - not successful');
 return Promise.reject();
diff --git a/snykTask/src/index.ts b/snykTask/src/index.ts
index 5f3b0f5f..cd73bb22 100644
--- a/snykTask/src/index.ts
+++ b/snykTask/src/index.ts
@@ -154,6 +154,7 @@ async function runSnykTest(
 .argIf(taskArgs.organization, `--org=${taskArgs.organization}`)
 .argIf(taskArgs.projectName, `--project-name=${projectNameArg}`)
 .arg(`--json-file-output=${jsonReportOutputPath}`)
+ .argIf(isDebugMode(), '-d')
 .line(taskArgs.additionalArguments);
 const options = getOptionsToExecuteSnykCLICommand(
diff --git a/snykTask/src/install/index.ts b/snykTask/src/install/index.ts
index e1ef389f..099d5a63 100644
--- a/snykTask/src/install/index.ts
+++ b/snykTask/src/install/index.ts
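Review bot: In `snykTask/src/index.ts`, `.argIf(isDebugMode(), '-d')` sends the CLI's debug output to the pipeline log whenever `isDebugMode()` is true, and nothing in the hunk says what that predicate checks or what the debug stream may contain. A comment above the line would help, for example `// Mirror pipeline debug mode into the Snyk CLI; output is verbose, confirm the auth token stays masked in logs`. Because `taskArgs.additionalArguments` is appended right after, a user who already passes `-d` there now gets the flag twice, which is presumably harmless but worth confirming. The argument builder chain starts and ends outside the hunk.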
@@ -53,18 +53,59 @@ export function getSnykDownloadInfo(platform: Platform): SnykDownloads {
 export async function downloadExecutable(
 targetDirectory: string,
 executable: Executable,
+ maxRetries = 5,
 ) {
- const fileWriter = fs.createWriteStream(
- path.join(targetDirectory, executable.filename),
- {
- mode: 0o766,
- },
- );
- return new Promise((resolve, reject) => {
- https.get(executable.downloadUrl, (response) => {
- response.on('end', () => resolve());
- response.on('error', (err) => reject(err));
- response.pipe(fileWriter);
- });
+ const filePath = path.join(targetDirectory, executable.filename);
+
+ // Check if the file already exists
+ if (fs.existsSync(filePath)) {
+ console.log(
+ `File ${executable.filename} already exists, skipping download.`,
+ );
+ return;
+ }
+
+ const fileWriter = fs.createWriteStream(filePath, {
+ mode: 0o766,
 });
+
+ // Wrapping the download in a function for easy retrying
+ const doDownload = () =>
+ new Promise((resolve, reject) => {
+ https.get(executable.downloadUrl, (response) => {
+ response.on('end', () => resolve());
+ response.on('error', (err) => {
+ console.error(
+ `Download of ${executable.filename} failed: ${err.message}`,
+ );
+ reject(err);
+ });
+ response.pipe(fileWriter);
+ });
+ });
+
+ // Try to download the file, retry up to `maxRetries` times if the attempt fails
+ for (let attempt = 0; attempt < maxRetries; attempt++) {
+ try {
+ await doDownload();
+ console.log(`Download successful for ${executable.filename}`);
+ break;
+ } catch (err) {
+ console.error(
+ `Download of ${executable.filename} failed: ${err.message}`,
+ );
+
+ // Don't wait before retrying the last attempt
+ if (attempt < maxRetries - 1) {
+ console.log(
+ `Retrying download of ${executable.filename} after 5 seconds...`,
+ );
+ await new Promise((resolve) => setTimeout(resolve, 5000));
+ } else {
+ console.error(
+ `All retries failed for ${executable.filename}: ${err.message}`,
+ );
+ }
+ }
+ }
 }
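Review bot: The retry loop in `downloadExecutable` reuses the single `fileWriter` created before `doDownload`, so a second attempt appends to whatever the failed response already wrote, and when every attempt fails the loop falls through and the function resolves as if the download had worked (the old code rejected). Connection-level errors are emitted on the request returned by `https.get`, which has no `'error'` handler here, so those failures never reach the `catch`; there is also no status-code check, and the promise resolves on the response's `'end'` rather than the writer's `'finish'`. The new `fs.existsSync` shortcut then trusts whatever is at `filePath`, including the empty or partial file a failed run leaves behind, and `mode: 0o766` keeps the binary writable by group and others, so on a shared agent the file that is later executed can be replaced. Using `0o755` and checking the download against a published checksum (if one is available for this URL) would close that gap. The sketch below creates the writer per attempt, removes partial output and rethrows the last error.

```typescript
  // … unchanged: signature, filePath and the existsSync early return …

  const doDownload = () =>
    new Promise<void>((resolve, reject) => {
      // Fresh writer per attempt (opening truncates), so a retry never appends to partial data.
      const fileWriter = fs.createWriteStream(filePath, { mode: 0o755 });
      const fail = (err: Error) => {
        fileWriter.destroy();
        // Remove partial output so a later run does not mistake it for a finished download.
        fs.unlink(filePath, () => reject(err));
      };
      fileWriter.on('error', fail);
      // Resolve once the data is flushed, not when the response merely ends.
      fileWriter.on('finish', () => resolve());
      https
        .get(executable.downloadUrl, (response) => {
          if (response.statusCode !== 200) {
            response.resume();
            fail(new Error(`Unexpected HTTP status ${response.statusCode}`));
            return;
          }
          response.on('error', fail);
          response.pipe(fileWriter);
        })
        // Connection-level failures are emitted on the request, not the response.
        .on('error', fail);
    });

  let lastError: unknown;
  for (let attempt = 0; attempt < maxRetries; attempt++) {
    try {
      await doDownload();
      return;
    } catch (err) {
      lastError = err;
      // … unchanged: logging and the 5-second wait between attempts …
    }
  }
  throw lastError;
```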