Skip to content

Commit

Permalink
Merge pull request #3874 from snyk/feat/no-app-vulns
Browse files Browse the repository at this point in the history
feat: add flag to exclude app vulnerabilities
  • Loading branch information
tommyknows authored Oct 4, 2022
2 parents b0467ee + 9216c49 commit 0f54465
Show file tree
Hide file tree
Showing 4 changed files with 63 additions and 6 deletions.
21 changes: 18 additions & 3 deletions src/cli/commands/monitor/index.ts
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ import * as Debug from 'debug';
import * as pathUtil from 'path';
import { legacyPlugin as pluginApi } from '@snyk/cli-interface';
import { checkOSSPaths } from '../../../lib/check-paths';
import * as theme from '../../../lib/theme';

import {
MonitorOptions,
Expand Down Expand Up @@ -50,6 +51,11 @@ import { processCommandArgs } from '../process-command-args';

const SEPARATOR = '\n-------------------------------------------------------\n';
const debug = Debug('snyk');
const appVulnsReleaseWarningMsg = `${theme.icon.WARNING} Important: Beginning January 24th, 2023, application dependencies in container
images will be scanned by default when using the snyk container test/monitor
commands. If you are using Snyk in a CI pipeline, action may be required. Read
https://snyk.io/blog/securing-container-applications-using-the-snyk-cli/ for
more info.`;

// This is used instead of `let x; try { x = await ... } catch { cleanup }` to avoid
// declaring the type of x as possibly undefined.
Expand Down Expand Up @@ -87,9 +93,18 @@ export default async function monitor(...args0: MethodArgs): Promise<any> {
throw new Error('`--remote-repo-url` is not supported for container scans');
}

// TODO remove once https://github.com/snyk/cli/pull/3433 is merged
if (options.docker && !options['app-vulns']) {
options['exclude-app-vulns'] = true;
// TODO remove 'app-vulns' options and warning message once
// https://github.com/snyk/cli/pull/3433 is merged
if (options.docker) {
if (!options['app-vulns'] || options['exclude-app-vulns']) {
options['exclude-app-vulns'] = true;
}

// we can't print the warning message with JSON output as that would make
// the JSON output invalid.
if (!options['app-vulns'] && !options['json']) {
console.log(theme.color.status.warn(appVulnsReleaseWarningMsg));
}
}

// Handles no image arg provided to the container command until
Expand Down
22 changes: 19 additions & 3 deletions src/cli/commands/test/index.ts
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ const cloneDeep = require('lodash.clonedeep');
const assign = require('lodash.assign');
import chalk from 'chalk';
import { MissingArgError } from '../../../lib/errors';
import * as theme from '../../../lib/theme';

import * as snyk from '../../../lib';
import { Options, TestOptions } from '../../../lib/types';
Expand Down Expand Up @@ -48,6 +49,12 @@ import { checkOSSPaths } from '../../../lib/check-paths';
const debug = Debug('snyk-test');
const SEPARATOR = '\n-------------------------------------------------------\n';

const appVulnsReleaseWarningMsg = `${theme.icon.WARNING} Important: Beginning January 24th, 2023, application dependencies in container
images will be scanned by default when using the snyk container test/monitor
commands. If you are using Snyk in a CI pipeline, action may be required. Read
https://snyk.io/blog/securing-container-applications-using-the-snyk-cli/ for
more info.`;

// TODO: avoid using `as any` whenever it's possible

export default async function test(
Expand Down Expand Up @@ -88,9 +95,18 @@ export default async function test(
throw new MissingArgError();
}

// TODO remove once https://github.com/snyk/cli/pull/3433 is merged
if (options.docker && !options['app-vulns']) {
options['exclude-app-vulns'] = true;
// TODO remove 'app-vulns' options and warning message once
// https://github.com/snyk/cli/pull/3433 is merged
if (options.docker) {
if (!options['app-vulns'] || options['exclude-app-vulns']) {
options['exclude-app-vulns'] = true;
}

// we can't print the warning message with JSON output as that would make
// the JSON output invalid.
if (!options['app-vulns'] && !options['json']) {
console.log(theme.color.status.warn(appVulnsReleaseWarningMsg));
}
}

const ecosystem = getEcosystemForTest(options);
Expand Down
2 changes: 2 additions & 0 deletions src/lib/types.ts
Original file line number Diff line number Diff line change
Expand Up @@ -73,6 +73,7 @@ export interface Options {
experimental?: boolean;
// Used with the Docker plugin only. Allows application scanning.
'app-vulns'?: boolean;
'exclude-app-vulns'?: boolean;
debug?: boolean;
sarif?: boolean;
'group-issues'?: boolean;
Expand Down Expand Up @@ -107,6 +108,7 @@ export interface MonitorOptions {
experimental?: boolean;
// Used with the Docker plugin only. Allows application scanning.
'app-vulns'?: boolean;
'exclude-app-vulns'?: boolean;
initScript?: string;
yarnWorkspaces?: boolean;
'max-depth'?: number;
Expand Down
24 changes: 24 additions & 0 deletions test/jest/acceptance/snyk-test/app-vuln-container-project.spec.ts
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,30 @@ describe('container test projects behavior with --app-vulns, --file and --exclud
expect(jsonOutput[1].uniqueCount).toBeGreaterThan(0);
expect(code).toEqual(1);
}, 10000);
it('should find nothing when app-vulns are explicitly disabled', async () => {
const { code, stdout } = await runSnykCLI(
`container test docker-archive:test/fixtures/container-projects/os-packages-and-app-vulns.tar --json --exclude-app-vulns`,
);
const jsonOutput = JSON.parse(stdout);
expect(Array.isArray(jsonOutput)).toBeFalsy();
expect(jsonOutput.applications).toBeUndefined();
expect(jsonOutput.ok).toEqual(false);
expect(jsonOutput.uniqueCount).toBeGreaterThan(0);
expect(code).toEqual(1);
}, 10000);
it('should find nothing on conflicting app-vulns flags', async () => {
// if both flags are set, --exclude-app-vulns should take precedence and
// disable it.
const { code, stdout } = await runSnykCLI(
`container test docker-archive:test/fixtures/container-projects/os-packages-and-app-vulns.tar --json --app-vulns --exclude-app-vulns --experimental`,
);
const jsonOutput = JSON.parse(stdout);
expect(Array.isArray(jsonOutput)).toBeFalsy();
expect(jsonOutput.applications).toBeUndefined();
expect(jsonOutput.ok).toEqual(false);
expect(jsonOutput.uniqueCount).toBeGreaterThan(0);
expect(code).toEqual(1);
}, 10000);
it('should find all vulns when using --app-vulns without experimental flag', async () => {
const { code, stdout } = await runSnykCLI(
`container test docker-archive:test/fixtures/container-projects/os-packages-and-app-vulns.tar --json --app-vulns`,
Expand Down

0 comments on commit 0f54465

Please sign in to comment.