diff --git a/src/cli/commands/monitor/index.ts b/src/cli/commands/monitor/index.ts index 4256991afc..a328380418 100644 --- a/src/cli/commands/monitor/index.ts +++ b/src/cli/commands/monitor/index.ts @@ -4,6 +4,7 @@ import * as Debug from 'debug'; import * as pathUtil from 'path'; import { legacyPlugin as pluginApi } from '@snyk/cli-interface'; import { checkOSSPaths } from '../../../lib/check-paths'; +import * as theme from '../../../lib/theme'; import { MonitorOptions, @@ -50,6 +51,11 @@ import { processCommandArgs } from '../process-command-args'; const SEPARATOR = '\n-------------------------------------------------------\n'; const debug = Debug('snyk'); +const appVulnsReleaseWarningMsg = `${theme.icon.WARNING} Important: Beginning January 24th, 2023, application dependencies in container +images will be scanned by default when using the snyk container test/monitor +commands. If you are using Snyk in a CI pipeline, action may be required. Read +https://snyk.io/blog/securing-container-applications-using-the-snyk-cli/ for +more info.`; // This is used instead of `let x; try { x = await ... } catch { cleanup }` to avoid // declaring the type of x as possibly undefined. @@ -87,9 +93,18 @@ export default async function monitor(...args0: MethodArgs): Promise { throw new Error('`--remote-repo-url` is not supported for container scans'); } - // TODO remove once https://github.com/snyk/cli/pull/3433 is merged - if (options.docker && !options['app-vulns']) { - options['exclude-app-vulns'] = true; + // TODO remove 'app-vulns' options and warning message once + // https://github.com/snyk/cli/pull/3433 is merged + if (options.docker) { + if (!options['app-vulns'] || options['exclude-app-vulns']) { + options['exclude-app-vulns'] = true; + } + + // we can't print the warning message with JSON output as that would make + // the JSON output invalid. + if (!options['app-vulns'] && !options['json']) { + console.log(theme.color.status.warn(appVulnsReleaseWarningMsg)); + } } // Handles no image arg provided to the container command until diff --git a/src/cli/commands/test/index.ts b/src/cli/commands/test/index.ts index cbad39fd0f..631bb32f11 100644 --- a/src/cli/commands/test/index.ts +++ b/src/cli/commands/test/index.ts @@ -4,6 +4,7 @@ const cloneDeep = require('lodash.clonedeep'); const assign = require('lodash.assign'); import chalk from 'chalk'; import { MissingArgError } from '../../../lib/errors'; +import * as theme from '../../../lib/theme'; import * as snyk from '../../../lib'; import { Options, TestOptions } from '../../../lib/types'; @@ -48,6 +49,12 @@ import { checkOSSPaths } from '../../../lib/check-paths'; const debug = Debug('snyk-test'); const SEPARATOR = '\n-------------------------------------------------------\n'; +const appVulnsReleaseWarningMsg = `${theme.icon.WARNING} Important: Beginning January 24th, 2023, application dependencies in container +images will be scanned by default when using the snyk container test/monitor +commands. If you are using Snyk in a CI pipeline, action may be required. Read +https://snyk.io/blog/securing-container-applications-using-the-snyk-cli/ for +more info.`; + // TODO: avoid using `as any` whenever it's possible export default async function test( @@ -88,9 +95,18 @@ export default async function test( throw new MissingArgError(); } - // TODO remove once https://github.com/snyk/cli/pull/3433 is merged - if (options.docker && !options['app-vulns']) { - options['exclude-app-vulns'] = true; + // TODO remove 'app-vulns' options and warning message once + // https://github.com/snyk/cli/pull/3433 is merged + if (options.docker) { + if (!options['app-vulns'] || options['exclude-app-vulns']) { + options['exclude-app-vulns'] = true; + } + + // we can't print the warning message with JSON output as that would make + // the JSON output invalid. + if (!options['app-vulns'] && !options['json']) { + console.log(theme.color.status.warn(appVulnsReleaseWarningMsg)); + } } const ecosystem = getEcosystemForTest(options); diff --git a/src/lib/types.ts b/src/lib/types.ts index 3705e27bf4..e206643d40 100644 --- a/src/lib/types.ts +++ b/src/lib/types.ts @@ -73,6 +73,7 @@ export interface Options { experimental?: boolean; // Used with the Docker plugin only. Allows application scanning. 'app-vulns'?: boolean; + 'exclude-app-vulns'?: boolean; debug?: boolean; sarif?: boolean; 'group-issues'?: boolean; @@ -107,6 +108,7 @@ export interface MonitorOptions { experimental?: boolean; // Used with the Docker plugin only. Allows application scanning. 'app-vulns'?: boolean; + 'exclude-app-vulns'?: boolean; initScript?: string; yarnWorkspaces?: boolean; 'max-depth'?: number; diff --git a/test/jest/acceptance/snyk-test/app-vuln-container-project.spec.ts b/test/jest/acceptance/snyk-test/app-vuln-container-project.spec.ts index 999584c41b..8aeec159bb 100644 --- a/test/jest/acceptance/snyk-test/app-vuln-container-project.spec.ts +++ b/test/jest/acceptance/snyk-test/app-vuln-container-project.spec.ts @@ -24,6 +24,30 @@ describe('container test projects behavior with --app-vulns, --file and --exclud expect(jsonOutput[1].uniqueCount).toBeGreaterThan(0); expect(code).toEqual(1); }, 10000); + it('should find nothing when app-vulns are explicitly disabled', async () => { + const { code, stdout } = await runSnykCLI( + `container test docker-archive:test/fixtures/container-projects/os-packages-and-app-vulns.tar --json --exclude-app-vulns`, + ); + const jsonOutput = JSON.parse(stdout); + expect(Array.isArray(jsonOutput)).toBeFalsy(); + expect(jsonOutput.applications).toBeUndefined(); + expect(jsonOutput.ok).toEqual(false); + expect(jsonOutput.uniqueCount).toBeGreaterThan(0); + expect(code).toEqual(1); + }, 10000); + it('should find nothing on conflicting app-vulns flags', async () => { + // if both flags are set, --exclude-app-vulns should take precedence and + // disable it. + const { code, stdout } = await runSnykCLI( + `container test docker-archive:test/fixtures/container-projects/os-packages-and-app-vulns.tar --json --app-vulns --exclude-app-vulns --experimental`, + ); + const jsonOutput = JSON.parse(stdout); + expect(Array.isArray(jsonOutput)).toBeFalsy(); + expect(jsonOutput.applications).toBeUndefined(); + expect(jsonOutput.ok).toEqual(false); + expect(jsonOutput.uniqueCount).toBeGreaterThan(0); + expect(code).toEqual(1); + }, 10000); it('should find all vulns when using --app-vulns without experimental flag', async () => { const { code, stdout } = await runSnykCLI( `container test docker-archive:test/fixtures/container-projects/os-packages-and-app-vulns.tar --json --app-vulns`,