fix: fix snapshots

Author: parker-snyk

lib/static.ts

@@ -54,6 +54,8 @@ export async function analyzeStatically(
     packageFormat: parsedAnalysisResult.packageFormat,
   };
 
+  let syntheticDockerfileAnalysis = false;
+
   // If no Dockerfile was provided (or it couldn't detect the base image),
   // try to detect the base image from OCI standard labels.
   // Many modern images (Chainguard, Bitnami, official images) include
@@ -65,12 +67,25 @@ export async function analyzeStatically(
     const baseImageLabel =
       staticAnalysis.imageLabels["org.opencontainers.image.base.name"] ||
       staticAnalysis.imageLabels["org.opencontainers.image.base.digest"];
-    if (baseImageLabel && dockerfileAnalysis) {
-      dockerfileAnalysis.baseImage = baseImageLabel;
+    if (baseImageLabel) {
+      if (dockerfileAnalysis) {
+        dockerfileAnalysis.baseImage = baseImageLabel;
+      } else {
+        dockerfileAnalysis = {
+          baseImage: baseImageLabel,
+          dockerfilePackages: {},
+          dockerfileLayers: {},
+        };
+        syntheticDockerfileAnalysis = true;
+      }
     }
   }
 
-  const excludeBaseImageVulns = isTrue(options["exclude-base-image-vulns"]);
+  // When dockerfileAnalysis was synthetically created from OCI labels (no real
+  // Dockerfile was provided), we have no package data — so excluding base image
+  // vulns would silently strip all vulnerabilities. Disable it in that case.
+  const excludeBaseImageVulns =
+    isTrue(options["exclude-base-image-vulns"]) && !syntheticDockerfileAnalysis;
 
   const names = getImageNames(options, imageName);
   let ociDistributionMetadata: OCIDistributionMetadata | undefined;

test/lib/static.spec.ts

@@ -141,16 +141,94 @@ describe("analyzeStatically", () => {
       },
     });
 
-    // Should not crash
-    await expect(
-      analyzeStatically(
-        "test-image",
-        undefined,
-        "docker-archive",
-        "test-path",
-        { include: [], exclude: [] },
-        {},
-      ),
-    ).resolves.toBeDefined();
+    await analyzeStatically(
+      "test-image",
+      undefined,
+      "docker-archive",
+      "test-path",
+      { include: [], exclude: [] },
+      {},
+    );
+
+    const buildResponseCall = (
+      responseBuilder.buildResponse as jest.Mock
+    ).mock.calls[0];
+    // Second argument is dockerfileAnalysis
+    expect(buildResponseCall[1]).toMatchObject({ baseImage: "alpine:latest" });
+  });
+
+  it("creates synthetic dockerfileAnalysis when dockerfileAnalysis is undefined and OCI labels present", async () => {
+    (analyzer.analyzeStatically as jest.Mock).mockResolvedValue({
+      osRelease: { name: "test", version: "1" },
+      imageLabels: {
+        "org.opencontainers.image.base.name": "alpine:latest",
+      },
+    });
+
+    await analyzeStatically(
+      "test-image",
+      undefined,
+      "docker-archive",
+      "test-path",
+      { include: [], exclude: [] },
+      {},
+    );
+
+    const buildResponseCall = (
+      responseBuilder.buildResponse as jest.Mock
+    ).mock.calls[0];
+    expect(buildResponseCall[1]).toEqual({
+      baseImage: "alpine:latest",
+      dockerfilePackages: {},
+      dockerfileLayers: {},
+    });
+  });
+
+  it("passes excludeBaseImageVulns as false when dockerfileAnalysis is synthetic", async () => {
+    (analyzer.analyzeStatically as jest.Mock).mockResolvedValue({
+      osRelease: { name: "test", version: "1" },
+      imageLabels: {
+        "org.opencontainers.image.base.name": "alpine:latest",
+      },
+    });
+
+    await analyzeStatically(
+      "test-image",
+      undefined,
+      "docker-archive",
+      "test-path",
+      { include: [], exclude: [] },
+      { "exclude-base-image-vulns": "true" },
+    );
+
+    const buildResponseCall = (
+      responseBuilder.buildResponse as jest.Mock
+    ).mock.calls[0];
+    // Third argument is excludeBaseImageVulns
+    expect(buildResponseCall[2]).toBe(false);
+  });
+
+  it("passes excludeBaseImageVulns as true when dockerfileAnalysis is real", async () => {
+    (analyzer.analyzeStatically as jest.Mock).mockResolvedValue({
+      osRelease: { name: "test", version: "1" },
+      imageLabels: {
+        "org.opencontainers.image.base.name": "alpine:latest",
+      },
+    });
+
+    await analyzeStatically(
+      "test-image",
+      { dockerfilePackages: {}, dockerfileLayers: {}, baseImage: undefined },
+      "docker-archive",
+      "test-path",
+      { include: [], exclude: [] },
+      { "exclude-base-image-vulns": "true" },
+    );
+
+    const buildResponseCall = (
+      responseBuilder.buildResponse as jest.Mock
+    ).mock.calls[0];
+    // Third argument is excludeBaseImageVulns
+    expect(buildResponseCall[2]).toBe(true);
   });
 });

test/system/app-os/__snapshots__/globs.spec.ts.snap

@@ -1928,7 +1928,7 @@ Object {
         },
         Object {
           "data": Array [
-            "sha256:756975cb9c7e7933d824af9319b512dd72a50894232761d06ef3be59981df838",
+            "sha256:114ca5b7280f3b49e94a67659890aadde83d58a8bde0d9020b2bc8c902c3b9de",
           ],
           "type": "imageLayers",
         },