fix: revert stricter number validation when using --nested-jars-depth (#752)

* Revert "fix: enforce stricter number validation when using --nested-jars-depth flag (#736)"

This reverts commit ec4f55e.

* chore: removed unused test file

Author: ividalATSnyk

lib/analyzer/static-analyzer.ts

@@ -56,7 +56,6 @@ import {
   getRpmSqliteDbFileContent,
   getRpmSqliteDbFileContentAction,
 } from "../inputs/rpm/static";
-import { resolveNestedJarsOption } from "../option-utils";
 import { isTrue } from "../option-utils";
 import { ImageType, ManifestFile, PluginOptions } from "../types";
 import {
@@ -319,7 +318,8 @@ export async function analyze(
 }
 
 function getNestedJarsDesiredDepth(options: Partial<PluginOptions>) {
-  const nestedJarsOption = resolveNestedJarsOption(options);
+  const nestedJarsOption =
+    options["nested-jars-depth"] || options["shaded-jars-depth"];
   let nestedJarsDepth = 1;
   const depthNumber = Number(nestedJarsOption);
   if (!isNaN(depthNumber) && depthNumber >= 0) {

lib/option-utils.ts

@@ -1,34 +1,9 @@
-import { PluginOptions } from "./types";
-export { isTrue, isNumber, isStrictNumber };
+export { isTrue, isNumber };
 
 function isTrue(value?: boolean | string): boolean {
   return String(value).toLowerCase() === "true";
 }
 
-// This strictly follows the ECMAScript Language Specification: https://262.ecma-international.org/5.1/#sec-9.3
 function isNumber(value?: boolean | string): boolean {
   return !isNaN(Number(value));
 }
-
-// Must be a finite numeric value, excluding booleans, Infinity, and non-numeric strings
-function isStrictNumber(value?: boolean | string): boolean {
-  if (typeof value === "boolean" || !value?.trim().length) {
-    return false;
-  }
-
-  const num = Number(value);
-  return Number.isFinite(num);
-}
-
-export function resolveNestedJarsOption(options?: Partial<PluginOptions>) {
-  const safeOptions = options || {};
-
-  return [
-    safeOptions["nested-jars-depth"],
-    safeOptions["shaded-jars-depth"],
-  ].find(isDefined);
-}
-
-export function isDefined(value?: string | boolean): boolean {
-  return value !== "" && value != null;
-}

lib/scan.ts

@@ -9,12 +9,7 @@ import { ImageName } from "./extractor/image";
 import { ExtractAction, ExtractionResult } from "./extractor/types";
 import { fullImageSavePath } from "./image-save-path";
 import { getArchivePath, getImageType } from "./image-type";
-import {
-  isDefined,
-  isStrictNumber,
-  isTrue,
-  resolveNestedJarsOption,
-} from "./option-utils";
+import { isNumber, isTrue } from "./option-utils";
 import * as staticModule from "./static";
 import { ImageType, PluginOptions, PluginResponse } from "./types";
 import { isValidDockerImageReference } from "./utils";
@@ -45,24 +40,20 @@ async function getAnalysisParameters(
     throw new Error("No image identifier or path provided");
   }
 
+  const nestedJarsDepth =
+    options["nested-jars-depth"] || options["shaded-jars-depth"];
   if (
-    isDefined(options["shaded-jars-depth"]) &&
-    isDefined(options["nested-jars-depth"])
+    (isTrue(nestedJarsDepth) || isNumber(nestedJarsDepth)) &&
+    isTrue(options["exclude-app-vulns"])
   ) {
-    throw new Error(
-      "Cannot use --shaded-jars-depth together with --nested-jars-depth, please use the latter",
-    );
-  }
-
-  const nestedJarsDepth = resolveNestedJarsOption(options);
-  if (isStrictNumber(nestedJarsDepth) && isTrue(options["exclude-app-vulns"])) {
     throw new Error(
       "To use --nested-jars-depth, you must not use --exclude-app-vulns",
     );
   }
 
   if (
-    (!isStrictNumber(nestedJarsDepth) &&
+    (!isNumber(nestedJarsDepth) &&
+      !isTrue(nestedJarsDepth) &&
       typeof nestedJarsDepth !== "undefined") ||
     Number(nestedJarsDepth) < 0
   ) {

test/system/application-scans/java.spec.ts

@@ -96,25 +96,26 @@ describe("jar binaries scanning", () => {
             imageNameAndTag = `docker-archive:${fixturePath}`;
           });
 
-          it(`should unpack 1 level of jars if ${flagName} flag is missing`, async () => {
+          it("should return nested (second-level) jar in the result", async () => {
             // Act
             pluginResult = await scan({
               path: imageNameAndTag,
               "app-vulns": true,
+              [flagName]: true,
             });
 
+            // Assert
             fingerprints =
               pluginResult.scanResults[1].facts[0].data.fingerprints;
 
             expect(fingerprints).toContainEqual(nestedJar);
           });
 
-          it(`should unpack 1 level of jars if ${flagName} flag is ''`, async () => {
+          it(`should unpack 1 level of jars if ${flagName} flag is missing`, async () => {
             // Act
             pluginResult = await scan({
               path: imageNameAndTag,
               "app-vulns": true,
-              [flagName]: "",
             });
 
             fingerprints =
@@ -145,17 +146,6 @@ describe("jar binaries scanning", () => {
             expect(fingerprints).not.toContainEqual(nestedJar);
           });
 
-          it(`should throw if ${flagName} flag is set to true`, async () => {
-            // Act + Assert
-            await expect(
-              scan({
-                path: imageNameAndTag,
-                "app-vulns": true,
-                [flagName]: true,
-              }),
-            ).rejects.toThrow();
-          });
-
           it(`should throw if ${flagName} flag is set to -1`, async () => {
             // Act + Assert
             await expect(
@@ -167,17 +157,6 @@ describe("jar binaries scanning", () => {
             ).rejects.toThrow();
           });
 
-          it(`should throw if ${flagName} flag is set to ' '`, async () => {
-            // Act + Assert
-            await expect(
-              scan({
-                path: imageNameAndTag,
-                "app-vulns": true,
-                [flagName]: " ",
-              }),
-            ).rejects.toThrow();
-          });
-
           it("should throw error if exclude-app-vulns flag is true", async () => {
             // Act
             await expect(
@@ -488,23 +467,5 @@ describe("jar binaries scanning", () => {
         });
       },
     );
-    describe("conflicting flags", () => {
-      const fixturePath = getFixture(
-        "docker-archives/docker-save/java-uberjar.tar",
-      );
-      const imageNameAndTag = `docker-archive:${fixturePath}`;
-
-      it(`should throw if both --shaded-jars-depth and --nested-jars-depth flags are set`, async () => {
-        // Act + Assert
-        await expect(
-          scan({
-            path: imageNameAndTag,
-            "app-vulns": true,
-            "shaded-jars-depth": "2",
-            "nested-jars-depth": "4",
-          }),
-        ).rejects.toThrow();
-      });
-    });
   });
 });