fix: enable exclude base image vulns in monitor (#761)

d3vco · web-flow · commit 56aa5358c1a7 · 2026-02-26T13:35:32.000-05:00
This commit fixes an issue where the exclude-base-image-vulns flag did
not function in monitor mode (filtering base image vulns does work in
test mode).

Root Cause:
Base image vulnerabilities are filtered in `build-response.ts`, but
the filtered dependency tree was not stored and returned to the cli.
This was partially masked by the fact that the cli performed its own filtering in
the test path (`run-test.ts`) but not in the monitor path
(`ecosystems/monitor.ts`).

Changes:
- In `response-builder.ts`, stores the `finalDeps` to the `depTree`.
- Adds unit tests for this functionality.

Impact:
Restores the ability to filter base images vulnerabilities in monitor
mode.

Tickets: CN-568
diff --git a/lib/response-builder.ts b/lib/response-builder.ts
@@ -35,6 +35,9 @@ async function buildResponse(
   /** WARNING! Mutates the depTree.dependencies! */
   annotateLayerIds(finalDeps, dockerfilePkgs);
 
+  // Apply the filtered dependencies back to the depTree
+  depsAnalysis.depTree.dependencies = finalDeps;
+
   /** This must be called after all final changes to the DependencyTree. */
   const depGraph = await legacy.depTreeToGraph(
     depsAnalysis.depTree,
diff --git a/test/lib/response-builder.spec.ts b/test/lib/response-builder.spec.ts
@@ -1351,4 +1351,118 @@ describe("buildResponse", () => {
       });
     });
   });
+
+  describe("supports exclude-base-image-vulns flag", () => {
+    const defaultAnalysis = createMockAnalysis();
+    const baseDepTree = {
+      ...defaultAnalysis.depTree,
+      targetOS: {
+        name: "alpine",
+        version: "3.12",
+        prettyName: "Alpine 3.12",
+      },
+      dependencies: {
+        basePkg: {
+          name: "basePkg",
+          version: "1.0.0",
+          dependencies: {},
+        },
+        dockerfilePkg: {
+          name: "dockerfilePkg",
+          version: "2.0.0",
+          dependencies: {},
+        },
+      },
+    };
+
+    const dockerfileAnalysisWithDockerfilePkgOnly = {
+      baseImage: "alpine:3.12",
+      dockerfilePackages: {
+        dockerfilePkg: {
+          instruction: "RUN apk add dockerfilePkg",
+          installCommand: "apk add dockerfilePkg",
+        },
+      },
+      dockerfileLayers: {},
+    };
+
+    function getDepPkgNames(scanResult: {
+      facts?: Array<{ type: string; data: any }>;
+    }): string[] {
+      const depGraphFact = scanResult.facts?.find((f) => f.type === "depGraph");
+      const depGraph = depGraphFact?.data;
+      if (!depGraph || typeof depGraph.getPkgs !== "function") {
+        return [];
+      }
+      return depGraph.getPkgs().map((p: { name: string }) => p.name);
+    }
+
+    const rootPkgName = defaultAnalysis.depTree.name;
+
+    it("includes all dependencies in depGraph when excludeBaseImageVulns is false", async () => {
+      const mockAnalysis = createMockAnalysis({
+        depTree: JSON.parse(JSON.stringify(baseDepTree)),
+        packageFormat: "apk",
+      });
+
+      const result = await buildResponse(
+        mockAnalysis as any,
+        dockerfileAnalysisWithDockerfilePkgOnly as any,
+        false,
+        undefined,
+        undefined,
+        undefined,
+      );
+
+      const pkgNames = getDepPkgNames(result.scanResults[0]);
+      expect(pkgNames).toContain(rootPkgName);
+      expect(pkgNames).toContain("basePkg");
+      expect(pkgNames).toContain("dockerfilePkg");
+      expect(pkgNames).toHaveLength(3);
+    });
+
+    it("includes only dockerfile-introduced dependencies in depGraph when excludeBaseImageVulns is true", async () => {
+      const mockAnalysis = createMockAnalysis({
+        depTree: JSON.parse(JSON.stringify(baseDepTree)),
+        packageFormat: "apk",
+      });
+
+      const result = await buildResponse(
+        mockAnalysis as any,
+        dockerfileAnalysisWithDockerfilePkgOnly as any,
+        true,
+        undefined,
+        undefined,
+        undefined,
+      );
+
+      const pkgNames = getDepPkgNames(result.scanResults[0]);
+      expect(pkgNames).toContain(rootPkgName);
+      expect(pkgNames).toContain("dockerfilePkg");
+      expect(pkgNames).not.toContain("basePkg");
+      expect(pkgNames).toHaveLength(2);
+    });
+
+    it("includes all dependencies when excludeBaseImageVulns is true but dockerfileAnalysis is undefined", async () => {
+      const mockAnalysis = createMockAnalysis({
+        depTree: JSON.parse(JSON.stringify(baseDepTree)),
+        packageFormat: "apk",
+      });
+
+      const result = await buildResponse(
+        mockAnalysis as any,
+        undefined,
+        true,
+        undefined,
+        undefined,
+        undefined,
+      );
+
+      const pkgNames = getDepPkgNames(result.scanResults[0]);
+      expect(pkgNames).toContain(rootPkgName);
+      expect(pkgNames).toContain("basePkg");
+      expect(pkgNames).toContain("dockerfilePkg");
+      expect(pkgNames).toHaveLength(3);
+    });
+  });
 });
