Merge branch 'main' into CN-941-consolidate-archive-extraction

Author: ividalATSnyk

.github/CODEOWNERS

@@ -1,5 +1,5 @@
 # This is a comment.
 # Each line is a file pattern followed by one or more owners.
 
-* @snyk/infrasec_container
+* @snyk/infrasec_container @snyk/container_container
 

.snyk

@@ -2,18 +2,6 @@
 version: v1.25.0
 # ignores vulnerabilities until expiry date; change duration by modifying expiry date
 ignore:
-  SNYK-JS-TAR-15307072:
-    - 'snyk-nodejs-lockfile-parser > @yarnpkg/core > tar':
-        reason: 'Indirect dependency from snyk-nodejs-lockfile-parser, waiting for upstream fix'
-        expires: 2026-05-06T00:00:00.000Z
-  SNYK-JS-TAR-15416075:
-    - 'snyk-nodejs-lockfile-parser > @yarnpkg/core > tar':
-        reason: 'Indirect dependency from snyk-nodejs-lockfile-parser, waiting for upstream fix'
-        expires: 2026-05-06T00:00:00.000Z
-  SNYK-JS-TAR-15456201:
-    - 'snyk-nodejs-lockfile-parser > @yarnpkg/core > tar':
-        reason: 'Indirect dependency from snyk-nodejs-lockfile-parser, waiting for upstream fix'
-        expires: 2026-05-06T00:00:00.000Z
   SNYK-JS-LODASH-15869625:
     - '*':
         reason: 'Indirect dependency, waiting for upstream fix'

components/common.yaml

@@ -17,6 +17,7 @@ schemas:
     enum:
       - autoDetectedUserInstructions
       - binaries
+      - baseRuntimes
       - depGraph
       - dockerfileAnalysis
       - dockerLayers

lib/analyzer/applications/node-modules-utils.ts

@@ -1,6 +1,8 @@
 import * as Debug from "debug";
 import { mkdir, mkdtemp, rm, stat, writeFile } from "fs/promises";
+import * as os from "os";
 import * as path from "path";
+import { getErrorMessage } from "../../error-utils";
 import { FilePathToContent, FilesByDirMap } from "./types";
 const debug = Debug("snyk");
 
@@ -22,7 +24,7 @@ interface ScanPaths {
 async function createTempProjectDir(
   projectDir: string,
 ): Promise<{ tmpDir: string; tempProjectRoot: string }> {
-  const tmpDir = await mkdtemp("snyk");
+  const tmpDir = await mkdtemp(path.join(os.tmpdir(), "snyk-"));
 
   const tempProjectRoot = path.join(tmpDir, projectDir);
 
@@ -51,7 +53,9 @@ async function createSyntheticManifest(
     await writeFile(tempRootManifestPath, "{}", "utf-8");
   } catch (error) {
     debug(
-      `Error while writing file ${tempRootManifestPath} : ${error.message}`,
+      `Error while writing file ${tempRootManifestPath} : ${getErrorMessage(
+        error,
+      )}`,
     );
   }
 }
@@ -76,20 +80,23 @@ async function persistNodeModules(
   fileNamesGroupedByDirectory: FilesByDirMap,
 ): Promise<ScanPaths> {
   const modules = fileNamesGroupedByDirectory.get(project);
-  const tmpDir: string = "";
-  const tempProjectRoot: string = "";
 
   if (!modules || modules.size === 0) {
     debug(`Empty application directory tree.`);
-
-    return {
-      tempDir: tmpDir,
-      tempProjectPath: tempProjectRoot,
-    };
+    return { tempDir: "", tempProjectPath: "" };
   }
 
+  // Create the temp directory first so we can return it in the catch block
+  // for cleanup. Previously, the outer tmpDir/tempProjectRoot were always
+  // empty strings, meaning any temp directory created before a failure in
+  // saveOnDisk or later steps would be leaked (caller couldn't clean it up).
+  let tmpDir = "";
+  let tempProjectRoot = "";
+
   try {
-    const { tmpDir, tempProjectRoot } = await createTempProjectDir(project);
+    const created = await createTempProjectDir(project);
+    tmpDir = created.tmpDir;
+    tempProjectRoot = created.tempProjectRoot;
 
     await saveOnDisk(tmpDir, modules, filePathToContent);
 
@@ -113,7 +120,9 @@ async function persistNodeModules(
     return result;
   } catch (error) {
     debug(
-      `Failed to copy the application manifest files locally: ${error.message}`,
+      `Failed to copy the application manifest files locally: ${getErrorMessage(
+        error,
+      )}`,
     );
     return {
       tempDir: tmpDir,
@@ -122,12 +131,15 @@ async function persistNodeModules(
   }
 }
 
-async function createFile(filePath, fileContent): Promise<void> {
+async function createFile(
+  filePath: string,
+  fileContent: string,
+): Promise<void> {
   try {
     await mkdir(path.dirname(filePath), { recursive: true });
     await writeFile(filePath, fileContent, "utf-8");
   } catch (error) {
-    debug(`Error while creating file ${filePath} : ${error.message}`);
+    debug(`Error while creating file ${filePath} : ${getErrorMessage(error)}`);
   }
 }
 
@@ -241,6 +253,6 @@ async function cleanupAppNodeModules(appRootDir: string): Promise<void> {
   try {
     await rm(appRootDir, { recursive: true });
   } catch (error) {
-    debug(`Error while removing ${appRootDir} : ${error.message}`);
+    debug(`Error while removing ${appRootDir} : ${getErrorMessage(error)}`);
   }
 }

lib/analyzer/applications/node.ts

@@ -3,6 +3,7 @@ import * as Debug from "debug";
 import * as path from "path";
 import * as lockFileParser from "snyk-nodejs-lockfile-parser";
 import * as resolveDeps from "snyk-resolve-deps";
+import { getErrorMessage } from "../../error-utils";
 import { DepGraphFact, TestedFilesFact } from "../../facts";
 
 const debug = Debug("snyk");
@@ -136,7 +137,7 @@ async function depGraphFromNodeModules(
       }
 
       const depGraph = await legacy.depTreeToGraph(
-        pkgTree,
+        pkgTree as any,
         pkgTree.type || "npm",
       );
 
@@ -162,7 +163,9 @@ async function depGraphFromNodeModules(
       });
     } catch (error) {
       debug(
-        `An error occurred while analysing node_modules dir: ${error.message}`,
+        `An error occurred while analysing node_modules dir: ${getErrorMessage(
+          error,
+        )}`,
       );
     } finally {
       await cleanupAppNodeModules(tempDir);
@@ -300,7 +303,9 @@ async function depGraphFromManifestFiles(
           );
     } catch (err) {
       debug(
-        `An error occurred while analysing a pair of manifest and lock files: ${err.message}`,
+        `An error occurred while analysing a pair of manifest and lock files: ${getErrorMessage(
+          err,
+        )}`,
       );
       continue;
     }
@@ -417,7 +422,7 @@ function stripUndefinedLabels(
   parserResult: lockFileParser.PkgTree,
 ): lockFileParser.PkgTree {
   const optionalLabels = parserResult.labels;
-  const mandatoryLabels: Record<string, string> = {};
+  const mandatoryLabels: Record<string, any> = {};
   if (optionalLabels) {
     for (const currentLabelName of Object.keys(optionalLabels)) {
       if (optionalLabels[currentLabelName] !== undefined) {
@@ -428,7 +433,7 @@ function stripUndefinedLabels(
   const parserResultWithProperLabels = Object.assign({}, parserResult, {
     labels: mandatoryLabels,
   });
-  return parserResultWithProperLabels;
+  return parserResultWithProperLabels as lockFileParser.PkgTree;
 }
 
 async function buildDepGraph(
@@ -513,7 +518,10 @@ async function buildDepGraphFromDepTree(
     // Don't provide a default manifest file name, prefer the parser to infer it.
   );
   const strippedLabelsParserResult = stripUndefinedLabels(parserResult);
-  return await legacy.depTreeToGraph(strippedLabelsParserResult, lockfileType);
+  return await legacy.depTreeToGraph(
+    strippedLabelsParserResult as any,
+    lockfileType,
+  );
 }
 
 export function getLockFileVersion(

lib/analyzer/applications/python/pip.ts

@@ -3,6 +3,7 @@ import * as Debug from "debug";
 import { eventLoopSpinner } from "event-loop-spinner";
 import * as path from "path";
 import * as semver from "semver";
+import { getErrorMessage } from "../../../error-utils";
 import { DepGraphFact } from "../../../facts";
 import { compareVersions } from "../../../python-parser/common";
 import { getPackageInfo } from "../../../python-parser/metadata-parser";
@@ -133,7 +134,7 @@ export async function pipFilesToScannedProjects(
         }
         metadataItems[packageInfo.name.toLowerCase()].push(packageInfo);
       } catch (err) {
-        debug(err.message);
+        debug(getErrorMessage(err));
       }
     }
   }

lib/analyzer/base-runtimes/index.ts

@@ -0,0 +1,11 @@
+import { ExtractedLayers } from "../../extractor/types";
+import { BaseRuntime } from "../../facts";
+import { getJavaRuntimeReleaseContent } from "../../inputs/base-runtimes/static";
+import { parseJavaRuntimeRelease } from "./parser";
+
+export function detectJavaRuntime(
+  extractedLayers: ExtractedLayers,
+): BaseRuntime | null {
+  const releaseContent = getJavaRuntimeReleaseContent(extractedLayers);
+  return releaseContent ? parseJavaRuntimeRelease(releaseContent) : null;
+}

lib/analyzer/base-runtimes/parser.ts

@@ -0,0 +1,34 @@
+import { BaseRuntime } from "../../facts";
+
+const VALID_VERSION_PATTERN =
+  /^(?!.*\.\.)[0-9]+(?:[._+a-zA-Z0-9-]*[a-zA-Z0-9])?$/;
+
+const regex = /^\s*JAVA_VERSION\s*=\s*(?:(["'])(.*?)\1|([^#\r\n]+))/gm;
+
+function isValidJavaVersion(version: string): boolean {
+  if (!version || version.length === 0) {
+    return false;
+  }
+  return VALID_VERSION_PATTERN.test(version);
+}
+
+export function parseJavaRuntimeRelease(content: string): BaseRuntime | null {
+  if (!content || content.trim().length === 0) {
+    return null;
+  }
+  try {
+    const matches = [...content.matchAll(regex)];
+
+    if (matches.length !== 1) {
+      return null;
+    }
+    const version = (matches[0][2] || matches[0][3] || "").trim();
+
+    if (!isValidJavaVersion(version)) {
+      return null;
+    }
+    return { type: "java", version };
+  } catch (error) {
+    return null;
+  }
+}

lib/analyzer/image-inspector.ts

@@ -1,7 +1,7 @@
 import * as Debug from "debug";
 import * as fs from "fs";
-import * as mkdirp from "mkdirp";
 import * as path from "path";
+import { getErrorMessage } from "../error-utils";
 
 import { Docker, DockerOptions } from "../docker";
 import { ImageName } from "../extractor/image";
@@ -35,7 +35,11 @@ function cleanupCallback(imageFolderPath: string, imageName: string) {
     try {
       fs.rmdirSync(imageFolderPath);
     } catch (err) {
-      debug(`Can't remove folder ${imageFolderPath}, got error ${err.message}`);
+      debug(
+        `Can't remove folder ${imageFolderPath}, got error ${getErrorMessage(
+          err,
+        )}`,
+      );
     }
   };
 }
@@ -58,8 +62,19 @@ async function pullWithDockerBinary(
     await docker.save(targetImage, saveLocation);
     return true;
   } catch (err) {
-    debug(`couldn't pull ${targetImage} using docker binary: ${err.message}`);
-    const errorMessage = err.stderr || err.message || err.toString();
+    debug(
+      `couldn't pull ${targetImage} using docker binary: ${getErrorMessage(
+        err,
+      )}`,
+    );
+    const stderrValue =
+      err !== null &&
+      typeof err === "object" &&
+      "stderr" in (err as object) &&
+      (err as { stderr: unknown }).stderr;
+    const errorMessage = stderrValue
+      ? String(stderrValue)
+      : getErrorMessage(err);
     handleDockerPullError(errorMessage, platform);
 
     return false;
@@ -126,7 +141,7 @@ async function pullFromContainerRegistry(
       platform,
     );
   } catch (err) {
-    handleDockerPullError(err.message);
+    handleDockerPullError(getErrorMessage(err));
     throw err;
   }
 }
@@ -200,7 +215,7 @@ async function getImageArchive(
   platform?: string,
 ): Promise<ArchiveResult> {
   const docker = new Docker();
-  mkdirp.sync(imageSavePath);
+  fs.mkdirSync(imageSavePath, { recursive: true });
   const destination: DestinationDir = {
     name: imageSavePath,
     removeCallback: cleanupCallback(imageSavePath, "image.tar"),
@@ -213,7 +228,7 @@ async function getImageArchive(
   } catch (error) {
     debug(
       `${targetImage} does not exist locally, proceeding to pull image.`,
-      error.stack || error,
+      getErrorMessage(error),
     );
   }
 
@@ -370,7 +385,7 @@ function isLocalImageSameArchitecture(
     // Note: this is using the same flag/input pattern as the new Docker buildx: eg. linux/arm64/v8
     platformArchitecture = platformOption.split("/")[1];
   } catch (error) {
-    debug(`Error parsing platform flag: '${error.message}'`);
+    debug(`Error parsing platform flag: '${getErrorMessage(error)}'`);
     return false;
   }
 

lib/analyzer/os-release/static.ts

@@ -1,5 +1,6 @@
 import * as Debug from "debug";
 import { normalize as normalizePath } from "path";
+import { getErrorMessage } from "../../error-utils";
 
 import { DockerFileAnalysis } from "../../dockerfile/types";
 import { ExtractedLayers } from "../../extractor/types";
@@ -74,7 +75,7 @@ export async function detect(
     try {
       osRelease = await handler(osReleaseFile);
     } catch (err) {
-      debug(`Malformed OS release file: ${err.message}`);
+      debug(`Malformed OS release file: ${getErrorMessage(err)}`);
     }
     if (osRelease) {
       break;