
Commit 79a0338

committed
chore: merge main
1 parent 23fb61a commit 79a0338


35 files changed

+2480
-591
lines changed


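--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -132,17 +132,30 @@ jobs:
 - attach_workspace:
 at: ~/snyk-docker-plugin
 - run: npm run lint
-test:
+test_unit:
+<<: *defaults
+resource_class: medium
+steps:
+- checkout
+- attach_workspace:
+at: ~/snyk-docker-plugin
+- run: npm run test:unit > test-unit-logs.txt 2>&1
+- store_artifacts:
+path: test-unit-logs.txt
+destination: test-unit-logs
+test_system:
 <<: *defaults
 steps:
 - checkout
 - setup_remote_docker
 - attach_workspace:
 at: ~/snyk-docker-plugin
-- run: npm run test-jest > test-logs.txt 2>&1
+- run:
+command: npm run test:system > test-system-logs.txt 2>&1
+no_output_timeout: 20m
 - store_artifacts:
-path: test-logs.txt
-destination: test-logs
+path: test-system-logs.txt
+destination: test-system-logs
 test_jest_windows_with_docker:
 <<: *windows_big
 steps:
@@ -252,8 +265,17 @@ workflows:
 context: infrasec_container
 post-steps:
 - *slack-fail-notify
-- test:
-name: Test
+- test_unit:
+name: Unit Test
+context:
+- nodejs-install
+- snyk-bot-slack
+requires:
+- Build
+post-steps:
+- *slack-fail-notify
+- test_system:
+name: System Test
 context:
 - nodejs-install
 - snyk-bot-slack
@@ -303,7 +325,8 @@ workflows:
 - Lint
 - Build
 - Security Scans
-- Test
+- Unit Test
+- System Test
 - Test Jest Windows with Docker
 - Test Jest Windows no Docker
 post-steps: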

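--- a/.snyk
+++ b/.snyk
@@ -1,5 +1,21 @@
 # Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
 version: v1.25.0
 # ignores vulnerabilities until expiry date; change duration by modifying expiry date
-ignore: {}
+ignore:
+SNYK-JS-TAR-15307072:
+- 'snyk-nodejs-lockfile-parser > @yarnpkg/core > tar':
+reason: 'Indirect dependency from snyk-nodejs-lockfile-parser, waiting for upstream fix'
+expires: 2026-05-06T00:00:00.000Z
+SNYK-JS-TAR-15416075:
+- 'snyk-nodejs-lockfile-parser > @yarnpkg/core > tar':
+reason: 'Indirect dependency from snyk-nodejs-lockfile-parser, waiting for upstream fix'
+expires: 2026-05-06T00:00:00.000Z
+SNYK-JS-TAR-15456201:
+- 'snyk-nodejs-lockfile-parser > @yarnpkg/core > tar':
+reason: 'Indirect dependency from snyk-nodejs-lockfile-parser, waiting for upstream fix'
+expires: 2026-05-06T00:00:00.000Z
+SNYK-JS-LODASH-15869625:
+- '*':
+reason: 'Indirect dependency, waiting for upstream fix'
+expires: 2026-04-09T00:00:00.000Z
 patch: {}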
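Review bot: The SNYK-JS-LODASH-15869625 entry uses the path wildcard `'*'`, so the finding is suppressed on every dependency path, including any direct or newly introduced lodash usage, whereas the three tar entries are scoped to the specific `snyk-nodejs-lockfile-parser > @yarnpkg/core > tar` path. If the intent is only to silence one indirect path, the entry should name that path the way the tar entries do, and the reason string should say which dependency brings lodash in rather than the generic `Indirect dependency, waiting for upstream fix`. The lodash expiry (2026-04-09) is earlier than the tar expiries (2026-05-06), which may be deliberate; a one-line comment above the block explaining the different dates would save the next reviewer from guessing.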

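--- a/lib/analyzer/applications/java.ts
+++ b/lib/analyzer/applications/java.ts
@@ -251,6 +251,16 @@ async function unpackJars(
 return fingerprints;
 }
 
+/**
+* Packages with inaccurate pom.properties files return null so that the JAR
+* will be resolved using the SHA lookup instead.
+*
+* Long-term solution: resolve all JARs via maven-deps to remove the need for overrides.
+*/
+const POM_PROPERTIES_OVERRIDES = new Set([
+"com.microsoft.sqlserver:mssql-jdbc",
+]);
+
 /**
 * Gets coords from the contents of a pom.properties file
 * @param {string} fileContent
@@ -261,6 +271,10 @@ export function getCoordsFromPomProperties(
 ): JarCoords | null {
 const coords = parsePomProperties(fileContent);
 
+if (POM_PROPERTIES_OVERRIDES.has(`${coords.groupId}:${coords.artifactId}`)) {
+return null;
+}
+
 // we need all of these props to allow us to inject the package
 // into the depGraph
 if (!coords.artifactId || !coords.groupId || !coords.version) {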
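Review bot: getCoordsFromPomProperties now has a second reason to return null, but its JSDoc (the block beginning `* Gets coords from the contents of a pom.properties file`) still documents only the parse-and-validate path; add a line such as `@returns null when the package is listed in POM_PROPERTIES_OVERRIDES (its pom.properties is known to be inaccurate), so the caller falls back to the SHA lookup`. The override key is built before the field check, so a file missing groupId or artifactId produces a key like `undefined:…`, which cannot match a Set entry and falls through to the existing validation — harmless, but a short comment on the early return noting that it applies to every version of the listed artifact would make the intent explicit. The remainder of getCoordsFromPomProperties is outside the hunk.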

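--- a/lib/dockerfile/instruction-parser.ts
+++ b/lib/dockerfile/instruction-parser.ts
@@ -18,7 +18,7 @@ export {
 // Naive regex; see tests for cases
 // tslint:disable-next-line:max-line-length
 const installRegex =
-/(rpm\s+-i|rpm\s+--install|apk\s+((--update|-u|--no-cache)\s+)*add(\s+(--update|-u|--no-cache))*|apt-get\s+((--assume-yes|--yes|-y)\s+)*install(\s+(--assume-yes|--yes|-y))*|apt\s+((--assume-yes|--yes|-y)\s+)*install|yum\s+install|aptitude\s+install)\s+/;
+/(rpm\s+-i|rpm\s+--install|apk\s+((--update|-u|--no-cache)\s+)*add(\s+(--update|-u|--no-cache))*|apt-get\s+((--assume-yes|--yes|-y)\s+)*install(\s+(--assume-yes|--yes|-y))*|apt\s+((--assume-yes|--yes|-y)\s+)*install|dnf\s+((--assumeyes|--best|--nodocs|--allowerasing|-y)\s+)*install(\s+(--assumeyes|--best|--nodocs|--allowerasing|-y))*|microdnf\s+((--nodocs|--best|--assumeyes|-y)\s+)*install(\s+(--nodocs|--best|--assumeyes|-y))*|yum\s+install|aptitude\s+install)\s+/;
 
 function getPackagesFromDockerfile(dockerfile: Dockerfile): DockerFilePackages {
 const runInstructions = getRunInstructionsFromDockerfile(dockerfile);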
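Review bot: The new `dnf` and `microdnf` alternatives accept flags both before and after `install`, but the neighbouring `yum\s+install` branch still matches only the bare form, so a `RUN yum -y install …` line is still not recognised while `RUN dnf -y install …` now is; if that asymmetry is intended, a comment on the yum branch should say so, otherwise give yum the same treatment, e.g. `yum\s+((--assumeyes|-y)\s+)*install(\s+(--assumeyes|-y))*`. The flag list for dnf is spelled out twice and the microdnf list is a reordered subset spelled out twice more, which is easy to let drift when a flag is added to one copy only; building the pattern from one shared flag string per package manager (a `new RegExp` from string fragments) would keep the copies in sync, at the cost of a larger change than this hunk. The existing `// Naive regex; see tests for cases` comment should also gain a pointer to the dnf/microdnf test cases that cover the new branches.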

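--- a/lib/extractor/index.ts
+++ b/lib/extractor/index.ts
@@ -1,3 +1,4 @@
+import * as Debug from "debug";
 import path = require("path");
 import {
 getLayersFromPackages,
@@ -20,6 +21,8 @@ import {
 OciArchiveManifest,
 } from "./types";
 
+const debug = Debug("snyk");
+
 export class InvalidArchiveError extends Error {
 constructor(message) {
 super();
@@ -157,10 +160,14 @@ export async function extractImageContent(
 async function extractArchiveContentFallback(
 extractors: Map<ImageType, ArchiveExtractor>,
 ): Promise<[ExtractedLayersAndManifest, ArchiveExtractor]> {
-for (const extractor of extractors.values()) {
+for (const [imageType, extractor] of extractors.entries()) {
 try {
 return [await extractor.getLayersAndManifest(), extractor];
 } catch (error) {
+// imageType is a string enum value like "docker-archive", "oci-archive"
+debug(
+`Error getting layers and manifest content from ${imageType} archive: ${error.message}`,
+);
 continue;
 }
 }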
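Review bot: `error.message` in the new debug call assumes the caught value is an Error; under `useUnknownInCatchVariables` (enabled by `strict`) `error` is `unknown` and this line does not compile, and at runtime a non-Error rejection logs `undefined` instead of the cause. Narrow before formatting, e.g. `const reason = error instanceof Error ? error.message : String(error);` and interpolate `reason` in the template string. Since the loop swallows every extractor failure and continues, this debug line is the only trace of why a fallback was taken, so consider passing the error object itself as a second argument to `debug` so the stack is not lost. What happens when every extractor fails is outside the hunk.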
