chore: merge main

Author: d3vco

.circleci/config.yml

@@ -132,17 +132,30 @@ jobs:
       - attach_workspace:
           at: ~/snyk-docker-plugin
       - run: npm run lint
-  test:
+  test_unit:
+    <<: *defaults
+    resource_class: medium
+    steps:
+      - checkout
+      - attach_workspace:
+          at: ~/snyk-docker-plugin
+      - run: npm run test:unit > test-unit-logs.txt 2>&1
+      - store_artifacts:
+          path: test-unit-logs.txt
+          destination: test-unit-logs
+  test_system:
     <<: *defaults
     steps:
       - checkout
       - setup_remote_docker
       - attach_workspace:
           at: ~/snyk-docker-plugin
-      - run: npm run test-jest > test-logs.txt 2>&1
+      - run:
+          command: npm run test:system > test-system-logs.txt 2>&1
+          no_output_timeout: 20m
       - store_artifacts:
-          path: test-logs.txt
-          destination: test-logs
+          path: test-system-logs.txt
+          destination: test-system-logs
   test_jest_windows_with_docker:
     <<: *windows_big
     steps:
@@ -252,8 +265,17 @@ workflows:
           context: infrasec_container
           post-steps:
             - *slack-fail-notify
-      - test:
-          name: Test
+      - test_unit:
+          name: Unit Test
+          context:
+            - nodejs-install
+            - snyk-bot-slack
+          requires:
+            - Build
+          post-steps:
+            - *slack-fail-notify
+      - test_system:
+          name: System Test
           context:
             - nodejs-install
             - snyk-bot-slack
@@ -303,7 +325,8 @@ workflows:
             - Lint
             - Build
             - Security Scans
-            - Test
+            - Unit Test
+            - System Test
             - Test Jest Windows with Docker
             - Test Jest Windows no Docker
           post-steps:

.snyk

@@ -1,5 +1,21 @@
 # Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
 version: v1.25.0
 # ignores vulnerabilities until expiry date; change duration by modifying expiry date
-ignore: {}
+ignore:
+  SNYK-JS-TAR-15307072:
+    - 'snyk-nodejs-lockfile-parser > @yarnpkg/core > tar':
+        reason: 'Indirect dependency from snyk-nodejs-lockfile-parser, waiting for upstream fix'
+        expires: 2026-05-06T00:00:00.000Z
+  SNYK-JS-TAR-15416075:
+    - 'snyk-nodejs-lockfile-parser > @yarnpkg/core > tar':
+        reason: 'Indirect dependency from snyk-nodejs-lockfile-parser, waiting for upstream fix'
+        expires: 2026-05-06T00:00:00.000Z
+  SNYK-JS-TAR-15456201:
+    - 'snyk-nodejs-lockfile-parser > @yarnpkg/core > tar':
+        reason: 'Indirect dependency from snyk-nodejs-lockfile-parser, waiting for upstream fix'
+        expires: 2026-05-06T00:00:00.000Z
+  SNYK-JS-LODASH-15869625:
+    - '*':
+        reason: 'Indirect dependency, waiting for upstream fix'
+        expires: 2026-04-09T00:00:00.000Z
 patch: {}

lib/analyzer/applications/java.ts

@@ -251,6 +251,16 @@ async function unpackJars(
   return fingerprints;
 }
 
+/**
+ * Packages with inaccurate pom.properties files return null so that the JAR
+ * will be resolved using the SHA lookup instead.
+ *
+ * Long-term solution: resolve all JARs via maven-deps to remove the need for overrides.
+ */
+const POM_PROPERTIES_OVERRIDES = new Set([
+  "com.microsoft.sqlserver:mssql-jdbc",
+]);
+
 /**
  * Gets coords from the contents of a pom.properties file
  * @param {string} fileContent
@@ -261,6 +271,10 @@ export function getCoordsFromPomProperties(
 ): JarCoords | null {
   const coords = parsePomProperties(fileContent);
 
+  if (POM_PROPERTIES_OVERRIDES.has(`${coords.groupId}:${coords.artifactId}`)) {
+    return null;
+  }
+
   // we need all of these props to allow us to inject the package
   // into the depGraph
   if (!coords.artifactId || !coords.groupId || !coords.version) {

lib/dockerfile/instruction-parser.ts

@@ -18,7 +18,7 @@ export {
 // Naive regex; see tests for cases
 // tslint:disable-next-line:max-line-length
 const installRegex =
-  /(rpm\s+-i|rpm\s+--install|apk\s+((--update|-u|--no-cache)\s+)*add(\s+(--update|-u|--no-cache))*|apt-get\s+((--assume-yes|--yes|-y)\s+)*install(\s+(--assume-yes|--yes|-y))*|apt\s+((--assume-yes|--yes|-y)\s+)*install|yum\s+install|aptitude\s+install)\s+/;
+  /(rpm\s+-i|rpm\s+--install|apk\s+((--update|-u|--no-cache)\s+)*add(\s+(--update|-u|--no-cache))*|apt-get\s+((--assume-yes|--yes|-y)\s+)*install(\s+(--assume-yes|--yes|-y))*|apt\s+((--assume-yes|--yes|-y)\s+)*install|dnf\s+((--assumeyes|--best|--nodocs|--allowerasing|-y)\s+)*install(\s+(--assumeyes|--best|--nodocs|--allowerasing|-y))*|microdnf\s+((--nodocs|--best|--assumeyes|-y)\s+)*install(\s+(--nodocs|--best|--assumeyes|-y))*|yum\s+install|aptitude\s+install)\s+/;
 
 function getPackagesFromDockerfile(dockerfile: Dockerfile): DockerFilePackages {
   const runInstructions = getRunInstructionsFromDockerfile(dockerfile);

lib/extractor/index.ts

@@ -1,3 +1,4 @@
+import * as Debug from "debug";
 import path = require("path");
 import {
   getLayersFromPackages,
@@ -20,6 +21,8 @@ import {
   OciArchiveManifest,
 } from "./types";
 
+const debug = Debug("snyk");
+
 export class InvalidArchiveError extends Error {
   constructor(message) {
     super();
@@ -157,10 +160,14 @@ export async function extractImageContent(
 async function extractArchiveContentFallback(
   extractors: Map<ImageType, ArchiveExtractor>,
 ): Promise<[ExtractedLayersAndManifest, ArchiveExtractor]> {
-  for (const extractor of extractors.values()) {
+  for (const [imageType, extractor] of extractors.entries()) {
     try {
       return [await extractor.getLayersAndManifest(), extractor];
     } catch (error) {
+      // imageType is a string enum value like "docker-archive", "oci-archive"
+      debug(
+        `Error getting layers and manifest content from ${imageType} archive: ${error.message}`,
+      );
       continue;
     }
   }