fix: add tests

parker-snyk · parker-snyk · commit c17f243727db · 2026-04-09T17:18:25.000-04:00
fix: fix snapshots

fix: restore snapshots and fix static.spec.ts corruption from containerd-on run

The previous LLM session regenerated snapshots with containerd enabled,
which produced incorrect/truncated dep graphs. This restores the
rpm-transitive-dependencies snapshot to match main (full transitive dep
graph), and removes the duplicate OCI label test block that was
accidentally injected inside the opensuse test in static.spec.ts,
causing a TypeScript parse error.
diff --git a/lib/static.ts b/lib/static.ts
@@ -54,6 +54,8 @@ export async function analyzeStatically(
     packageFormat: parsedAnalysisResult.packageFormat,
   };
 
+  let syntheticDockerfileAnalysis = false;
+
   // If no Dockerfile was provided (or it couldn't detect the base image),
   // try to detect the base image from OCI standard labels.
   // Many modern images (Chainguard, Bitnami, official images) include
@@ -65,12 +67,25 @@ export async function analyzeStatically(
     const baseImageLabel =
       staticAnalysis.imageLabels["org.opencontainers.image.base.name"] ||
       staticAnalysis.imageLabels["org.opencontainers.image.base.digest"];
-    if (baseImageLabel && dockerfileAnalysis) {
-      dockerfileAnalysis.baseImage = baseImageLabel;
+    if (baseImageLabel) {
+      if (dockerfileAnalysis) {
+        dockerfileAnalysis.baseImage = baseImageLabel;
+      } else {
+        dockerfileAnalysis = {
+          baseImage: baseImageLabel,
+          dockerfilePackages: {},
+          dockerfileLayers: {},
+        };
+        syntheticDockerfileAnalysis = true;
+      }
     }
   }
 
-  const excludeBaseImageVulns = isTrue(options["exclude-base-image-vulns"]);
+  // When dockerfileAnalysis was synthetically created from OCI labels (no real
+  // Dockerfile was provided), we have no package data — so excluding base image
+  // vulns would silently strip all vulnerabilities. Disable it in that case.
+  const excludeBaseImageVulns =
+    isTrue(options["exclude-base-image-vulns"]) && !syntheticDockerfileAnalysis;
 
   const names = getImageNames(options, imageName);
   let ociDistributionMetadata: OCIDistributionMetadata | undefined;
diff --git a/test/lib/static.spec.ts b/test/lib/static.spec.ts
@@ -141,16 +141,94 @@ describe("analyzeStatically", () => {
       },
     });
 
-    // Should not crash
-    await expect(
-      analyzeStatically(
-        "test-image",
-        undefined,
-        "docker-archive",
-        "test-path",
-        { include: [], exclude: [] },
-        {},
-      ),
-    ).resolves.toBeDefined();
+    await analyzeStatically(
+      "test-image",
+      undefined,
+      "docker-archive",
+      "test-path",
+      { include: [], exclude: [] },
+      {},
+    );
+
+    const buildResponseCall = (
+      responseBuilder.buildResponse as jest.Mock
+    ).mock.calls[0];
+    // Second argument is dockerfileAnalysis
+    expect(buildResponseCall[1]).toMatchObject({ baseImage: "alpine:latest" });
+  });
+
+  it("creates synthetic dockerfileAnalysis when dockerfileAnalysis is undefined and OCI labels present", async () => {
+    (analyzer.analyzeStatically as jest.Mock).mockResolvedValue({
+      osRelease: { name: "test", version: "1" },
+      imageLabels: {
+        "org.opencontainers.image.base.name": "alpine:latest",
+      },
+    });
+
+    await analyzeStatically(
+      "test-image",
+      undefined,
+      "docker-archive",
+      "test-path",
+      { include: [], exclude: [] },
+      {},
+    );
+
+    const buildResponseCall = (
+      responseBuilder.buildResponse as jest.Mock
+    ).mock.calls[0];
+    expect(buildResponseCall[1]).toEqual({
+      baseImage: "alpine:latest",
+      dockerfilePackages: {},
+      dockerfileLayers: {},
+    });
+  });
+
+  it("passes excludeBaseImageVulns as false when dockerfileAnalysis is synthetic", async () => {
+    (analyzer.analyzeStatically as jest.Mock).mockResolvedValue({
+      osRelease: { name: "test", version: "1" },
+      imageLabels: {
+        "org.opencontainers.image.base.name": "alpine:latest",
+      },
+    });
+
+    await analyzeStatically(
+      "test-image",
+      undefined,
+      "docker-archive",
+      "test-path",
+      { include: [], exclude: [] },
+      { "exclude-base-image-vulns": "true" },
+    );
+
+    const buildResponseCall = (
+      responseBuilder.buildResponse as jest.Mock
+    ).mock.calls[0];
+    // Third argument is excludeBaseImageVulns
+    expect(buildResponseCall[2]).toBe(false);
+  });
+
+  it("passes excludeBaseImageVulns as true when dockerfileAnalysis is real", async () => {
+    (analyzer.analyzeStatically as jest.Mock).mockResolvedValue({
+      osRelease: { name: "test", version: "1" },
+      imageLabels: {
+        "org.opencontainers.image.base.name": "alpine:latest",
+      },
+    });
+
+    await analyzeStatically(
+      "test-image",
+      { dockerfilePackages: {}, dockerfileLayers: {}, baseImage: undefined },
+      "docker-archive",
+      "test-path",
+      { include: [], exclude: [] },
+      { "exclude-base-image-vulns": "true" },
+    );
+
+    const buildResponseCall = (
+      responseBuilder.buildResponse as jest.Mock
+    ).mock.calls[0];
+    // Third argument is excludeBaseImageVulns
+    expect(buildResponseCall[2]).toBe(true);
   });
 });
diff --git a/test/system/operating-systems/__snapshots__/distroless.spec.ts.snap b/test/system/operating-systems/__snapshots__/distroless.spec.ts.snap
@@ -157,8 +157,8 @@ Object {
         },
         Object {
           "data": Array [
-            "sha256:79d541cda6cb9a0c0e4aaa62aaea1f85b6b56544b5ad25e1e3369525ec0bf670",
-            "sha256:236f427c513a1d6f359c493154ef41bb0d768e0d0396599e0625a5f6fee476d7",
+            "b9cd0ea6c874f41c5c0ce7710de3f77e4c62988612c5e389b3b2b08ee356d8be/layer.tar",
+            "e2745900642c76d22dd0947e689689bba500cf937f75e3e335d1068221f31251/layer.tar",
           ],
           "type": "imageLayers",
         },
@@ -205,6 +205,7 @@ Object {
           "data": Object {
             "names": Array [
               "gcr.io/distroless/base-debian10@sha256:8756a25c4c5e902c4fe20322cc69d510a0517b51eab630c614efbd612ed568bf",
+              "gcr.io/distroless/base-debian10@sha256:8756a25c4c5e902c4fe20322cc69d510a0517b51eab630c614efbd612ed568bf",
             ],
           },
           "type": "imageNames",
diff --git a/test/system/package-managers/__snapshots__/chisel.spec.ts.snap b/test/system/package-managers/__snapshots__/chisel.spec.ts.snap
@@ -330,7 +330,7 @@ Object {
         },
         Object {
           "data": Array [
-            "sha256:214740def7356fff18e642236c22109b81bf104c163f3c055b974e37682f67c1",
+            "sha256:90024d52c80c098e7ad0c4dfd4d2d7c3b9709d5bd2efe023b2bde587fa3ce139",
           ],
           "type": "imageLayers",
         },
@@ -380,8 +380,6 @@ Object {
           "data": Object {
             "names": Array [
               "snykgoof/dockerhub-goof:ubuntu-chisel-24.04",
-              "snykgoof/dockerhub-goof@sha256:6c33709164fe0c9bc20e3d13ba3c1f2fcd6fc7fcf6357b84fbc1c50c483a1178",
-              "snykgoof/dockerhub-goof@sha256:2f7f8c4bb123b101e4356a8955cf294c0a7354249e5d8cc7b8a4e7bb02271cbc",
             ],
           },
           "type": "imageNames",
diff --git a/test/system/package-managers/__snapshots__/rpm.spec.ts.snap b/test/system/package-managers/__snapshots__/rpm.spec.ts.snap
diff --git a/test/system/registry-authentication/__snapshots__/username-password.spec.ts.snap b/test/system/registry-authentication/__snapshots__/username-password.spec.ts.snap
