fix: enforce stricter number validation when using --nested-jars-depth flag (#736)

* fix: enforce stricter number validation when using --nested-jars-depth flag

Replaced loose validation logic with a new isStrictNumber helper. This narrows the scope of valid inputs to strictly finite numbers, eliminating loose type coercion.

Empty strings remain valid and resolve to the minimum nested-jars-depth of 1. This maintains parity with how other CLI flags handle default/empty states.

BREAKING CHANGE: The application no longer accepts `true` as a valid numeric argument.

* fix: ran npm to format linting

* fix: added formatted changes

* chore: updated snapshots

* refactor: removed redundant call to Number.isNaN(num)

* fix: resolve package-lock.json conflict

* fix: handle empty/whitespace inputs for jar depth flags correctly

- Added relevant test cases for empty strings, w/ and w/o spaces
- Fixed asymmetric behavior between `shaded-jars-depth` and `nested-jars-depth`
- Renamed `test/unit/options-utils.spec.ts` to match source filename

* refactor: added helper function for resolving nested-jars params

* fix: add check to prevent users from using both flags

* chore: fixed linting issues

* chore: switched .replace(...) for .trim()

Author: ividalATSnyk

lib/analyzer/static-analyzer.ts

@@ -56,6 +56,7 @@ import {
   getRpmSqliteDbFileContent,
   getRpmSqliteDbFileContentAction,
 } from "../inputs/rpm/static";
+import { resolveNestedJarsOption } from "../option-utils";
 import { isTrue } from "../option-utils";
 import { ImageType, ManifestFile, PluginOptions } from "../types";
 import {
@@ -318,8 +319,7 @@ export async function analyze(
 }
 
 function getNestedJarsDesiredDepth(options: Partial<PluginOptions>) {
-  const nestedJarsOption =
-    options["nested-jars-depth"] || options["shaded-jars-depth"];
+  const nestedJarsOption = resolveNestedJarsOption(options);
   let nestedJarsDepth = 1;
   const depthNumber = Number(nestedJarsOption);
   if (!isNaN(depthNumber) && depthNumber >= 0) {

lib/option-utils.ts

@@ -1,9 +1,34 @@
-export { isTrue, isNumber };
+import { PluginOptions } from "./types";
+export { isTrue, isNumber, isStrictNumber };
 
 function isTrue(value?: boolean | string): boolean {
   return String(value).toLowerCase() === "true";
 }
 
+// This strictly follows the ECMAScript Language Specification: https://262.ecma-international.org/5.1/#sec-9.3
 function isNumber(value?: boolean | string): boolean {
   return !isNaN(Number(value));
 }
+
+// Must be a finite numeric value, excluding booleans, Infinity, and non-numeric strings
+function isStrictNumber(value?: boolean | string): boolean {
+  if (typeof value === "boolean" || !value?.trim().length) {
+    return false;
+  }
+
+  const num = Number(value);
+  return Number.isFinite(num);
+}
+
+export function resolveNestedJarsOption(options?: Partial<PluginOptions>) {
+  const safeOptions = options || {};
+
+  return [
+    safeOptions["nested-jars-depth"],
+    safeOptions["shaded-jars-depth"],
+  ].find(isDefined);
+}
+
+export function isDefined(value?: string | boolean): boolean {
+  return value !== "" && value != null;
+}

lib/scan.ts

@@ -9,7 +9,12 @@ import { ImageName } from "./extractor/image";
 import { ExtractAction, ExtractionResult } from "./extractor/types";
 import { fullImageSavePath } from "./image-save-path";
 import { getArchivePath, getImageType } from "./image-type";
-import { isNumber, isTrue } from "./option-utils";
+import {
+  isDefined,
+  isStrictNumber,
+  isTrue,
+  resolveNestedJarsOption,
+} from "./option-utils";
 import * as staticModule from "./static";
 import { ImageType, PluginOptions, PluginResponse } from "./types";
 import { isValidDockerImageReference } from "./utils";
@@ -40,20 +45,24 @@ async function getAnalysisParameters(
     throw new Error("No image identifier or path provided");
   }
 
-  const nestedJarsDepth =
-    options["nested-jars-depth"] || options["shaded-jars-depth"];
   if (
-    (isTrue(nestedJarsDepth) || isNumber(nestedJarsDepth)) &&
-    isTrue(options["exclude-app-vulns"])
+    isDefined(options["shaded-jars-depth"]) &&
+    isDefined(options["nested-jars-depth"])
   ) {
+    throw new Error(
+      "Cannot use --shaded-jars-depth together with --nested-jars-depth, please use the latter",
+    );
+  }
+
+  const nestedJarsDepth = resolveNestedJarsOption(options);
+  if (isStrictNumber(nestedJarsDepth) && isTrue(options["exclude-app-vulns"])) {
     throw new Error(
       "To use --nested-jars-depth, you must not use --exclude-app-vulns",
     );
   }
 
   if (
-    (!isNumber(nestedJarsDepth) &&
-      !isTrue(nestedJarsDepth) &&
+    (!isStrictNumber(nestedJarsDepth) &&
       typeof nestedJarsDepth !== "undefined") ||
     Number(nestedJarsDepth) < 0
   ) {

test/lib/save/image.tar

@@ -96,26 +96,25 @@ describe("jar binaries scanning", () => {
             imageNameAndTag = `docker-archive:${fixturePath}`;
           });
 
-          it("should return nested (second-level) jar in the result", async () => {
+          it(`should unpack 1 level of jars if ${flagName} flag is missing`, async () => {
             // Act
             pluginResult = await scan({
               path: imageNameAndTag,
               "app-vulns": true,
-              [flagName]: true,
             });
 
-            // Assert
             fingerprints =
               pluginResult.scanResults[1].facts[0].data.fingerprints;
 
             expect(fingerprints).toContainEqual(nestedJar);
           });
 
-          it(`should unpack 1 level of jars if ${flagName} flag is missing`, async () => {
+          it(`should unpack 1 level of jars if ${flagName} flag is ''`, async () => {
             // Act
             pluginResult = await scan({
               path: imageNameAndTag,
               "app-vulns": true,
+              [flagName]: "",
             });
 
             fingerprints =
@@ -146,6 +145,17 @@ describe("jar binaries scanning", () => {
             expect(fingerprints).not.toContainEqual(nestedJar);
           });
 
+          it(`should throw if ${flagName} flag is set to true`, async () => {
+            // Act + Assert
+            await expect(
+              scan({
+                path: imageNameAndTag,
+                "app-vulns": true,
+                [flagName]: true,
+              }),
+            ).rejects.toThrow();
+          });
+
           it(`should throw if ${flagName} flag is set to -1`, async () => {
             // Act + Assert
             await expect(
@@ -157,6 +167,17 @@ describe("jar binaries scanning", () => {
             ).rejects.toThrow();
           });
 
+          it(`should throw if ${flagName} flag is set to ' '`, async () => {
+            // Act + Assert
+            await expect(
+              scan({
+                path: imageNameAndTag,
+                "app-vulns": true,
+                [flagName]: " ",
+              }),
+            ).rejects.toThrow();
+          });
+
           it("should throw error if exclude-app-vulns flag is true", async () => {
             // Act
             await expect(
@@ -467,5 +488,23 @@ describe("jar binaries scanning", () => {
         });
       },
     );
+    describe("conflicting flags", () => {
+      const fixturePath = getFixture(
+        "docker-archives/docker-save/java-uberjar.tar",
+      );
+      const imageNameAndTag = `docker-archive:${fixturePath}`;
+
+      it(`should throw if both --shaded-jars-depth and --nested-jars-depth flags are set`, async () => {
+        // Act + Assert
+        await expect(
+          scan({
+            path: imageNameAndTag,
+            "app-vulns": true,
+            "shaded-jars-depth": "2",
+            "nested-jars-depth": "4",
+          }),
+        ).rejects.toThrow();
+      });
+    });
   });
 });