fix: Adding a flag to activate applications scans for container images

snyk · Jul 9, 2020 · 7dd3e1d · 7dd3e1d
1 parent 803b971
commit 7dd3e1d
Show file tree

Hide file tree

Showing 5 changed files with 72 additions and 22 deletions.
diff --git a/package.json b/package.json
@@ -76,7 +76,7 @@
     "proxy-from-env": "^1.0.0",
     "semver": "^6.0.0",
     "snyk-config": "3.1.0",
-    "snyk-docker-plugin": "3.13.0",
+    "snyk-docker-plugin": "3.13.1",
     "snyk-go-plugin": "1.14.2",
     "snyk-gradle-plugin": "3.5.1",
     "snyk-module": "3.1.0",

diff --git a/src/cli/index.ts b/src/cli/index.ts
@@ -240,6 +240,14 @@ async function main() {
       (args.options as unknown) as AllSupportedCliOptions,
     );
 
+    if (args.options['app-vulns'] && args.options['json']) {
+      throw new UnsupportedOptionCombinationError([
+        'Application vulnerabilities is currently not supported with JSON output. ' +
+          'Please try using —app-vulns only to get application vulnerabilities, or ' +
+          '—json only to get your image vulnerabilties, excluding the application ones.',
+      ]);
+    }
+
     if (
       args.options.file &&
       typeof args.options.file === 'string' &&

diff --git a/src/cli/modes.ts b/src/cli/modes.ts
@@ -12,6 +12,7 @@ const modes: Record<string, ModeData> = {
     config: (args): [] => {
       args['docker'] = true;
       args['experimental'] = true;
+      args['app-vulns'] = args.json ? false : true;
 
       return args;
     },

diff --git a/src/lib/types.ts b/src/lib/types.ts
@@ -67,6 +67,8 @@ export interface Options {
   strictOutOfSync?: boolean;
   // Used with the Docker plugin only. Allows requesting some experimental/unofficial features.
   experimental?: boolean;
+  // Used with the Docker plugin only. Allows application scanning.
+  'app-vulns'?: boolean;
 }
 
 // TODO(kyegupov): catch accessing ['undefined-properties'] via noImplicitAny
@@ -86,6 +88,8 @@ export interface MonitorOptions {
   'prune-repeated-subdependencies'?: boolean;
   // Used with the Docker plugin only. Allows requesting some experimental/unofficial features.
   experimental?: boolean;
+  // Used with the Docker plugin only. Allows application scanning.
+  'app-vulns'?: boolean;
   reachableVulns?: boolean;
   yarnWorkspaces?: boolean;
 }

diff --git a/test/modes.test.ts b/test/modes.test.ts
@@ -136,6 +136,7 @@ test('when is a valid mode', (c) => {
           _: [],
           docker: true,
           experimental: true,
+          'app-vulns': true,
           'package-manager': 'pip',
         };
         const cliCommand = 'container';
@@ -155,28 +156,64 @@ test('when is a valid mode', (c) => {
     );
 
     d.test('when there is a command alias', (t) => {
-      t.test('"container t" should set docker option and test command', (t) => {
-        const expectedCommand = 't';
-        const expectedArgs = {
-          _: [],
-          docker: true,
-          experimental: true,
-          'package-manager': 'pip',
-        };
-        const cliCommand = 'container';
-        const cliArgs = {
-          _: ['t'],
-          'package-manager': 'pip',
-        };
-
-        const command = parseMode(cliCommand, cliArgs);
+      t.test(
+        '"container test" should set docker option and test command',
+        (t) => {
+          const expectedCommand = 't';
+          const expectedArgs = {
+            _: [],
+            docker: true,
+            experimental: true,
+            'app-vulns': true,
+            'package-manager': 'pip',
+          };
+          const cliCommand = 'container';
+          const cliArgs = {
+            _: ['t'],
+            'package-manager': 'pip',
+          };
+
+          const command = parseMode(cliCommand, cliArgs);
+
+          t.equal(command, expectedCommand);
+          t.same(cliArgs, expectedArgs);
+          t.ok(cliArgs['docker']);
+          t.ok(cliArgs['experimental']);
+          t.end();
+        },
+      );
+      t.end();
+    });
 
-        t.equal(command, expectedCommand);
-        t.same(cliArgs, expectedArgs);
-        t.ok(cliArgs['docker']);
-        t.ok(cliArgs['experimental']);
-        t.end();
-      });
+    d.test('when there is a command alias', (t) => {
+      t.test(
+        '"container test" should set docker option and not app-vulns and test command',
+        (t) => {
+          const expectedCommand = 't';
+          const expectedArgs = {
+            _: [],
+            json: true,
+            docker: true,
+            experimental: true,
+            'app-vulns': false,
+            'package-manager': 'pip',
+          };
+          const cliCommand = 'container';
+          const cliArgs = {
+            _: ['t'],
+            json: true,
+            'package-manager': 'pip',
+          };
+
+          const command = parseMode(cliCommand, cliArgs);
+
+          t.equal(command, expectedCommand);
+          t.same(cliArgs, expectedArgs);
+          t.ok(cliArgs['docker']);
+          t.ok(cliArgs['experimental']);
+          t.end();
+        },
+      );
       t.end();
     });
     d.end();