
Commit 66fedc9

committed
feat: support docker hardened images
1 parent 536c8c4 commit 66fedc9


4 files changed

+166
-8
lines changed


package-lock.json

Lines changed: 8 additions & 7 deletions

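--- a/package.json
+++ b/package.json
@@ -117,7 +117,7 @@
 "semver": "^6.0.0",
 "snyk-config": "^5.0.0",
 "snyk-cpp-plugin": "2.24.1",
-"snyk-docker-plugin": "8.10.2",
+"snyk-docker-plugin": "8.12.0",
 "snyk-go-plugin": "1.23.0",
 "snyk-gradle-plugin": "5.1.0",
 "snyk-module": "3.1.0",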

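--- a/test/tap/cli-test.acceptance.test.ts
+++ b/test/tap/cli-test.acceptance.test.ts
@@ -17,6 +17,7 @@ import { CocoapodsTests } from './cli-test/cli-test.cocoapods.spec';
 import { SwiftTests } from './cli-test/cli-test.swift.spec';
 import { ComposerTests } from './cli-test/cli-test.composer.spec';
 import { DockerTests } from './cli-test/cli-test.docker.spec';
+import { DockerDHITests } from './cli-test/cli-test.docker-dhi.spec';
 import { GoTests } from './cli-test/cli-test.go.spec';
 import { GradleTests } from './cli-test/cli-test.gradle.spec';
 import { MavenTests } from './cli-test/cli-test.maven.spec';
@@ -34,6 +35,7 @@ const languageTests: AcceptanceTests[] = [
 CocoapodsTests,
 ComposerTests,
 DockerTests,
+DockerDHITests,
 GoTests,
 GradleTests,
 MavenTests,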
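--- /dev/null
+++ b/test/tap/cli-test/cli-test.docker-dhi.spec.ts
@@ -0,0 +1,155 @@
+import { AcceptanceTests } from '../cli-test.acceptance.test';
+
+export const DockerDHITests: AcceptanceTests = {
+language: 'Docker',
+tests: {
+'`test foo:latest --docker` with mixed DHI and non-DHI packages':
+(params) => async (t) => {
+const spyPlugin = stubDockerPluginResponse(
+params.ecoSystemPlugins,
+{
+scanResults: [
+{
+facts: [
+{
+type: 'depGraph',
+data: {
+schemaVersion: '1.2.0',
+pkgManager: {
+name: 'deb',
+repositories: [{ alias: 'debian:12' }],
+},
+pkgs: [
+{
+id: 'docker-image|foo@latest',
+info: {
+name: 'docker-image|foo',
+version: 'latest',
+},
+},
+{
+id: '[email protected]+deb12u8',
+info: {
+name: 'curl',
+version: '7.88.1-10+deb12u8',
+purl: 'pkg:deb/dhi/[email protected]%2Bdeb12u8?distro=debian-bookworm',
+},
+},
+{
+id: '[email protected]+deb12u5',
+info: {
+name: 'base-files',
+version: '12.4+deb12u5',
+purl: 'pkg:deb/debian/[email protected]%2Bdeb12u5?distro=debian-bookworm',
+},
+},
+],
+graph: {
+rootNodeId: 'root-node',
+nodes: [
+{
+nodeId: 'root-node',
+pkgId: 'docker-image|foo@latest',
+deps: [
+{ nodeId: '[email protected]+deb12u8' },
+{ nodeId: '[email protected]+deb12u5' },
+],
+},
+{
+nodeId: '[email protected]+deb12u8',
+pkgId: '[email protected]+deb12u8',
+deps: [],
+},
+{
+nodeId: '[email protected]+deb12u5',
+pkgId: '[email protected]+deb12u5',
+deps: [],
+},
+],
+},
+},
+},
+{ type: 'dockerfileAnalysis', data: {} },
+],
+identity: {
+type: 'deb',
+},
+target: {
+image: 'docker-image|foo',
+},
+},
+],
+},
+t,
+);
+
+await params.cli.test('foo:latest', {
+docker: true,
+org: 'explicit-org',
+});
+
+const req = params.server.popRequest();
+t.equal(req.method, 'POST', 'makes POST request');
+t.match(req.url, '/test-dependencies', 'posts to correct url');
+
+const depGraphData = req.body.scanResult.facts.find(
+(fact) => fact.type === 'depGraph',
+)?.data;
+t.ok(depGraphData, 'depGraph fact exists');
+
+const curlPkg = depGraphData.pkgs.find(
+(pkg) => pkg.id === '[email protected]+deb12u8',
+);
+t.ok(curlPkg, 'curl package exists in depGraph');
+t.equal(
+curlPkg?.info?.purl,
+'pkg:deb/dhi/[email protected]%2Bdeb12u8?distro=debian-bookworm',
+'DHI package has dhi namespace in PURL',
+);
+
+const baseFilesPkg = depGraphData.pkgs.find(
+(pkg) => pkg.id === '[email protected]+deb12u5',
+);
+t.ok(baseFilesPkg, 'base-files package exists in depGraph');
+t.equal(
+baseFilesPkg?.info?.purl,
+'pkg:deb/debian/[email protected]%2Bdeb12u5?distro=debian-bookworm',
+'non-DHI package has debian namespace in PURL',
+);
+
+t.same(
+spyPlugin.getCall(0).args,
+[
+{
+docker: true,
+org: 'explicit-org',
+showVulnPaths: 'some',
+maxVulnPaths: undefined,
+'exclude-app-vulns': false,
+path: 'foo:latest',
+projectName: undefined,
+packageManager: undefined,
+},
+],
+'calls docker plugin with expected arguments',
+);
+},
+},
+};
+
+function stubDockerPluginResponse(plugins, fixture: string | object, t) {
+const plugin = {
+async scan() {
+return typeof fixture === 'object' ? fixture : await import(fixture);
+},
+async display() {
+return '';
+},
+};
+const spyPlugin = require('sinon').spy(plugin, 'scan');
+const loadPlugin = require('sinon').stub(plugins, 'getPlugin');
+loadPlugin.withArgs(require('sinon').match.any).returns(plugin);
+t.teardown(loadPlugin.restore);
+
+return spyPlugin;
+}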
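Review bot: The two PURL assertions (`t.equal(curlPkg?.info?.purl, 'pkg:deb/dhi/…')` and the matching `base-files` one) compare against values that come verbatim from the `scanResults` fixture passed to `stubDockerPluginResponse`, so the test only proves the CLI forwards `info.purl` to `/test-dependencies` unmodified and would pass even if nothing in the CLI treated DHI packages differently; that is a reasonable regression guard but the scope should be stated above the test, e.g. `// The dhi/debian namespaces are fixed by the stubbed plugin response; this only guards against the CLI dropping or rewriting info.purl before the test-dependencies POST.` In `stubDockerPluginResponse`, `plugins` and `t` are untyped (implicit `any`) and `require('sinon')` is called three times; a single `sinon` import at the top of the file plus parameter types would let this compile under `noImplicitAny` and match the ES-module imports used elsewhere in the diff. The helper looks like a copy of the one the existing Docker acceptance spec presumably has — if so, exporting and reusing that one would avoid two stubs drifting apart. The `spyPlugin` wrapper on `plugin.scan` is never restored; harmless because `plugin` is local, but a short comment saying so would save the next reader the check.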
