feat: add advanced package manager detection

snyk-tim · snyk-tim · commit 80179e409737 · 2025-09-18T14:39:40.000+01:00
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -72,6 +72,7 @@
     "@snyk/gemfile": "1.2.0",
     "@snyk/snyk-cocoapods-plugin": "3.1.0",
     "@snyk/snyk-hex-plugin": "2.1.0",
+    "@snyk/package-manager-detection": "^1.3.0",
     "@types/jest-json-schema": "^6.1.1",
     "@types/marked": "^4.0.0",
     "abbrev": "^1.1.1",
diff --git a/src/cli/commands/monitor/index.ts b/src/cli/commands/monitor/index.ts
@@ -53,6 +53,7 @@ import {
   PNPM_FEATURE_FLAG,
   DOTNET_WITHOUT_PUBLISH_FEATURE_FLAG,
   MAVEN_DVERBOSE_EXHAUSTIVE_DEPS_FF,
+  ADVANCED_PACKAGE_MANAGER_DETECTION_FLAG,
 } from '../../../lib/package-managers';
 import { normalizeTargetFile } from '../../../lib/normalize-target-file';
 
@@ -167,6 +168,8 @@ export default async function monitor(...args0: MethodArgs): Promise<any> {
   let hasPnpmSupport = false;
   let hasImprovedDotnetWithoutPublish = false;
   let enableMavenDverboseExhaustiveDeps = false;
+  let enableAdvancedPackageManagerDetection = false;
+
   try {
     hasPnpmSupport = (await hasFeatureFlag(
       PNPM_FEATURE_FLAG,
@@ -182,6 +185,15 @@ export default async function monitor(...args0: MethodArgs): Promise<any> {
     hasPnpmSupport = false;
   }
 
+  try {
+    enableAdvancedPackageManagerDetection = (await hasFeatureFlag(
+      ADVANCED_PACKAGE_MANAGER_DETECTION_FLAG,
+      options,
+    )) as boolean;
+  } catch (err) {
+    enableAdvancedPackageManagerDetection = false;
+  }
+
   try {
     const args = options['_doubleDashArgs'] || [];
     const verboseEnabled =
@@ -202,9 +214,13 @@ export default async function monitor(...args0: MethodArgs): Promise<any> {
     enableMavenDverboseExhaustiveDeps = false;
   }
 
-  const featureFlags = hasPnpmSupport
-    ? new Set<string>([PNPM_FEATURE_FLAG])
-    : new Set<string>();
+  const featureFlags = new Set<string>();
+  if (hasPnpmSupport) {
+    featureFlags.add(PNPM_FEATURE_FLAG);
+  }
+  if (enableAdvancedPackageManagerDetection) {
+    featureFlags.add(ADVANCED_PACKAGE_MANAGER_DETECTION_FLAG);
+  }
 
   if (hasImprovedDotnetWithoutPublish) {
     options.useImprovedDotnetWithoutPublish = true;
diff --git a/src/lib/detect.ts b/src/lib/detect.ts
@@ -6,7 +6,9 @@ import {
   SupportedPackageManagers,
   SUPPORTED_MANIFEST_FILES,
   PNPM_FEATURE_FLAG,
+  ADVANCED_PACKAGE_MANAGER_DETECTION_FLAG,
 } from './package-managers';
+import { detectPackageManagerFromFile as advancedDetectPackageManagerFromFile } from '@snyk/package-manager-detection';
 
 const debug = debugLib('snyk-detect');
 
@@ -70,6 +72,9 @@ export const AUTO_DETECTABLE_FILES: string[] = [
 
 // when file is specified with --file, we look it up here
 // this is also used when --all-projects flag is enabled and auto detection plugin is triggered
+/**
+ * @deprecated Any change here should be reflected in the package @snyk/package-manager-detection
+ */
 const DETECTABLE_PACKAGE_MANAGERS: {
   [key in SUPPORTED_MANIFEST_FILES]: SupportedPackageManagers;
 } = {
@@ -218,6 +223,18 @@ export function detectPackageFile(
 export function detectPackageManagerFromFile(
   file: string,
   featureFlags: Set<string> = new Set<string>(),
+): SupportedPackageManagers {
+  if (featureFlags.has(ADVANCED_PACKAGE_MANAGER_DETECTION_FLAG)) {
+    debug(`using advanced package manager detection for ${file}`);
+    return advancedDetectPackageManagerFromFile(file, featureFlags);
+  }
+
+  return legacyDetectPackageManagerFromFile(file, featureFlags);
+}
+
+function legacyDetectPackageManagerFromFile(
+  file: string,
+  featureFlags: Set<string> = new Set<string>(),
 ): SupportedPackageManagers {
   let key = pathLib.basename(file);
 
diff --git a/src/lib/package-managers.ts b/src/lib/package-managers.ts
@@ -3,7 +3,12 @@ export const DOTNET_WITHOUT_PUBLISH_FEATURE_FLAG =
   'useImprovedDotnetWithoutPublish';
 export const MAVEN_DVERBOSE_EXHAUSTIVE_DEPS_FF =
   'enableMavenDverboseExhaustiveDeps';
+export const ADVANCED_PACKAGE_MANAGER_DETECTION_FLAG =
+  'enableAdvancedPackageManagerDetection';
 
+/**
+ * @deprecated Any change here should be reflected in the package @snyk/package-manager-detection
+ */
 export type SupportedPackageManagers =
   | 'rubygems'
   | 'npm'
@@ -25,6 +30,9 @@ export type SupportedPackageManagers =
   | 'Unmanaged (C/C++)'
   | 'swift';
 
+/**
+ * @deprecated Any change here should be reflected in the package @snyk/package-manager-detection
+ */
 export enum SUPPORTED_MANIFEST_FILES {
   GEMFILE = 'Gemfile',
   GEMFILE_LOCK = 'Gemfile.lock',
diff --git a/src/lib/snyk-test/index.js b/src/lib/snyk-test/index.js
@@ -11,6 +11,7 @@ const {
   PNPM_FEATURE_FLAG,
   DOTNET_WITHOUT_PUBLISH_FEATURE_FLAG,
   MAVEN_DVERBOSE_EXHAUSTIVE_DEPS_FF,
+  ADVANCED_PACKAGE_MANAGER_DETECTION_FLAG,
 } = require('../package-managers');
 
 async function test(root, options, callback) {
@@ -36,6 +37,8 @@ async function executeTest(root, options) {
   let hasPnpmSupport = false;
   let hasImprovedDotnetWithoutPublish = false;
   let enableMavenDverboseExhaustiveDeps = false;
+  let enableAdvancedPackageManagerDetection = false;
+
   try {
     hasPnpmSupport = await hasFeatureFlag(PNPM_FEATURE_FLAG, options);
     if (options['dotnet-runtime-resolution']) {
@@ -51,6 +54,15 @@ async function executeTest(root, options) {
     hasPnpmSupport = false;
   }
 
+  try {
+    enableAdvancedPackageManagerDetection = await hasFeatureFlag(
+      ADVANCED_PACKAGE_MANAGER_DETECTION_FLAG,
+      options,
+    );
+  } catch (err) {
+    enableAdvancedPackageManagerDetection = false;
+  }
+
   try {
     const args = options['_doubleDashArgs'] || [];
     const verboseEnabled =
@@ -72,9 +84,13 @@ async function executeTest(root, options) {
   }
 
   try {
-    const featureFlags = hasPnpmSupport
-      ? new Set([PNPM_FEATURE_FLAG])
-      : new Set([]);
+    const featureFlags = new Set();
+    if (hasPnpmSupport) {
+      featureFlags.add(PNPM_FEATURE_FLAG);
+    }
+    if (enableAdvancedPackageManagerDetection) {
+      featureFlags.add(ADVANCED_PACKAGE_MANAGER_DETECTION_FLAG);
+    }
 
     if (!options.allProjects) {
       options.packageManager = detect.detectPackageManager(
diff --git a/test/acceptance/fake-server.ts b/test/acceptance/fake-server.ts
@@ -17,6 +17,7 @@ const featureFlagDefaults = (): Map<string, boolean> => {
     ['enablePnpmCli', false],
     ['sbomMonitorBeta', false],
     ['useImprovedDotnetWithoutPublish', false],
+    ['enableAdvancedPackageManagerDetection', false],
 
     // Default these to false.
     // TODO: Future acceptance tests targeting these features and their
diff --git a/test/fixtures/npm-nx-build-platform/nx.json b/test/fixtures/npm-nx-build-platform/nx.json
@@ -0,0 +1,3 @@
+{
+  "$schema": "./node_modules/nx/schemas/nx-schema.json"
+}
diff --git a/test/fixtures/npm-nx-build-platform/package-lock.json b/test/fixtures/npm-nx-build-platform/package-lock.json
diff --git a/test/fixtures/npm-nx-build-platform/package.json b/test/fixtures/npm-nx-build-platform/package.json
@@ -0,0 +1,14 @@
+{
+  "name": "with-vulnerable-lodash-dep",
+  "version": "1.2.3",
+  "description": "",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "keywords": [],
+  "license": "ISC",
+  "dependencies": {
+    "lodash": "4.17.15"
+  }
+}
diff --git a/test/fixtures/npm-nx-build-platform/project.json b/test/fixtures/npm-nx-build-platform/project.json
@@ -0,0 +1,31 @@
+{
+  "name": "with-vulnerable-lodash-dep",
+  "$schema": "./node_modules/nx/schemas/project-schema.json",
+  "sourceRoot": "src",
+  "projectType": "application",
+  "targets": {
+    "build": {
+      "executor": "nx:run-commands",
+      "options": {
+        "command": "npm run build"
+      },
+      "inputs": ["default"],
+      "outputs": ["{projectRoot}/dist"]
+    },
+    "test": {
+      "executor": "nx:run-commands",
+      "options": {
+        "command": "npm test"
+      },
+      "inputs": ["default"]
+    },
+    "lint": {
+      "executor": "nx:run-commands",
+      "options": {
+        "command": "npm run lint"
+      },
+      "inputs": ["default"]
+    }
+  },
+  "tags": []
+}
diff --git a/test/jest/acceptance/snyk-sbom/npm-options.spec.ts b/test/jest/acceptance/snyk-sbom/npm-options.spec.ts
@@ -1,5 +1,8 @@
 import { fakeServer } from '../../../acceptance/fake-server';
-import { createProjectFromWorkspace } from '../../util/createProject';
+import {
+  createProjectFromWorkspace,
+  createProject,
+} from '../../util/createProject';
 import { runSnykCLI } from '../../util/runSnykCLI';
 
 jest.setTimeout(1000 * 60 * 5);
@@ -35,7 +38,49 @@ describe('snyk sbom: npm options (mocked server only)', () => {
     });
   });
 
-  test('`sbom --strict-out-of-sync=false` generates an SBOM for the NPM project by NOT preventing scanning out-of-sync NPM lockfiles.', async () => {
+  test('sbom creation fails due to presence of nx build platform project.json with advanced package manager detection disabled', async () => {
+    server.setFeatureFlag('enableAdvancedPackageManagerDetection', false);
+    const project = await createProject('npm-nx-build-platform');
+
+    const { code, stdout } = await runSnykCLI(
+      `sbom --org aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee --format cyclonedx1.4+json --all-projects --debug`,
+      {
+        cwd: project.path(),
+        env,
+      },
+    );
+
+    expect(code).toEqual(2);
+    expect(stdout).toContainText(
+      'npm-nx-build-platform/project.json: No valid Dotnet target',
+    );
+  });
+
+  test('sbom creation handles presence of nx build platform project.json file by using advanced package manager detection', async () => {
+    server.setFeatureFlag('enableAdvancedPackageManagerDetection', true);
+    const project = await createProject('npm-nx-build-platform');
+
+    const { code, stdout } = await runSnykCLI(
+      `sbom --org aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee --format cyclonedx1.4+json --all-projects --debug`,
+      {
+        cwd: project.path(),
+        env,
+      },
+    );
+    let bom;
+
+    expect(code).toEqual(0);
+    expect(stdout).not.toContainText(
+      'npm-nx-build-platform/project.json: No valid Dotnet target',
+    );
+    expect(() => {
+      bom = JSON.parse(stdout);
+    }).not.toThrow();
+    expect(bom.metadata.component.name).toEqual('with-vulnerable-lodash-dep');
+    expect(bom.components).toHaveLength(2);
+  });
+
+  test('sbom --strict-out-of-sync=false` generates an SBOM for the NPM project by NOT preventing scanning out-of-sync NPM lockfiles.', async () => {
     const project = await createProjectFromWorkspace('npm-out-of-sync');
 
     const { code, stdout } = await runSnykCLI(
@@ -55,7 +100,7 @@ describe('snyk sbom: npm options (mocked server only)', () => {
     expect(bom.components).toHaveLength(3);
   });
 
-  test('`sbom --strict-out-of-sync=true` fails to generate an SBOM for the NPM project because out-of-sync NPM lockfiles.', async () => {
+  test('sbom --strict-out-of-sync=true` fails to generate an SBOM for the NPM project because out-of-sync NPM lockfiles.', async () => {
     const project = await createProjectFromWorkspace('npm-out-of-sync');
 
     const { code, stdout, stderr } = await runSnykCLI(

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+{`
	`2`	`+ "$schema": "./node_modules/nx/schemas/nx-schema.json"`
	`3`	`+}`