
Commit b0379c9

committed
feat: support docker hardened images
1 parent 536c8c4 commit b0379c9


4 files changed

+169
-8
lines changed


package-lock.json

Lines changed: 8 additions & 7 deletions

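--- a/package.json
+++ b/package.json
@@ -117,7 +117,7 @@
 "semver": "^6.0.0",
 "snyk-config": "^5.0.0",
 "snyk-cpp-plugin": "2.24.1",
-"snyk-docker-plugin": "8.10.2",
+"snyk-docker-plugin": "8.12.0",
 "snyk-go-plugin": "1.23.0",
 "snyk-gradle-plugin": "5.1.0",
 "snyk-module": "3.1.0",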

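--- a/test/tap/cli-test.acceptance.test.ts
+++ b/test/tap/cli-test.acceptance.test.ts
@@ -17,6 +17,7 @@ import { CocoapodsTests } from './cli-test/cli-test.cocoapods.spec';
 import { SwiftTests } from './cli-test/cli-test.swift.spec';
 import { ComposerTests } from './cli-test/cli-test.composer.spec';
 import { DockerTests } from './cli-test/cli-test.docker.spec';
+import { DockerDHITests } from './cli-test/cli-test.docker-dhi.spec';
 import { GoTests } from './cli-test/cli-test.go.spec';
 import { GradleTests } from './cli-test/cli-test.gradle.spec';
 import { MavenTests } from './cli-test/cli-test.maven.spec';
@@ -34,6 +35,7 @@ const languageTests: AcceptanceTests[] = [
 CocoapodsTests,
 ComposerTests,
 DockerTests,
+DockerDHITests,
 GoTests,
 GradleTests,
 MavenTests,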
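--- /dev/null
+++ b/test/tap/cli-test/cli-test.docker-dhi.spec.ts
@@ -0,0 +1,158 @@
+import { AcceptanceTests } from '../cli-test.acceptance.test';
+
+export const DockerDHITests: AcceptanceTests = {
+language: 'Docker',
+tests: {
+'`test foo:latest --docker` with mixed DHI and non-DHI packages':
+(params) => async (t) => {
+const spyPlugin = stubDockerPluginResponse(
+params.ecoSystemPlugins,
+{
+scanResults: [
+{
+facts: [
+{
+type: 'depGraph',
+data: {
+schemaVersion: '1.2.0',
+pkgManager: {
+name: 'deb',
+repositories: [{ alias: 'debian:12' }],
+},
+pkgs: [
+{
+id: 'docker-image|foo@latest',
+info: {
+name: 'docker-image|foo',
+version: 'latest',
+},
+},
+{
+id: '[email protected]+deb12u8',
+info: {
+name: 'curl',
+version: '7.88.1-10+deb12u8',
+purl:
+'pkg:deb/dhi/[email protected]%2Bdeb12u8?distro=debian-bookworm',
+},
+},
+{
+id: '[email protected]+deb12u5',
+info: {
+name: 'base-files',
+version: '12.4+deb12u5',
+purl:
+'pkg:deb/debian/[email protected]%2Bdeb12u5?distro=debian-bookworm',
+},
+},
+],
+graph: {
+rootNodeId: 'root-node',
+nodes: [
+{
+nodeId: 'root-node',
+pkgId: 'docker-image|foo@latest',
+deps: [
+{ nodeId: '[email protected]+deb12u8' },
+{ nodeId: '[email protected]+deb12u5' },
+],
+},
+{
+nodeId: '[email protected]+deb12u8',
+pkgId: '[email protected]+deb12u8',
+deps: [],
+},
+{
+nodeId: '[email protected]+deb12u5',
+pkgId: '[email protected]+deb12u5',
+deps: [],
+},
+],
+},
+},
+},
+{ type: 'dockerfileAnalysis', data: {} },
+],
+identity: {
+type: 'deb',
+},
+target: {
+image: 'docker-image|foo',
+},
+},
+],
+},
+t,
+);
+
+await params.cli.test('foo:latest', {
+docker: true,
+org: 'explicit-org',
+});
+
+const req = params.server.popRequest();
+t.equal(req.method, 'POST', 'makes POST request');
+t.match(req.url, '/test-dependencies', 'posts to correct url');
+
+const depGraphData = req.body.scanResult.facts.find(
+(fact) => fact.type === 'depGraph',
+)?.data;
+t.ok(depGraphData, 'depGraph fact exists');
+
+const curlPkg = depGraphData.pkgs.find(
+(pkg) => pkg.id === '[email protected]+deb12u8',
+);
+t.ok(curlPkg, 'curl package exists in depGraph');
+t.equal(
+curlPkg?.info?.purl,
+'pkg:deb/dhi/[email protected]%2Bdeb12u8?distro=debian-bookworm',
+'DHI package has dhi namespace in PURL',
+);
+
+const baseFilesPkg = depGraphData.pkgs.find(
+(pkg) => pkg.id === '[email protected]+deb12u5',
+);
+t.ok(baseFilesPkg, 'base-files package exists in depGraph');
+t.equal(
+baseFilesPkg?.info?.purl,
+'pkg:deb/debian/[email protected]%2Bdeb12u5?distro=debian-bookworm',
+'non-DHI package has debian namespace in PURL',
+);
+
+t.same(
+spyPlugin.getCall(0).args,
+[
+{
+docker: true,
+org: 'explicit-org',
+showVulnPaths: 'some',
+maxVulnPaths: undefined,
+'exclude-app-vulns': false,
+path: 'foo:latest',
+projectName: undefined,
+packageManager: undefined,
+},
+],
+'calls docker plugin with expected arguments',
+);
+},
+},
+};
+
+function stubDockerPluginResponse(plugins, fixture: string | object, t) {
+const plugin = {
+async scan() {
+return typeof fixture === 'object' ? fixture : await import(fixture);
+},
+async display() {
+return '';
+},
+};
+const spyPlugin = require('sinon').spy(plugin, 'scan');
+const loadPlugin = require('sinon').stub(plugins, 'getPlugin');
+loadPlugin.withArgs(require('sinon').match.any).returns(plugin);
+t.teardown(loadPlugin.restore);
+
+return spyPlugin;
+}
+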
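Review bot: `t.ok(depGraphData, 'depGraph fact exists')` at new line 100 does not narrow, so when the posted body carries no `depGraph` fact the next statement `depGraphData.pkgs.find(...)` throws a TypeError and the run aborts on a stack trace instead of reporting the failed assertion; add `if (!depGraphData) return;` directly after the `t.ok`. In `stubDockerPluginResponse` at the bottom of the file, `plugins` and `t` carry no type annotation (implicit `any` under `noImplicitAny`) and `require('sinon')` is evaluated three times; annotate both parameters and hoist the module into one local, `const sinon = require('sinon');`, then use `sinon.spy`, `sinon.stub` and `sinon.match.any`. The helper also looks like a verbatim copy of the stub the existing `cli-test.docker.spec` presumably carries — if so, exporting it from there and importing it here keeps the two from drifting apart.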
