Merge pull request #3874 from snyk/feat/no-app-vulns

feat: add flag to exclude app vulnerabilities

Author: tommyknows

src/cli/commands/monitor/index.ts

@@ -4,6 +4,7 @@ import * as Debug from 'debug';
 import * as pathUtil from 'path';
 import { legacyPlugin as pluginApi } from '@snyk/cli-interface';
 import { checkOSSPaths } from '../../../lib/check-paths';
+import * as theme from '../../../lib/theme';
 
 import {
   MonitorOptions,
@@ -50,6 +51,11 @@ import { processCommandArgs } from '../process-command-args';
 
 const SEPARATOR = '\n-------------------------------------------------------\n';
 const debug = Debug('snyk');
+const appVulnsReleaseWarningMsg = `${theme.icon.WARNING} Important: Beginning January 24th, 2023, application dependencies in container
+images will be scanned by default when using the snyk container test/monitor
+commands. If you are using Snyk in a CI pipeline, action may be required. Read
+https://snyk.io/blog/securing-container-applications-using-the-snyk-cli/ for
+more info.`;
 
 // This is used instead of `let x; try { x = await ... } catch { cleanup }` to avoid
 // declaring the type of x as possibly undefined.
@@ -87,9 +93,18 @@ export default async function monitor(...args0: MethodArgs): Promise<any> {
     throw new Error('`--remote-repo-url` is not supported for container scans');
   }
 
-  // TODO remove once https://github.com/snyk/cli/pull/3433 is merged
-  if (options.docker && !options['app-vulns']) {
-    options['exclude-app-vulns'] = true;
+  // TODO remove 'app-vulns' options and warning message once
+  // https://github.com/snyk/cli/pull/3433 is merged
+  if (options.docker) {
+    if (!options['app-vulns'] || options['exclude-app-vulns']) {
+      options['exclude-app-vulns'] = true;
+    }
+
+    // we can't print the warning message with JSON output as that would make
+    // the JSON output invalid.
+    if (!options['app-vulns'] && !options['json']) {
+      console.log(theme.color.status.warn(appVulnsReleaseWarningMsg));
+    }
   }
 
   // Handles no image arg provided to the container command until

src/cli/commands/test/index.ts

@@ -4,6 +4,7 @@ const cloneDeep = require('lodash.clonedeep');
 const assign = require('lodash.assign');
 import chalk from 'chalk';
 import { MissingArgError } from '../../../lib/errors';
+import * as theme from '../../../lib/theme';
 
 import * as snyk from '../../../lib';
 import { Options, TestOptions } from '../../../lib/types';
@@ -48,6 +49,12 @@ import { checkOSSPaths } from '../../../lib/check-paths';
 const debug = Debug('snyk-test');
 const SEPARATOR = '\n-------------------------------------------------------\n';
 
+const appVulnsReleaseWarningMsg = `${theme.icon.WARNING} Important: Beginning January 24th, 2023, application dependencies in container
+images will be scanned by default when using the snyk container test/monitor
+commands. If you are using Snyk in a CI pipeline, action may be required. Read
+https://snyk.io/blog/securing-container-applications-using-the-snyk-cli/ for
+more info.`;
+
 // TODO: avoid using `as any` whenever it's possible
 
 export default async function test(
@@ -88,9 +95,18 @@ export default async function test(
     throw new MissingArgError();
   }
 
-  // TODO remove once https://github.com/snyk/cli/pull/3433 is merged
-  if (options.docker && !options['app-vulns']) {
-    options['exclude-app-vulns'] = true;
+  // TODO remove 'app-vulns' options and warning message once
+  // https://github.com/snyk/cli/pull/3433 is merged
+  if (options.docker) {
+    if (!options['app-vulns'] || options['exclude-app-vulns']) {
+      options['exclude-app-vulns'] = true;
+    }
+
+    // we can't print the warning message with JSON output as that would make
+    // the JSON output invalid.
+    if (!options['app-vulns'] && !options['json']) {
+      console.log(theme.color.status.warn(appVulnsReleaseWarningMsg));
+    }
   }
 
   const ecosystem = getEcosystemForTest(options);

src/lib/types.ts

@@ -73,6 +73,7 @@ export interface Options {
   experimental?: boolean;
   // Used with the Docker plugin only. Allows application scanning.
   'app-vulns'?: boolean;
+  'exclude-app-vulns'?: boolean;
   debug?: boolean;
   sarif?: boolean;
   'group-issues'?: boolean;
@@ -107,6 +108,7 @@ export interface MonitorOptions {
   experimental?: boolean;
   // Used with the Docker plugin only. Allows application scanning.
   'app-vulns'?: boolean;
+  'exclude-app-vulns'?: boolean;
   initScript?: string;
   yarnWorkspaces?: boolean;
   'max-depth'?: number;

test/jest/acceptance/snyk-test/app-vuln-container-project.spec.ts

@@ -24,6 +24,30 @@ describe('container test projects behavior with --app-vulns, --file and --exclud
     expect(jsonOutput[1].uniqueCount).toBeGreaterThan(0);
     expect(code).toEqual(1);
   }, 10000);
+  it('should find nothing when app-vulns are explicitly disabled', async () => {
+    const { code, stdout } = await runSnykCLI(
+      `container test docker-archive:test/fixtures/container-projects/os-packages-and-app-vulns.tar --json --exclude-app-vulns`,
+    );
+    const jsonOutput = JSON.parse(stdout);
+    expect(Array.isArray(jsonOutput)).toBeFalsy();
+    expect(jsonOutput.applications).toBeUndefined();
+    expect(jsonOutput.ok).toEqual(false);
+    expect(jsonOutput.uniqueCount).toBeGreaterThan(0);
+    expect(code).toEqual(1);
+  }, 10000);
+  it('should find nothing on conflicting app-vulns flags', async () => {
+    // if both flags are set, --exclude-app-vulns should take precedence and
+    // disable it.
+    const { code, stdout } = await runSnykCLI(
+      `container test docker-archive:test/fixtures/container-projects/os-packages-and-app-vulns.tar --json --app-vulns --exclude-app-vulns --experimental`,
+    );
+    const jsonOutput = JSON.parse(stdout);
+    expect(Array.isArray(jsonOutput)).toBeFalsy();
+    expect(jsonOutput.applications).toBeUndefined();
+    expect(jsonOutput.ok).toEqual(false);
+    expect(jsonOutput.uniqueCount).toBeGreaterThan(0);
+    expect(code).toEqual(1);
+  }, 10000);
   it('should find all vulns when using --app-vulns without experimental flag', async () => {
     const { code, stdout } = await runSnykCLI(
       `container test docker-archive:test/fixtures/container-projects/os-packages-and-app-vulns.tar --json --app-vulns`,