snyk
diff --git a/‎.circleci/config.yml‎
Lines changed: 30 additions & 7 deletions b/‎.circleci/config.yml‎
Lines changed: 30 additions & 7 deletions
diff --git a/‎.snyk‎
Lines changed: 4 additions & 12 deletions b/‎.snyk‎
Lines changed: 4 additions & 12 deletions
diff --git a/‎components/common.yaml‎
Lines changed: 1 addition & 0 deletions b/‎components/common.yaml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎lib/analyzer/base-runtimes/index.ts‎
Lines changed: 11 additions & 0 deletions b/‎lib/analyzer/base-runtimes/index.ts‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎lib/analyzer/base-runtimes/parser.ts‎
Lines changed: 34 additions & 0 deletions b/‎lib/analyzer/base-runtimes/parser.ts‎
Lines changed: 34 additions & 0 deletions
diff --git a/‎lib/analyzer/static-analyzer.ts‎
Lines changed: 6 additions & 0 deletions b/‎lib/analyzer/static-analyzer.ts‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎lib/analyzer/types.ts‎
Lines changed: 2 additions & 0 deletions b/‎lib/analyzer/types.ts‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎lib/facts.ts‎
Lines changed: 10 additions & 0 deletions b/‎lib/facts.ts‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎lib/go-parser/go-binary.ts‎
Lines changed: 12 additions & 7 deletions b/‎lib/go-parser/go-binary.ts‎
Lines changed: 12 additions & 7 deletions
diff --git a/‎lib/inputs/base-runtimes/static.ts‎
Lines changed: 21 additions & 0 deletions b/‎lib/inputs/base-runtimes/static.ts‎
Lines changed: 21 additions & 0 deletions
@@ -132,17 +132,30 @@ jobs:
       - attach_workspace:
           at: ~/snyk-docker-plugin
       - run: npm run lint
-  test:
+  test_unit:
+    <<: *defaults
+    resource_class: medium
+    steps:
+      - checkout
+      - attach_workspace:
+          at: ~/snyk-docker-plugin
+      - run: npm run test:unit > test-unit-logs.txt 2>&1
+      - store_artifacts:
+          path: test-unit-logs.txt
+          destination: test-unit-logs
+  test_system:
     <<: *defaults
     steps:
       - checkout
       - setup_remote_docker
       - attach_workspace:
           at: ~/snyk-docker-plugin
-      - run: npm run test-jest > test-logs.txt 2>&1
+      - run:
+          command: npm run test:system > test-system-logs.txt 2>&1
+          no_output_timeout: 20m
       - store_artifacts:
-          path: test-logs.txt
-          destination: test-logs
+          path: test-system-logs.txt
+          destination: test-system-logs
   test_jest_windows_with_docker:
     <<: *windows_big
     steps:
@@ -252,8 +265,17 @@ workflows:
           context: infrasec_container
           post-steps:
             - *slack-fail-notify
-      - test:
-          name: Test
+      - test_unit:
+          name: Unit Test
+          context:
+            - nodejs-install
+            - snyk-bot-slack
+          requires:
+            - Build
+          post-steps:
+            - *slack-fail-notify
+      - test_system:
+          name: System Test
           context:
             - nodejs-install
             - snyk-bot-slack
@@ -303,7 +325,8 @@ workflows:
             - Lint
             - Build
             - Security Scans
-            - Test
+            - Unit Test
+            - System Test
             - Test Jest Windows with Docker
             - Test Jest Windows no Docker
           post-steps:
 
@@ -2,16 +2,8 @@
 version: v1.25.0
 # ignores vulnerabilities until expiry date; change duration by modifying expiry date
 ignore:
-  SNYK-JS-TAR-15307072:
-    - 'snyk-nodejs-lockfile-parser > @yarnpkg/core > tar':
-        reason: 'Indirect dependency from snyk-nodejs-lockfile-parser, waiting for upstream fix'
-        expires: 2026-03-26T00:00:00.000Z
-  SNYK-JS-TAR-15416075:
-    - 'snyk-nodejs-lockfile-parser > @yarnpkg/core > tar':
-        reason: 'Indirect dependency from snyk-nodejs-lockfile-parser, waiting for upstream fix'
-        expires: 2026-03-26T00:00:00.000Z
-  SNYK-JS-TAR-15456201:
-    - 'snyk-nodejs-lockfile-parser > @yarnpkg/core > tar':
-        reason: 'Indirect dependency from snyk-nodejs-lockfile-parser, waiting for upstream fix'
-        expires: 2026-03-26T00:00:00.000Z
+  SNYK-JS-LODASH-15869625:
+    - '*':
+        reason: 'Indirect dependency, waiting for upstream fix'
+        expires: 2026-04-09T00:00:00.000Z
 patch: {}
@@ -17,6 +17,7 @@ schemas:
     enum:
       - autoDetectedUserInstructions
       - binaries
+      - baseRuntimes
       - depGraph
       - dockerfileAnalysis
       - dockerLayers
 
@@ -0,0 +1,11 @@
+import { ExtractedLayers } from "../../extractor/types";
+import { BaseRuntime } from "../../facts";
+import { getJavaRuntimeReleaseContent } from "../../inputs/base-runtimes/static";
+import { parseJavaRuntimeRelease } from "./parser";
+
+export function detectJavaRuntime(
+  extractedLayers: ExtractedLayers,
+): BaseRuntime | null {
+  const releaseContent = getJavaRuntimeReleaseContent(extractedLayers);
+  return releaseContent ? parseJavaRuntimeRelease(releaseContent) : null;
+}
@@ -0,0 +1,34 @@
+import { BaseRuntime } from "../../facts";
+
+const VALID_VERSION_PATTERN =
+  /^(?!.*\.\.)[0-9]+(?:[._+a-zA-Z0-9-]*[a-zA-Z0-9])?$/;
+
+const regex = /^\s*JAVA_VERSION\s*=\s*(?:(["'])(.*?)\1|([^#\r\n]+))/gm;
+
+function isValidJavaVersion(version: string): boolean {
+  if (!version || version.length === 0) {
+    return false;
+  }
+  return VALID_VERSION_PATTERN.test(version);
+}
+
+export function parseJavaRuntimeRelease(content: string): BaseRuntime | null {
+  if (!content || content.trim().length === 0) {
+    return null;
+  }
+  try {
+    const matches = [...content.matchAll(regex)];
+
+    if (matches.length !== 1) {
+      return null;
+    }
+    const version = (matches[0][2] || matches[0][3] || "").trim();
+
+    if (!isValidJavaVersion(version)) {
+      return null;
+    }
+    return { type: "java", version };
+  } catch (error) {
+    return null;
+  }
+}
@@ -15,6 +15,7 @@ import {
   getDpkgFileContentAction,
   getExtFileContentAction,
 } from "../inputs/apt/static";
+import { getJavaRuntimeReleaseAction } from "../inputs/base-runtimes/static";
 import {
   getBinariesHashes,
   getNodeBinariesFileContentAction,
@@ -67,6 +68,7 @@ import { jarFilesToScannedResults } from "./applications/java";
 import { pipFilesToScannedProjects } from "./applications/python";
 import { getApplicationFiles } from "./applications/runtime-common";
 import { AppDepsScanResultWithoutTarget } from "./applications/types";
+import { detectJavaRuntime } from "./base-runtimes";
 import * as osReleaseDetector from "./os-release";
 import { analyze as apkAnalyze } from "./package-managers/apk";
 import {
@@ -105,6 +107,7 @@ export async function analyze(
     ...getOsReleaseActions,
     getNodeBinariesFileContentAction,
     getOpenJDKBinariesFileContentAction,
+    getJavaRuntimeReleaseAction,
     getDpkgPackageFileContentAction,
     getRedHatRepositoriesContentAction,
   ];
@@ -233,6 +236,8 @@ export async function analyze(
   }
 
   const binaries = getBinariesHashes(extractedLayers);
+  const javaRuntime = detectJavaRuntime(extractedLayers);
+  const baseRuntimes = javaRuntime ? [javaRuntime] : undefined;
 
   const applicationDependenciesScanResults: AppDepsScanResultWithoutTarget[] =
     [];
@@ -309,6 +314,7 @@ export async function analyze(
     platform,
     results,
     binaries,
+    baseRuntimes,
     imageLayers: manifestLayers,
     rootFsLayers,
     applicationDependenciesScanResults,
 
@@ -1,4 +1,5 @@
 import { ImageName } from "../extractor/image";
+import { BaseRuntime } from "../facts";
 import { AutoDetectedUserInstructions, ManifestFile } from "../types";
 import {
   AppDepsScanResultWithoutTarget,
@@ -75,6 +76,7 @@ export interface StaticAnalysis {
   osRelease: OSRelease;
   results: ImageAnalysis[];
   binaries: string[];
+  baseRuntimes?: BaseRuntime[];
   imageLayers: string[];
   rootFsLayers?: string[];
   autoDetectedUserInstructions?: AutoDetectedUserInstructions;
 
@@ -152,3 +152,13 @@ export interface PluginWarningsFact {
     parameterChecks?: string[];
   };
 }
+
+export interface BaseRuntime {
+  type: string;
+  version: string;
+}
+
+export interface BaseRuntimesFact {
+  type: "baseRuntimes";
+  data: BaseRuntime[];
+}
@@ -169,10 +169,7 @@ export class GoBinary {
           // result in the package name "github.com/my/pkg/a".
           const parts = pkgFile.split(modFullName);
           if (parts.length !== 2 || parts[0] !== "") {
-            throw {
-              fileName: pkgFile,
-              moduleName: modFullName,
-            } as GoFileNameError;
+            throw new GoFileNameError(pkgFile, modFullName);
           }
 
           // for files in the "root" of a module
@@ -194,9 +191,17 @@ export class GoBinary {
   }
 }
 
-interface GoFileNameError extends Error {
-  fileName: string;
-  moduleName: string;
+export class GoFileNameError extends Error {
+  public readonly fileName: string;
+  public readonly moduleName: string;
+
+  constructor(fileName: string, moduleName: string) {
+    super();
+    this.name = "GoFileNameError";
+    this.message = `Failed to match Go file "${fileName}" to module "${moduleName}"`;
+    this.fileName = fileName;
+    this.moduleName = moduleName;
+  }
 }
 
 /**
 
@@ -0,0 +1,21 @@
+import { normalize as normalizePath } from "path";
+import { getContentAsString } from "../../extractor";
+import { ExtractAction, ExtractedLayers } from "../../extractor/types";
+import { streamToString } from "../../stream-utils";
+
+export const getJavaRuntimeReleaseAction: ExtractAction = {
+  actionName: "java-runtime-release",
+  filePathMatches: (filePath) =>
+    filePath === normalizePath("/opt/java/openjdk/release"),
+  callback: streamToString,
+};
+
+export function getJavaRuntimeReleaseContent(
+  extractedLayers: ExtractedLayers,
+): string {
+  const content = getContentAsString(
+    extractedLayers,
+    getJavaRuntimeReleaseAction,
+  );
+  return content || "";
+}