chore: merge branch 'main' into fix/dockerfile-attribution

Author: d3vco

.circleci/config.yml

@@ -132,17 +132,30 @@ jobs:
       - attach_workspace:
           at: ~/snyk-docker-plugin
       - run: npm run lint
-  test:
+  test_unit:
+    <<: *defaults
+    resource_class: medium
+    steps:
+      - checkout
+      - attach_workspace:
+          at: ~/snyk-docker-plugin
+      - run: npm run test:unit > test-unit-logs.txt 2>&1
+      - store_artifacts:
+          path: test-unit-logs.txt
+          destination: test-unit-logs
+  test_system:
     <<: *defaults
     steps:
       - checkout
       - setup_remote_docker
       - attach_workspace:
           at: ~/snyk-docker-plugin
-      - run: npm run test-jest > test-logs.txt 2>&1
+      - run:
+          command: npm run test:system > test-system-logs.txt 2>&1
+          no_output_timeout: 20m
       - store_artifacts:
-          path: test-logs.txt
-          destination: test-logs
+          path: test-system-logs.txt
+          destination: test-system-logs
   test_jest_windows_with_docker:
     <<: *windows_big
     steps:
@@ -252,8 +265,17 @@ workflows:
           context: infrasec_container
           post-steps:
             - *slack-fail-notify
-      - test:
-          name: Test
+      - test_unit:
+          name: Unit Test
+          context:
+            - nodejs-install
+            - snyk-bot-slack
+          requires:
+            - Build
+          post-steps:
+            - *slack-fail-notify
+      - test_system:
+          name: System Test
           context:
             - nodejs-install
             - snyk-bot-slack
@@ -303,7 +325,8 @@ workflows:
             - Lint
             - Build
             - Security Scans
-            - Test
+            - Unit Test
+            - System Test
             - Test Jest Windows with Docker
             - Test Jest Windows no Docker
           post-steps:

.github/CODEOWNERS

@@ -1,5 +1,5 @@
 # This is a comment.
 # Each line is a file pattern followed by one or more owners.
 
-* @snyk/infrasec_container
+* @snyk/infrasec_container @snyk/container_container
 

.snyk

@@ -2,16 +2,8 @@
 version: v1.25.0
 # ignores vulnerabilities until expiry date; change duration by modifying expiry date
 ignore:
-  SNYK-JS-TAR-15307072:
-    - 'snyk-nodejs-lockfile-parser > @yarnpkg/core > tar':
-        reason: 'Indirect dependency from snyk-nodejs-lockfile-parser, waiting for upstream fix'
-        expires: 2026-03-26T00:00:00.000Z
-  SNYK-JS-TAR-15416075:
-    - 'snyk-nodejs-lockfile-parser > @yarnpkg/core > tar':
-        reason: 'Indirect dependency from snyk-nodejs-lockfile-parser, waiting for upstream fix'
-        expires: 2026-03-26T00:00:00.000Z
-  SNYK-JS-TAR-15456201:
-    - 'snyk-nodejs-lockfile-parser > @yarnpkg/core > tar':
-        reason: 'Indirect dependency from snyk-nodejs-lockfile-parser, waiting for upstream fix'
-        expires: 2026-03-26T00:00:00.000Z
+  SNYK-JS-LODASH-15869625:
+    - '*':
+        reason: 'Indirect dependency, waiting for upstream fix'
+        expires: 2026-04-09T00:00:00.000Z
 patch: {}

components/common.yaml

@@ -17,6 +17,7 @@ schemas:
     enum:
       - autoDetectedUserInstructions
       - binaries
+      - baseRuntimes
       - depGraph
       - dockerfileAnalysis
       - dockerLayers

lib/analyzer/applications/node-modules-utils.ts

@@ -1,5 +1,6 @@
 import * as Debug from "debug";
 import { mkdir, mkdtemp, rm, stat, writeFile } from "fs/promises";
+import * as os from "os";
 import * as path from "path";
 import { FilePathToContent, FilesByDirMap } from "./types";
 const debug = Debug("snyk");
@@ -22,7 +23,7 @@ interface ScanPaths {
 async function createTempProjectDir(
   projectDir: string,
 ): Promise<{ tmpDir: string; tempProjectRoot: string }> {
-  const tmpDir = await mkdtemp("snyk");
+  const tmpDir = await mkdtemp(path.join(os.tmpdir(), "snyk-"));
 
   const tempProjectRoot = path.join(tmpDir, projectDir);
 
@@ -76,20 +77,23 @@ async function persistNodeModules(
   fileNamesGroupedByDirectory: FilesByDirMap,
 ): Promise<ScanPaths> {
   const modules = fileNamesGroupedByDirectory.get(project);
-  const tmpDir: string = "";
-  const tempProjectRoot: string = "";
 
   if (!modules || modules.size === 0) {
     debug(`Empty application directory tree.`);
-
-    return {
-      tempDir: tmpDir,
-      tempProjectPath: tempProjectRoot,
-    };
+    return { tempDir: "", tempProjectPath: "" };
   }
 
+  // Create the temp directory first so we can return it in the catch block
+  // for cleanup. Previously, the outer tmpDir/tempProjectRoot were always
+  // empty strings, meaning any temp directory created before a failure in
+  // saveOnDisk or later steps would be leaked (caller couldn't clean it up).
+  let tmpDir = "";
+  let tempProjectRoot = "";
+
   try {
-    const { tmpDir, tempProjectRoot } = await createTempProjectDir(project);
+    const created = await createTempProjectDir(project);
+    tmpDir = created.tmpDir;
+    tempProjectRoot = created.tempProjectRoot;
 
     await saveOnDisk(tmpDir, modules, filePathToContent);
 
@@ -122,7 +126,10 @@ async function persistNodeModules(
   }
 }
 
-async function createFile(filePath, fileContent): Promise<void> {
+async function createFile(
+  filePath: string,
+  fileContent: string,
+): Promise<void> {
   try {
     await mkdir(path.dirname(filePath), { recursive: true });
     await writeFile(filePath, fileContent, "utf-8");

lib/analyzer/applications/node.ts

@@ -136,7 +136,7 @@ async function depGraphFromNodeModules(
       }
 
       const depGraph = await legacy.depTreeToGraph(
-        pkgTree,
+        pkgTree as any,
         pkgTree.type || "npm",
       );
 
@@ -417,7 +417,7 @@ function stripUndefinedLabels(
   parserResult: lockFileParser.PkgTree,
 ): lockFileParser.PkgTree {
   const optionalLabels = parserResult.labels;
-  const mandatoryLabels: Record<string, string> = {};
+  const mandatoryLabels: Record<string, any> = {};
   if (optionalLabels) {
     for (const currentLabelName of Object.keys(optionalLabels)) {
       if (optionalLabels[currentLabelName] !== undefined) {
@@ -428,7 +428,7 @@ function stripUndefinedLabels(
   const parserResultWithProperLabels = Object.assign({}, parserResult, {
     labels: mandatoryLabels,
   });
-  return parserResultWithProperLabels;
+  return parserResultWithProperLabels as lockFileParser.PkgTree;
 }
 
 async function buildDepGraph(
@@ -513,7 +513,10 @@ async function buildDepGraphFromDepTree(
     // Don't provide a default manifest file name, prefer the parser to infer it.
   );
   const strippedLabelsParserResult = stripUndefinedLabels(parserResult);
-  return await legacy.depTreeToGraph(strippedLabelsParserResult, lockfileType);
+  return await legacy.depTreeToGraph(
+    strippedLabelsParserResult as any,
+    lockfileType,
+  );
 }
 
 export function getLockFileVersion(

lib/analyzer/base-runtimes/index.ts

@@ -0,0 +1,11 @@
+import { ExtractedLayers } from "../../extractor/types";
+import { BaseRuntime } from "../../facts";
+import { getJavaRuntimeReleaseContent } from "../../inputs/base-runtimes/static";
+import { parseJavaRuntimeRelease } from "./parser";
+
+export function detectJavaRuntime(
+  extractedLayers: ExtractedLayers,
+): BaseRuntime | null {
+  const releaseContent = getJavaRuntimeReleaseContent(extractedLayers);
+  return releaseContent ? parseJavaRuntimeRelease(releaseContent) : null;
+}

lib/analyzer/base-runtimes/parser.ts

@@ -0,0 +1,34 @@
+import { BaseRuntime } from "../../facts";
+
+const VALID_VERSION_PATTERN =
+  /^(?!.*\.\.)[0-9]+(?:[._+a-zA-Z0-9-]*[a-zA-Z0-9])?$/;
+
+const regex = /^\s*JAVA_VERSION\s*=\s*(?:(["'])(.*?)\1|([^#\r\n]+))/gm;
+
+function isValidJavaVersion(version: string): boolean {
+  if (!version || version.length === 0) {
+    return false;
+  }
+  return VALID_VERSION_PATTERN.test(version);
+}
+
+export function parseJavaRuntimeRelease(content: string): BaseRuntime | null {
+  if (!content || content.trim().length === 0) {
+    return null;
+  }
+  try {
+    const matches = [...content.matchAll(regex)];
+
+    if (matches.length !== 1) {
+      return null;
+    }
+    const version = (matches[0][2] || matches[0][3] || "").trim();
+
+    if (!isValidJavaVersion(version)) {
+      return null;
+    }
+    return { type: "java", version };
+  } catch (error) {
+    return null;
+  }
+}

lib/analyzer/image-inspector.ts

@@ -1,6 +1,5 @@
 import * as Debug from "debug";
 import * as fs from "fs";
-import * as mkdirp from "mkdirp";
 import * as path from "path";
 
 import { Docker, DockerOptions } from "../docker";
@@ -200,7 +199,7 @@ async function getImageArchive(
   platform?: string,
 ): Promise<ArchiveResult> {
   const docker = new Docker();
-  mkdirp.sync(imageSavePath);
+  fs.mkdirSync(imageSavePath, { recursive: true });
   const destination: DestinationDir = {
     name: imageSavePath,
     removeCallback: cleanupCallback(imageSavePath, "image.tar"),

lib/analyzer/static-analyzer.ts

@@ -15,6 +15,7 @@ import {
   getDpkgFileContentAction,
   getExtFileContentAction,
 } from "../inputs/apt/static";
+import { getJavaRuntimeReleaseAction } from "../inputs/base-runtimes/static";
 import {
   getBinariesHashes,
   getNodeBinariesFileContentAction,
@@ -67,6 +68,7 @@ import { jarFilesToScannedResults } from "./applications/java";
 import { pipFilesToScannedProjects } from "./applications/python";
 import { getApplicationFiles } from "./applications/runtime-common";
 import { AppDepsScanResultWithoutTarget } from "./applications/types";
+import { detectJavaRuntime } from "./base-runtimes";
 import * as osReleaseDetector from "./os-release";
 import { analyze as apkAnalyze } from "./package-managers/apk";
 import {
@@ -105,6 +107,7 @@ export async function analyze(
     ...getOsReleaseActions,
     getNodeBinariesFileContentAction,
     getOpenJDKBinariesFileContentAction,
+    getJavaRuntimeReleaseAction,
     getDpkgPackageFileContentAction,
     getRedHatRepositoriesContentAction,
   ];
@@ -233,6 +236,8 @@ export async function analyze(
   }
 
   const binaries = getBinariesHashes(extractedLayers);
+  const javaRuntime = detectJavaRuntime(extractedLayers);
+  const baseRuntimes = javaRuntime ? [javaRuntime] : undefined;
 
   const applicationDependenciesScanResults: AppDepsScanResultWithoutTarget[] =
     [];
@@ -309,6 +314,7 @@ export async function analyze(
     platform,
     results,
     binaries,
+    baseRuntimes,
     imageLayers: manifestLayers,
     rootFsLayers,
     applicationDependenciesScanResults,