feat: container add -exclude-node-modules option

snyk · Dec 19, 2024 · 6361aab · 6361aab
1 parent a813940
commit 6361aab
Show file tree

Hide file tree

Showing 6 changed files with 51 additions and 8 deletions.
diff --git a/help/cli-commands/container-monitor.md b/help/cli-commands/container-monitor.md
@@ -134,6 +134,12 @@ In earlier releases, cannot be used with `--app-vulns`.
 
 For more information see [Detecting application vulnerabilities in container images](https://docs.snyk.io/scan-using-snyk/snyk-container/use-snyk-container-from-the-web-ui/detect-application-vulnerabilities-in-container-images)
 
+### `--exclude-node-modules`
+
+Allow disabling the scan of node_modules directories inside node.js container images; in CLI versions v1.1292.0 and higher, node_modules scanning is enabled by default.
+
+When the node_modules scan is disabled, snyk will report vulnerabilities for npm projects sourced from application files: package.json, package-lock.json, yarn.lock.
+
 ### `--nested-jars-depth`
 
 When `app-vulns` is enabled, use the `--nested-jars-depth=n` option to set how many levels of nested jars Snyk is to unpack. Depth must be a number.

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -116,7 +116,7 @@
     "semver": "^6.0.0",
     "snyk-config": "^5.0.0",
     "snyk-cpp-plugin": "2.24.0",
-    "snyk-docker-plugin": "6.13.18",
+    "snyk-docker-plugin": "6.14.0",
     "snyk-go-plugin": "1.23.0",
     "snyk-gradle-plugin": "4.7.0",
     "snyk-module": "3.1.0",

diff --git a/src/lib/types.ts b/src/lib/types.ts
@@ -144,6 +144,7 @@ export interface MonitorOptions {
   // Used with the Docker plugin only. Allows application scanning.
   'app-vulns'?: boolean;
   'exclude-app-vulns'?: boolean;
+  'exclude-node-modules'?: boolean;
   initScript?: string;
   yarnWorkspaces?: boolean;
   'max-depth'?: number;

diff --git a/test/fixtures/container-projects/node-slim-image.tar b/test/fixtures/container-projects/node-slim-image.tar
diff --git a/test/jest/acceptance/snyk-test/app-vuln-container-project.spec.ts b/test/jest/acceptance/snyk-test/app-vuln-container-project.spec.ts
@@ -167,3 +167,39 @@ describe('container test projects behavior with --json flag', () => {
     expect(code).toEqual(0);
   });
 });
+
+describe('container test projects behavior with --exclude-node-modules flag', () => {
+  // Dockerfile for node-slim-image.tar
+  // FROM node:alpine
+
+  // COPY package.json /goof1/
+  // COPY package-lock.json /goof1/
+  // COPY package.json /
+  // COPY package-lock.json /
+  // WORKDIR /goof1
+  // RUN npm install
+  // WORKDIR /
+  // RUN npm install
+  it('should scan npm projects only when package.json and package-lock.json pairs are identified in the container image', async () => {
+    const { code, stdout } = await runSnykCLI(
+      `container test docker-archive:test/fixtures/container-projects/node-slim-image.tar --exclude-node-modules --json --exclude-base-image-vulns`,
+    );
+    const jsonOutput = JSON.parse(stdout);
+    const applications = jsonOutput.applications;
+
+    expect(applications.length).toEqual(2);
+    expect(code).toEqual(1);
+  }, 30000);
+
+  it('should scan npm projects from package.json and package-lock.json pairs and node_modules dependencies', async () => {
+    const { code, stdout } = await runSnykCLI(
+      `container test docker-archive:test/fixtures/container-projects/node-slim-image.tar --json --exclude-base-image-vulns`,
+    );
+    const jsonOutput = JSON.parse(stdout);
+    const applications = jsonOutput.applications;
+
+    expect(applications.length).toEqual(3);
+
+    expect(code).toEqual(1);
+  }, 30000);
+});