From 8edf9bcd26369ac2c611f81cb4d391acf8db5509 Mon Sep 17 00:00:00 2001
From: snyk-bot
Date: Thu, 9 Nov 2023 14:27:54 +0000
Subject: [PATCH 1/3] fix: upgrade snyk-docker-plugin from 6.5.9 to 6.5.10

Snyk has created this PR to upgrade snyk-docker-plugin from 6.5.9 to 6.5.10.
See this package in npm:
https://www.npmjs.com/package/snyk-docker-plugin
See this project in Snyk:
https://app.snyk.io/org/runtime-3by/project/3af2d020-78e9-4846-9064-bd2167f7613f?utm_source=github&utm_medium=referral&page=upgrade-pr
---
 package-lock.json | 14 +++++++-------
 package.json | 2 +-
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 91d2a006e..fc8b980cd 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -19,7 +19,7 @@
 "needle": "^3.2.0",
 "sleep-promise": "^9.1.0",
 "snyk-config": "5.1.0",
- "snyk-docker-plugin": "^6.5.9",
+ "snyk-docker-plugin": "^6.5.10",
 "source-map-support": "^0.5.21",
 "tunnel": "0.0.6",
 "typescript": "4.7.4",
@@ -10312,9 +10312,9 @@
 }
 },
 "node_modules/snyk-docker-plugin": {
- "version": "6.5.9",
- "resolved": "https://registry.npmjs.org/snyk-docker-plugin/-/snyk-docker-plugin-6.5.9.tgz",
- "integrity": "sha512-+htd0OFckcluij2w1/hJthMPF3GSYCo25KT7YRtb6rg3+tU8k/IPxZkoOFPvjPTsKQfFfVCWQ5c9xQr9VRWGpg==",
+ "version": "6.5.10",
+ "resolved": "https://registry.npmjs.org/snyk-docker-plugin/-/snyk-docker-plugin-6.5.10.tgz",
+ "integrity": "sha512-Xj8dupW3/p3nu5haCX/+/dSY/+jQR1eE6Lp8iFBZN77oXMPbfZbJ4Fe4+WuWl0JzlC3UGUAyv/Zm6C8X3yugtg==",
 "dependencies": {
 "@snyk/composer-lockfile-parser": "^1.4.1",
 "@snyk/dep-graph": "^2.7.1",
@@ -20069,9 +20069,9 @@
 }
 },
 "snyk-docker-plugin": {
- "version": "6.5.9",
- "resolved": "https://registry.npmjs.org/snyk-docker-plugin/-/snyk-docker-plugin-6.5.9.tgz",
- "integrity": "sha512-+htd0OFckcluij2w1/hJthMPF3GSYCo25KT7YRtb6rg3+tU8k/IPxZkoOFPvjPTsKQfFfVCWQ5c9xQr9VRWGpg==",
+ "version": "6.5.10",
+ "resolved": "https://registry.npmjs.org/snyk-docker-plugin/-/snyk-docker-plugin-6.5.10.tgz",
+ "integrity": "sha512-Xj8dupW3/p3nu5haCX/+/dSY/+jQR1eE6Lp8iFBZN77oXMPbfZbJ4Fe4+WuWl0JzlC3UGUAyv/Zm6C8X3yugtg==",
 "requires": {
 "@snyk/composer-lockfile-parser": "^1.4.1",
 "@snyk/dep-graph": "^2.7.1",
diff --git a/package.json b/package.json
index e8e9d40ee..23106cffd 100644
--- a/package.json
+++ b/package.json
@@ -48,7 +48,7 @@
 "needle": "^3.2.0",
 "sleep-promise": "^9.1.0",
 "snyk-config": "5.1.0",
- "snyk-docker-plugin": "^6.5.9",
+ "snyk-docker-plugin": "^6.5.10",
 "source-map-support": "^0.5.21",
 "tunnel": "0.0.6",
 "typescript": "4.7.4",

From 8b8f455d2966625896bb885550db69fcf7205b69 Mon Sep 17 00:00:00 2001
From: Ahmed Agabani <70949530+ahmed-agabani-snyk@users.noreply.github.com>
Date: Mon, 20 Nov 2023 17:09:02 +0000
Subject: [PATCH 2/3] fix: add percent-encoded plus sign in purl version tests

---
 test/unit/snyk-dep-graph.spec.ts | 59 ++++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 test/unit/snyk-dep-graph.spec.ts

diff --git a/test/unit/snyk-dep-graph.spec.ts b/test/unit/snyk-dep-graph.spec.ts
new file mode 100644
index 000000000..1aab85739
--- /dev/null
+++ b/test/unit/snyk-dep-graph.spec.ts
@@ -0,0 +1,59 @@
+import { createFromJSON } from '@snyk/dep-graph';
+
+describe('@snyk/dep-graph', () => {
+ describe('createFromJSON', () => {
+ it('supports percent-encoded plus sign in purl version', () => {
+ // Arrange
+ const json = {
+ schemaVersion: '1.3.0',
+ pkgManager: {
+ name: 'deb',
+ repositories: [
+ {
+ alias: 'repository:tag',
+ },
+ ],
+ },
+ pkgs: [
+ {
+ id: 'repository@digest',
+ info: {
+ name: 'repository',
+ version: 'digest',
+ },
+ },
+ {
+ id: 'db5.3/libdb5.3@5.3.28+dfsg1-0.6ubuntu2',
+ info: {
+ name: 'db5.3/libdb5.3',
+ version: '5.3.28+dfsg1-0.6ubuntu2',
+ purl: 'pkg:deb/libdb5.3@5.3.28%2Bdfsg1-0.6ubuntu2?upstream=db5.3',
+ },
+ },
+ ],
+ graph: {
+ rootNodeId: 'root-node',
+ nodes: [
+ {
+ nodeId: 'root-node',
+ pkgId: 'repository@digest',
+ deps: [
+ {
+ nodeId: 'db5.3/libdb5.3@5.3.28+dfsg1-0.6ubuntu2',
+ },
+ ],
+ },
+ {
+ nodeId: 'db5.3/libdb5.3@5.3.28+dfsg1-0.6ubuntu2',
+ pkgId: 'db5.3/libdb5.3@5.3.28+dfsg1-0.6ubuntu2',
+ deps: [],
+ },
+ ],
+ },
+ };
+
+ // Act
+ createFromJSON(json);
+ });
+ });
+});

From e9a7d45eb2b07a38c74085eced727c98940bbb48 Mon Sep 17 00:00:00 2001
From: Katie Armstrong
Date: Thu, 23 Nov 2023 17:44:48 +0000
Subject: [PATCH 3/3] fix: remove stack, message and childProcess from the skopeo error logs

all skopeo args were being logged in the stack and message including -src-creds
---
 src/scanner/images/index.ts | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/scanner/images/index.ts b/src/scanner/images/index.ts
index 467d59062..634073bb6 100644
--- a/src/scanner/images/index.ts
+++ b/src/scanner/images/index.ts
@@ -50,7 +50,10 @@ export async function pullImages(
 pulledImages.push(pulledImage);
 } catch (error) {
 logger.error(
- { error, image: image.imageWithDigest ?? image.imageName },
+ {
+ error: sanitizeSkopeoErrorForLogging(error),
+ image: image.imageWithDigest ?? image.imageName,
+ },
 'failed to pull image docker/oci archive image',
 );
 }
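Review bot: The test body ends with a bare `createFromJSON(json);` and asserts nothing, so it passes whenever the call returns — including if the parser silently drops or re-encodes the `%2B` in the purl, which is the very case the test name promises to cover. State the intent explicitly with `expect(() => createFromJSON(json)).not.toThrow();`, and consider also locating the `db5.3/libdb5.3` package in the returned graph and comparing its `purl` to the input so the round-trip is pinned rather than just the absence of an exception. A one-line comment above the fixture explaining why the pkg id keeps the literal `+` while the purl carries `%2B` (presumably the Debian-version encoding rule this regression is about) would tell the next reader what must not be "fixed" in this fixture.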
@@ -58,6 +61,13 @@ export async function pullImages(
 return pulledImages;
 }
 
+function sanitizeSkopeoErrorForLogging(error) {
+ delete error.stack;
+ delete error.message;
+ delete error.childProcess;
+ return error;
+}
+
 export function getImagesWithFileSystemPath(
 images: IScanImage[],
 ): IPullableImage[] {
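Review bot: `sanitizeSkopeoErrorForLogging` deny-lists three fields with `delete` but then logs whatever else the caught value carries, and Node child-process errors also expose the full command line through `cmd` (exec) and `spawnargs` (spawn failures), so a `--src-creds` value can still reach the log if the error did not come through the wrapper that sets `childProcess` (that wrapper is outside this hunk, so I cannot confirm which shape arrives). The function also mutates the caught error in place, and because `delete` on a nullish value throws a `TypeError`, a `null`/`undefined` rejection would blow up inside the `catch` block in the `-50` hunk instead of being logged. Prefer copying an allow-list of known-safe fields into a fresh object, and type the parameter as `unknown` rather than the implicit `any` the new signature has; a rewrite along those lines follows.
```typescript
function sanitizeSkopeoErrorForLogging(error: unknown) {
  // Allow-list rather than deny-list: the skopeo command line (including
  // --src-creds) can surface in message, stack, cmd, spawnargs and the
  // child-process handle, so copy only fields known not to carry it.
  if (typeof error !== 'object' || error === null) {
    return { type: typeof error };
  }
  const { name, code, signal, killed } = error as Record<string, unknown>;
  return { name, code, signal, killed };
}
```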