fix: unmanaged scan unknown archives

See snyk/snyk-mvn-plugin#137

Adding warning message to indicate when projects have a dep-graph that contains packages with unknown versions (like in the Snyk UI).

package.json

@@ -118,7 +118,7 @@
     "snyk-go-plugin": "1.19.2",
     "snyk-gradle-plugin": "3.23.2",
     "snyk-module": "3.1.0",
-    "snyk-mvn-plugin": "2.31.0",
+    "snyk-mvn-plugin": "2.31.1",
     "snyk-nodejs-lockfile-parser": "1.38.0",
     "snyk-nuget-plugin": "1.23.5",
     "snyk-php-plugin": "1.9.2",

src/lib/dep-graph.ts

@@ -0,0 +1,13 @@
+import { DepGraph } from '@snyk/dep-graph';
+
+export function hasUnknownVersions(depGraph?: DepGraph): boolean {
+  if (!depGraph) {
+    return false;
+  }
+  for (const pkg of depGraph.getPkgs()) {
+    if (pkg.version === 'unknown') {
+      return true;
+    }
+  }
+  return false;
+}

src/lib/formatters/test/display-result.ts

@@ -22,6 +22,7 @@ import {
   getDisplayedOutput,
 } from '../../../lib/formatters/test/format-test-results';
 import { showMultiScanTip } from '../show-multi-scan-tip';
+import * as theme from '../../theme';
 
 export function displayResult(
   res: TestResult,
@@ -66,6 +67,13 @@ export function displayResult(
   );
   const multiProjAdvice = multiProjectTip ? `\n\n${multiProjectTip}` : '';
 
+  const warningMessage = theme.color.status.warn(
+    `${theme.icon.WARNING} Warning!`,
+  );
+  const hasUnknownVersions = res.hasUnknownVersions
+    ? `\n\n${warningMessage} Some dependencies in this project could not be identified.`
+    : '';
+
   // OK  => no vulns found, return
   if (res.ok && res.vulnerabilities.length === 0) {
     const vulnPathsText = options.showVulnPaths
@@ -98,6 +106,7 @@ export function displayResult(
       meta +
       '\n\n' +
       summaryOKText +
+      hasUnknownVersions +
       multiProjAdvice +
       (isCI()
         ? ''
@@ -115,6 +124,7 @@ export function displayResult(
     projectType,
     meta,
     prefix,
+    hasUnknownVersions,
     multiProjAdvice,
     dockerAdvice,
   );

src/lib/formatters/test/format-test-results.ts

@@ -142,6 +142,7 @@ export function getDisplayedOutput(
   projectType: SupportedProjectTypes,
   meta: string,
   prefix: string,
+  hasUnknownVersions: string,
   multiProjAdvice: string,
   dockerAdvice: string,
 ): string {
@@ -168,7 +169,8 @@ export function getDisplayedOutput(
     vulnCountText += '.';
   }
 
-  const summary = testedInfoText + ', ' + chalk.red.bold(vulnCountText);
+  const summary =
+    testedInfoText + ', ' + chalk.red.bold(vulnCountText) + hasUnknownVersions;
 
   const fixTip = showFixTip(projectType, res, options);
   const fixAdvice = fixTip ? `\n\n${fixTip}` : '';

src/lib/snyk-test/legacy.ts

@@ -177,6 +177,7 @@ export interface TestResult extends LegacyVulnApiResult {
   displayTargetFile?: string; // used for display only
   foundProjectCount?: number;
   scanResult?: ScanResult;
+  hasUnknownVersions?: boolean;
 }
 
 interface UpgradePathItem {

src/lib/snyk-test/run-test.ts

@@ -66,6 +66,7 @@ import { Issue } from '../ecosystems/types';
 import { assembleEcosystemPayloads } from './assemble-payloads';
 import { makeRequest } from '../request';
 import { spinner } from '../spinner';
+import { hasUnknownVersions } from '../dep-graph';
 
 const debug = debugModule('snyk:run-test');
 
@@ -121,6 +122,7 @@ function prepareEcosystemResponseForParsing(
     payloadPolicy: payloadBody?.policy,
     platform,
     scanResult: payloadBody,
+    hasUnknownVersions: hasUnknownVersions(depGraph),
   };
 }
 
@@ -156,6 +158,7 @@ function prepareLanguagesResponseForParsing(payload: Payload) {
     foundProjectCount,
     displayTargetFile,
     dockerfilePackages,
+    hasUnknownVersions: hasUnknownVersions(depGraph),
   };
 }
 
@@ -234,6 +237,7 @@ async function sendAndParseResults(
       dockerfilePackages,
       platform,
       scanResult,
+      hasUnknownVersions,
     } = prepareResponseForParsing(
       payloadCopy,
       res as TestDependenciesResponse,
@@ -267,6 +271,7 @@ async function sendAndParseResults(
       displayTargetFile,
       platform,
       scanResult,
+      hasUnknownVersions,
     });
   }
   return results;
@@ -601,6 +606,7 @@ async function assembleLocalPayloads(
           maybePrintDepTree(options, pkg as DepTree);
         }
       }
+
       const project = scannedProject as ScannedProjectCustom;
       const packageManager = extractPackageManager(project, deps, options);
 

test/acceptance/workspaces/ruby-app-no-vulns/test-graph-result.json

@@ -8,6 +8,7 @@
     "isLicensesEnabled": false,
     "licensesPolicy": null,
     "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.13.1\nignore: {}\npatch: {}\n",
+    "hasUnknownVersions": false,
     "ignoreSettings": null,
     "org": "test-org"
   },

test/acceptance/workspaces/ruby-app-no-vulns/test-result.json

@@ -7,6 +7,7 @@
   "isPrivate": true,
   "packageManager": "rubygems",
   "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.13.1\nignore: {}\npatch: {}\n",
+  "hasUnknownVersions": false,
   "ignoreSettings": null,
   "projectName": "ruby-app-no-vulns",
   "displayTargetFile": "Gemfile",

test/acceptance/workspaces/ruby-app-policy/test-graph-result-cloud-ignore.json

@@ -386,6 +386,7 @@
     "isLicensesEnabled": false,
     "licensesPolicy": null,
     "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.13.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n  SNYK-RUBY-LYNX-20160:\n    - '*':\n        reason: will check again in 2100\n        expires: 2100-01-01T00:00:00.000Z\n        source: cli\n  SNYK-RUBY-SANITIZE-22024:\n    - '*':\n        reason: who needs sanitization anyway\n        created: '2018-11-23T07:33:16.687Z'\n        ignoredBy:\n          id: 3c2d7dd6-e86e-4842-8124-5766bf55e060\n          name: brian@doogdog.com\n          email: brian@doogdog.com\n        reasonType: temporary-ignore\n        disregardIfFixable: false\n        source: api\npatch: {}\n",
+    "hasUnknownVersions": false,
     "ignoreSettings": null,
     "org": "test-org"
   },

test/acceptance/workspaces/ruby-app-policy/test-graph-result.json

@@ -386,6 +386,7 @@
     "isLicensesEnabled": false,
     "licensesPolicy": null,
     "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.13.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n  SNYK-RUBY-LYNX-20160:\n    - '*':\n        reason: will check again in 2100\n        expires: 2100-01-01T00:00:00.000Z\n        source: cli\npatch: {}\n",
+    "hasUnknownVersions": false,
     "ignoreSettings": null,
     "org": "test-org"
   },

test/acceptance/workspaces/ruby-app-policy/test-result-cloud-ignore.json

@@ -281,6 +281,7 @@
   "isPrivate": true,
   "packageManager": "rubygems",
   "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.13.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n  SNYK-RUBY-LYNX-20160:\n    - '*':\n        reason: will check again in 2100\n        expires: 2100-01-01T00:00:00.000Z\n        source: cli\n  SNYK-RUBY-SANITIZE-22024:\n    - '*':\n        reason: who needs sanitization anyway\n        created: '2018-11-23T07:33:16.687Z'\n        ignoredBy:\n          id: 3c2d7dd6-e86e-4842-8124-5766bf55e060\n          name: brian@doogdog.com\n          email: brian@doogdog.com\n        reasonType: temporary-ignore\n        disregardIfFixable: false\n        source: api\npatch: {}\n",
+  "hasUnknownVersions": false,
   "ignoreSettings": null,
   "summary": "7 vulnerable dependency paths",
   "displayTargetFile": "Gemfile",

test/acceptance/workspaces/ruby-app-policy/test-result.json

@@ -335,6 +335,7 @@
   "isPrivate": true,
   "packageManager": "rubygems",
   "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.13.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n  SNYK-RUBY-LYNX-20160:\n    - '*':\n        reason: will check again in 2100\n        expires: 2100-01-01T00:00:00.000Z\n        source: cli\npatch: {}\n",
+  "hasUnknownVersions": false,
   "ignoreSettings": null,
   "summary": "7 vulnerable dependency paths",
   "displayTargetFile": "Gemfile",

test/acceptance/workspaces/ruby-app-thresholds/test-result-critical-severity.json

@@ -126,6 +126,7 @@
     "ignore": [],
     "patch": []
   },
+  "hasUnknownVersions": false,
   "projectName": "ruby-app-thresholds",
   "uniqueCount": 1,
   "path": "ruby-app-thresholds"

test/acceptance/workspaces/ruby-app-thresholds/test-result-high-severity.json

@@ -236,6 +236,7 @@
     "ignore": [],
     "patch": []
   },
+  "hasUnknownVersions": false,
   "projectName": "ruby-app-thresholds",
   "uniqueCount": 3,
   "path": "ruby-app-thresholds"

test/acceptance/workspaces/ruby-app-thresholds/test-result-low-severity.json

@@ -395,6 +395,7 @@
     "ignore": [],
     "patch": []
   },
+  "hasUnknownVersions": false,
   "projectName": "ruby-app-thresholds",
   "uniqueCount": 6,
   "path": "ruby-app-thresholds"

test/acceptance/workspaces/ruby-app-thresholds/test-result-medium-severity.json

@@ -344,6 +344,7 @@
     "ignore": [],
     "patch": []
   },
+  "hasUnknownVersions": false,
   "projectName": "ruby-app-thresholds",
   "uniqueCount": 5,
   "path": "ruby-app-thresholds"

test/acceptance/workspaces/sbt-simple-struts/legacy-res-json.json

@@ -1961,6 +1961,7 @@
   "isPrivate": true,
   "packageManager": "maven",
   "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.13.1\nignore: {}\npatch: {}\n",
+  "hasUnknownVersions": false,
   "ignoreSettings": null,
   "summary": "31 vulnerable dependency paths",
   "displayTargetFile": "build.sbt",

test/acceptance/workspaces/sbt-simple-struts/test-graph-result.json

@@ -2259,6 +2259,7 @@
       }
     },
     "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.13.1\nignore: {}\npatch: {}\n",
+    "hasUnknownVersions": false,
     "ignoreSettings": null,
     "org": "snyk"
   },

test/jest/acceptance/dep-graph.spec.ts

@@ -0,0 +1,27 @@
+import { DepGraphBuilder } from '@snyk/dep-graph';
+import { hasUnknownVersions } from '../../../src/lib/dep-graph';
+
+describe('dep-graph', () => {
+  describe('hasUnknownVersions', () => {
+    it('returns true when dep-graph has unknown versions', () => {
+      const builder = new DepGraphBuilder({ name: 'maven' });
+      builder.addPkgNode({ name: 'test', version: 'unknown' }, 'test@unknown');
+      builder.connectDep(builder.rootNodeId, 'test@unknown');
+      const depGraph = builder.build();
+      const received = hasUnknownVersions(depGraph);
+      expect(received).toBe(true);
+    });
+    it('returns false when dep-graph does not have unknown versions', () => {
+      const builder = new DepGraphBuilder({ name: 'maven' });
+      builder.addPkgNode({ name: 'test', version: '1.2.3' }, 'test@1.2.3');
+      builder.connectDep(builder.rootNodeId, 'test@1.2.3');
+      const depGraph = builder.build();
+      const received = hasUnknownVersions(depGraph);
+      expect(received).toBe(false);
+    });
+    it('returns false when dep-graph is undefined', () => {
+      const received = hasUnknownVersions(undefined);
+      expect(received).toBe(false);
+    });
+  });
+});

test/jest/unit/python/snyk-test-pyproject.spec.ts

@@ -103,6 +103,7 @@ describe('snyk test for python project', () => {
           foundProjectCount: undefined,
           displayTargetFile: 'pyproject.toml',
           platform: undefined,
+          hasUnknownVersions: false,
           path: fixturePath,
         };
         expect(result).toMatchObject({
@@ -183,6 +184,7 @@ describe('snyk test for python project', () => {
           foundProjectCount: undefined,
           displayTargetFile: 'Pipfile',
           platform: undefined,
+          hasUnknownVersions: false,
           path: fixturePath,
         };
         expect(result).toMatchObject({
@@ -283,6 +285,7 @@ describe('snyk test for python project', () => {
           projectName: undefined,
           displayTargetFile: 'Pipfile',
           platform: undefined,
+          hasUnknownVersions: false,
           path: fixturePath,
         };
         const expectedPyprojectResultObject = {
@@ -307,6 +310,7 @@ describe('snyk test for python project', () => {
           projectName: undefined,
           displayTargetFile: 'pyproject.toml',
           platform: undefined,
+          hasUnknownVersions: false,
           path: fixturePath,
         };
         expect(result).toMatchObject({