feat: container app vulns by default

Enables container app scan by default. We are introducing a new flag,
`exclude-app-vulns` in case a user would like to disable app scan.

package.json

@@ -111,7 +111,7 @@
     "semver": "^6.0.0",
     "snyk-config": "4.0.0",
     "snyk-cpp-plugin": "2.20.0",
-    "snyk-docker-plugin": "^4.38.0",
+    "snyk-docker-plugin": "^5.0.0",
     "snyk-go-plugin": "1.19.0",
     "snyk-gradle-plugin": "3.20.2",
     "snyk-module": "3.1.0",

src/lib/types.ts

@@ -74,8 +74,8 @@ export interface Options {
   strictOutOfSync?: boolean;
   // Used only with the IaC mode & Docker plugin. Allows requesting some experimental/unofficial features.
   experimental?: boolean;
-  // Used with the Docker plugin only. Allows application scanning.
-  'app-vulns'?: boolean;
+  // Used with the Docker plugin only. Disables application scanning.
+  'exclude-app-vulns'?: boolean;
   debug?: boolean;
   sarif?: boolean;
   'group-issues'?: boolean;

test/jest/acceptance/snyk-test/app-vuln-container-project.spec.ts

@@ -5,16 +5,16 @@ import { runSnykCLI } from '../../util/runSnykCLI';
 describe('container test projects behavior with --app-vulns, --file and --exclude-base-image-vulns flags', () => {
   it('should find nothing when only vulns are in base image', async () => {
     const { code, stdout } = await runSnykCLI(
-      `container test docker-archive:test/fixtures/container-projects/os-app-alpine-and-debug.tar --json --exclude-base-image-vulns`,
+      `container test docker-archive:test/fixtures/container-projects/os-app-alpine-and-debug.tar --exclude-app-vulns --json --exclude-base-image-vulns`,
     );
 
     const jsonOutput = JSON.parse(stdout);
     expect(jsonOutput.ok).toEqual(true);
     expect(code).toEqual(0);
   }, 10000);
-  it('should find all vulns when using --app-vulns', async () => {
+  it('should find all vulns including app vulns', async () => {
     const { code, stdout } = await runSnykCLI(
-      `container test docker-archive:test/fixtures/container-projects/os-packages-and-app-vulns.tar --json --experimental --app-vulns`,
+      `container test docker-archive:test/fixtures/container-projects/os-packages-and-app-vulns.tar --json --experimental`,
     );
     const jsonOutput = JSON.parse(stdout);
 
@@ -26,9 +26,9 @@ describe('container test projects behavior with --app-vulns, --file and --exclud
     expect(applications[0].ok).toEqual(false);
     expect(code).toEqual(1);
   }, 10000);
-  it('should find all vulns when using --app-vulns without experimental flag', async () => {
+  it('should find all vulns without experimental flag', async () => {
     const { code, stdout } = await runSnykCLI(
-      `container test docker-archive:test/fixtures/container-projects/os-packages-and-app-vulns.tar --json --app-vulns`,
+      `container test docker-archive:test/fixtures/container-projects/os-packages-and-app-vulns.tar --json`,
     );
     const jsonOutput = JSON.parse(stdout);
 
@@ -46,7 +46,7 @@ describe('container test projects behavior with --app-vulns, --file and --exclud
     );
 
     const { code, stdout } = await runSnykCLI(
-      `container test docker-archive:test/fixtures/container-projects/os-packages-and-app-vulns.tar --json --file=${dockerfilePath} --exclude-base-image-vulns`,
+      `container test docker-archive:test/fixtures/container-projects/os-packages-and-app-vulns.tar --exclude-app-vulns --json --file=${dockerfilePath} --exclude-base-image-vulns`,
     );
     const jsonOutput = JSON.parse(stdout);
 
@@ -55,13 +55,13 @@ describe('container test projects behavior with --app-vulns, --file and --exclud
     expect(code).toEqual(1);
   }, 10000);
 
-  it('finds dockerfile instructions and app vulns when excluding base image vulns and using --app-vulns', async () => {
+  it('finds dockerfile instructions and app vulns when excluding base image vulns', async () => {
     const dockerfilePath = path.normalize(
       'test/fixtures/container-projects/Dockerfile-vulns',
     );
 
     const { code, stdout } = await runSnykCLI(
-      `container test docker-archive:test/fixtures/container-projects/os-packages-and-app-vulns.tar --json --app-vulns --file=${dockerfilePath} --exclude-base-image-vulns`,
+      `container test docker-archive:test/fixtures/container-projects/os-packages-and-app-vulns.tar --json --file=${dockerfilePath} --exclude-base-image-vulns`,
     );
     const jsonOutput = JSON.parse(stdout);
 
@@ -73,7 +73,7 @@ describe('container test projects behavior with --app-vulns, --file and --exclud
   }, 10000);
 });
 
-describe('container test projects behavior with --app-vulns, --json flags', () => {
+describe('container test projects behavior with --json flag', () => {
   let server;
   let env: Record<string, string>;
 
@@ -106,7 +106,7 @@ describe('container test projects behavior with --app-vulns, --json flags', () =
 
   it('returns a json with the --experimental flags', async () => {
     const { code, stdout } = await runSnykCLI(
-      `container test docker-archive:test/fixtures/container-projects/os-app-alpine-and-debug.tar --app-vulns --json --experimental`,
+      `container test docker-archive:test/fixtures/container-projects/os-app-alpine-and-debug.tar --json --experimental`,
       {
         env,
       },

test/jest/unit/ecosystems-monitor-docker.spec.ts

@@ -63,7 +63,6 @@ describe('monitorEcosystem docker/container', () => {
       {
         path: '/srv',
         docker: true,
-        'app-vulns': true,
         org: 'my-org',
         tags: 'keyone=valueone',
       },
@@ -76,7 +75,6 @@ describe('monitorEcosystem docker/container', () => {
       {
         path: '/srv',
         docker: true,
-        'app-vulns': true,
         org: 'my-org',
       } as Options,
     );