Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

container: npm/yarn scan without a lockfile UNIFY-68 #5196

Merged
merged 1 commit into from
May 16, 2024
Merged

container: npm/yarn scan without a lockfile UNIFY-68 #5196

merged 1 commit into from
May 16, 2024
+64 −11

Conversation

adrobuta
Copy link
Contributor

@adrobuta adrobuta commented Apr 23, 2024
edited
Loading

Pull Request Submission

Adding integration tests for the new functionality released in snyk-docker-plugin@6.12.0 that scans node_modules directory content when npm/yarn lockfiles are missing from the docker image filesystem:

  1. snyk will return a dependency graph constructed from the application’s node_modules when package.json / package-lock.json/ yarn.lock manifest files are not installed in the container filesystem.
  2. when package.json is existent in the application directory but package-lock.json/yarn.lock files are missing, snyk reports only the production dependencies from the physical content of node_modules, without the dev dependencies.
  3. when package.json is not found in the application directory, all the packages existent in node_modules : production and dev dependencies are reported from the physical content of node_modules.
  4. when package.json is not found in the application directory, the dependency graph’s package manager is defaulting to ‘npm’ and the name of the rootPkg is the name of the application root directory @1.0.0 : e.g if your application is mounted in /home/app directory the rootPkg name will be app @ 1.0.0.
  5. snyk persists a copy of the npm/yarn manifests files from the container image to the user’s disk of up to 10 MB, the copy is cleaned up at the end of the scan.

Please check the boxes once done.

The pull request must:

  • Reviewer Documentation
    • follow CONTRIBUTING rules
    • be accompanied by a detailed description of the changes
    • contain a risk assessment of the change (Low | Medium | High) with regards to breaking existing functionality. A change e.g. of an underlying language plugin can completely break the functionality for that language, but appearing as only a version change in the dependencies.
    • highlight breaking API if applicable
    • contain a link to the automatic tests that cover the updated functionality.
    • contain testing instructions in case that the reviewer wants to manual verify as well, to add to the manual testing done by the author.
    • link to the link to the PR for the User-facing documentation
  • User facing Documentation
    • update any relevant documentation in gitbook by submitting a gitbook PR, and including the PR link here
    • ensure that the message of the final single commit is descriptive and prefixed with either feat: or fix: , others might be used in rare occasions as well, if there is no need to document the changes in the release notes. The changes or fixes should be described in detail in the commit message for the changelog & release notes.
  • Testing
    • Changes, removals and additions to functionality must be covered by acceptance / integration tests or smoke tests - either already existing ones, or new ones, created by the author of the PR.

Pull Request Review

All pull requests must undergo a thorough review process before being merged.
The review process of the code PR should include code review, testing, and any necessary feedback or revisions.
Pull request reviews of functionality developed in other teams only review the given documentation and test reports.

Manual testing will not be performed by the reviewing team, and is the responsibility of the author of the PR.

For Node projects: It’s important to make sure changes in package.json are also affecting package-lock.json correctly.

If a dependency is not necessary, don’t add it.

When adding a new package as a dependency, make sure that the change is absolutely necessary. We would like to refrain from adding new dependencies when possible.
Documentation PRs in gitbook are reviewed by Snyk's content team. They will also advise on the best phrasing and structuring if needed.

Pull Request Approval

Once a pull request has been reviewed and all necessary revisions have been made, it is approved for merging into
the main codebase. The merging of the code PR is performed by the code owners, the merging of the documentation PR
by our content writers.

What does this PR do?

Where should the reviewer start?

How should this be manually tested?

Any background context you want to provide?

What are the relevant tickets?

Screenshots

Additional questions

@adrobuta adrobuta requested a review from a team as a code owner April 23, 2024 07:25
@adrobuta adrobuta force-pushed the feat/npm-without-lockfiles branch 9 times, most recently from 6dee227 to b9fb8b6 Compare April 23, 2024 19:54
thisislawatts
thisislawatts reviewed Apr 26, 2024
View reviewed changes
cliv2/go.mod Outdated Show resolved Hide resolved
@adrobuta adrobuta force-pushed the feat/npm-without-lockfiles branch 7 times, most recently from 097ca4e to 255b40a Compare May 15, 2024 03:50
@adrobuta adrobuta changed the title feat: npm without lockfiles integration test UNIFY-68 container: npm/yarn scan without a lockfile UNIFY-68 May 15, 2024
@adrobuta adrobuta force-pushed the feat/npm-without-lockfiles branch from 255b40a to e2d77a9 Compare May 16, 2024 12:16
@adrobuta adrobuta merged commit 3fcf8bc into main May 16, 2024
15 checks passed
@adrobuta adrobuta deleted the feat/npm-without-lockfiles branch May 16, 2024 14:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@thisislawatts thisislawatts thisislawatts approved these changes

@neil-snyk neil-snyk neil-snyk approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
3 participants
@adrobuta @thisislawatts @neil-snyk