Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Default nested #388

Merged
merged 1 commit into from
Dec 20, 2021
Merged

Default nested #388

merged 1 commit into from
Dec 20, 2021

Conversation

shaninja
Copy link
Contributor

@shaninja shaninja commented Dec 19, 2021
edited
Loading

  • Ready for review
  • Follows CONTRIBUTING rules
  • Reviewed by Snyk internal team

What does this PR do?

Step #1 for detecting log4j automatically for customers who scan images with shaded and nested jars.

The end goal is to have always at least 1 level scanned,

see here https://www.notion.so/snyk/log4shell-shaded-Jar-detection-552bed54e8964a968867c601905f80a0#723610c656e7467684a6cbf62f84322d and here https://snyk.slack.com/archives/C01EPSKVC9L/p1639908202242500?thread_ts=1639765350.234600&cid=C01EPSKVC9L

The first step (in this PR) is making the default level of unpacking 1 (instead of 0, which it once was).

The second step would be to unpack 1 level more than what the customer requested, so we can get the pom.properties (the shaded jars) for that level of nesting.

@shaninja
feat: always unpack at least 1 level of JARs
6a81f89 
We need to unpack a JAR to get the pom.dependencies in it, which
we need to get shaded JARs.
This commit:
- makes the default level of unpacking JARs 1 (instead of 0)
- unpacks the default level whenevet --app-vulns is provided, even if --nested-jars-depth was not
- prohibits any attempt to not unpack at least 1 level (no 0)
@shaninja shaninja self-assigned this Dec 19, 2021
@github-actions
Copy link

github-actions bot commented Dec 19, 2021
edited by shaninja
Loading

Expected release notes (by @shaninja)

features:
always unpack at least 1 level of JARs (6a81f89)

  • I hereby acknowledge these release notes are 🥙 AWESOME 🥙

@shaninja shaninja marked this pull request as ready for review December 19, 2021 13:46
@shaninja shaninja requested a review from a team as a code owner December 19, 2021 13:46
@shaninja shaninja merged commit ba5f9f4 into master Dec 20, 2021
@shaninja shaninja deleted the default-nested branch December 20, 2021 08:25
@snyksec
Copy link

snyksec commented Dec 20, 2021

🎉 This PR is included in version 4.32.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@michael-c-snyk michael-c-snyk michael-c-snyk approved these changes

Assignees

@shaninja shaninja

Labels
released
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@shaninja @snyksec @michael-c-snyk