From 0e8c4d33af14b1f381d4ec31f892fe4f71ea2c9c Mon Sep 17 00:00:00 2001
From: Bastian Doetsch
Date: Thu, 5 Jan 2023 16:10:11 +0100
Subject: [PATCH 1/5] chore: update public gpg key
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

chore: update signing script
Signed-off-by: Peter Schäfer <101886095+PeterSchafer@users.noreply.github.com>
---
 .../snyk-code-signing-public.pgp | 58 ++++---------
 release-scripts/sha256sums.txt.asc.sh | 2 +-
 2 files changed, 11 insertions(+), 49 deletions(-)

diff --git a/help/_about-this-project/snyk-code-signing-public.pgp b/help/_about-this-project/snyk-code-signing-public.pgp
index 6f28702703..14c7a4d7c9 100644
--- a/help/_about-this-project/snyk-code-signing-public.pgp
+++ b/help/_about-this-project/snyk-code-signing-public.pgp
@@ -1,51 +1,13 @@ -----BEGIN PGP PUBLIC KEY BLOCK----- -mQINBGJmfEwBEADWBKcDoaf8cAnCg1FPcibCzEtKLts9GEpv1ekXi3BP+ZVqdY6/ -vPVznMPgSCDJz4kahDoX18mSZcxJUc6cgu1XPvGHhQE0rcvpUwnTTjnoo4vzvOAM -SNvaVTmCwO6jYecj5HrBLpy5dhyGUc68GKcOB0CnmsQYFnHrnJOcGdB0AgKsL1Ll -TZ3qZYe7vS/1i3RoPfoOx+jW8hHPqKltaSf7HRiWcTBpQg8rPjpBRPY/PtXklHy8 -ib76GzEYA7J/X4azBs6I08mSUoUWH0ATwNFSsnR6xN96kEA+d4cL8O9gL9SNpZRX -X1FPZXfUr8KjS7X2VfDAhG/Ch+aKmTgJF3dIUGHwuegJlVYia32EV3uQH93qnFxA -oIkP5muhDNNlZ0SDVQLRCTuC6TTKy36VoHNTj3XzUG3+q49RaSdHsp/f90A+caVy -R6HgYJfcvBhdX7SC+aYpU822j/4SLi2L3K32j+qcIE8iEPR2LlgopEecHQmyI2G4 -0K5HUWaHJPu+EH0s4fsIZfZgESkLQhiBEIon2zTO7Zz8tWxVV0aR4/85Djnn5UUq -h6efMw2g8WaUkRD3Djsi9CpepyKLakWH3+bBVnKzH8pWdGMa272wn9PVfeCwF8xq -wICI/PPfN7d7RpULWjphzqeEl/ni0yUIiNPiwBlYH5fbpUlVpndWWXROZwARAQAB -tCNTbnlrIExpbWl0ZWQgPGNvZGUtc2lnbmluZ0BzbnlrLmlvPokCTgQTAQoAOBYh -BGi/vM63eU5vwGogRKKcMukfS5VpBQJiZnxMAhsDBQsJCAcDBRUKCQgLBRYCAwEA -Ah4BAheAAAoJEKKcMukfS5VpeQ0P/j5CgXpwsx3De56+4tibEBqHLfv4wwWxBsoy -Wv6L1BfgKyI0NSs1IUJSx5GdsXSwtU9Mp5PhBlVVA6U0SwOxt5ghRSf/kCvB1oP1 -Oo8W3dBl4Y4oWFlIM280t2v/PveBdB1nNiPxmAG1jHtoMqbHFkmZDFvroYFSj/rm -FOe2qXOc/gwj5RUVVu+tTCPwCyCF9tBfqnbYbLjmI2z1om90uFqSOVDZJbUCY9ZK -OR9Szu0/Jybg9/7VQ2BDRLi4LSRIASHOc4ZbHfX/44NZOODwzCme78MbbS9cFvRX -SkFzH1I1yEqtCzCF23Nav/Dbemyhe2zi/Qhi/XCufOsg3tK3uSjWWqeIm5knP/IL -MSdoEOxIkGZ+FHJ6yzO5r4bLYrfwWLrFI/k5dCGgzKiX76TwakqkcJ0NX5kSLdle -O2HBSuuoPCLcX7QfPWh51CF/EZ6IV/Rmc+ZbyW2UbJ4FuYWsb9wMdSiaoi8TGiVt -1snb9QRbTo3ZJWRN+pE4bW2UadieE8wfyHHVEMo5RQ49heaR0Q5VJkapnPWfKb1v -3QTJh4L2Jju0cGQD+OtAvTQ005ZjG0ZXR4GiKArCUMebJRzNR3FFR/vyItP2lb31 -GwCObABWUtP4oCMRxTGHpGRNLJCmMvWIs1RejxB9Y7svU7fcF06jHF5UXke7NSOs -fLaduZz2uQINBGJmfEwBEACpd4neyneH+/2d5KKQyXpPnPpCnxPIcQ9Ql4QyGuJB -Em/PeVZDMaqpuQwNfFsPCjV1C9uF9VJfTlvQnXPqA/OndVaWbfBFqEtnS6RX4NHf -FWIMcYibpg+3lHSY5iY4B4R/WIrlO021g3ULpsVL/Sz4Zz4drF2lZXgcGiBmiRVo -JopU+KPUbjO0rFh927EYEJ80+LT0E4M+dJnEofGd5P0bTeQWNqoVABLAKql+erHX -kBUrwMk8/ekdqfn5DYM31OR19Ogud/3cxsxOkhgvWWwUhtihu9NiqtO2y0c4ijHG 
-WgWXjM3K2zs23f+pfNLfTtE8pkZw7Swmr0GRQ6Ikx9LqhdGPKqoALr8TqVUudZXU -8clact0OtmHKASAI4bH51b3XSTmj1+v8g4/oEjukniuFm5Fave78Rh/EaO2IXjxc -moCSCk6bK2YEM2fSjCuTVI9zm+CzyQ9MmvEJcR0vBCU2vHcrwKkvKXQIssePZT12 -B8IO9LT5jeVnFmtI+tLY2E/r7tqrmcgmHciAw0ugFGG7uYQivF21Mlqz72Dx+P0+ -WVch456NHUy26ALhAv8jU7OQprpzuRQOytYKiUK5GwrF91/6WmhYyIzlVFIYoqfQ -s0WEu2apcPIx9OVtWoot8cynskneJ9s+EtPNF4T/Zh8YTCvGIhRy7Tvt6GbEnDQE -UQARAQABiQI2BBgBCgAgFiEEaL+8zrd5Tm/AaiBEopwy6R9LlWkFAmJmfEwCGwwA -CgkQopwy6R9LlWkJpg/+JWhBKpWJ9Kv4I0XWpMOlCzaKPk0TDqXpSPg+MWOGrv3i -Q2Xeyi4HCy7oBISI1YpF4mJeaJikC1KQIikOmCKyj6kYj+WnHfjBUkplOKMe80ZU -X5AZWsUfw2p1LJn0fCcdJrHDAn29R0abaoe9ExYPlXgFmBNoIQNvG/fMzwoIYmPO -WsWPmqCzYQ7oCi4kOHhOo1isDlrunT0egSb6KXKdLPwn1u+rTQno1fBFQB/cY9s5 -F036QfVx0M4NdX8LzNQCObXZdln0PSqSNs7EXzHGv5ivuBZaFVsKv+HPSnaUng/M -fyDZhOowNy6NEgB042lnOl0wO8JEm8Av1PC7y/1gTijAd1bFAjX7m0FqIfkJnhvY -yGwSnGq4qXECpivBGA4Y2xUXURaSDNk8h1TjUT4366CGqSaVgTL5zZ2Jiu6rDozk -9A4ur3GwldHpszUm3zAhDrjTHxDVFohhbBW9kmcQQmsz1PKiWMqCKT2V3J+Pn/HE -VEu6go9VxdW4bZyb4Zc0ikB5T+FEuHOMK8QSeEfdWgzG87YJZkTCf5o90wl3A8YJ -dvQcwQJsZ4FGInMk62VVyHrrJmD7W6+35/dLcAbrjMfrkR9FE97q3wRk4KkGPzDi -r3OBWax7GYllVWd94kYFN4mRQxQISPRpO9yvH58WbsGxlymYr5lfibYI7AX+/B0= -=vpdV +mDMEY7bmTBYJKwYBBAHaRw8BAQdAYBCJOraO3kiE/7Q2/7k6WNZG9I3KSmbm6aNp +05rNYji0I1NueWsgTGltaXRlZCA8Y29kZS1zaWduaW5nQHNueWsuaW8+iJkEExYK +AEEWIQSiJmX7lsqw4Jc2BMg2dsS4KJwpbgUCY7bmTAIbAwUJA8JnAAULCQgHAgIi +AgYVCgkICwIEFgIDAQIeBwIXgAAKCRA2dsS4KJwpbnQGAQCspMHbIQxwH0juRMye +j3zCcQK2hDCWPIs4ecx8T4Be2wEAtcD8AnZSbmXbrnPAarKeCGwfIWCKcUsmkqzz +rB04/gm4OARjtuZMEgorBgEEAZdVAQUBAQdAOALchLEyLdhJ0U/RF+c+HFczClpE +yqMOyzPlF9OOaAwDAQgHiH4EGBYKACYWIQSiJmX7lsqw4Jc2BMg2dsS4KJwpbgUC +Y7bmTAIbDAUJA8JnAAAKCRA2dsS4KJwpbv9eAQDD25qh5WF7TkOZUUhe+4hLDkS3 +RdLL7tBDogAoIORt8QEA2XZvHmEfFyJgrJus+gv3GRKXHwiScYhlpmXV4T4+gws= +=MsMZ -----END PGP PUBLIC KEY BLOCK----- diff --git a/release-scripts/sha256sums.txt.asc.sh b/release-scripts/sha256sums.txt.asc.sh index c595213c71..efe20215f4 100755 
--- a/release-scripts/sha256sums.txt.asc.sh +++ b/release-scripts/sha256sums.txt.asc.sh @@ -11,7 +11,7 @@ echo "${SNYK_CODE_SIGNING_PGP_PRIVATE}" \ echo "Signing shasums file" gpg \ --clear-sign \ - --local-user=1F4B9569 \ + --local-user=3676C4B8289C296E \ --passphrase="${SNYK_CODE_SIGNING_GPG_PASSPHRASE}" \ --pinentry-mode=loopback \ --armor \ From 910a86c9b573af794488ac90a81176453d6baa69 Mon Sep 17 00:00:00 2001 From: Damilola Olufemi Date: Fri, 6 Jan 2023 11:54:48 +0000 Subject: [PATCH 2/5] fix: add logic to ignore unsupporting package managers during snyk monitor --- src/cli/commands/monitor/index.ts | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/src/cli/commands/monitor/index.ts b/src/cli/commands/monitor/index.ts index 0543096a58..dac257ab72 100644 --- a/src/cli/commands/monitor/index.ts +++ b/src/cli/commands/monitor/index.ts @@ -175,7 +175,16 @@ export default async function monitor(...args0: MethodArgs): Promise { } else { packageManager = detect.detectPackageManager(path, options); } - + const unsupportedPackageManagers: Array<{ + label: string; + name: string; + }> = [{ label: 'Swift PM', name: 'swift' }]; + const unsupportedPackageManager = unsupportedPackageManagers.find( + (pm) => pm.name === packageManager, + ); + if (unsupportedPackageManager) { + return `${unsupportedPackageManager.label} projects do not currently support "snyk monitor"`; + } const targetFile = !options.scanAllUnmanaged && options.docker && !options.file // snyk monitor --docker (without --file) ? undefined From 7d2c6bef311bc669c0b059ab7a7738f8d8d9d23c Mon Sep 17 00:00:00 2001 From: Simon Strassl Date: Fri, 6 Jan 2023 17:14:13 +0100 Subject: [PATCH 3/5] fix: run snyk code test with the default org --- test/smoke/spec/snyk_code_spec.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/test/smoke/spec/snyk_code_spec.sh b/test/smoke/spec/snyk_code_spec.sh index 684f18cdb5..52b41d6e36 100644 --- a/test/smoke/spec/snyk_code_spec.sh 
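Review bot: `--local-user=3676C4B8289C296E` selects the signing key by its 64-bit long key ID, an improvement over the 8-hex short ID it replaces, but gpg still resolves it against whatever happens to be in the runner's keyring; the unambiguous form is the full 40-hex fingerprint (the issuer-fingerprint subpacket in the new public key block appears to end in 3676C4B8289C296E, so the value looks consistent — confirm with `gpg --list-keys --with-fingerprint`). A comment tying the value to the published key keeps the two from drifting apart: `# must match help/_about-this-project/snyk-code-signing-public.pgp (fingerprint: <FULL_FINGERPRINT>)`. The published key is swapped without a revocation of, or a cross-signature by, the old key 1F4B9569, so consumers have no in-band way to establish trust in the rotation; documenting the new fingerprint out-of-band and publishing a revocation for the old key would close that gap. The gpg invocation continues outside the hunk.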
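Review bot: The new early `return` hands back a bare message string from `monitor()` rather than an error, so an unsupported project presumably surfaces as a successful run — in CI a Swift PM project would exit cleanly without ever being registered, which is easy to miss; if a non-fatal skip is intended, say so at the return (`// Unsupported ecosystems are skipped with a message instead of failing the run`), otherwise throw whatever typed error the CLI already uses for unsupported inputs so the exit code reflects it. The `unsupportedPackageManagers` table is rebuilt on every call; hoist it to a module-level `const UNSUPPORTED_PACKAGE_MANAGERS = [{ label: 'Swift PM', name: 'swift' }] as const;` and keep only the `.find` here. The `Promise {` in the hunk header looks like a rendering artifact of the real return type — verify against the file. `monitor()` begins and ends outside the hunk.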
+++ b/test/smoke/spec/snyk_code_spec.sh @@ -7,7 +7,7 @@ Describe "Snyk Code test command" Describe "snyk code test" run_test_in_subfolder() { cd ../fixtures/sast/shallow_sast_webgoat || return - snyk code test . --org=snyk-cli-smoke-test-with-snykcode + snyk code test . } It "finds vulns in a project in the same folder" @@ -15,7 +15,7 @@ Describe "Snyk Code test command" The output should include "Static code analysis" The output should include "✗ [High] SQL Injection" The status should be failure - if should_have_deprecation_warnings; then + if should_have_deprecation_warnings; then The stderr should not equal "" else The stderr should equal "" @@ -25,11 +25,11 @@ Describe "Snyk Code test command" Describe "code test with SARIF output" It "outputs a valid SARIF with vulns" - When run snyk code test ../fixtures/sast/shallow_sast_webgoat --sarif --org=snyk-cli-smoke-test-with-snykcode + When run snyk code test ../fixtures/sast/shallow_sast_webgoat --sarif The status should be failure # issues found The output should include '"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json"' The output should include '"name": "SnykCode"' - if should_have_deprecation_warnings; then + if should_have_deprecation_warnings; then The stderr should not equal "" else The stderr should equal "" From 11841c815e3ea2c8c5d6bdd226e7b998af313842 Mon Sep 17 00:00:00 2001 From: magdziarek Date: Mon, 9 Jan 2023 09:18:06 +0100 Subject: [PATCH 4/5] feat: disable gradle config caching by default --- package-lock.json | 14 +++++++------- package.json | 2 +- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/package-lock.json b/package-lock.json index 3bb7db067b..7f2b6c4b85 100644 --- a/package-lock.json +++ b/package-lock.json 
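Review bot: Dropping `--org=snyk-cli-smoke-test-with-snykcode` from both `snyk code test` invocations makes the smoke test depend on an implicit property of the environment — the default org of the token in use must have Snyk Code enabled — and nothing in the spec records that; add a comment next to `run_test_in_subfolder()` such as `# Relies on the token's default org having Snyk Code enabled (no --org override).` so the next person whose run fails knows where to look. The two `if should_have_deprecation_warnings; then` lines appear to change only in whitespace in this rendering and need no review.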
@@ -68,7 +68,7 @@ "snyk-cpp-plugin": "2.20.1", "snyk-docker-plugin": "5.7.2", "snyk-go-plugin": "^1.19.4", - "snyk-gradle-plugin": "3.24.6", + "snyk-gradle-plugin": "3.25.1", "snyk-module": "3.1.0", "snyk-mvn-plugin": "2.32.0", "snyk-nodejs-lockfile-parser": "1.45.1", @@ -16859,9 +16859,9 @@ } }, "node_modules/snyk-gradle-plugin": { - "version": "3.24.6", - "resolved": "https://registry.npmjs.org/snyk-gradle-plugin/-/snyk-gradle-plugin-3.24.6.tgz", - "integrity": "sha512-e5Sy/KbEKqDT2bKnvqs9raAdsxiyr9UNxmne9ARnJUQtD3ndNPnAURZQCdUIHBarEyBp6AIJMO/XUp42+hVWTA==", + "version": "3.25.1", + "resolved": "https://registry.npmjs.org/snyk-gradle-plugin/-/snyk-gradle-plugin-3.25.1.tgz", + "integrity": "sha512-qBFehAQ0/t84Vk8sTn5WHO1jrym9UrlRbHjqP62810ptWA23iT9neXo12Y8A0XQR/tr5gA2ayDu4XP/emcqLcQ==", "dependencies": { "@snyk/cli-interface": "2.11.3", "@snyk/dep-graph": "^1.28.0", @@ -33402,9 +33402,9 @@ } }, "snyk-gradle-plugin": { - "version": "3.24.6", - "resolved": "https://registry.npmjs.org/snyk-gradle-plugin/-/snyk-gradle-plugin-3.24.6.tgz", - "integrity": "sha512-e5Sy/KbEKqDT2bKnvqs9raAdsxiyr9UNxmne9ARnJUQtD3ndNPnAURZQCdUIHBarEyBp6AIJMO/XUp42+hVWTA==", + "version": "3.25.1", + "resolved": "https://registry.npmjs.org/snyk-gradle-plugin/-/snyk-gradle-plugin-3.25.1.tgz", + "integrity": "sha512-qBFehAQ0/t84Vk8sTn5WHO1jrym9UrlRbHjqP62810ptWA23iT9neXo12Y8A0XQR/tr5gA2ayDu4XP/emcqLcQ==", "requires": { "@snyk/cli-interface": "2.11.3", "@snyk/dep-graph": "^1.28.0", diff --git a/package.json b/package.json index b877c8450b..e274895243 100644 --- a/package.json +++ b/package.json @@ -115,7 +115,7 @@ "snyk-cpp-plugin": "2.20.1", "snyk-docker-plugin": "5.7.2", "snyk-go-plugin": "^1.19.4", - "snyk-gradle-plugin": "3.24.6", + "snyk-gradle-plugin": "3.25.1", "snyk-module": "3.1.0", "snyk-mvn-plugin": "2.32.0", "snyk-nodejs-lockfile-parser": "1.45.1", From 31c0124c04812f8cb4a12cc2155f23efcde662c8 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Peter=20Scha=CC=88fer?= <101886095+PeterSchafer@users.noreply.github.com> Date: Mon, 9 Jan 2023 12:45:53 +0100 Subject: [PATCH 5/5] =?UTF-8?q?chore:=20explicitely=20set=20=E2=80=94times?= =?UTF-8?q?tamp=20for=20codesign?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit just to ensure that timestamping is being used. Signed-off-by: Peter Schäfer <101886095+PeterSchafer@users.noreply.github.com> --- cliv2/scripts/sign_darwin.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cliv2/scripts/sign_darwin.sh b/cliv2/scripts/sign_darwin.sh index 47ed19706d..c90840d63f 100755 --- a/cliv2/scripts/sign_darwin.sh +++ b/cliv2/scripts/sign_darwin.sh @@ -48,7 +48,7 @@ rm $APPLE_SIGNING_SECRETS security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_NAME" echo "$LOG_PREFIX Signing binary $APP_PATH" -codesign -s "$APPLE_SIGNING_IDENTITY" -v "$APP_PATH" --options runtime +codesign -s "$APPLE_SIGNING_IDENTITY" -v "$APP_PATH" --timestamp --options runtime # # notarization
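Review bot: The added `--timestamp` makes the signing step depend on Apple's timestamp service being reachable, yet the script never checks that a secure timestamp actually landed in the signature, so a failed request would surface only later at notarization, if at all. Verify right after the `codesign` line, e.g. `codesign --verify --verbose=2 --strict "$APP_PATH"` followed by `codesign -dvv "$APP_PATH" 2>&1 | grep -q '^Timestamp=' || { echo "$LOG_PREFIX no secure timestamp"; exit 1; }`, and note in a comment that the timestamp is what keeps the signature valid after the signing certificate expires. Whether the script runs under `set -e` is not visible in the hunk.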