feat: patching vulnerable lodash with @snyk/lodash

Vulnerability in lodash@4.17.15
No fix available so using @snyk/lodash

Using @snyk/inquirer and @snyk/graphlib because of transitive
dependencies on vulnerable lodash

Bump to snyk internal packages that include lodash patch

package.json

@@ -53,12 +53,15 @@
   "author": "snyk.io",
   "license": "Apache-2.0",
   "dependencies": {
-    "@snyk/cli-interface": "^2.4.0",
+    "@snyk/cli-interface": "2.6.0",
     "@snyk/configstore": "^3.2.0-rc1",
-    "@snyk/dep-graph": "1.16.1",
+    "@snyk/dep-graph": "1.18.2",
     "@snyk/gemfile": "1.2.0",
-    "@snyk/ruby-semver": "2.1.2",
-    "@snyk/snyk-cocoapods-plugin": "2.1.1",
+    "@snyk/graphlib": "2.1.9-patch",
+    "@snyk/inquirer": "6.2.2-patch",
+    "@snyk/lodash": "^4.17.15-patch",
+    "@snyk/ruby-semver": "2.2.0",
+    "@snyk/snyk-cocoapods-plugin": "2.2.0",
     "@snyk/update-notifier": "^2.5.1-rc2",
     "@types/agent-base": "^4.2.0",
     "abbrev": "^1.1.1",
@@ -69,24 +72,21 @@
     "diff": "^4.0.1",
     "git-url-parse": "11.1.2",
     "glob": "^7.1.3",
-    "graphlib": "^2.1.8",
-    "inquirer": "^6.2.2",
-    "lodash": "^4.17.14",
     "needle": "^2.2.4",
     "open": "^7.0.3",
     "os-name": "^3.0.0",
     "proxy-agent": "^3.1.1",
     "proxy-from-env": "^1.0.0",
     "semver": "^6.0.0",
-    "snyk-config": "^2.2.1",
-    "snyk-docker-plugin": "3.0.0",
-    "snyk-go-plugin": "1.13.0",
+    "snyk-config": "3.1.0",
+    "snyk-docker-plugin": "3.1.0",
+    "snyk-go-plugin": "1.14.0",
     "snyk-gradle-plugin": "3.2.5",
     "snyk-module": "1.9.1",
-    "snyk-mvn-plugin": "2.11.0",
-    "snyk-nodejs-lockfile-parser": "1.21.0",
-    "snyk-nuget-plugin": "1.16.0",
-    "snyk-php-plugin": "1.7.0",
+    "snyk-mvn-plugin": "2.15.0",
+    "snyk-nodejs-lockfile-parser": "1.22.0",
+    "snyk-nuget-plugin": "1.17.0",
+    "snyk-php-plugin": "1.9.0",
     "snyk-policy": "1.13.5",
     "snyk-python-plugin": "1.17.0",
     "snyk-resolve": "1.0.1",
@@ -103,7 +103,6 @@
   },
   "devDependencies": {
     "@types/diff": "^3.5.2",
-    "@types/lodash": "^4.14.136",
     "@types/needle": "^2.0.4",
     "@types/node": "8.10.59",
     "@types/restify": "^8.4.2",

src/cli/commands/monitor/formatters/format-monitor-response.ts

@@ -1,4 +1,4 @@
-import * as _ from 'lodash';
+import * as _ from '@snyk/lodash';
 import chalk from 'chalk';
 import * as url from 'url';
 

src/cli/commands/protect/prompts.ts

@@ -7,7 +7,7 @@ export {
   startOver,
 };
 
-import * as _ from 'lodash';
+import * as _ from '@snyk/lodash';
 import * as semver from 'semver';
 import { format as fmt } from 'util';
 import * as debugModule from 'debug';

src/cli/commands/protect/tasks.ts

@@ -2,7 +2,7 @@ export = answersToTasks;
 
 import * as debugModule from 'debug';
 const debug = debugModule('snyk');
-import * as _ from 'lodash';
+import * as _ from '@snyk/lodash';
 
 function answersToTasks(answers) {
   const tasks = {

src/cli/commands/protect/wizard.ts

@@ -10,12 +10,12 @@ import * as debugModule from 'debug';
 const debug = debugModule('snyk');
 
 import * as path from 'path';
-import * as inquirer from 'inquirer';
+import * as inquirer from '@snyk/inquirer';
 import * as fs from 'then-fs';
 import * as tryRequire from 'snyk-try-require';
 import chalk from 'chalk';
 import * as url from 'url';
-import * as _ from 'lodash';
+import * as _ from '@snyk/lodash';
 import { exec } from 'child_process';
 import { apiTokenExists } from '../../../lib/api-token';
 import * as auth from '../auth/is-authed';

src/cli/commands/test/formatters/docker/format-docker-binary-heading.ts

@@ -1,4 +1,4 @@
-import * as _ from 'lodash';
+import * as _ from '@snyk/lodash';
 import chalk from 'chalk';
 
 export function createDockerBinaryHeading(pkgInfo): string {

src/cli/commands/test/formatters/docker/format-docker-binary-issues.ts

@@ -1,4 +1,4 @@
-import * as _ from 'lodash';
+import * as _ from '@snyk/lodash';
 import { createDockerBinaryHeading } from './format-docker-binary-heading';
 import { Options, TestOptions } from '../../../../../lib/types';
 import { formatIssues } from '../legacy-format-issue';

src/cli/commands/test/formatters/legacy-format-issue.ts

@@ -1,4 +1,4 @@
-import * as _ from 'lodash';
+import * as _ from '@snyk/lodash';
 import chalk from 'chalk';
 import * as config from '../../../../lib/config';
 import { Options, TestOptions, ShowVulnPaths } from '../../../../lib/types';

src/cli/commands/test/index.ts

@@ -1,6 +1,6 @@
 export = test;
 
-import * as _ from 'lodash';
+import * as _ from '@snyk/lodash';
 import chalk from 'chalk';
 import * as snyk from '../../../lib';
 import * as config from '../../../lib/config';

src/lib/config.ts

@@ -15,7 +15,10 @@ interface Config {
   TOKEN: string;
 }
 
-const config: Config = snykConfig(__dirname + '/../..');
+// TODO: fix the types!
+const config = (snykConfig.loadConfig(
+  __dirname + '/../..',
+) as unknown) as Config;
 
 // allow user config override of the api end point
 const endpoint = userConfig.get('endpoint');

src/lib/detect.ts

@@ -1,7 +1,7 @@
 import * as fs from 'then-fs';
 import * as pathLib from 'path';
 import * as debugLib from 'debug';
-import * as _ from 'lodash';
+import * as _ from '@snyk/lodash';
 import { NoSupportedManifestsFoundError } from './errors';
 import { SupportedPackageManagers } from './package-managers';
 

src/lib/find-files.ts

@@ -1,6 +1,6 @@
 import * as fs from 'fs';
 import * as pathLib from 'path';
-import * as _ from 'lodash';
+import * as _ from '@snyk/lodash';
 import { detectPackageManagerFromFile } from './detect';
 import * as debugModule from 'debug';
 const debug = debugModule('snyk');

src/lib/module-info/index.ts

@@ -1,4 +1,4 @@
-import * as _ from 'lodash';
+import * as _ from '@snyk/lodash';
 import * as Debug from 'debug';
 import { legacyPlugin as pluginApi } from '@snyk/cli-interface';
 

src/lib/monitor/index.ts

@@ -5,7 +5,7 @@ import { apiTokenExists } from '../api-token';
 import request = require('../request');
 import * as config from '../config';
 import * as os from 'os';
-import * as _ from 'lodash';
+import * as _ from '@snyk/lodash';
 import { isCI } from '../is-ci';
 import * as analytics from '../analytics';
 import { DepTree, MonitorMeta, MonitorResult } from '../types';

src/lib/plugins/get-multi-plugin-result.ts

@@ -1,4 +1,4 @@
-import * as _ from 'lodash';
+import * as _ from '@snyk/lodash';
 import * as path from 'path';
 import * as cliInterface from '@snyk/cli-interface';
 import chalk from 'chalk';

src/lib/plugins/rubygems/index.ts

@@ -1,7 +1,7 @@
 import { inspectors, Spec } from './inspectors';
 import { MissingTargetFileError } from '../../errors/missing-targetfile-error';
 import gemfileLockToDependencies = require('./gemfile-lock-to-dependencies');
-import * as _ from 'lodash';
+import * as _ from '@snyk/lodash';
 import { MultiProjectResult } from '@snyk/cli-interface/legacy/plugin';
 
 export async function inspect(

src/lib/policy/pluck-policies.ts

@@ -1,4 +1,4 @@
-import * as _ from 'lodash';
+import * as _ from '@snyk/lodash';
 
 export function pluckPolicies(pkg) {
   if (!pkg) {

src/lib/reachable-vulns.ts

@@ -1,4 +1,4 @@
-import * as graphlib from 'graphlib';
+import * as graphlib from '@snyk/graphlib';
 import { CallGraph } from '@snyk/cli-interface/legacy/common';
 
 import {

src/lib/snyk-test/legacy.ts

@@ -1,4 +1,4 @@
-import * as _ from 'lodash';
+import * as _ from '@snyk/lodash';
 import * as depGraphLib from '@snyk/dep-graph';
 import { SupportedPackageManagers } from '../package-managers';
 import { SEVERITIES } from './common';

src/lib/snyk-test/run-test.ts

@@ -1,5 +1,5 @@
 import * as fs from 'fs';
-import * as _ from 'lodash';
+import * as _ from '@snyk/lodash';
 import * as path from 'path';
 import * as debugModule from 'debug';
 import * as pathUtil from 'path';

test/prompts.test.ts

@@ -3,7 +3,7 @@ import { test } from 'tap';
 import * as _ from 'lodash';
 import * as path from 'path';
 import * as sinon from 'sinon';
-import * as inquirer from 'inquirer';
+import * as inquirer from '@snyk/inquirer';
 
 import wizard = require('../src/cli/commands/protect/wizard');
 

test/utils.ts

@@ -1,7 +1,7 @@
 import { tmpdir } from 'os';
 import { join } from 'path';
 import { mkdir, readFileSync } from 'fs';
-import * as graphlib from 'graphlib';
+import * as graphlib from '@snyk/graphlib';
 
 export function silenceLog() {
   const old = console.log;

test/wizard-instrumented.js

@@ -4,7 +4,7 @@ var proxyquire = require('proxyquire');
 var sinon = require('sinon');
 var spy;
 var wizard = proxyquire('../src/cli/commands/protect/wizard', {
-  inquirer: {
+  '@snyk/inquirer': {
     prompt: function(q, cb) {
       if (!cb) {
         cb = (_) => Promise.resolve(_);

test/wizard-patch-multiple-locations.test.ts

@@ -0,0 +1,26 @@
+import { test } from 'tap';
+import interactive = require('./wizard-instrumented');
+import answersToTasks = require('../src/cli/commands/protect/tasks');
+import * as snykPolicy from 'snyk-policy';
+import * as proxyquire from 'proxyquire';
+const patch = proxyquire('../src/lib/protect/patch', {
+  './apply-patch': () => {
+    return Promise.resolve(true);
+  },
+});
+
+test('patch does not try to apply the same patch more than once', async (t) => {
+  const responses = ['default:patch', 'default:patch', 'n', 'n'];
+
+  const vulns = require(__dirname + '/fixtures/scenarios/SC-965.json');
+
+  const answers = await interactive(vulns, responses);
+  const tasks = answersToTasks(answers);
+  const res = await patch(tasks.patch, false);
+  const demunged = snykPolicy.demunge(res);
+  const count = demunged.patch.reduce((acc, curr) => {
+    acc += curr.paths.length;
+    return acc;
+  }, 0);
+  t.equal(count, 6, 'all patches in place');
+});

test/wizard-prepare.test.js

@@ -7,7 +7,7 @@ var dir = __dirname + '/fixtures/protect-via-snyk/';
 var fixture = require('./fixtures/protect-via-snyk/package.json');
 
 var wizard = proxyquire('../src/cli/commands/protect/wizard', {
-  inquirer: {
+  '@snyk/inquirer': {
     prompt: function(q, cb) {
       cb(q);
     },