Merge pull request #238 from snyk/feat/docker-remediation

feat: docker base image remediation advice
snyk · Oct 9, 2018 · 596c18f · 596c18f
2 parents ae88c53 + 5df5863
commit 596c18f
Show file tree

Hide file tree

Showing 5 changed files with 80 additions and 3 deletions.
diff --git a/package.json b/package.json
@@ -58,7 +58,7 @@
     "recursive-readdir": "^2.2.2",
     "semver": "^5.5.0",
     "snyk-config": "2.2.0",
-    "snyk-docker-plugin": "1.11.0",
+    "snyk-docker-plugin": "1.12.0",
     "snyk-go-plugin": "1.5.2",
     "snyk-gradle-plugin": "2.1.0",
     "snyk-module": "1.8.2",

diff --git a/src/cli/commands/test.js b/src/cli/commands/test.js
@@ -194,6 +194,7 @@ function summariseErrorResults(errorResults) {
 
 function displayResult(res, options) {
   var meta = metaForDisplay(res, options) + '\n\n';
+  var dockerAdvice = dockerRemediationForDisplay(res);
   var packageManager = options.packageManager;
   var prefix = chalk.bold.white('\nTesting ' + options.path + '...\n\n');
 
@@ -227,7 +228,7 @@ function displayResult(res, options) {
         '\n- Run `snyk test` as part of ' +
         'your CI/test.';
     return (
-      prefix + meta + summaryOKText + (isCI ? nextStepsText : '')
+      prefix + meta + summaryOKText + (isCI ? '' : dockerAdvice + nextStepsText)
     );
   }
 
@@ -308,7 +309,7 @@ function displayResult(res, options) {
   });
 
   var body = groupedVulnInfoOutput.join('\n\n') + '\n\n' + meta + summary;
-  return prefix + body;
+  return prefix + body + dockerAdvice;
 }
 
 function createFixedInText(groupedVuln) {
@@ -464,6 +465,9 @@ function metaForDisplay(res, options) {
     meta.push(chalk.bold(rightPadWithSpaces('Open source: ', padToLength)) + openSource);
     meta.push(chalk.bold(rightPadWithSpaces('Project path: ', padToLength)) + options.path);
   }
+  if (res.docker && res.docker.baseImage) {
+    meta.push(chalk.bold(rightPadWithSpaces('Base image: ', padToLength)) + res.docker.baseImage);
+  }
 
   if (res.filesystemPolicy) {
     meta.push(chalk.bold(rightPadWithSpaces('Local Snyk policy: ', padToLength)) + chalk.green('found'));
@@ -478,6 +482,26 @@ function metaForDisplay(res, options) {
   return meta.join('\n');
 }
 
+function dockerRemediationForDisplay(res) {
+  if (!res.docker || !res.docker.baseImageRemediation) {
+    return '';
+  }
+  const {advice, message} = res.docker.baseImageRemediation;
+  const out = [];
+
+  if (advice) {
+    for (const item of advice) {
+      out.push(item.bold ? chalk.bold(item.message) : item.message);
+    }
+  } else if (message) {
+    out.push(message);
+  } else {
+    return '';
+  }
+
+  return '\n\n' + out.join('\n');
+}
+
 function validateSeverityThreshold(severityThreshold) {
   return SEVERITIES
     .map(function (s) {

diff --git a/src/lib/monitor.js b/src/lib/monitor.js
@@ -47,6 +47,7 @@ function monitor(root, meta, info) {
               pluginName: pluginMeta.name,
               pluginRuntime: pluginMeta.runtime,
               dockerImageId: pluginMeta.dockerImageId,
+              dockerBaseImage: pkg.docker ? pkg.docker.baseImage : undefined,
               projectName: meta['project-name'],
             },
             policy: policy.toString(),

diff --git a/src/lib/snyk-test/run-test.js b/src/lib/snyk-test/run-test.js
@@ -140,6 +140,10 @@ function assembleLocalPayload(root, options, policyLocations) {
       if (_.get(info, 'plugin.packageManager')) {
         options.packageManager = info.plugin.packageManager;
       }
+      if (!_.get(pkg, 'docker.baseImage') && options['base-image']) {
+        pkg.docker = pkg.docker || {};
+        pkg.docker.baseImage = options['base-image'];
+      }
       analytics.add('policies', policyLocations.length);
       analytics.add('packageManager', options.packageManager);
       analytics.add('packageName', pkg.name);

diff --git a/test/acceptance/cli.acceptance.test.js b/test/acceptance/cli.acceptance.test.js
@@ -1162,6 +1162,54 @@ function (t) {
   });
 });
 
+test('`test foo:latest --docker --file=Dockerfile`',
+function (t) {
+  var plugin = {
+    inspect: function () {
+      return Promise.resolve({
+        plugin: {
+          packageManager: 'deb',
+        },
+        package: {
+          docker: {
+            baseImage: 'ubuntu:14.04',
+          },
+        },
+      });
+    },
+  };
+  sinon.spy(plugin, 'inspect');
+
+  sinon.stub(plugins, 'loadPlugin')
+    .withArgs(sinon.match.any, sinon.match({docker: true}))
+    .returns(plugin);
+  t.teardown(plugins.loadPlugin.restore);
+
+  return cli.test('foo:latest', {
+    docker: true,
+    org: 'explicit-org',
+    file: 'Dockerfile',
+  })
+  .then(function () {
+    var req = server.popRequest();
+    t.equal(req.method, 'POST', 'makes POST request');
+    t.match(req.url, '/vuln/deb',
+      'posts to correct url (uses package manager from plugin response)');
+    t.equal(req.body.docker.baseImage, 'ubuntu:14.04',
+      'posts docker baseImage');
+    t.same(plugin.inspect.getCall(0).args,
+      ['foo:latest', 'Dockerfile', {
+        args: null,
+        file: 'Dockerfile',
+        docker: true,
+        org: 'explicit-org',
+        packageManager: null,
+        path: 'foo:latest',
+        showVulnPaths: true,
+      }], 'calls docker plugin with expected arguments');
+  });
+});
+
 test('`test foo:latest --docker` doesnt collect policy from cwd',
 function (t) {
   chdirWorkspaces('npm-package-policy');