1import { DepGraphData } from "@snyk/dep-graph";
2
3import {
4 DockerFileAnalysis,
5 DockerFileLayers,
6 DockerFilePackages,
7} from "./dockerfile/types";
8
/**
 * How the image given in PluginOptions.path is addressed.
 *
 * NOTE: this is a heterogeneous enum. `Identifier` has no initializer, so it is the
 * numeric member 0 (and the only falsy member) while the archive members are strings.
 * Always compare ImageType values with `===`; a truthiness check would treat
 * `Identifier` as "no type".
 */
export enum ImageType {
  Identifier, // e.g. "nginx:latest" — numeric 0, see note above
  DockerArchive = "docker-archive", // e.g. "docker-archive:/tmp/nginx.tar"
  OciArchive = "oci-archive", // e.g. "oci-archive:/tmp/nginx.tar"
}
14
/**
 * Well-known files that identify a Linux distribution and its version.
 * Presumably these are looked up inside the extracted image filesystem rather
 * than on the host — confirm against the caller before relying on that.
 */
export enum OsReleaseFilePath {
  // Standard os-release locations (systemd convention); the fallback is consulted when /etc has none.
  Linux = "/etc/os-release",
  LinuxFallback = "/usr/lib/os-release",
  Lsb = "/etc/lsb-release",
  // Distribution-specific release files.
  Debian = "/etc/debian_version",
  Alpine = "/etc/alpine-release",
  RedHat = "/etc/redhat-release",
  Oracle = "/etc/oracle-release",
  Centos = "/etc/centos-release",
}
25
/**
 * Hash algorithms used when fingerprinting files found in the image.
 * The values are the algorithm names as passed to the hashing implementation.
 */
export enum HashAlgorithm {
  Sha256 = "sha256",
  // Used for jarFingerprints (see FactType). SHA-1 is not collision-resistant,
  // so treat these values as lookup identifiers, not as integrity guarantees.
  Sha1 = "sha1",
}
30
/**
 * What to do when a Dockerfile references a variable (ARG/ENV) whose value cannot be resolved.
 * `Abort` stops the analysis, `Continue` proceeds without the value.
 */
export enum UnresolvedDockerfileVariableHandling {
  Abort = "Abort",
  Continue = "Continue",
}
35
/**
 * A file collected from the scanned image, presumably the package manager manifests
 * carried in the "imageManifestFiles" fact (see FactType).
 * The contents come from the image, not from the user running the scan, so consumers
 * that decode and parse them should treat them as untrusted input.
 */
export interface ManifestFile {
  /** File name without directory. */
  name: string;
  /** Path of the file inside the image filesystem. */
  path: string;
  /**
   * Base64-encoded file contents.
   * We use Base64 to avoid any assumptions about the original file encoding,
   * which is difficult to infer and may be corrupted when the data is transferred over the network.
   */
  contents: string;
}
46
/** Names under which the scanned image is known (e.g. repository tags). */
export interface ImageNameInfo {
  names: string[];
  // this will allow us to extend in the future when needed
}
51
/**
 * Discriminator for Fact. Each value names the kind of finding stored in Fact.data;
 * the shape of the data is specific to the type and must be narrowed by consumers.
 */
export type FactType =
  | "autoDetectedUserInstructions"
  | "depGraph"
  | "dockerfileAnalysis"
  | "imageCreationTime"
  | "imageId"
  | "imageLabels"
  // Collects the file names of the individual .tar layers found in the scanned image.
  | "imageLayers"
  // Package manager manifests (e.g. requirements.txt, Gemfile.lock) collected as part of an application scan.
  | "imageManifestFiles"
  | "imageNames"
  | "imageOsReleasePrettyName"
  | "imageSizeBytes"
  // Hashes of extracted *.jar binaries, hashed with the sha1 algorithm (see HashAlgorithm).
  | "jarFingerprints"
  // Hashes of executables not installed by a package manager (e.g. if they were copied straight onto the image).
  | "keyBinariesHashes"
  | "loadedPackages"
  | "ociDistributionMetadata"
  | "rootFs"
  // Used for application dependencies scanning; shows which files were used in the analysis of the dependencies.
  | "testedFiles";
75
/** Top-level result returned by the plugin for one scanned image. */
export interface PluginResponse {
  /** The first result is guaranteed to be the OS dependencies scan result. */
  scanResults: ScanResult[];
}
80
/**
 * One scan result: where it was found (target), what it is (identity) and what was found (facts).
 * A PluginResponse holds one of these per ecosystem scanned.
 */
export interface ScanResult {
  /** User-friendly name to use as the name of the Project that Snyk creates. */
  name?: string;
  /** Contains the Snyk policy file content. */
  policy?: string;
  /** The target defines "where" you found this scan result. */
  target: ContainerTarget;
  /** Identity defines "what" you found. */
  identity: Identity;
  /** Facts are the collection of things you found. */
  facts: Fact[];
}
93
/**
 * Dockerfile analysis results carried by the "autoDetectedUserInstructions" fact (see FactType).
 * Both members are defined in ./dockerfile/types.
 */
export interface AutoDetectedUserInstructions {
  dockerfilePackages: DockerFilePackages;
  dockerfileLayers: DockerFileLayers;
}
98
/** Locates a scan result: the container image it was produced from. */
export interface ContainerTarget {
  /** Image reference as scanned. */
  image: string;
}
102
103/**
104 * The identity of a scan result allows to uniquely locate "what" you found.
105 * Any differences in the identity influences how a Project is created in Snyk
106 * and can result in a completely different Project (for example, if "args.targetFramework" differs).
107 */
108export interface Identity {
109 /**
110 * This used to be represented as "packageManager" but now can contain any sensible ecosystem type.
111 * Examples: dockerfile, cpp, terraform-module, deb, npm, and so on.
112 */
113 type: string;
114 targetFile?: string;
115 args?: { [key: string]: string };
116}
117
118/**
119 * A collection of things that were found as part of a scan.
120 * As the developer and owner, you are responsible for defining and maintaining your own Facts.
121 * Examples of facts: a dependency graph, a list of file content hashes, Dockerfile analysis. See FactType.
122 */
123export interface Fact {
124 type: FactType;
125 data: any;
126}
127
128/**
129 * WARNING! WARNING! WARNING!
130 * The CLI may pass certain values as strings.
131 * Please make sure to sanitize ALL input and not assume it is a "number" or "boolean".
132 */
133export interface PluginOptions {
134 /** This can be an image identifier, or a path to an OCI or Docker archive. */
135 path: string;
136 /** Override the default plugin path when pulling images to the filesystem. */
137 imageSavePath: string;
138 /** Path to a Dockerfile. */
139 file: string;
140
141 /**
142 * Override the "name" and "version" fields of the OS dependencies result.
143 * WARNING! This is NOT used by the Snyk CLI!
144 *
145 * It is used by K8s-Monitor and DRA to preserve the image identifier when scanning archives.
146 * The archives do not contain any data about the image's name and tag (since they are only
147 * known by the container registry) and in some contexts we know this data and want to keep it.
148 *
149 * This flag will be processed only when scanning image archives. In other cases "path" is used.
150 */
151 imageNameAndTag: string;
152
153 /**
154 * WARNING! This is NOT used by the Snyk CLI!
155 *
156 * It is used by K8s-Monitor to preserve the imageNameAndDigest if we can extract this
157 * information from the workload metadata when scanning archives.
158 */
159 imageNameAndDigest: string;
160
161 /**
162 * WARNING! This is NOT used by the Snyk CLI!
163 *
164 * It is used by Docker Registry Agent to preserve the image digests if we can extract this
165 * information from pulling the image with Snyk Docker Pull.
166 */
167 digests: { manifest?: string; index?: string };
168
169 /**
170 * Provide patterns on which to match for detecting package manager manifest files.
171 * Used for the APP+OS deps feature, not by the CLI.
172 */
173 globsToFind: {
174 include: string[];
175 exclude: string[];
176 };
177
178 /** For authentication to a container registry. */
179 username: string;
180 /** For authentication to a container registry. */
181 password: string;
182
183 /**
184 * Format is "operating-system/processor-architecture", for example "linux/arm64/v8".
185 * The default is "linux/amd64".
186 */
187 platform: string;
188
189 /**
190 * Whether to enable application dependencies scanning.
191 * It's here so that things don't completely break if used, but it should not be used
192 * (and is ignored) starting with release version 5.0.0
193 */
194 "app-vulns": boolean | string;
195
196 /** Whether to disable application dependencies scanning. The default is "false" */
197 "exclude-app-vulns": boolean | string;
198 /** Whether to disable node modules dependencies scanning. The default is "false" */
199 "exclude-node-modules": boolean | string;
200 /**
201 * How many levels of (nested) JARs we should unpack
202 * If a JAR contains other JARs (AKA JAR of JARs), we send back only the children JARs, and don't look for vulns in the parent.
203 *
204 * If the flag was not provided but --app-vuls was, we unpack 1 level.
205 * If 0 is provided, we do not unpack any JARs
206 * if n > 0 is provided, we try to unpack n levels of JARs.
207 * The default (if flag is provided, but without a number) is 1 level
208 *
209 * Cannot come with exclude-app-vulns
210 *
211 * Alias: shaded-jars-depth
212 * TODO remove shaded-jars-depth
213 * A shaded JAR is when you unpack all JAR files, then repack them into a single JAR, while
214 * renaming (i.e., "shading") all packages of all dependencies.
215 */
216 "nested-jars-depth": boolean | string;
217 "shaded-jars-depth": boolean | string;
218
219 /** The default is "false". */
220 "exclude-base-image-vulns": boolean | string;
221}
222
/**
 * One node of a dependency tree: a package plus the packages it depends on,
 * keyed by dependency name. The structure is recursive.
 */
export interface DepTreeDep {
  /** Package name. */
  name: string;
  /** Resolved package version. */
  version: string;
  /** Version of the source package this binary package was built from, when known. */
  sourceVersion?: string;
  /** Direct dependencies of this node, keyed by dependency name. */
  dependencies: Record<string, DepTreeDep>;
  /** Package URL (purl) identifier, when available. */
  purl?: string;
  /** Free-form string labels attached to the node. */
  labels?: Record<string, string>;
}
235
/** @deprecated Prefer building Graphs instead of Trees. */
export interface DepTree extends DepTreeDep {
  /** Ecosystem / package manager type of the root. */
  type?: string;
  packageFormatVersion: string;
  /** Operating system detected in the image. */
  targetOS: {
    name: string;
    prettyName: string;
    version: string;
  };

  targetFile?: string;
  /** Snyk policy file content, if one was provided. */
  policy?: string;
  /** Docker-specific metadata gathered during the scan. */
  docker?: {
    dockerfileAnalysis?: DockerFileAnalysis;
    dockerfilePkgs?: DockerFilePackages;
    dockerImageId?: string;
    imageLayers?: string[];
    rootFs?: string[];
    imageName?: string;
  };
  // Untyped; the shape is not established anywhere in this file — narrow before use.
  files?: any;
}
258
/** A single vulnerability or license issue reported against a package. */
export interface Issue {
  pkgName: string;
  pkgVersion?: string;
  /** Key into IssuesData for the issue's details. */
  issueId: string;
  fixInfo: {
    nearestFixedInVersion?: string; // TODO: add more fix info
  };
}
267
/** Issue details keyed by issue id (see Issue.issueId). */
export interface IssuesData {
  [issueId: string]: {
    id: string;
    severity: string;
    /** Dependency paths leading to the affected package, one array of package names per path. */
    from: string[][];
    title: string;
  };
}
276
/** One line of human-readable remediation advice, with optional display hints. */
export interface BaseImageRemediationAdvice {
  message: string;
  bold?: boolean;
  color?: string;
}
282
/** Remediation guidance for the base image; only referenced from TestResult. */
interface BaseImageRemediation {
  code: string;
  advice: BaseImageRemediationAdvice[];
  message?: string; // TODO: check if this is still being sent
}
288
/** Result of testing a scanned image, including the issues found and the dependency graph tested. */
export interface TestResult {
  org: string;
  // Shape of the policy is not established here; `object` only rules out primitives.
  licensesPolicy: object | null;
  docker: {
    baseImage?: string;
    baseImageRemediation?: BaseImageRemediation;
  };
  issues: Issue[];
  issuesData: IssuesData;
  depGraphData: DepGraphData;
}
300
/** Minimal option set for a scan; compare PluginOptions, which carries the full CLI surface. */
export interface Options {
  /** Image identifier or archive path, as in PluginOptions.path. */
  path: string;
  /** Path to a Dockerfile. */
  file?: string;
  debug?: boolean;
  isDockerUser?: boolean;
  // Untyped; nothing in this file establishes its shape — narrow before use.
  config?: any;
}