test: show that excluding base image vulns returns wrong exit code

ivanstanev · ivanstanev · commit 4d8273d22b42 · 2021-07-30T12:36:24.000+01:00
The Snyk CLI first produces a not-ok test result when it gets the list of vulnerabilities from Snyk and only then excludes the base image vulns when using the --exclude-base-image-vulns CLI flag. This leads it to incorrectly reporting an error. The CLI sees an unsuccessful test response with 0 vulnerabilities and cannot handle it.
diff --git a/test/acceptance/fixtures/docker/Dockerfile.alpine-3.12.0 b/test/acceptance/fixtures/docker/Dockerfile.alpine-3.12.0
@@ -0,0 +1 @@
+FROM alpine:3.12.0
diff --git a/test/jest/acceptance/cli-args.spec.ts b/test/jest/acceptance/cli-args.spec.ts
@@ -332,3 +332,18 @@ test('container test --sarif-file-output can be used at the same time as --json'
   expect(sarifOutput.version).toMatch('2.1.0');
   expect(code).toEqual(0);
 });
+
+test('bug: container test --file=Dockerfile --exclude-base-image-vulns returns exit code 2', async () => {
+  const dockerfilePath = path.normalize(
+    'test/acceptance/fixtures/docker/Dockerfile.alpine-3.12.0',
+  );
+
+  const { code, stdout } = await runSnykCLI(
+    `container test alpine:3.12.0 --json --file=${dockerfilePath} --exclude-base-image-vulns`,
+  );
+  const jsonOutput = JSON.parse(stdout);
+
+  // BUG: it should return ok: true and exit code 0 when all vulns are excluded
+  expect(jsonOutput.ok).toEqual(false);
+  expect(code).toEqual(2);
+});
