fix: fix invalid poetry detection

Author: jan-stehlik

package.json

@@ -126,7 +126,7 @@
     "snyk-nuget-plugin": "1.21.1",
     "snyk-php-plugin": "1.9.2",
     "snyk-policy": "1.19.0",
-    "snyk-python-plugin": "1.19.8",
+    "snyk-python-plugin": "1.19.9",
     "snyk-resolve": "1.1.0",
     "snyk-resolve-deps": "4.7.2",
     "snyk-sbt-plugin": "2.11.0",

src/lib/detect.ts

@@ -3,7 +3,10 @@ import * as pathLib from 'path';
 import * as debugLib from 'debug';
 const endsWith = require('lodash.endswith');
 import { NoSupportedManifestsFoundError } from './errors';
-import { SupportedPackageManagers } from './package-managers';
+import {
+  SupportedPackageManagers,
+  SUPPORTED_MANIFEST_FILES,
+} from './package-managers';
 
 const debug = debugLib('snyk-detect');
 
@@ -29,7 +32,6 @@ const DETECTABLE_FILES: string[] = [
   'composer.lock',
   'Podfile',
   'Podfile.lock',
-  'pyproject.toml',
   'poetry.lock',
   'mix.exs',
   'mix.lock',
@@ -57,46 +59,45 @@ export const AUTO_DETECTABLE_FILES: string[] = [
   'build.sbt',
   'build.gradle',
   'build.gradle.kts',
-  'pyproject.toml',
   'poetry.lock',
   'mix.exs',
   'mix.lock',
 ];
 
 // when file is specified with --file, we look it up here
+// this is also used when --all-projects flag is enabled and auto detection plugin is triggered
 const DETECTABLE_PACKAGE_MANAGERS: {
-  [name: string]: SupportedPackageManagers;
+  [key in SUPPORTED_MANIFEST_FILES]: SupportedPackageManagers;
 } = {
-  Gemfile: 'rubygems',
-  'Gemfile.lock': 'rubygems',
-  '.gemspec': 'rubygems',
-  'package-lock.json': 'npm',
-  'pom.xml': 'maven',
-  '.jar': 'maven',
-  '.war': 'maven',
-  'build.gradle': 'gradle',
-  'build.gradle.kts': 'gradle',
-  'build.sbt': 'sbt',
-  'yarn.lock': 'yarn',
-  'package.json': 'npm',
-  Pipfile: 'pip',
-  'setup.py': 'pip',
-  'requirements.txt': 'pip',
-  'Gopkg.lock': 'golangdep',
-  'go.mod': 'gomodules',
-  'vendor.json': 'govendor',
-  'project.assets.json': 'nuget',
-  'packages.config': 'nuget',
-  'project.json': 'nuget',
-  'paket.dependencies': 'paket',
-  'composer.lock': 'composer',
-  'Podfile.lock': 'cocoapods',
-  'CocoaPods.podfile.yaml': 'cocoapods',
-  'CocoaPods.podfile': 'cocoapods',
-  Podfile: 'cocoapods',
-  'pyproject.toml': 'poetry',
-  'poetry.lock': 'poetry',
-  'mix.exs': 'hex',
+  [SUPPORTED_MANIFEST_FILES.GEMFILE]: 'rubygems',
+  [SUPPORTED_MANIFEST_FILES.GEMFILE_LOCK]: 'rubygems',
+  [SUPPORTED_MANIFEST_FILES.GEMSPEC]: 'rubygems',
+  [SUPPORTED_MANIFEST_FILES.PACKAGE_LOCK_JSON]: 'npm',
+  [SUPPORTED_MANIFEST_FILES.POM_XML]: 'maven',
+  [SUPPORTED_MANIFEST_FILES.JAR]: 'maven',
+  [SUPPORTED_MANIFEST_FILES.WAR]: 'maven',
+  [SUPPORTED_MANIFEST_FILES.BUILD_GRADLE]: 'gradle',
+  [SUPPORTED_MANIFEST_FILES.BUILD_GRADLE_KTS]: 'gradle',
+  [SUPPORTED_MANIFEST_FILES.BUILD_SBT]: 'sbt',
+  [SUPPORTED_MANIFEST_FILES.YARN_LOCK]: 'yarn',
+  [SUPPORTED_MANIFEST_FILES.PACKAGE_JSON]: 'npm',
+  [SUPPORTED_MANIFEST_FILES.PIPFILE]: 'pip',
+  [SUPPORTED_MANIFEST_FILES.SETUP_PY]: 'pip',
+  [SUPPORTED_MANIFEST_FILES.REQUIREMENTS_TXT]: 'pip',
+  [SUPPORTED_MANIFEST_FILES.GOPKG_LOCK]: 'golangdep',
+  [SUPPORTED_MANIFEST_FILES.GO_MOD]: 'gomodules',
+  [SUPPORTED_MANIFEST_FILES.VENDOR_JSON]: 'govendor',
+  [SUPPORTED_MANIFEST_FILES.PROJECT_ASSETS_JSON]: 'nuget',
+  [SUPPORTED_MANIFEST_FILES.PACKAGES_CONFIG]: 'nuget',
+  [SUPPORTED_MANIFEST_FILES.PROJECT_JSON]: 'nuget',
+  [SUPPORTED_MANIFEST_FILES.PAKET_DEPENDENCIES]: 'paket',
+  [SUPPORTED_MANIFEST_FILES.COMPOSER_LOCK]: 'composer',
+  [SUPPORTED_MANIFEST_FILES.PODFILE_LOCK]: 'cocoapods',
+  [SUPPORTED_MANIFEST_FILES.COCOAPODS_PODFILE_YAML]: 'cocoapods',
+  [SUPPORTED_MANIFEST_FILES.COCOAPODS_PODFILE]: 'cocoapods',
+  [SUPPORTED_MANIFEST_FILES.PODFILE]: 'cocoapods',
+  [SUPPORTED_MANIFEST_FILES.POETRY_LOCK]: 'poetry',
+  [SUPPORTED_MANIFEST_FILES.MIX_EXS]: 'hex',
 };
 
 export function isPathToPackageFile(path) {
@@ -200,6 +201,7 @@ export function detectPackageManagerFromFile(
     // we throw and error here because the file was specified by the user
     throw new Error('Could not detect package manager for file: ' + file);
   }
+
   return DETECTABLE_PACKAGE_MANAGERS[key];
 }
 

src/lib/package-managers.ts

@@ -16,6 +16,38 @@ export type SupportedPackageManagers =
   | 'poetry'
   | 'hex';
 
+export enum SUPPORTED_MANIFEST_FILES {
+  GEMFILE = 'Gemfile',
+  GEMFILE_LOCK = 'Gemfile.lock',
+  GEMSPEC = '.gemspec',
+  PACKAGE_LOCK_JSON = 'package-lock.json',
+  POM_XML = 'pom.xml',
+  JAR = '.jar',
+  WAR = '.war',
+  BUILD_GRADLE = 'build.gradle',
+  BUILD_GRADLE_KTS = 'build.gradle.kts',
+  BUILD_SBT = 'build.sbt',
+  YARN_LOCK = 'yarn.lock',
+  PACKAGE_JSON = 'package.json',
+  PIPFILE = 'Pipfile',
+  SETUP_PY = 'setup.py',
+  REQUIREMENTS_TXT = 'requirements.txt',
+  GOPKG_LOCK = 'Gopkg.lock',
+  GO_MOD = 'go.mod',
+  VENDOR_JSON = 'vendor.json',
+  PROJECT_ASSETS_JSON = 'project.assets.json',
+  PACKAGES_CONFIG = 'packages.config',
+  PROJECT_JSON = 'project.json',
+  PAKET_DEPENDENCIES = 'paket.dependencies',
+  COMPOSER_LOCK = 'composer.lock',
+  PODFILE_LOCK = 'Podfile.lock',
+  COCOAPODS_PODFILE_YAML = 'CocoaPods.podfile.yaml',
+  COCOAPODS_PODFILE = 'CocoaPods.podfile',
+  PODFILE = 'Podfile',
+  POETRY_LOCK = 'poetry.lock',
+  MIX_EXS = 'mix.exs',
+}
+
 export const SUPPORTED_PACKAGE_MANAGER_NAME: {
   readonly [packageManager in SupportedPackageManagers]: string;
 } = {

test/acceptance/cli-monitor/cli-monitor.acceptance.test.ts

@@ -933,7 +933,7 @@ if (!isWindows) {
       'sends version number',
     );
     t.match(req.url, '/monitor/poetry/graph', 'puts at correct url');
-    t.equal(req.body.targetFile, 'pyproject.toml', 'sends targetFile');
+    t.equal(req.body.targetFile, 'poetry.lock', 'sends targetFile');
     const depGraphJSON = req.body.depGraphJSON;
     t.ok(depGraphJSON);
   });

test/acceptance/cli-test/cli-test.all-projects.spec.ts

@@ -1154,26 +1154,5 @@ export const AllProjectsTests: AcceptanceTests = {
         'Go dep package manager',
       );
     },
-    '`test mono-repo-poetry --all-projects`': (params, utils) => async (t) => {
-      utils.chdirWorkspaces();
-      const res: CommandResult = await params.cli.test('mono-repo-poetry', {
-        allProjects: true,
-      });
-      t.match(
-        res.getDisplayResults(),
-        /Tested 2 projects, no vulnerable paths were found./,
-        'Two projects tested',
-      );
-      t.match(
-        res.getDisplayResults(),
-        'Package manager:   npm',
-        'Npm package manager',
-      );
-      t.match(
-        res.getDisplayResults(),
-        'Package manager:   poetry',
-        'Poetry package manager',
-      );
-    },
   },
 };

test/acceptance/cli-test/cli-test.python.spec.ts

@@ -279,22 +279,5 @@ export const PythonTests: AcceptanceTests = {
         'calls python plugin',
       );
     },
-    '`test poetry-app with pyproject.toml and poetry.lock`': (
-      params,
-      utils,
-    ) => async (t) => {
-      utils.chdirWorkspaces();
-      await params.cli.test('poetry-app', {});
-      const req = params.server.popRequest();
-      t.equal(req.method, 'POST', 'makes POST request');
-      t.equal(
-        req.headers['x-snyk-cli-version'],
-        params.versionNumber,
-        'sends version number',
-      );
-      t.match(req.url, '/test-dep-graph', 'posts to correct url');
-      t.equal(req.body.targetFile, 'pyproject.toml', 'specifies target');
-      t.equal(req.body.depGraph.pkgManager.name, 'poetry');
-    },
   },
 };

test/jest/system/snyk-test/python/fixtures/pyproject-with-poetry/Pipfile

@@ -0,0 +1,12 @@
+[[source]]
+url = "https://pypi.org/simple"
+verify_ssl = true
+name = "pypi"
+
+[packages]
+flask = "*"
+
+[dev-packages]
+
+[requires]
+python_version = "3.8"

test/jest/system/snyk-test/python/fixtures/pyproject-with-poetry/Pipfile.lock

@@ -0,0 +1,12 @@
+[tool.poetry]
+name = "poetry-demo"
+version = "0.1.0"
+description = ""
+authors = []
+
+[tool.poetry.dependencies]
+flask = "*"
+
+[tool.poetry.dev-dependencies]
+pytest = "^3.4"
+

test/jest/system/snyk-test/python/fixtures/pyproject-with-poetry/poetry.lock

@@ -0,0 +1,12 @@
+[[source]]
+url = "https://pypi.org/simple"
+verify_ssl = true
+name = "pypi"
+
+[packages]
+flask = "*"
+
+[dev-packages]
+
+[requires]
+python_version = "3.8"

test/jest/system/snyk-test/python/fixtures/pyproject-with-poetry/pyproject.toml

@@ -0,0 +1,21 @@
+[tool.black]
+line-length = 119
+target-version = ['py38']
+include = '\.pyi?$'
+exclude = '''
+(
+  /(
+      \.eggs         # exclude a few common directories in the
+    | \.git          # root of the project
+    | \.hg
+    | \.mypy_cache
+    | \.tox
+    | \.venv
+    | _build
+    | buck-out
+    | build
+    | dist
+  )
+)
+'''
+

test/jest/system/snyk-test/python/fixtures/pyproject-without-poetry/Pipfile

@@ -0,0 +1,320 @@
+import { join } from 'path';
+import { mocked } from 'ts-jest/utils';
+import { NeedleResponse } from 'needle';
+import { test } from '../../../../../src/cli/commands';
+import { loadPlugin } from '../../../../../src/lib/plugins/index';
+import { CommandResult } from '../../../../../src/cli/commands/types';
+import makeRequest = require('../../../../../src/lib/request/request');
+
+jest.mock('../../../../../src/lib/plugins/index');
+jest.mock('../../../../../src/lib/request/request');
+
+const mockedLoadPlugin = mocked(loadPlugin, true);
+const mockedMakeRequest = mocked(makeRequest);
+
+describe('snyk test for python project', () => {
+  afterEach(() => {
+    jest.clearAllMocks();
+  });
+
+  describe('no flag is used', () => {
+    describe('project contains poetry.lock file', () => {
+      it('should scan poetry vulnerabilities', async (done) => {
+        const fixturePath = join(
+          __dirname,
+          '../../../../acceptance/workspaces',
+          'poetry-app',
+        );
+
+        const plugin = {
+          async inspect() {
+            return {
+              plugin: {
+                targetFile: 'poetry.lock',
+                name: 'snyk-python-plugin',
+                runtime: 'Python',
+              },
+              package: {},
+            };
+          },
+        };
+        mockedLoadPlugin.mockImplementationOnce(() => {
+          return plugin;
+        });
+        mockedMakeRequest.mockImplementationOnce(() => {
+          return Promise.resolve({
+            res: { statusCode: 200 } as NeedleResponse,
+            body: {
+              result: { issuesData: {}, affectedPkgs: {} },
+              meta: { org: 'test-org', isPublic: false },
+              filesystemPolicy: false,
+            },
+          });
+        });
+
+        const result: CommandResult = await test(fixturePath, {
+          json: true,
+        });
+
+        expect(mockedLoadPlugin).toHaveBeenCalledTimes(1);
+        expect(mockedLoadPlugin).toHaveBeenCalledWith('poetry');
+
+        expect(mockedMakeRequest).toHaveBeenCalledTimes(1);
+        expect(mockedMakeRequest).toHaveBeenCalledWith(
+          expect.objectContaining({
+            body: expect.objectContaining({
+              displayTargetFile: 'poetry.lock',
+            }),
+          }),
+        );
+
+        const expectedResultObject = {
+          vulnerabilities: [],
+          ok: true,
+          dependencyCount: 0,
+          org: 'test-org',
+          policy: undefined,
+          isPrivate: true,
+          licensesPolicy: null,
+          packageManager: 'poetry',
+          projectId: undefined,
+          ignoreSettings: null,
+          docker: undefined,
+          summary: 'No known vulnerabilities',
+          severityThreshold: undefined,
+          remediation: undefined,
+          filesystemPolicy: false,
+          uniqueCount: 0,
+          targetFile: 'poetry.lock',
+          projectName: undefined,
+          foundProjectCount: undefined,
+          displayTargetFile: 'poetry.lock',
+          platform: undefined,
+          path: fixturePath,
+        };
+        expect(result).toMatchObject({
+          result: JSON.stringify(expectedResultObject, null, 2),
+        });
+
+        done();
+      });
+    });
+  });
+
+  describe('--all-projects flag is used to scan the project', () => {
+    describe('project does not contain poetry.lock file', () => {
+      it('should not attempt to scan poetry vulnerabilities', async (done) => {
+        const fixturePath = join(
+          __dirname,
+          'fixtures',
+          'pyproject-without-poetry',
+        );
+        const plugin = {
+          async inspect() {
+            return {
+              plugin: {
+                targetFile: 'Pipfile',
+                name: 'snyk-python-plugin',
+                runtime: 'Python',
+              },
+              package: {},
+            };
+          },
+        };
+        mockedLoadPlugin.mockImplementationOnce(() => {
+          return plugin;
+        });
+        mockedMakeRequest.mockImplementationOnce(() => {
+          return Promise.resolve({
+            res: { statusCode: 200 } as NeedleResponse,
+            body: {
+              result: { issuesData: {}, affectedPkgs: {} },
+              meta: { org: 'test-org', isPublic: false },
+              filesystemPolicy: false,
+            },
+          });
+        });
+
+        const result: CommandResult = await test(fixturePath, {
+          allProjects: true,
+          json: true,
+        });
+
+        expect(mockedLoadPlugin).toHaveBeenCalledTimes(1);
+        expect(mockedLoadPlugin).toHaveBeenCalledWith('pip');
+
+        expect(mockedMakeRequest).toHaveBeenCalledTimes(1);
+        expect(mockedMakeRequest).toHaveBeenCalledWith(
+          expect.objectContaining({
+            body: expect.objectContaining({
+              displayTargetFile: 'Pipfile',
+            }),
+          }),
+        );
+
+        const expectedResultObject = {
+          vulnerabilities: [],
+          ok: true,
+          dependencyCount: 0,
+          org: 'test-org',
+          policy: undefined,
+          isPrivate: true,
+          licensesPolicy: null,
+          packageManager: 'pip',
+          projectId: undefined,
+          ignoreSettings: null,
+          docker: undefined,
+          summary: 'No known vulnerabilities',
+          severityThreshold: undefined,
+          remediation: undefined,
+          filesystemPolicy: false,
+          uniqueCount: 0,
+          targetFile: 'Pipfile',
+          projectName: undefined,
+          foundProjectCount: undefined,
+          displayTargetFile: 'Pipfile',
+          platform: undefined,
+          path: fixturePath,
+        };
+        expect(result).toMatchObject({
+          result: JSON.stringify(expectedResultObject, null, 2),
+        });
+
+        done();
+      });
+    });
+
+    describe('project does contain poetry.lock file', () => {
+      it('should scan poetry vulnerabilities', async (done) => {
+        const fixturePath = join(
+          __dirname,
+          'fixtures',
+          'pyproject-with-poetry',
+        );
+
+        const pipfilePythonPluginResponse = {
+          async inspect() {
+            return {
+              plugin: {
+                targetFile: 'Pipfile',
+                name: 'snyk-python-plugin',
+                runtime: 'Python',
+              },
+              package: {},
+            };
+          },
+        };
+        const pyprojectPythonPluginResponse = {
+          async inspect() {
+            return {
+              plugin: {
+                targetFile: 'poetry.lock',
+                name: 'snyk-python-plugin',
+                runtime: 'Python',
+              },
+              package: {},
+            };
+          },
+        };
+        mockedLoadPlugin
+          .mockImplementationOnce(() => pipfilePythonPluginResponse)
+          .mockImplementationOnce(() => pyprojectPythonPluginResponse);
+        mockedMakeRequest.mockImplementation(() => {
+          return Promise.resolve({
+            res: { statusCode: 200 } as NeedleResponse,
+            body: {
+              result: { issuesData: {}, affectedPkgs: {} },
+              meta: { org: 'test-org', isPublic: false },
+              filesystemPolicy: false,
+            },
+          });
+        });
+
+        const result: CommandResult = await test(fixturePath, {
+          allProjects: true,
+          json: true,
+        });
+
+        expect(mockedLoadPlugin).toHaveBeenCalledTimes(2);
+        expect(mockedLoadPlugin).toHaveBeenCalledWith('pip');
+        expect(mockedLoadPlugin).toHaveBeenCalledWith('poetry');
+
+        expect(mockedMakeRequest).toHaveBeenCalledTimes(2);
+        expect(mockedMakeRequest).toHaveBeenCalledWith(
+          expect.objectContaining({
+            body: expect.objectContaining({
+              displayTargetFile: 'Pipfile',
+              foundProjectCount: 1,
+            }),
+          }),
+        );
+        expect(mockedMakeRequest).toHaveBeenCalledWith(
+          expect.objectContaining({
+            body: expect.objectContaining({
+              displayTargetFile: 'poetry.lock',
+              foundProjectCount: 1,
+            }),
+          }),
+        );
+
+        const expectedPipfileResultObject = {
+          vulnerabilities: [],
+          ok: true,
+          dependencyCount: 0,
+          org: 'test-org',
+          policy: undefined,
+          isPrivate: true,
+          licensesPolicy: null,
+          packageManager: 'pip',
+          projectId: undefined,
+          ignoreSettings: null,
+          docker: undefined,
+          summary: 'No known vulnerabilities',
+          severityThreshold: undefined,
+          remediation: undefined,
+          filesystemPolicy: false,
+          uniqueCount: 0,
+          targetFile: 'Pipfile',
+          foundProjectCount: 1,
+          projectName: undefined,
+          displayTargetFile: 'Pipfile',
+          platform: undefined,
+          path: fixturePath,
+        };
+        const expectedPyprojectResultObject = {
+          vulnerabilities: [],
+          ok: true,
+          dependencyCount: 0,
+          org: 'test-org',
+          policy: undefined,
+          isPrivate: true,
+          licensesPolicy: null,
+          packageManager: 'poetry',
+          projectId: undefined,
+          ignoreSettings: null,
+          docker: undefined,
+          summary: 'No known vulnerabilities',
+          severityThreshold: undefined,
+          remediation: undefined,
+          filesystemPolicy: false,
+          uniqueCount: 0,
+          targetFile: 'poetry.lock',
+          foundProjectCount: 1,
+          projectName: undefined,
+          displayTargetFile: 'poetry.lock',
+          platform: undefined,
+          path: fixturePath,
+        };
+        expect(result).toMatchObject({
+          result: JSON.stringify(
+            [expectedPipfileResultObject, expectedPyprojectResultObject],
+            null,
+            2,
+          ),
+        });
+
+        done();
+      });
+    });
+  });
+});