Merge pull request #630 from snyk/feat/exclude-node-modules-scan

feat: add option to disable the node_modules scan for node.js images

Author: adrobuta

lib/analyzer/applications/node-modules-utils.ts

@@ -6,7 +6,12 @@ const debug = Debug("snyk");
 
 const nodeModulesRegex = /^(.*?)(?:[\\\/]node_modules)/;
 
-export { persistNodeModules, cleanupAppNodeModules, groupFilesByDirectory };
+export {
+  persistNodeModules,
+  cleanupAppNodeModules,
+  groupNodeAppFilesByDirectory,
+  groupNodeModulesFilesByDirectory,
+};
 
 interface ScanPaths {
   tempDir: string;
@@ -147,6 +152,11 @@ function isNpmCacheDependency(filePath: string): boolean {
   return false;
 }
 
+// TODO: Enable custom cache filtering if needed
+// function isCustomCache(filePath: string): boolean {
+//   return (filePath.includes("cache") || filePath.includes("Cache"));
+// }
+
 function isPnpmCacheDependency(filePath: string): boolean {
   if (
     filePath.includes("pnpm-store") ||
@@ -171,6 +181,23 @@ function getNodeModulesParentDir(filePath: string): string | null {
   return null;
 }
 
+function groupNodeAppFilesByDirectory(
+  filePathToContent: FilePathToContent,
+): FilesByDirMap {
+  const filesByDir: FilesByDirMap = new Map();
+  const filePaths = Object.keys(filePathToContent);
+
+  for (const filePath of filePaths) {
+    const directory = path.dirname(filePath);
+
+    if (!filesByDir.has(directory)) {
+      filesByDir.set(directory, new Set());
+    }
+    filesByDir.get(directory)?.add(filePath);
+  }
+  return filesByDir;
+}
+
 function getGroupingDir(filePath: string): string {
   const nodeModulesParentDir = getNodeModulesParentDir(filePath);
 
@@ -180,7 +207,7 @@ function getGroupingDir(filePath: string): string {
   return path.dirname(filePath);
 }
 
-function groupFilesByDirectory(
+function groupNodeModulesFilesByDirectory(
   filePathToContent: FilePathToContent,
 ): FilesByDirMap {
   const filesByDir: FilesByDirMap = new Map();

lib/analyzer/applications/node.ts

@@ -18,7 +18,8 @@ import {
 import { LogicalRoot } from "snyk-resolve-deps/dist/types";
 import {
   cleanupAppNodeModules,
-  groupFilesByDirectory,
+  groupNodeAppFilesByDirectory,
+  groupNodeModulesFilesByDirectory,
   persistNodeModules,
 } from "./node-modules-utils";
 import {
@@ -35,6 +36,7 @@ interface ManifestLockPathPair {
 
 export async function nodeFilesToScannedProjects(
   filePathToContent: FilePathToContent,
+  shouldIncludeNodeModules: boolean,
 ): Promise<AppDepsScanResultWithoutTarget[]> {
   const scanResults: AppDepsScanResultWithoutTarget[] = [];
   /**
@@ -51,8 +53,9 @@ export async function nodeFilesToScannedProjects(
     return [];
   }
 
-  const fileNamesGroupedByDirectory = groupFilesByDirectory(filePathToContent);
-  const [manifestFilePairs, nodeProjects] = findProjectsAndManifests(
+  const fileNamesGroupedByDirectory =
+    groupNodeAppFilesByDirectory(filePathToContent);
+  const manifestFilePairs = findManifestLockPairsInSameDirectory(
     fileNamesGroupedByDirectory,
   );
 
@@ -64,14 +67,22 @@ export async function nodeFilesToScannedProjects(
       )),
     );
   }
-  if (nodeProjects.length !== 0) {
-    scanResults.push(
-      ...(await depGraphFromNodeModules(
-        filePathToContent,
-        nodeProjects,
-        fileNamesGroupedByDirectory,
-      )),
+
+  if (shouldIncludeNodeModules) {
+    const appNodeModulesGroupedByDirectory =
+      groupNodeModulesFilesByDirectory(filePathToContent);
+    const nodeProjects = findManifestNodeModulesFilesInSameDirectory(
+      appNodeModulesGroupedByDirectory,
     );
+    if (nodeProjects.length !== 0) {
+      scanResults.push(
+        ...(await depGraphFromNodeModules(
+          filePathToContent,
+          nodeProjects,
+          appNodeModulesGroupedByDirectory,
+        )),
+      );
+    }
   }
 
   return scanResults;
@@ -109,7 +120,6 @@ async function depGraphFromNodeModules(
       );
 
       if ((pkgTree as LogicalRoot).numDependencies === 0) {
-        await cleanupAppNodeModules(tempDir);
         continue;
       }
 
@@ -197,13 +207,15 @@ async function depGraphFromManifestFiles(
   return scanResults;
 }
 
-function findProjectsAndManifests(
+function findManifestLockPairsInSameDirectory(
   fileNamesGroupedByDirectory: FilesByDirMap,
-): [ManifestLockPathPair[], string[]] {
+): ManifestLockPathPair[] {
   const manifestLockPathPairs: ManifestLockPathPair[] = [];
-  const nodeProjects: string[] = [];
 
   for (const directoryPath of fileNamesGroupedByDirectory.keys()) {
+    if (directoryPath.includes("node_modules")) {
+      continue;
+    }
     const filesInDirectory = fileNamesGroupedByDirectory.get(directoryPath);
     if (!filesInDirectory || filesInDirectory.size < 1) {
       // missing manifest files
@@ -230,12 +242,40 @@ function findProjectsAndManifests(
           ? lockFileParser.LockfileType.npm
           : lockFileParser.LockfileType.yarn,
       });
+    }
+  }
+
+  return manifestLockPathPairs;
+}
+
+function findManifestNodeModulesFilesInSameDirectory(
+  fileNamesGroupedByDirectory: FilesByDirMap,
+): string[] {
+  const nodeProjects: string[] = [];
+
+  for (const directoryPath of fileNamesGroupedByDirectory.keys()) {
+    const filesInDirectory = fileNamesGroupedByDirectory.get(directoryPath);
+    if (!filesInDirectory || filesInDirectory.size < 1) {
+      // missing manifest files
+      continue;
+    }
+
+    const expectedManifest = path.join(directoryPath, "package.json");
+    const expectedNpmLockFile = path.join(directoryPath, "package-lock.json");
+    const expectedYarnLockFile = path.join(directoryPath, "yarn.lock");
+
+    const hasManifestFile = filesInDirectory.has(expectedManifest);
+    const hasLockFile =
+      filesInDirectory.has(expectedNpmLockFile) ||
+      filesInDirectory.has(expectedYarnLockFile);
+
+    if (hasManifestFile && hasLockFile) {
       continue;
     }
     nodeProjects.push(directoryPath);
   }
 
-  return [manifestLockPathPairs, nodeProjects];
+  return nodeProjects;
 }
 
 function stripUndefinedLabels(

lib/analyzer/static-analyzer.ts

@@ -103,6 +103,7 @@ export async function analyze(
   }
 
   const appScan = !isTrue(options["exclude-app-vulns"]);
+  const nodeModulesScan = !isTrue(options["exclude-node-modules"]);
 
   if (appScan) {
     staticAnalysisActions.push(
@@ -194,6 +195,7 @@ export async function analyze(
   if (appScan) {
     const nodeDependenciesScanResults = await nodeFilesToScannedProjects(
       getFileContent(extractedLayers, getNodeAppFileContentAction.actionName),
+      nodeModulesScan,
     );
     const phpDependenciesScanResults = await phpFilesToScannedProjects(
       getFileContent(extractedLayers, getPhpAppFileContentAction.actionName),

lib/types.ts

@@ -195,7 +195,8 @@ export interface PluginOptions {
 
   /** Whether to disable application dependencies scanning. The default is "false" */
   "exclude-app-vulns": boolean | string;
-
+  /** Whether to disable node modules dependencies scanning. The default is "false" */
+  "exclude-node-modules": boolean | string;
   /**
    * How many levels of (nested) JARs we should unpack
    * If a JAR contains other JARs (AKA JAR of JARs), we send back only the children JARs, and don't look for vulns in the parent.