chore: merge branch 'main' into fix/dockerfile-attribution

Author: d3vco

.github/CODEOWNERS

@@ -1,5 +1,5 @@
 # This is a comment.
 # Each line is a file pattern followed by one or more owners.
 
-* @snyk/infrasec_container
+* @snyk/infrasec_container @snyk/container_container
 

lib/analyzer/applications/node-modules-utils.ts

@@ -1,5 +1,6 @@
 import * as Debug from "debug";
 import { mkdir, mkdtemp, rm, stat, writeFile } from "fs/promises";
+import * as os from "os";
 import * as path from "path";
 import { FilePathToContent, FilesByDirMap } from "./types";
 const debug = Debug("snyk");
@@ -22,7 +23,7 @@ interface ScanPaths {
 async function createTempProjectDir(
   projectDir: string,
 ): Promise<{ tmpDir: string; tempProjectRoot: string }> {
-  const tmpDir = await mkdtemp("snyk");
+  const tmpDir = await mkdtemp(path.join(os.tmpdir(), "snyk-"));
 
   const tempProjectRoot = path.join(tmpDir, projectDir);
 
@@ -76,20 +77,23 @@ async function persistNodeModules(
   fileNamesGroupedByDirectory: FilesByDirMap,
 ): Promise<ScanPaths> {
   const modules = fileNamesGroupedByDirectory.get(project);
-  const tmpDir: string = "";
-  const tempProjectRoot: string = "";
 
   if (!modules || modules.size === 0) {
     debug(`Empty application directory tree.`);
-
-    return {
-      tempDir: tmpDir,
-      tempProjectPath: tempProjectRoot,
-    };
+    return { tempDir: "", tempProjectPath: "" };
   }
 
+  // Create the temp directory first so we can return it in the catch block
+  // for cleanup. Previously, the outer tmpDir/tempProjectRoot were always
+  // empty strings, meaning any temp directory created before a failure in
+  // saveOnDisk or later steps would be leaked (caller couldn't clean it up).
+  let tmpDir = "";
+  let tempProjectRoot = "";
+
   try {
-    const { tmpDir, tempProjectRoot } = await createTempProjectDir(project);
+    const created = await createTempProjectDir(project);
+    tmpDir = created.tmpDir;
+    tempProjectRoot = created.tempProjectRoot;
 
     await saveOnDisk(tmpDir, modules, filePathToContent);
 
@@ -122,7 +126,10 @@ async function persistNodeModules(
   }
 }
 
-async function createFile(filePath, fileContent): Promise<void> {
+async function createFile(
+  filePath: string,
+  fileContent: string,
+): Promise<void> {
   try {
     await mkdir(path.dirname(filePath), { recursive: true });
     await writeFile(filePath, fileContent, "utf-8");

lib/analyzer/applications/node.ts

@@ -136,7 +136,7 @@ async function depGraphFromNodeModules(
       }
 
       const depGraph = await legacy.depTreeToGraph(
-        pkgTree,
+        pkgTree as any,
         pkgTree.type || "npm",
       );
 
@@ -417,7 +417,7 @@ function stripUndefinedLabels(
   parserResult: lockFileParser.PkgTree,
 ): lockFileParser.PkgTree {
   const optionalLabels = parserResult.labels;
-  const mandatoryLabels: Record<string, string> = {};
+  const mandatoryLabels: Record<string, any> = {};
   if (optionalLabels) {
     for (const currentLabelName of Object.keys(optionalLabels)) {
       if (optionalLabels[currentLabelName] !== undefined) {
@@ -428,7 +428,7 @@ function stripUndefinedLabels(
   const parserResultWithProperLabels = Object.assign({}, parserResult, {
     labels: mandatoryLabels,
   });
-  return parserResultWithProperLabels;
+  return parserResultWithProperLabels as lockFileParser.PkgTree;
 }
 
 async function buildDepGraph(
@@ -513,7 +513,10 @@ async function buildDepGraphFromDepTree(
     // Don't provide a default manifest file name, prefer the parser to infer it.
   );
   const strippedLabelsParserResult = stripUndefinedLabels(parserResult);
-  return await legacy.depTreeToGraph(strippedLabelsParserResult, lockfileType);
+  return await legacy.depTreeToGraph(
+    strippedLabelsParserResult as any,
+    lockfileType,
+  );
 }
 
 export function getLockFileVersion(

lib/analyzer/image-inspector.ts

@@ -1,6 +1,5 @@
 import * as Debug from "debug";
 import * as fs from "fs";
-import * as mkdirp from "mkdirp";
 import * as path from "path";
 
 import { Docker, DockerOptions } from "../docker";
@@ -200,7 +199,7 @@ async function getImageArchive(
   platform?: string,
 ): Promise<ArchiveResult> {
   const docker = new Docker();
-  mkdirp.sync(imageSavePath);
+  fs.mkdirSync(imageSavePath, { recursive: true });
   const destination: DestinationDir = {
     name: imageSavePath,
     removeCallback: cleanupCallback(imageSavePath, "image.tar"),

lib/image-save-path.ts

@@ -1,12 +1,12 @@
+import * as crypto from "crypto";
+import * as os from "os";
 import * as path from "path";
-import * as tmp from "tmp";
-import { v4 as uuidv4 } from "uuid";
 
 export function fullImageSavePath(imageSavePath: string | undefined): string {
-  let imagePath = tmp.dirSync().name;
+  let imagePath = os.tmpdir();
   if (imageSavePath) {
     imagePath = path.normalize(imageSavePath);
   }
 
-  return path.join(imagePath, uuidv4());
+  return path.join(imagePath, crypto.randomUUID());
 }

lib/scan.ts

@@ -259,6 +259,7 @@ export async function extractContent(
   switch (imageType) {
     case ImageType.DockerArchive:
     case ImageType.OciArchive:
+    case ImageType.KanikoArchive:
       imagePath = getAndValidateArchivePath(targetImage);
       break;
     case ImageType.Identifier:

package-lock.json

@@ -46,17 +46,14 @@
     "fzstd": "^0.1.1",
     "gunzip-maybe": "^1.4.2",
     "minimatch": "^9.0.0",
-    "mkdirp": "^1.0.4",
     "packageurl-js": "1.2.0",
     "semver": "^7.7.3",
     "shescape": "^2.1.7",
-    "snyk-nodejs-lockfile-parser": "^2.2.2",
+    "snyk-nodejs-lockfile-parser": "^2.7.0",
     "snyk-poetry-lockfile-parser": "1.9.1",
     "snyk-resolve-deps": "^4.9.1",
     "tar-stream": "^2.2.0",
-    "tmp": "^0.2.5",
     "tslib": "^1",
-    "uuid": "^8.2.0",
     "varint": "^6.0.0"
   },
   "devDependencies": {
@@ -70,7 +67,6 @@
     "@types/jest": "^29.5.5",
     "@types/node": "^20.19.1",
     "@types/tar-stream": "^1.6.1",
-    "@types/tmp": "^0.2.0",
     "jest": "^29.7.0",
     "npm-run-all": "^4.1.5",
     "prettier": "^2.7.1",