snyk-plugin: added --snyk-code-test-opts flag

Users are now able to use the introduced flag to pass new parameters to the snyk cli Resolves: https://issues.redhat.com/browse/OSH-307 Reproducer: csmock -t snyk --snyk-code-test-opts='--report --project-name=osbuild' -r rhel-8-x86_64 osbuild-99-1.el10+1.src.rpm
csutils · Nov 14, 2023 · 71fb44a · 71fb44a
1 parent 2e89ad7
commit 71fb44a
Showing 1 changed file with 15 additions and 4 deletions.
diff --git a/py/plugins/snyk.py b/py/plugins/snyk.py
@@ -33,7 +33,7 @@
 FILTER_CMD = f"csgrep '%s' --mode=json --prepend-path-prefix={SNYK_SCAN_DIR}/ > '%s'"
 
 # default value for the maximum amount of time taken by invocation of Snyk (5 hours)
-DEFAULT_SNYK_TIMEOUT=18000
+DEFAULT_SNYK_TIMEOUT = 18000
 
 
 class PluginProps:
@@ -74,6 +74,9 @@ def init_parser(self, parser):
             "--snyk-timeout", type=int, default=DEFAULT_SNYK_TIMEOUT,
             help="maximum amount of time taken by invocation of Snyk [s]")
 
+        parser.add_argument(
+            "--snyk-code-test-opts",
+            help="space-separated list of additional options passed to the 'snyk code test' command")
 
     def handle_args(self, parser, args, props):
         if not self.enabled:
@@ -103,7 +106,8 @@ def fetch_snyk_hook(results, props):
             self.snyk_bin = os.path.join(cache_dir, snyk_bin_name)
 
             if not args.snyk_refresh and os.path.exists(self.snyk_bin):
-                results.print_with_ts("reusing previously downloaded snyk executable: %s" % self.snyk_bin)
+                results.print_with_ts("reusing previously downloaded snyk executable: "
+                                      + self.snyk_bin)
             else:
                 # fetch the binary executable
                 ec = results.exec_cmd(['curl', '-Lfso', self.snyk_bin, url])
@@ -143,6 +147,7 @@ def fetch_snyk_hook(results, props):
         def copy_resolv_conf(results, mock):
             mock.copy_in_resolv_conf()
             return 0
+
         props.post_depinst_hooks += [copy_resolv_conf]
 
         def scan_hook(results, mock, props):
@@ -156,8 +161,13 @@ def scan_hook(results, mock, props):
                 return ec
 
             # command to run snyk code
-            cmd = "%s code test -d %s --sarif-file-output=%s >/dev/null 2>%s" \
-                    % (self.snyk_bin, SNYK_SCAN_DIR, SNYK_OUTPUT, SNYK_LOG)
+            cmd = f"{self.snyk_bin} code test -d {SNYK_SCAN_DIR}"
+
+            # if we use the --snyk-code-test-opts flags, we append the flags to the SNYK CLI code
+            if args.snyk_code_test_opts:
+                cmd += f" {args.snyk_code_test_opts}"
+
+            cmd += f" --sarif-file-output={SNYK_OUTPUT} >/dev/null 2>{SNYK_LOG}"
 
             if args.snyk_timeout:
                 # wrap snyk invocation by timeout(1)
@@ -194,4 +204,5 @@ def filter_hook(results):
             dst = "%s/snyk-results.json" % results.dbgdir_uni
             cmd = FILTER_CMD % (src, dst)
             return results.exec_cmd(cmd, shell=True)
+
         props.post_process_hooks += [filter_hook]