newrelic / newrelic-jfr-reporter

Java agent extension to send JFR data to MELT endpoints via telemetry SDK
Apache License 2.0
2 stars 2 forks

Configure snyk to monitor repo #8

Open jasonjkeller opened 4 years ago

jasonjkeller commented 4 years ago

This project uses the Kotlin DSL for the build.gradle.kts, which means that Snyk needs to be configured via the snyk CLI tool. However, it isn't working due to the error described in the summary below.

Summary

I can’t seem to add snyk to this repo because of the following error:

snyk test --all-sub-projects

Gradle Error (short):
> Could not resolve all dependencies for configuration ':snykMergedDepsConf'.
   > Could not resolve com.newrelic:jfr-mappers:0.3.0.
      > The consumer was configured to find a component compatible with Java 8, packaged as a jar. However we cannot choose between the following variants of com.newrelic:jfr-mappers:0.3.0:

===== DEBUG INFORMATION START =====
gradle command: '/Users/jkeller/code/newrelic-jfr-reporter/gradlew' snykResolvedDepsJson -q --build-file build.gradle.kts --no-daemon -Dorg.gradle.parallel= -Dorg.gradle.console=plain -I /var/folders/hp/dxbvtb094l977bx9zdhspnyc0000gn/T/tmp-80810-v6fUNFkn1L6Q--init.gradle

------------------------------------------------------------
Gradle 6.6.1
------------------------------------------------------------

Build time:   2020-08-25 16:29:12 UTC
Revision:     f2d1fb54a951d8b11d25748e4711bec8d128d7e3

Kotlin:       1.3.72
Groovy:       2.5.12
Ant:          Apache Ant(TM) version 1.10.8 compiled on May 10 2020
JVM:          14.0.2 (AdoptOpenJDK 14.0.2+12)
OS:           Mac OS X 10.15.6 x86_64

>>> command: '/Users/jkeller/code/newrelic-jfr-reporter/gradlew' snykResolvedDepsJson -q --build-file build.gradle.kts --no-daemon -Dorg.gradle.parallel= -Dorg.gradle.console=plain -I /var/folders/hp/dxbvtb094l977bx9zdhspnyc0000gn/T/tmp-80810-v6fUNFkn1L6Q--init.gradle
>>> exit code: 1
>>> stdout:
SNYKECHO snykResolvedDepsJson task is executing via doLast
JSONATTRS {"org.gradle.usage":["java-runtime","java-api"],"org.gradle.category":["library","documentation"],"org.gradle.libraryelements":["jar"],"org.gradle.dependency.bundling":["external","embedded"],"org.gradle.docstype":["javadoc","sources"],"org.gradle.jvm.version":["8"]}
SNYKECHO processing project: newrelic-jfr-reporter
SNYKECHO constructing merged configuration from [annotationProcessor, api, apiElements, archives, compile, compileClasspath, compileOnly, default, implementation, javadocElements, runtime, runtimeClasspath, runtimeElements, runtimeOnly, shadow, shadowRuntimeElements, signatures, sourcesElements, testAnnotationProcessor, testCompile, testCompileClasspath, testCompileOnly, testImplementation, testRuntime, testRuntimeClasspath, testRuntimeOnly]
SNYKECHO resolving configuration snykMergedDepsConf

>>> stderr:

FAILURE: Build failed with an exception.

* Where:
Initialization script '/var/folders/hp/dxbvtb094l977bx9zdhspnyc0000gn/T/tmp-80810-v6fUNFkn1L6Q--init.gradle' line: 258

* What went wrong:
Execution failed for task ':snykResolvedDepsJson'.
> Could not resolve all dependencies for configuration ':snykMergedDepsConf'.
   > Could not resolve com.newrelic:jfr-mappers:0.3.0.
     Required by:
         project :
      > The consumer was configured to find a component compatible with Java 8, packaged as a jar. However we cannot choose between the following variants of com.newrelic:jfr-mappers:0.3.0:
          - javadocElements
          - sourcesElements
        All of them match the consumer attributes:
          - Variant 'javadocElements' capability com.newrelic:jfr-mappers:0.3.0:
              - Unmatched attributes:
                  - Provides documentation but the consumer didn't ask for it
                  - Provides its dependencies declared externally but the consumer didn't ask for it
                  - Provides javadocs but the consumer didn't ask for it
                  - Doesn't say anything about its target Java version (required compatibility with Java 8)
                  - Doesn't say anything about its elements (required them packaged as a jar)
                  - Provides release status but the consumer didn't ask for it
                  - Provides a runtime but the consumer didn't ask for it
          - Variant 'sourcesElements' capability com.newrelic:jfr-mappers:0.3.0:
              - Unmatched attributes:
                  - Provides documentation but the consumer didn't ask for it
                  - Provides its dependencies declared externally but the consumer didn't ask for it
                  - Provides sources but the consumer didn't ask for it
                  - Doesn't say anything about its target Java version (required compatibility with Java 8)
                  - Doesn't say anything about its elements (required them packaged as a jar)
                  - Provides release status but the consumer didn't ask for it
                  - Provides a runtime but the consumer didn't ask for it
        The following variants were also considered but didn't match the requested attributes:
          - Variant 'apiElements' capability com.newrelic:jfr-mappers:0.3.0 declares a component, packaged as a jar:
              - Incompatible because this component declares a component compatible with Java 11 and the consumer needed a component compatible with Java 8
          - Variant 'runtimeElements' capability com.newrelic:jfr-mappers:0.3.0 declares a component, packaged as a jar:
              - Incompatible because this component declares a component compatible with Java 11 and the consumer needed a component compatible with Java 8

* Try:
Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output. Run with --scan to get full insights.

* Get more help at https://help.gradle.org

BUILD FAILED in 9s

===== DEBUG INFORMATION END =====

Error running Gradle dependency analysis.

Please ensure you are calling the `snyk` command with correct arguments.
If the problem persists, contact support@snyk.io, providing the full error
message from above, starting with ===== DEBUG INFORMATION START =====.

It’s a bit cryptic but I think the crucial part is this, where there appears to be an incompatible cyclic dependency due to the jfr-mappers library targeting Java 11:

The consumer was configured to find a component compatible with Java 8, packaged as a jar. However we cannot choose between the following variants of com.newrelic:jfr-mappers:0.3.0
          - javadocElements
          - sourcesElements

          ...

          - Variant 'apiElements' capability com.newrelic:jfr-mappers:0.3.0 declares a component, packaged as a jar:
              - Incompatible because this component declares a component compatible with Java 11 and the consumer needed a component compatible with Java 8
          - Variant 'runtimeElements' capability com.newrelic:jfr-mappers:0.3.0 declares a component, packaged as a jar:
              - Incompatible because this component declares a component compatible with Java 11 and the consumer needed a component compatible with Java 8
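
The failure above is Gradle's variant-aware resolution, not anything Snyk-specific: the merged configuration asked for a jar compatible with Java 8, `com.newrelic:jfr-mappers:0.3.0` only publishes jars that declare Java 11, and the two variants that say nothing about a Java version (javadoc and sources) are left as equally acceptable, so Gradle reports an ambiguity instead of picking one. The Python below is an added illustration, not code from this project, from Gradle or from Snyk. It replays that matching over a constructed variant table whose attribute values are taken from the error text (the real `.module` file has more fields); the `resolve` helper and the preference table for unrequested attributes are a simplification of Gradle's matching and Java-ecosystem disambiguation rules, not its implementation.

```python
"""Simplified model of Gradle's variant-aware dependency resolution.

Illustrative code added to explain the ':snykMergedDepsConf' error above.
Not Gradle's implementation and not the Snyk init script.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

JVM_VERSION = "org.gradle.jvm.version"
USAGE = "org.gradle.usage"
CATEGORY = "org.gradle.category"
LIBRARY_ELEMENTS = "org.gradle.libraryelements"
DOCSTYPE = "org.gradle.docstype"
BUNDLING = "org.gradle.dependency.bundling"
STATUS = "org.gradle.status"

Attrs = Dict[str, object]

# Constructed stand-in for the variants in jfr-mappers 0.3.0's Gradle Module
# Metadata; attribute values are read off the error output on this page.
JFR_MAPPERS_0_3_0: Dict[str, Attrs] = {
    "apiElements": {USAGE: "java-api", CATEGORY: "library", LIBRARY_ELEMENTS: "jar",
                    JVM_VERSION: 11, BUNDLING: "external", STATUS: "release"},
    "runtimeElements": {USAGE: "java-runtime", CATEGORY: "library", LIBRARY_ELEMENTS: "jar",
                        JVM_VERSION: 11, BUNDLING: "external", STATUS: "release"},
    "javadocElements": {USAGE: "java-runtime", CATEGORY: "documentation", DOCSTYPE: "javadoc",
                        BUNDLING: "external", STATUS: "release"},
    "sourcesElements": {USAGE: "java-runtime", CATEGORY: "documentation", DOCSTYPE: "sources",
                        BUNDLING: "external", STATUS: "release"},
}

# What the merged Snyk configuration requested, per the error text: a jar
# compatible with Java 8 (and, for comparison, the same request for Java 11).
SNYK_JAVA8_REQUEST: Attrs = {JVM_VERSION: 8, LIBRARY_ELEMENTS: "jar"}
JAVA11_REQUEST: Attrs = {JVM_VERSION: 11, LIBRARY_ELEMENTS: "jar"}

# Simplified model of Gradle's default Java-ecosystem disambiguation for
# attributes the consumer did not ask for: library over documentation,
# runtime over API. Assumption for this model, not a quote of Gradle's rules.
PREFERRED_WHEN_UNREQUESTED: Attrs = {CATEGORY: "library", USAGE: "java-runtime"}


@dataclass
class Resolution:
    selected: Optional[str]                 # the single chosen variant, or None
    candidates: List[str]                   # compatible variants left after disambiguation
    rejected: Dict[str, str] = field(default_factory=dict)  # variant -> incompatibility reason


def compatible(attr: str, requested: object, provided: object) -> bool:
    """The JVM version is ordered: a Java 11 jar cannot serve a Java 8 consumer.
    Every other attribute in this model must match exactly."""
    if attr == JVM_VERSION:
        return int(provided) <= int(requested)
    return provided == requested


def resolve(variants: Dict[str, Attrs], requested: Attrs) -> Resolution:
    rejected: Dict[str, str] = {}
    candidates: List[str] = []
    # Step 1: a variant that declares an incompatible value for a requested
    # attribute is out; one that "doesn't say anything" about it stays in.
    for name, attrs in variants.items():
        reason = None
        for attr, want in requested.items():
            if attr in attrs and not compatible(attr, want, attrs[attr]):
                reason = f"declares {attr}={attrs[attr]}, consumer needs {want}"
                break
        if reason:
            rejected[name] = reason
        else:
            candidates.append(name)
    # Step 2: among survivors, prefer those that actually declare each
    # requested attribute over those that are silent about it.
    for attr in requested:
        declaring = [n for n in candidates if attr in variants[n]]
        if declaring:
            candidates = declaring
    # Step 3: break remaining ties on unrequested attributes with defaults.
    for attr, preferred in PREFERRED_WHEN_UNREQUESTED.items():
        if attr not in requested:
            matching = [n for n in candidates if variants[n].get(attr) == preferred]
            if matching:
                candidates = matching
    selected = candidates[0] if len(candidates) == 1 else None
    return Resolution(selected, candidates, rejected)


if __name__ == "__main__":
    for label, request in (("Java 8 consumer", SNYK_JAVA8_REQUEST),
                           ("Java 11 consumer", JAVA11_REQUEST)):
        r = resolve(JFR_MAPPERS_0_3_0, request)
        print(f"{label}: selected={r.selected} candidates={r.candidates}")
        for name, why in r.rejected.items():
            print(f"  rejected {name}: {why}")
```

With the Java 8 request the model rejects `apiElements` and `runtimeElements` on the JVM version and is left choosing between `javadocElements` and `sourcesElements`, which is exactly the ambiguity Gradle printed; with a Java 11 request the library jar resolves. The equivalent check in a real build is `./gradlew dependencyInsight --dependency com.newrelic:jfr-mappers --configuration compileClasspath`, which prints the same variant-selection reasoning. The `JSONATTRS` line in the debug output lists the attribute values the init script collected from the project, and its `org.gradle.jvm.version` is `8`, so the Java 8 request appears to follow the project's own target; if that reading is right, the consumer-side fix is for the project (or the scanned configuration) to request Java 11.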

breedx-nr commented 4 years ago

Works on my box:

$ npx snyk test --all-sub-projects

Testing /Users/jplumb/code/jfr-reporter...

Organization:      jplumbnewrelic.com
Package manager:   npm
Target file:       package-lock.json
Project name:      jfr-reporter
Open source:       no
Project path:      /Users/jplumb/code/jfr-reporter
Licenses:          enabled

✓ Tested 390 dependencies for known issues, no vulnerable paths found.

Tip: Detected multiple supported manifests (1), use --all-projects to scan all of them at once.

Next steps:
- Run `snyk monitor` to be notified about new related vulnerabilities.
- Run `snyk test` as part of your CI/test.

[Wed Sep 30 10:37:53] {~/code/jfr-reporter}
$ echo $?
0

I'll look at adding the github action.

breedx-nr commented 4 years ago

It's still failing. It also passes when run through the GitHub Actions tool act. I was able to reproduce with act. So frustrating.

breedx-nr commented 4 years ago

I spent some time on this and could NOT get it to work. The snyk CLI does not yet support Java 14, so we might not be able to resolve this in the short term. I'm going to reprioritize it for now.