snyk-labs / snyk-bulk

Collection of docker entrypoints that facilitate snyk '--all-projects'-style bulk scanning
Apache License 2.0

feat: yarn workspace support #47

Closed scott-es closed 2 years ago

scott-es commented 2 years ago

What does this PR do?

enables support for yarn workspace projects

How should this be manually tested?

docker build -t snyk-bulk:node -f Dockerfile-node .
docker run -it --rm --env SNYK_TOKEN --env SNYK_CFG_ORG=ie-playground snyk-bulk:node --monitor --target . --remote-repo-url https://github.com/snyk-tech-services/snyk-bulk-yarn --debug -- "-target-reference=feat/yarn-workspace-support"

Any background context you want to provide?

Previously, yarn workspace projects were not being tested successfully because the script would naively attempt npm install on any package.json file in a directory with no corresponding package-lock.json or node_modules/ folder. Instead the script now checks if we are in a workspace with yarn workspaces list.

In order to scan package.json files in sub packages within the workspace individually the way snyk-bulk needs to, while still using the locked dependencies from the yarn.lock file in the workspace root directory for accuracy, a bit of trickery is used for the snyk CLI to link the workspace yarn.lock file to the sub-package's package.json file. Because using --file loses the scope of the workspace, we can simply link the workspace yarn.lock file in each sub-package directory so that when snyk test runs it resolves the transitive dependencies and versions from the yarn.lock for those direct dependencies listed in each package.json. After the files are linked to each sub-package directory, the script can run as normal and scan each project accordingly.

What are the relevant tickets?

https://snyksec.atlassian.net/browse/CS-9

Screenshots

[screenshot]
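The linking step described in the PR, as an added example that is not snyk-bulk's own entrypoint code: given the root of a yarn workspace and the directories of its workspace packages, it symlinks the root yarn.lock into every package directory that has a package.json and no lockfile of its own, so that a per-package snyk test resolves transitive versions from the lockfile the workspace actually installed from rather than from the latest versions satisfying each range. The PR obtains the package list from `yarn workspaces list`; this example does not run yarn and instead takes the directories as arguments. The sample workspace (`@sample/api`, `@sample/web`, `@sample/legacy`) is constructed in a temporary directory for the demonstration and is not from the project.

```shell
#!/usr/bin/env sh
# Added example, not snyk-bulk code. Assumes the caller already knows the
# workspace package directories (the PR gets them from `yarn workspaces list`).

# link_workspace_lockfile ROOT PKG_DIR...
# Symlink ROOT/yarn.lock into each PKG_DIR that contains a package.json and has
# no lockfile of its own. Existing lockfiles are never replaced, so a package
# that is really a standalone npm project (package-lock.json) keeps its own.
link_workspace_lockfile() {
  root=$1; shift
  root_lock="$root/yarn.lock"
  if [ ! -f "$root_lock" ]; then
    echo "error: no yarn.lock in $root" >&2
    return 1
  fi
  for pkg in "$@"; do
    if [ ! -f "$pkg/package.json" ]; then
      echo "skip $pkg: no package.json" >&2
      continue
    fi
    if [ -e "$pkg/yarn.lock" ] || [ -e "$pkg/package-lock.json" ]; then
      echo "skip $pkg: already has a lockfile" >&2
      continue
    fi
    ln -s "$root_lock" "$pkg/yarn.lock" || return 1
    echo "linked $pkg/yarn.lock -> $root_lock"
  done
  return 0
}

# count_lock_links ROOT: number of yarn.lock symlinks below ROOT (the root
# lockfile itself is a regular file, so it is not counted).
count_lock_links() {
  find "$1" -type l -name yarn.lock | wc -l | tr -d ' '
}

# make_sample_workspace: build a constructed workspace in a temp dir and print
# its path. Contents are sample data for this example only.
make_sample_workspace() {
  ws=$(mktemp -d)
  mkdir -p "$ws/packages/api" "$ws/packages/web" "$ws/packages/legacy"
  printf '{"name":"root","private":true,"workspaces":["packages/*"]}\n' > "$ws/package.json"
  printf '# sample lockfile (constructed)\n' > "$ws/yarn.lock"
  printf '{"name":"@sample/api","dependencies":{"express":"^4.18.0"}}\n' > "$ws/packages/api/package.json"
  printf '{"name":"@sample/web","dependencies":{"react":"^18.2.0"}}\n' > "$ws/packages/web/package.json"
  # A package that already carries its own npm lockfile must be left alone.
  printf '{"name":"@sample/legacy"}\n' > "$ws/packages/legacy/package.json"
  printf '{"lockfileVersion":2}\n' > "$ws/packages/legacy/package-lock.json"
  echo "$ws"
}

# Demonstration: link the sample workspace and show the result.
DEMO_WS=$(make_sample_workspace)
link_workspace_lockfile "$DEMO_WS" \
  "$DEMO_WS/packages/api" "$DEMO_WS/packages/web" \
  "$DEMO_WS/packages/legacy" "$DEMO_WS/packages/does-not-exist"
echo "yarn.lock links created: $(count_lock_links "$DEMO_WS")"
rm -rf "$DEMO_WS"
```

With the links in place, each sub-package directory looks like an ordinary yarn project to the snyk CLI, and the rest of the entrypoint can iterate over package.json files as it did before. Because the link points at the root lockfile, versions reported by snyk test for a sub-package match what the workspace install actually resolved.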