fix: correctly handle ignores even if limited to administrators

jlp-craigmorten · Sep 1, 2024 · 352553c · 352553c
1 parent 8002d29
commit 352553c
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 6 deletions.
diff --git a/.snyk b/.snyk
@@ -1,2 +1,7 @@
-ignore: {}
+ignore:
+  SNYK-JS-INFLIGHT-6095116:
+    - '*':
+        reason: None Given
+        expires: 2024-09-01T00:00:00.000Z
+        created: 2024-09-01T00:00:00.000Z
 patch: {}
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "snyker",
-  "version": "5.0.0",
+  "version": "5.0.1",
   "description": "An opinionated, heavy-handed wrapper around Snyk.",
   "author": {
     "name": "Craig Morten",

diff --git a/src/index.js b/src/index.js
@@ -168,6 +168,44 @@ const updatePackageLock = async ({ lockFileName, depsToForceUpdate }) => {
   }
 };
 
+const created = new Date();
+created.setUTCHours(0, 0, 0, 0);
+
+const updateSnykPolicyWithIgnores = (vulnerabilityIds) => {
+  const snykPolicyFile = fs.existsSync(".snyk")
+    ? fs.readFileSync(".snyk", "utf8")
+    : "ignore: {}\npatch: {}";
+
+  const policy = yaml.load(snykPolicyFile);
+
+  const updatedPolicy = {
+    ...policy,
+    ignore: {
+      ...policy.ignore,
+      ...Object.fromEntries(
+        vulnerabilityIds.map((vulnerabilityId) => [
+          vulnerabilityId,
+          [
+            {
+              "*": {
+                // REF: https://github.com/snyk/cli/blob/main/src/cli/commands/ignore.ts#L59
+                reason: "None Given",
+                // REF: https://github.com/snyk/cli/blob/main/src/cli/commands/ignore.ts#L55
+                expires: new Date(created + 30 * 24 * 60 * 60 * 1000),
+                // REF: https://github.com/snyk/cli/blob/main/src/cli/commands/ignore.ts#L80
+                created,
+              },
+            },
+          ],
+        ]),
+      ),
+    },
+  };
+
+  const updatedPolicyFile = yaml.dump(updatedPolicy);
+  fs.writeFileSync(".snyk", updatedPolicyFile);
+};
+
 const updateSnykPolicyPatches = (patchablePackages) => {
   const snykPolicyFile = fs.existsSync(".snyk")
     ? fs.readFileSync(".snyk", "utf8")
@@ -388,13 +426,12 @@ const snyker = async () => {
 
     const uniqueVulnerabilityIds = unique(vulnerabilityIds);
     uniqueVulnerabilityIds.forEach((id) => console.log(`\t- ${id}`));
+
+    updateSnykPolicyWithIgnores(uniqueVulnerabilityIds);
+
     // Intentional newline
     console.log();
 
-    for (const id of uniqueVulnerabilityIds) {
-      await exec("npx", ["snyk", "ignore", `--id=${id}`]);
-    }
-
     if (upgradablePackages.length) {
       const installCommand = isYarn ? "yarn upgrade" : "npm install";
       const upgradablePackagesStr = unique(upgradablePackages).reduce(
@@ -413,6 +450,7 @@ const snyker = async () => {
       unique(patchablePackages.map(({ id }) => id)).forEach((id) =>
         console.log(`\t- ${id}`),
       );
+
       // Intentional newline
       console.log();
       updateSnykPolicyPatches(patchablePackages);