
feat(ostest): auto-detect C/C++ artefacts, run unmanaged scan alongside managed [IDE-2089]#251

Open

acke wants to merge 1 commit into main from feat/IDE-2089_autodetect-cpp-unmanaged

Conversation

acke commented May 31, 2026

Summary

Moves C/C++ project detection from snyk-ls into os-flows and wires it into OSWorkflow so a folder with both a manifest and C/C++ files gets scanned both ways automatically — eliminating the IDE's per-folder "switch to unmanaged mode?" prompt and toggle.

What lands here

  • pkg/unmanaged/detect.HasCPPArtefacts(root) bool — bounded directory walker (max 5000 entries, depth 6, skip-list for node_modules / vendor / cmake-build-* / VCS / common build outputs). Short-circuits on the first C/C++ source, header (.c / .cc / .cpp / .cxx / .h / .hpp / .hxx / .ipp / .tpp / .tcc / .inl …), recognised build-system filename (CMakeLists.txt, Makefile, meson.build, configure.ac …), or *.mk. Ported from snyk-ls/infrastructure/oss/unmanaged_detect.go so it lives next to the rest of the OSS routing.
  • internal/constants/constants.go — AutodetectOSSEnvVar = "SNYK_AUTODETECT_OSS".
  • internal/commands/ostest/autodetect.go — autoDetectEnabled() parses the env var, detectCPPDirs(dirs) filters input directories, invokeLegacyUnmanagedScan(ctx) clones the config, injects --unmanaged into RAW_CMD_ARGS, sets WORKFLOW_USE_STDIO=false, and invokes the legacycli workflow.
  • internal/commands/ostest/workflow.go — after the managed scan returns, if SNYK_AUTODETECT_OSS is truthy and --unmanaged wasn't already passed, runs the detector; on any C/C++ hit, runs the unmanaged scan via the legacy CLI and appends its workflow.Data to the managed output. Errors from the unmanaged scan are logged and swallowed — the managed result still ships.
  • Tests — pkg/unmanaged/detect/cpp_test.go covers positives, negatives, skip-dirs, case-insensitive extensions; internal/commands/ostest/autodetect_test.go covers env-var parsing, dir-filtering, arg dedup.

How the new flow looks

snyk test … (env: SNYK_AUTODETECT_OSS=1)
   │
   └─► OSWorkflow
         ├─► managed scan (processAllInputDirectories)  ◄── existing path, unchanged
         └─► detect.HasCPPArtefacts for each input dir
                  │
                  └─► any C/C++ artefacts AND --unmanaged not already set?
                          ├─ no  → return managed data
                          └─ yes → invoke legacycli with --unmanaged injected
                                   append its workflow.Data to managed output

Why off-by-default

Off unless SNYK_AUTODETECT_OSS is truthy. Lets us roll out without disturbing existing CLI users: direct snyk test against a folder with stray .cpp files (e.g. native node modules) keeps behaving exactly as today. snyk-ls opts every OSS scan in via the companion PR.

Limitation

A Go-native unmanaged.test workflow does not yet exist anywhere — the env-var gate in earlier WIP referenced an identifier that was never registered. This PR therefore invokes legacycli (TypeScript CLI) for the unmanaged half. The legacy CLI's workflow.Data carries its own content type, so for mixed manifest + C/C++ folders the unmanaged and managed results render as two separate sections rather than as one unified report. When a native unmanaged workflow lands, the swap is local — just point invokeLegacyUnmanagedScan at the new workflow identifier.

Companion PRs

  • snyk/snyk-ls#1311 — flips on SNYK_AUTODETECT_OSS=1 for every OSS CLI invocation from the LS, and deletes the now-redundant per-folder snyk_oss_unmanaged_enabled setting, prompt UX, panel toggle, and re-arm logic.
  • snyk/snyk-intellij-plugin#834 — closed; the per-folder setting it forwarded no longer exists.

Jira: IDE-2089

Test plan

  • go test ./pkg/unmanaged/detect/... ./internal/commands/ostest/... — green
  • go test ./... — full repo green
  • go vet ./... — clean
  • Manual: SNYK_AUTODETECT_OSS=1 snyk test against a folder with both package.json and .cpp files — confirm both managed and unmanaged results appear.
  • Manual: same env var on a pure-JS folder — confirm only managed output (no spurious unmanaged scan).
  • Manual: env var unset — confirm behaviour unchanged from main.

🤖 Generated with Claude Code

…gside managed [IDE-2089]

Adds `pkg/unmanaged/detect.HasCPPArtefacts` — a bounded directory walker
that short-circuits on the first C/C++ source, header, build file, or
*.mk file. Skip-list, file-count cap, and depth cap mirror the
detection that previously lived in snyk-ls so the cost stays in the
single-digit ms range on cold caches.

Wires that detector into `OSWorkflow` behind a new
`SNYK_AUTODETECT_OSS` env-var gate. When opted in and `--unmanaged`
was not already passed:

  - inspect each input directory for C/C++ artefacts
  - if any are found, invoke `legacycli` with `--unmanaged` after the
    managed scan and append its workflow.Data to the managed output

Off by default — flip to opt-in users (initially snyk-ls, via a
follow-up) without disturbing existing CLI flows.

Limitation called out in the file: the legacy CLI's workflow.Data
carries its own content type, so for mixed-content projects the
unmanaged and managed results render as separate sections rather than
a single unified report. A future native `unmanaged.test` workflow can
replace the legacy invocation and produce one merged structured
output.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
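A stand-alone Go sketch of the bounded detector that the description and the commit message outline, written here as an added example rather than the os-flows or snyk-ls implementation; the limits, skip-list and extension set are taken from the bullet above, while the depth rule, the `filepath.SkipAll` short-circuit and the treatment of unreadable entries are assumptions of this example.

```go
package main

import (
	"io/fs"
	"path/filepath"
	"strings"
)

// Illustrative limits, skip-list and extension set modelled on the PR's
// description of detect.HasCPPArtefacts; added example, not the os-flows code.
const maxEntries, maxDepth = 5000, 6
var skipDirs = map[string]bool{"node_modules": true, "vendor": true, ".git": true, ".hg": true, ".svn": true, "build": true, "dist": true, "target": true}
var cppExts = map[string]bool{".c": true, ".cc": true, ".cpp": true, ".cxx": true, ".h": true,
	".hpp": true, ".hxx": true, ".ipp": true, ".tpp": true, ".tcc": true, ".inl": true}
var buildFiles = map[string]bool{"CMakeLists.txt": true, "Makefile": true, "meson.build": true, "configure.ac": true}

// isCPPArtefact: C/C++ source or header (extension case-insensitive), build file, or *.mk.
func isCPPArtefact(name string) bool {
	if buildFiles[name] {
		return true
	}
	ext := strings.ToLower(filepath.Ext(name))
	return ext == ".mk" || cppExts[ext]
}

// HasCPPArtefacts walks root, prunes skip-listed, cmake-build-* and too-deep dirs,
// gives up after maxEntries entries, and short-circuits on the first artefact.
func HasCPPArtefacts(root string) bool {
	seen, found := 0, false
	_ = filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return nil // unreadable entry: skip it, keep walking
		}
		if seen++; seen > maxEntries {
			return filepath.SkipAll // entry cap reached: stop with nothing found
		}
		rel, _ := filepath.Rel(root, path)
		if d.IsDir() {
			if path != root && (skipDirs[d.Name()] || strings.HasPrefix(d.Name(), "cmake-build-") ||
				strings.Count(rel, string(filepath.Separator)) >= maxDepth) {
				return filepath.SkipDir
			}
			return nil
		}
		if found = isCPPArtefact(d.Name()); found {
			return filepath.SkipAll // first hit: stop the walk
		}
		return nil
	})
	return found
}
```

Because the walk prunes before descending, a stray binding.cpp under node_modules does not flip a JS project into an unmanaged scan, which is the false-positive case the opt-in gate is guarding against.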
@acke acke requested review from a team as code owners May 31, 2026 13:10

snyk-io Bot commented May 31, 2026

Snyk checks have passed. No issues have been found so far.

Status  Scan Engine            Critical  High  Medium  Low  Total (0)
        Open Source Security   0         0     0       0    0 issues
        Licenses               0         0     0       0    0 issues
        Code Security          0         0     0       0    0 issues

