Merge pull request #190 from docker/check-local-snyk-version

Use Snyk binary embedded with Docker Desktop if more recent than loca…

Author: StefanScherer

builder.Makefile

@@ -15,7 +15,8 @@ STATIC_FLAGS= CGO_ENABLED=0
 LDFLAGS := "-s -w \
   -X $(PKG_NAME)/internal.GitCommit=$(COMMIT) \
   -X $(PKG_NAME)/internal.Version=$(TAG_NAME) \
-  -X $(PKG_NAME)/internal/provider.ImageDigest=$(SNYK_IMAGE_DIGEST)"
+  -X $(PKG_NAME)/internal/provider.ImageDigest=$(SNYK_IMAGE_DIGEST) \
+  -X $(PKG_NAME)/internal/provider.SnykDesktopVersion=$(SNYK_DESKTOP_VERSION)"
 GO_BUILD = $(STATIC_FLAGS) go build -trimpath -ldflags=$(LDFLAGS)
 
 SNYK_DOWNLOAD_NAME:=snyk-linux
@@ -36,6 +37,7 @@ endif
 
 VARS:= SNYK_DESKTOP_VERSION=${SNYK_DESKTOP_VERSION}\
 	SNYK_USER_VERSION=${SNYK_USER_VERSION}\
+	SNYK_OLD_VERSION=${SNYK_OLD_VERSION}\
 	DOCKER_CONFIG=$(PWD)/docker-config\
 	SNYK_OLD_PATH=$(PWD)/docker-config/snyk-old\
 	SNYK_USER_PATH=$(PWD)/docker-config/snyk-user\

e2e/version_test.go

@@ -22,6 +22,7 @@ import (
 	"runtime"
 	"testing"
 
+	"github.com/docker/scan-cli-plugin/internal/provider"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
 	"gotest.tools/v3/env"
@@ -67,11 +68,13 @@ func TestVersionSnykOldBinary(t *testing.T) {
 	cmd.Command = dockerCli.Command("scan", "--version")
 	output := icmd.RunCmd(cmd).Assert(t, icmd.Success).Combined()
 	expected := fmt.Sprintf(
-		`Version:    %s
+		`the Snyk version %s installed on your system is older as the one embedded by Docker Desktop (>=%s), using embedded Snyk version instead
+
+Version:    %s
 Git commit: %s
 Provider:   %s
-The Snyk version installed on your system does not match the docker scan requirements (>=1.385.0), using embedded Snyk version instead.
-`, internal.Version, internal.GitCommit, getProviderVersion("SNYK_DESKTOP_VERSION"))
+`, os.Getenv("SNYK_OLD_VERSION"), provider.SnykDesktopVersion,
+		internal.Version, internal.GitCommit, getProviderVersion("SNYK_DESKTOP_VERSION"))
 
 	assert.Equal(t, output, expected)
 }

internal/provider/provider.go

@@ -164,8 +164,12 @@ func WithAppVulns() Ops {
 // WithPath update the provider binary with the path from the configuration
 func WithPath(path string) Ops {
 	return func(provider *Options) error {
-		if p, err := exec.LookPath("snyk"); err == nil && checkUserSnykBinaryVersion(p) {
-			path = p
+		if p, err := exec.LookPath("snyk"); err == nil {
+			if ok, err := checkUserSnykBinaryVersion(p); ok {
+				path = p
+			} else {
+				fmt.Printf("%s\n\n", err.Error())
+			}
 		}
 		provider.path = path
 		return nil

internal/provider/snyk.go

@@ -31,8 +31,9 @@ import (
 	"github.com/mitchellh/go-homedir"
 )
 
-const (
-	minimalSnykVersion = ">=1.385.0"
+var (
+	// SnykDesktopVersion is the version of the Snyk CLI Binary embedded with Docker Desktop
+	SnykDesktopVersion = "unknown"
 )
 
 type snykProvider struct {
@@ -156,31 +157,36 @@ func isAuthenticatedOnSnyk() (string, error) {
 	return config.API, nil
 }
 
-func checkUserSnykBinaryVersion(path string) bool {
+func checkUserSnykBinaryVersion(path string) (bool, error) {
 	cmd := exec.Command(path, "--version")
 	buff := bytes.NewBuffer(nil)
 	cmd.Stdout = buff
 	cmd.Stderr = ioutil.Discard
 	if err := cmd.Run(); err != nil {
 		// an error occurred, so let's use the desktop binary
-		return false
+		return false, err
 	}
 	ver, err := semver.NewVersion(cleanVersion(buff.String()))
 	if err != nil {
-		return false
+		return false, err
 	}
-	constraint, err := semver.NewConstraint(minimalSnykVersion)
+	constraint, err := semver.NewConstraint(minimalSnykVersion())
 	if err != nil {
-		return false
+		return false, err
 	}
 	matchConstraint := constraint.Check(ver)
 	if !matchConstraint {
-		fmt.Fprintf(os.Stderr, "The Snyk version installed on your system does not match the docker scan requirements (%s), using embedded Snyk version instead.\n", minimalSnykVersion)
+		return matchConstraint, fmt.Errorf("the Snyk version %s installed on your system is older as the one embedded by Docker Desktop (%s), using embedded Snyk version instead",
+			ver, minimalSnykVersion())
 	}
-	return matchConstraint
+	return matchConstraint, nil
 }
 
 func cleanVersion(version string) string {
 	version = strings.TrimSpace(version)
 	return strings.Split(version, " ")[0]
 }
+
+func minimalSnykVersion() string {
+	return fmt.Sprintf(">=%s", SnykDesktopVersion)
+}

vars.mk

@@ -1,6 +1,6 @@
 # Pinned Versions
 SNYK_DESKTOP_VERSION=1.801.0
-SNYK_USER_VERSION=1.460.0
+SNYK_USER_VERSION=1.806.0
 SNYK_OLD_VERSION=1.382.1
 # Digest of the 1.801.0 snyk/snyk:docker image
 SNYK_IMAGE_DIGEST=sha256:bf3b57416af416edec358a184a01f2437f70502bebf0c7a8e787cf68bd6ba428