fix: snyk will now scan vscode project (#1136)

Author: himanshusinghs

package.json

@@ -64,7 +64,9 @@
     "check-vsix-size": "ts-node ./scripts/check-vsix-size.ts",
     "release-draft": "node ./scripts/release-draft.js",
     "reformat": "prettier --write .",
+    "presnyk-test": "echo \"Creating backup for package-lock.json.\"; cp package-lock.json original-package-lock.json",
     "snyk-test": "node scripts/snyk-test.js",
+    "postsnyk-test": "echo \"Restoring original package-lock.json.\"; mv original-package-lock.json package-lock.json",
     "generate-icon-font": "ts-node ./scripts/generate-icon-font.ts",
     "generate-vulnerability-report": "mongodb-sbom-tools generate-vulnerability-report --snyk-reports=.sbom/snyk-test-result.json --dependencies=.sbom/dependencies.json --fail-on=high",
     "create-vulnerability-tickets": "mongodb-sbom-tools generate-vulnerability-report --snyk-reports=.sbom/snyk-test-result.json --dependencies=.sbom/dependencies.json --create-jira-issues",

scripts/snyk-test.js

@@ -6,6 +6,56 @@ const { glob } = require('glob');
 const { promisify } = require('util');
 const execFile = promisify(childProcess.execFile);
 
+const PACKAGE_LOCK_PATH = path.join(__dirname, '..', 'package-lock.json');
+
+/**
+ * "node_modules/@vscode/vsce-sign" package which is a dev dependency used for
+ * publishing extension declares platform specific optionalDependencies, namely
+ * the following:
+ * - "@vscode/vsce-sign-alpine-arm64"
+ * - "@vscode/vsce-sign-alpine-x64"
+ * - "@vscode/vsce-sign-darwin-arm64"
+ * - "@vscode/vsce-sign-darwin-x64"
+ * - "@vscode/vsce-sign-linux-arm"
+ * - "@vscode/vsce-sign-linux-arm64"
+ * - "@vscode/vsce-sign-linux-x64"
+ * - "@vscode/vsce-sign-win32-arm64"
+ * - "@vscode/vsce-sign-win32-x64"
+ *
+ * Snyk requires what is declared in package-lock.json to be also present in
+ * installed node_modules but this will never happen because for any platform,
+ * other platform specific deps will always be missing which means Snyk will
+ * always fail in this case.
+ *
+ * Because we always install with `npm ci --omit=optional`, with this method we
+ * try to remove these identified problematic optionalDependencies before
+ * running the Snyk tests and once the tests are finished, we restore the
+ * original state back using npm hooks.
+ */
+async function removeProblematicOptionalDepsFromPackageLock() {
+  const packageLockContent = JSON.parse(
+    await fs.readFile(PACKAGE_LOCK_PATH, 'utf-8'),
+  );
+
+  const vsceSignPackage =
+    packageLockContent.packages?.['node_modules/@vscode/vsce-sign'];
+
+  if (!vsceSignPackage || !vsceSignPackage.optionalDependencies) {
+    console.info('No problematic optional dependencies to fix');
+    return;
+  }
+
+  // Temporarily remove the optional dependencies
+  vsceSignPackage['optionalDependencies'] = {};
+
+  // We write the actual package-lock path but restoring of the original file is
+  // handled by npm hooks.
+  await fs.writeFile(
+    PACKAGE_LOCK_PATH,
+    JSON.stringify(packageLockContent, null, 2),
+  );
+}
+
 async function snykTest(cwd) {
   const tmpPath = path.join(os.tmpdir(), 'tempfile-' + Date.now());
 
@@ -17,9 +67,8 @@ async function snykTest(cwd) {
       await execFile(
         'npx',
         [
-          'snyk',
+          'snyk@latest',
           'test',
-          '--all-projects',
           '--severity-threshold=low',
           '--dev',
           `--json-file-output=${tmpPath}`,
@@ -47,6 +96,7 @@ async function snykTest(cwd) {
 async function main() {
   const rootPath = path.resolve(__dirname, '..');
   await fs.mkdir(path.join(rootPath, `.sbom`), { recursive: true });
+  await removeProblematicOptionalDepsFromPackageLock();
   const results = await snykTest(rootPath);
 
   await fs.writeFile(