node -v: v10.15.2npm -v: 6.10.2snyk -v: 1.208.0stty cols 70 && snyk test --file=build.sbtโ stty cols 160 && snyk test --file=build.sbt
Testing /home/mat/pkgs/snyk-cli-bug...
Organisation: universityofwarwick
Package manager: sbt
Target file: build.sbt
Open source: no
Project path: /home/mat/pkgs/snyk-cli-bug
โ Tested 5 dependencies for known vulnerabilities, no vulnerable paths found.
Next steps:
- Run `snyk monitor` to be notified about new related vulnerabilities.
- Run `snyk test` as part of your CI/test.
โ stty cols 70 && snyk test --file=build.sbt
Testing /home/mat/pkgs/snyk-cli-bug...
โ High severity vulnerability found in com.fasterxml.jackson.datatype:jackson-datatype-jsr310
Description: Improper Input Validation
Info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONDATATYPE-173759
Introduced through: com.fasterxml.jackson.datatype:jackson-datatype-jsr310@2..
From: com.fasterxml.jackson.datatype:jackson-datatype-jsr310@2..
Remediation:
Upgrade direct dependency com.fasterxml.jackson.datatype:jackson-datatype-jsr310@2.. to com.fasterxml.jackson.datatype:[email protected] (triggers upgrades to com.fasterxml.jackson.datatype:[email protected])
Organisation: universityofwarwick
Package manager: sbt
Target file: build.sbt
Open source: no
Project path: /home/mat/pkgs/snyk-cli-bug
Tested 5 dependencies for known vulnerabilities, found 1 vulnerability, 1 vulnerable path.
sbt new scala/scala-seed.g8libraryDependencies as so:libraryDependencies ++= Seq(
"com.fasterxml.jackson.core" % "jackson-databind" % "2.9.9.2",
"com.fasterxml.jackson.core" % "jackson-core" % "2.9.9",
"com.fasterxml.jackson.core" % "jackson-annotations" % "2.9.9",
"com.fasterxml.jackson.datatype" % "jackson-datatype-jdk8" % "2.9.9",
"com.fasterxml.jackson.datatype" % "jackson-datatype-jsr310" % "2.9.9"
),
These are all the latest versions and should not throw up any vulnerabilities with snyk test
sbt-dependency-graph either in project/plugins.sbt or ~/.sbt/1.0/plugins/plugins.sbt:addSbtPlugin("net.virtual-void" % "sbt-dependency-graph" % "0.10.0-RC1")snyk test --file=build.sbt - the output should show no known vulnerabilitiesstty cols 70snyk test --file=build.sbt again - this time a false positive vulnerability will be displayed, with the version as com.fasterxml.jackson.datatype:jackson-datatype-jsr310@2.. - the version has been truncated in the terminal outputThe cause of this is due to the default setting of asciiGraphWidth being based on the terminal width in sbt. This can be overridden at the time the command is called, so my proposed fix would be to pass a large value for that at the time that dependencyTree is invoked, but:
โ stty cols 70 && sbt dependencyTree | grep jsr310
[info] +-com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2..
โ stty cols 70 && sbt 'set asciiGraphWidth := 10000' dependencyTree | grep jsr310
[info] +-com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2..
Unfortunately (as you can see) this doesn't work at present because it's waiting on https://github.com/jrudolph/sbt-dependency-graph/pull/174.
I was going to suggest using the dependencyTree::toFile variant of sbt-dependency-graph that's new in 0.10.0-RC1 to get around this, but that actually has the same problem:
โ stty cols 70 && sbt 'dependencyTree::toFile dependencies.txt'
...
[info] Wrote dependencyTree to 'dependencies.txt'
[success] Total time: 0 s, completed 05-Aug-2019 10:17:59
โ grep jsr310 dependencies.txt
+-com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2..
The only fix that'll work with existing and older versions of sbt-dependency-graph is likely to be, unfortunately, setting the console width manually as part of the snyk test run. We've run into this as part of a CI integration with Atlassian Bamboo, where commands are run without an interactive terminal and the default 80-character output is truncating dependencies in the tree for a moderately complex project.
If applicable, please append the --debug flag on your command and include the output here **ensuring to remove any sensitive/personal details or tokens.
An example repo that displays this behaviour is at https://github.com/matmannion/snyk-cli-bug
๐ We have recently released a scala plugin instead of parsing the sbt output. Could you try it out? We hope this will become default soon. You can opt in via:
snyk test --sbt-graph --file=build.sbt
Hi @lili2311, I've tried using --sbt-graph with multiple column widths and it definitely resolves the problem for us - making that the default would definitely be a valid fix for this issue.
Most helpful comment
Hi @lili2311, I've tried using
--sbt-graphwith multiple column widths and it definitely resolves the problem for us - making that the default would definitely be a valid fix for this issue.