snyk test truncates dependency versions for SBT projects with small terminal widths

Created on 5 Aug 2019  ยท  3Comments  ยท  Source: snyk/snyk

  • node -v: v10.15.2
  • npm -v: 6.10.2
  • snyk -v: 1.208.0
  • Command run: stty cols 70 && snyk test --file=build.sbt

Expected behaviour

โžœ stty cols 160 && snyk test --file=build.sbt

Testing /home/mat/pkgs/snyk-cli-bug...

Organisation:      universityofwarwick
Package manager:   sbt
Target file:       build.sbt
Open source:       no
Project path:      /home/mat/pkgs/snyk-cli-bug

โœ“ Tested 5 dependencies for known vulnerabilities, no vulnerable paths found.

Next steps:
- Run `snyk monitor` to be notified about new related vulnerabilities.
- Run `snyk test` as part of your CI/test.

Actual behaviour

โžœ  stty cols 70 && snyk test --file=build.sbt

Testing /home/mat/pkgs/snyk-cli-bug...

โœ— High severity vulnerability found in com.fasterxml.jackson.datatype:jackson-datatype-jsr310
  Description: Improper Input Validation
  Info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONDATATYPE-173759
  Introduced through: com.fasterxml.jackson.datatype:jackson-datatype-jsr310@2..
  From: com.fasterxml.jackson.datatype:jackson-datatype-jsr310@2..
  Remediation: 
    Upgrade direct dependency com.fasterxml.jackson.datatype:jackson-datatype-jsr310@2.. to com.fasterxml.jackson.datatype:[email protected] (triggers upgrades to com.fasterxml.jackson.datatype:[email protected])



Organisation:      universityofwarwick
Package manager:   sbt
Target file:       build.sbt
Open source:       no
Project path:      /home/mat/pkgs/snyk-cli-bug

Tested 5 dependencies for known vulnerabilities, found 1 vulnerability, 1 vulnerable path.

Steps to reproduce

  • Create a new Scala seed project with sbt new scala/scala-seed.g8
  • Add Jackson dependencies to libraryDependencies as so:
libraryDependencies ++= Seq(
  "com.fasterxml.jackson.core" % "jackson-databind" % "2.9.9.2",
  "com.fasterxml.jackson.core" % "jackson-core" % "2.9.9",
  "com.fasterxml.jackson.core" % "jackson-annotations" % "2.9.9",
  "com.fasterxml.jackson.datatype" % "jackson-datatype-jdk8" % "2.9.9",
  "com.fasterxml.jackson.datatype" % "jackson-datatype-jsr310" % "2.9.9"
),

These are all the latest versions and should not throw up any vulnerabilities with snyk test

  • Install sbt-dependency-graph either in project/plugins.sbt or ~/.sbt/1.0/plugins/plugins.sbt:
    addSbtPlugin("net.virtual-void" % "sbt-dependency-graph" % "0.10.0-RC1")
  • Run snyk test --file=build.sbt - the output should show no known vulnerabilities
  • Change the terminal width to be smaller by running stty cols 70
  • Run snyk test --file=build.sbt again - this time a false positive vulnerability will be displayed, with the version as com.fasterxml.jackson.datatype:jackson-datatype-jsr310@2.. - the version has been truncated in the terminal output

The cause of this is due to the default setting of asciiGraphWidth being based on the terminal width in sbt. This can be overridden at the time the command is called, so my proposed fix would be to pass a large value for that at the time that dependencyTree is invoked, but:

โžœ  stty cols 70 && sbt dependencyTree | grep jsr310
[info]   +-com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2..

โžœ  stty cols 70 && sbt 'set asciiGraphWidth := 10000' dependencyTree | grep jsr310
[info]   +-com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2..

Unfortunately (as you can see) this doesn't work at present because it's waiting on https://github.com/jrudolph/sbt-dependency-graph/pull/174.

I was going to suggest using the dependencyTree::toFile variant of sbt-dependency-graph that's new in 0.10.0-RC1 to get around this, but that actually has the same problem:

โžœ  stty cols 70 && sbt 'dependencyTree::toFile dependencies.txt'
...
[info] Wrote dependencyTree to 'dependencies.txt'
[success] Total time: 0 s, completed 05-Aug-2019 10:17:59
โžœ  grep jsr310 dependencies.txt 
  +-com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2..

The only fix that'll work with existing and older versions of sbt-dependency-graph is likely to be, unfortunately, setting the console width manually as part of the snyk test run. We've run into this as part of a CI integration with Atlassian Bamboo, where commands are run without an interactive terminal and the default 80-character output is truncating dependencies in the tree for a moderately complex project.


If applicable, please append the --debug flag on your command and include the output here **ensuring to remove any sensitive/personal details or tokens.

Beta Resolved

Most helpful comment

Hi @lili2311, I've tried using --sbt-graph with multiple column widths and it definitely resolves the problem for us - making that the default would definitely be a valid fix for this issue.

All 3 comments

An example repo that displays this behaviour is at https://github.com/matmannion/snyk-cli-bug

๐Ÿ‘‹ We have recently released a scala plugin instead of parsing the sbt output. Could you try it out? We hope this will become default soon. You can opt in via:

snyk test --sbt-graph --file=build.sbt

Hi @lili2311, I've tried using --sbt-graph with multiple column widths and it definitely resolves the problem for us - making that the default would definitely be a valid fix for this issue.

Was this page helpful?
0 / 5 - 0 ratings