@ividalATSnyk ividalATSnyk commented Jan 21, 2026

Pull Request Submission Checklist

  • Follows CONTRIBUTING guidelines
  • Commit messages are release-note ready, emphasizing what was changed, not how.
  • Includes detailed description of changes
  • Contains risk assessment (Low | Medium | High)
  • Highlights breaking API changes (if applicable)
  • Links to automated tests covering new functionality
  • Includes manual testing instructions (if necessary)
  • Updates relevant GitBook documentation (PR link: ___)
  • Includes product update to be announced in the next stable release notes

What does this PR do?

Updates snyk-docker-plugin to v9.0.0 to fix issues where the --nested-jars-depth flag would accept non-numeric inputs and allowed conflicting usage with --shaded-jars-depth for snyk container test.

Where should the reviewer start?

package.json and package-lock.json - single dependency version update

How should this be manually tested?

If you want to verify this locally, here are the commands to reproduce:

# Build the CLI with the updated dependency
npm install && npm run build

# Verify failure
# a) Invalid input
SNYK_API=https://app.snyk.io/api/v1 node index.js container test <CONTAINER_IMAGE> --platform=linux/amd64 --nested-jars-depth=[true/false/Infinity]

# b) Conflicting flags
SNYK_API=https://app.snyk.io/api/v1 node index.js container test node:6-stretch --platform=linux/amd64 --nested-jars-depth=5 --shaded-jars-depth=5

# Verify success
SNYK_API=https://app.snyk.io/api/v1 node index.js container test <CONTAINER_IMAGE> --platform=linux/amd64 --nested-jars-depth=5

For invalid inputs you should expect the following error message to manifest:
--nested-jars-depth accepts only numbers bigger than or equal to 0

For conflicting flags you should expect the following error message to manifest:
Cannot use --shaded-jars-depth together with --nested-jars-depth, please use the latter

For valid inputs you should expect the container scan to produce a complete scan:

...
Tested 2 projects, 2 contained vulnerable paths.

What's the product update that needs to be communicated to CLI users?

Container Scanning
We have improved the reliability of the --nested-jars-depth flag to help you avoid ambiguous configurations in your container scanning pipelines. Previously, illogical inputs (like true or Infinity) were silently accepted, potentially leading to scans running with unintended depth settings.

  • Enforces explicit configuration by rejecting non-numeric inputs for --nested-jars-depth
  • Prevents conflicting arguments by disallowing the use of equivalent flags --nested-jars-depth and --shaded-jars-depth
  • Enforces parity between --nested-jars-depth and --shaded-jars-depth by fixing an issue where inputs were processed inconsistently across the two flags

Risk assessment (Low | Medium | High)?

Medium

  • Enforces stricter input validation to align with existing documentation
  • Covered by new and updated unit and e2e tests in snyk-docker-plugin
  • As a bug-fix, this disallows previously possible (albeit incorrect) behavior

Any background context you want to provide?

What are the relevant tickets?

Screenshots (if appropriate)

You can find screenshots of my manual tests in this comment and this comment on the JIRA ticket.
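The validation rules this PR describes (reject booleans, Infinity and negative values for --nested-jars-depth, apply the same rule to --shaded-jars-depth, and refuse both flags together), written out as a stand-alone check. This is an added example, not code from snyk-cli or snyk-docker-plugin; the function names, the option-object shape and the shaded-flag variant of the invalid-input message are assumptions.

```javascript
// Added example (not snyk-cli or snyk-docker-plugin code): the validation rules
// this PR describes for --nested-jars-depth / --shaded-jars-depth as a
// stand-alone check. Function and option names are assumptions.

const NESTED = '--nested-jars-depth';
const SHADED = '--shaded-jars-depth';

// Error texts quoted from the PR description; the shaded-flag variant of the
// invalid-input message is an assumption (the PR does not show it).
const ERR_CONFLICT = `Cannot use ${SHADED} together with ${NESTED}, please use the latter`;
function invalidMessage(flag) {
  return `${flag} accepts only numbers bigger than or equal to 0`;
}

// Returns the depth as a number when `value` is a finite number >= 0, else null.
// A naive `!isNaN(Number(value))` check is what lets the bad inputs through:
// Number(true) is 1, Number('Infinity') is Infinity, Number('') is 0.
function parseDepth(value) {
  if (typeof value === 'number') {
    return Number.isFinite(value) && value >= 0 ? value : null;
  }
  if (typeof value === 'string') {
    const s = value.trim();
    // Only an unsigned decimal literal: rejects '', 'true', 'false',
    // 'Infinity', '-1', '1e3' and '0x10'.
    if (!/^\d+(\.\d+)?$/.test(s)) return null;
    return Number(s);
  }
  // Booleans (argv parsers turn --flag=true into true), undefined, objects.
  return null;
}

// options: parsed CLI options, e.g. { 'nested-jars-depth': '5' }.
// Returns the depth to hand to the plugin (undefined when neither flag is
// set), or throws with the message the CLI should print.
function resolveJarDepth(options) {
  const nested = options['nested-jars-depth'];
  const shaded = options['shaded-jars-depth'];
  if (nested !== undefined && shaded !== undefined) throw new Error(ERR_CONFLICT);
  if (nested === undefined && shaded === undefined) return undefined;
  // Same rule for both flags: the PR fixed asymmetric handling between them.
  const [flag, value] = nested !== undefined ? [NESTED, nested] : [SHADED, shaded];
  const depth = parseDepth(value);
  if (depth === null) throw new Error(invalidMessage(flag));
  return depth;
}
```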

@ividalATSnyk ividalATSnyk requested review from a team as code owners January 21, 2026 15:36
…g --nested-jars-depth

- Fix bug where `nested-jars-depth` would accept non-numeric input
- Add test fixtures for input validation functions
- Update integration tests to account for new fail states
- Fix asymmetric behavior between `nested-jars-depth` and `shaded-jars-depth`
- You can no longer pass values of true, false, or Infinity as arguments for `nested-jars-depth`
- `nested-jars-depth` and `shaded-jars-depth` flags can no longer be used simultaneously
@ividalATSnyk ividalATSnyk force-pushed the CN-270-container-nested-jars-validation branch from a4f7597 to aa07ae9 January 21, 2026 15:38