snyk-to-html should calculate a return code #130
Comments
Thanks @sebsnyk, this helped me understand a few things regarding how snyk-to-html works. That feature `--set-return-code` should be added, it is a must. In my case I will add a code snippet that might be helpful for others. I needed to scan only the modified files on the current Merge Request. I'm using GitLab.

Please note that, at the moment of writing this message, the following error is produced:

The report is generated, the artefact is stored correctly, but unfortunately, the report is not useful at this time since it cannot relate the issues to the right path. According to the support team: "The tool snyk-to-html runs from the location of the json file, which should be at the root of the code test, and as such there is no way to change that location by design." Please add a feature to change the base path of the files in the report.
At the moment, `snyk-to-html` "eats" the return code of `snyk`. This prevents an easy solution to the use case of generating an HTML artifact for a failed snyk run within a CI/CD process, for example.

Given this invocation in a repo like juice-shop:

Then we can see JSON output and the return code `$?` is correctly set (to `1`).

If you now add `snyk-to-html`:

Then the return code is `0`.

In a sense, this is correct. `snyk-to-html` did not fail to do its job. However, during the above mentioned CI/CD use case, more code is needed:

First, typically in a `before_script` area, a `set +e` is needed to prevent the CI from aborting the step when a command failed. Then, code like this is required:

Using this approach, the `snyk` exit code is captured in `$RESULT` and used to exit the step. Depending on the CI system, you can then see the step failed AND see the reason in an HTML file artifact.

IMHO, there are different approaches to solving this:

1. `snyk` includes the return code in the JSON file, so that `snyk-to-html` can reuse it. This is helpful as we support more than 1 exit code: https://docs.snyk.io/snyk-cli/cli-reference#exit-codes
2. `snyk-to-html` performs a simple calculation and exits with `1` if vulnerabilities are found.

For 1 & 2, I could see a new `--set-return-code` argument which (if specified) would perform the logic so that we don't break backwards compatibility.

CC @alexeisnyk @patricia-v
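The CI wrapper the issue describes (capture the `snyk` exit code, render the HTML artifact, then exit with the captured code), as an added example; it is not the author's own snippet and not part of snyk-to-html. It assumes `snyk` and `snyk-to-html` are on `PATH`; the `SNYK_CMD` / `SNYK_TO_HTML_CMD` overrides and the function name are this example's own.

```shell
#!/usr/bin/env bash
# Added example: keep the snyk exit code alive across the snyk-to-html step.
# `set +e` here plays the role of the before_script setting from the issue:
# the CI shell must not abort on snyk's non-zero exit before we capture it.
set +e

# Overridable for testing; defaults assume both tools are on PATH (assumption).
SNYK_CMD="${SNYK_CMD:-snyk}"
SNYK_TO_HTML_CMD="${SNYK_TO_HTML_CMD:-snyk-to-html}"

# snyk_report_with_exit_code JSON_OUT HTML_OUT [extra snyk test args...]
# Runs `snyk test --json`, captures its exit code (0 = no issues,
# 1 = issues found; other codes per the Snyk CLI exit-code reference),
# renders the HTML report, and returns the captured snyk code so the
# CI step fails for the right reason even though the report was produced.
snyk_report_with_exit_code() {
  json="$1"
  html="$2"
  shift 2

  "$SNYK_CMD" test --json "$@" > "$json"
  result=$?          # capture immediately, before any other command runs

  # Render the artifact regardless of the scan result; a rendering failure
  # is reported but must not mask the scan outcome.
  if ! "$SNYK_TO_HTML_CMD" -i "$json" -o "$html"; then
    echo "snyk-to-html failed; JSON report left at $json" >&2
  fi

  return "$result"
}

# Typical CI step (the artifact path is then published by the CI system):
#   snyk_report_with_exit_code snyk.json snyk.html
#   exit $?
```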