chore: Merge pull request #5185 from snyk/tmp/1713542475-release-cand…

…idate

chore: Update release candidate

.circleci/config.yml

@@ -36,18 +36,28 @@ executors:
   alpine:
     docker:
       - image: alpine:3.17
+    resource_class: xlarge
   generic-ubuntu:
     docker:
       - image: ubuntu:latest
     resource_class: small
+  circle-go:
+    docker:
+      - image: cimg/go:1.20
+    resource_class: medium+
   docker-amd64:
     docker:
-      - image: bastiandoetsch209/cli-build:20240214-145818
+      - image: snyklabs/cli-build:20240319-123447
     working_directory: /mnt/ramdisk/snyk
     resource_class: large
+  docker-amd64-xl:
+    docker:
+      - image: bastiandoetsch209/cli-build:20240214-145818
+    working_directory: /mnt/ramdisk/snyk
+    resource_class: xlarge
   docker-arm64:
     docker:
-      - image: bastiandoetsch209/cli-build-arm64:20240214-145818
+      - image: snyklabs/cli-build-arm64:20240319-123447
     working_directory: /mnt/ramdisk/snyk
     resource_class: arm.large
   linux-ubuntu-mantic-amd64:
@@ -107,7 +117,7 @@ executors:
     shell: powershell
   cbl-mariner:
     docker:
-      - image: mcr.microsoft.com/cbl-mariner/base/python:3.9.14-6-cm2.0.20230805-arm64
+      - image: mcr.microsoft.com/cbl-mariner/base/python:3.9.14-8-cm2.0.20240301-arm64
     resource_class: arm.medium
 
 commands:
@@ -377,6 +387,10 @@ workflows:
             - secrets-scan
 
       - code-analysis:
+          go_target_os: linux
+          go_os: linux
+          go_arch: amd64
+          go_download_base_url: << pipeline.parameters.go_download_base_url >>
           context: devex_cli
           requires:
             - prepare-build
@@ -395,11 +409,15 @@ workflows:
               ignore: main
 
       - test-go:
+          go_target_os: linux
+          go_os: linux
+          go_arch: amd64
+          go_download_base_url: << pipeline.parameters.go_download_base_url >>
           context:
             - nodejs-install
             - team_hammerhead-cli
           requires:
-            - prepare-build
+            - secrets-scan
           filters:
             branches:
               ignore: main
@@ -508,7 +526,7 @@ workflows:
               ignore: main
           requires:
             - build linux amd64
-          executor: docker-amd64
+          executor: docker-amd64-xl
           test_snyk_command: ./binary-releases/snyk-linux
 
       - acceptance-tests:
@@ -581,6 +599,7 @@ workflows:
           test_snyk_command: binary-releases\\snyk-win.exe
           install_deps_extension: windows-full
           dont_skip_tests: 0
+          shards: 4
           pre_test_cmds: Import-Module $env:ChocolateyInstall\helpers\chocolateyProfile.psm1; RefreshEnv
 
       - sign:
@@ -850,9 +869,19 @@ jobs:
     executor: docker-amd64
     steps:
       - checkout
+      - restore_cache:
+          name: Restore npm cache
+          keys:
+            - prepare-build-npm-deps-{{ checksum "package-lock.json" }}
+            - prepare-build-npm-deps
       - run:
           name: Installing dependencies
-          command: npm ci
+          command: npm ci --no-audit --no-progress --cache .npm --prefer-offline
+      - save_cache:
+          name: Save npm cache
+          key: prepare-build-npm-deps-{{ checksum "package-lock.json" }}
+          paths:
+            - .npm
       - run:
           name: Set version
           command: |
@@ -878,25 +907,40 @@ jobs:
             - packages/*
 
   code-analysis:
+    parameters:
+      go_os:
+        type: string
+      go_target_os:
+        type: string
+      go_arch:
+        type: string
+      go_download_base_url:
+        type: string
+      install_path:
+        type: string
+        default: '/tmp'
     executor: docker-amd64
     steps:
       - prepare-workspace
+      - install-go:
+          go_os: << parameters.go_os >>
+          go_target_os: << parameters.go_target_os >>
+          go_arch: << parameters.go_arch >>
+          base_url: << parameters.go_download_base_url >>
+          extraction_path: << parameters.install_path >>
       - run:
           name: Linting project
           command: |
             npm run lint
             pushd cliv2
-            make lint
+              export CGO_ENABLED=1
+              make lint
             popd
-      - snyk/scan:
-          fail-on-issues: true
-          severity-threshold: critical
-          additional-arguments: --all-projects --exclude=test,dist
-      - snyk/scan:
-          command: code test
-          fail-on-issues: true
-          monitor-on-build: true
-          severity-threshold: high
+      - prodsec/security_scans:
+          mode: auto
+          open-source-additional-arguments: --exclude=test,dist
+          iac-scan: disabled
+          release-branch: main
 
   test-node:
     executor: docker-amd64
@@ -912,8 +956,26 @@ jobs:
 
   test-go:
     executor: docker-amd64
+    parameters:
+      go_os:
+        type: string
+      go_target_os:
+        type: string
+      go_arch:
+        type: string
+      go_download_base_url:
+        type: string
+      install_path:
+        type: string
+        default: '.'
     steps:
       - prepare-workspace
+      - install-go:
+          go_os: << parameters.go_os >>
+          go_target_os: << parameters.go_target_os >>
+          go_arch: << parameters.go_arch >>
+          base_url: << parameters.go_download_base_url >>
+          extraction_path: << parameters.install_path >>
       - run:
           name: Running Go unit tests
           working_directory: ./cliv2
@@ -1024,7 +1086,11 @@ jobs:
       pre_test_cmds:
         type: string
         default: 'echo Running tests'
+      shards:
+        type: integer
+        default: 3
     executor: << parameters.executor >>
+    parallelism: << parameters.shards >>
     steps:
       - prepare-workspace
       - install-deps-<< parameters.install_deps_extension >>
@@ -1035,12 +1101,13 @@ jobs:
           no_output_timeout: 30m
           command: |
             << parameters.pre_test_cmds >>
-            npm run test:acceptance -- --selectProjects coreCli
+            npm run test:acceptance -- --selectProjects coreCli --shard=$(expr $CIRCLE_NODE_INDEX + 1)/<< parameters.shards >>
           environment:
             TEST_SNYK_FIPS: << parameters.fips >>
             TEST_SNYK_COMMAND: << parameters.test_snyk_command >>
             TEST_SNYK_DONT_SKIP_ANYTHING: << parameters.dont_skip_tests >>
             JEST_JUNIT_OUTPUT_DIR: test/reports
+            NODE_OPTIONS: --max-old-space-size=4096
       - store_test_results:
           path: test/reports
       - store_artifacts:

.github/workflows/create-build-image.yml

@@ -13,7 +13,8 @@ jobs:
       - uses: docker/setup-buildx-action@v2
       - name: Build Docker image
         env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_CLI_BUILD_USERNAME }}
+          DOCKER_PASSWORD: ${{ secrets.DOCKER_CLI_BUILD_PASSWORD }}
+          DOCKER_REPO: snyklabs
           DOCKER_BUILDKIT: 1
         run: scripts/create-build-image.sh

.github/workflows/danger-zone.yml

@@ -1,6 +1,7 @@
 name: 'Danger Zone'
 on:
   pull_request:
+    types: [opened, synchronize, reopened, edited]
     branches: [master, main]
 
 jobs:
@@ -11,7 +12,7 @@ jobs:
       - uses: actions/checkout@v2
       - uses: actions/setup-node@v2
         with:
-          node-version: '16.16.0'
+          node-version: '18.19.1'
           cache: 'npm'
       - run: npm ci
       - run: npx danger ci

.github/workflows/iac-cli-alert.yml

@@ -14,7 +14,7 @@ jobs:
       - uses: actions/checkout@v2
       - uses: actions/setup-node@v2
         with:
-          node-version: '16.16.0'
+          node-version: '18.19.1'
           cache: 'npm'
       - run: npm ci
       - run: npm start

.github/workflows/synchronize-readme.yml

@@ -2,8 +2,8 @@ name: Synchronize Readme
 
 on:
   workflow_dispatch:
-  schedule:
-    - cron: '0 12 * * 1-5' # Mon-Fri at 12
+  #schedule:
+  #  - cron: '0 12 * * 1-5' # Mon-Fri at 12
 
 jobs:
   build:

.gitignore

@@ -47,4 +47,6 @@ tap-output
 # Jest
 coverage
 test/fixtures/basic-swift/.build
-test/fixtures/basic-swift/Package.resolved
+test/fixtures/basic-swift/Package.resolved
+scripts/Brewfile.lock.json
+test/fixtures/**/go.sum

.prettierignore

@@ -9,7 +9,7 @@ test-output
 test-results
 test/**/workspaces
 .iac-data
-
+.tap
 src/cli/commands/test/iac/local-execution/parsers/hcl-to-json/parser.js
 src/cli/commands/test/iac/local-execution/parsers/hcl-to-json-v2/parser.js
 

CONTRIBUTING.md

@@ -4,18 +4,11 @@
 
 ## Prerequisites
 
-You will need the following software installed:
-
-- Git
-- Node.js (and bundled npm)
-  - Use whichever version is in [`.nvmrc`](./.nvmrc).
-
-Open a terminal and make sure they are available.
+To install the required development dependencies in homebrew based environments, execute the following script from the root directory.
+The only additional prerequisite is having [homebrew](https://brew.sh/) installed.
 
 ```sh
-git --version
-node --version
-npm --version
+./scripts/install-dev-dependencies.sh
 ```
 
 ## Setting up
@@ -62,6 +55,12 @@ You can run tests using standard Jest commands. See: [Jest CLI docs](https://jes
 npx jest --runInBand <path>
 ```
 
+For closed box tests (like User Journey tests, acceptance tests, ...) you will have to specify the binary under test by setting the environment variable **TEST_SNYK_COMMAND**.
+
+```
+TEST_SNYK_COMMAND=./binary-releases/snyk-macos npx jest --runInBand <path>
+```
+
 If you are working on a specific project, you can filter by project.
 
 ```

Makefile

@@ -96,6 +96,10 @@ $(BINARY_OUTPUT_FOLDER)/release.json:
 $(BINARY_OUTPUT_FOLDER)/RELEASE_NOTES.md: prepack | $(BINARY_RELEASES_FOLDER_TS_CLI)
 	npx conventional-changelog-cli -p angular -l -r 1 > $(BINARY_OUTPUT_FOLDER)/RELEASE_NOTES.md
 
+	# if the releease notes are generated locally, the version contains something like X.Y.Z-dev.hash
+	# the replacement below ensures that the version in the RELEASE_NOTES.md is X.Y.Z
+	sed -i -e "s/$(shell cat $(BINARY_OUTPUT_FOLDER)/version)/$(shell npx semver --coerce $(shell cat $(BINARY_OUTPUT_FOLDER)/version))/g" $(BINARY_OUTPUT_FOLDER)/RELEASE_NOTES.md
+
 # Generates a shasum of a target with the same name.
 # See "Automatic Variables" in GNU Make docs (linked at the top)
 %.sha256:
@@ -263,6 +267,16 @@ release-pre:
 	@echo "-- Publishing to S3 /version"
 	@./release-scripts/upload-artifacts.sh version
 
+.PHONY: release-mgt-prepare
+release-mgt-prepare:
+	@echo "-- Preparing release"
+	@./release-scripts/prepare-release.sh
+
+.PHONY: release-mgt-create
+release-mgt-create:
+	@echo "-- Creating stable release"
+	@./release-scripts/create-release.sh
+
 .PHONY: format
 format:
 	@echo "-- Formatting code"

README.md

@@ -15,7 +15,11 @@ The **Snyk CLI brings the functionality of Snyk into your development workflow**
 
 <figure><img src="https://github.com/snyk/user-docs/raw/HEAD/docs/.gitbook/assets/snyk-cli-screenshot.png" alt="Snyk CLI test command output example"><figcaption><p>Snyk CLI test command output</p></figcaption></figure>
 
-Snyk CLI scanning **supports many languages and tools.** For detailed information, see the [summary of supported environments](https://docs.snyk.io/getting-started/introducing-snyk#how-can-snyk-work-in-my-environment).
+Snyk CLI scanning **supports many languages and tools.** For detailed information, see the following:
+
+- [Supported languages and frameworks for Open Source and Code](https://docs.snyk.io/getting-started/supported-languages-frameworks-and-feature-availability-overview)
+- [Supported operating system distributions for Container](https://docs.snyk.io/scan-with-snyk/snyk-container/how-snyk-container-works/supported-operating-system-distributions)
+- [Supported IaC Lanuages and cloud providers](https://docs.snyk.io/scan-with-snyk/snyk-iac/supported-iac-languages-cloud-providers-and-cloud-resources)
 
 This page explains how to install, authenticate, and start scanning using the CLI. Snyk also has an onboarding wizard to guide you through these steps. For a demonstration, view [Starting with Snyk: an overview of the CLI onboarding flow](https://www.youtube.com/watch?v=adj3VF82-v8).
 
@@ -37,7 +41,7 @@ Look at the `test` command **report** in your terminal. The report shows the vul
 
 ## Scan your development Project
 
-**Note:** Before using the Snyk CLI to test your Open Source Project for vulnerabilities, with limited exceptions, you must **build your Project**. For details, see [Which Projects must be built before testing with CLI?](https://support.snyk.io/hc/en-us/articles/360015552617-Which-projects-must-be-built-before-testing-with-CLI-)
+**Note:** Before using the Snyk CLI to test your Open Source Project for vulnerabilities, with limited exceptions, you must **build your Project**. For details, see [Open Source Projects that must be built before testing](https://docs.snyk.io/snyk-cli/scan-and-maintain-projects-using-the-cli/snyk-cli-for-open-source/open-source-projects-that-must-be-built-before-testing-with-the-snyk-cli).
 
 In addition, depending on the language of your open-source Project, you may need to **set up your language environment** before using the Snyk CLI. For details, refer to [Supported languages, frameworks, and feature availability overview.](https://docs.snyk.io/scan-using-snyk/supported-languages-and-frameworks/supported-languages-frameworks-and-feature-availability-overview)
 
@@ -115,6 +119,10 @@ For detailed information about the CLI, see the [CLI docs](https://docs.snyk.io/
 
 The Snyk CLI project is open-source, but Snyk does not encourage outside contributors.
 
+You may look into [design decisions for the Snyk CLI](https://github.com/snyk/snyk/blob/master/help/_about-this-project/README.md).
+
+The Snyk CLI repository is a monorepo that also covers other projects and tools, such as [@snyk/protect](https://github.com/snyk/snyk/tree/master/packages/snyk-protect), also available at [npm package for snyk-protect command](https://www.npmjs.com/package/@snyk/protect).
+
 ## Security
 
-For any security issues or concerns, see the [SECURITY.md](https://github.com/snyk/snyk/blob/main/SECURITY.md) file in the GitHub repository.
+For any security issues or concerns, see the [SECURITY.md](https://github.com/snyk/snyk/blob/master/SECURITY.md) file in the GitHub repository.

binary-releases/RELEASE_NOTES.md

@@ -0,0 +1,9 @@
+# [1.1291.0](https://github.com/snyk/snyk/compare/v1.1290.0...v1.1291.0) (2024-04-19)
+
+### Bug Fixes
+
+- **ci:** Adapt script to work on different environments ([#5182](https://github.com/snyk/snyk/issues/5182)) ([e54b227](https://github.com/snyk/snyk/commit/e54b227a4a05de78d3a210f099da93693f77fdc4))
+
+### Features
+
+- **ci:** First release on stable channel ([#5183](https://github.com/snyk/snyk/issues/5183)) ([f18cbce](https://github.com/snyk/snyk/commit/f18cbcec7466b4ea1de9632fa2cef1aa68ff5f4b))

check-dependencies.config.ts

@@ -11,6 +11,7 @@ export const config: Options = {
     'conventional-changelog-cli', // used for generating release notes
     'ts-node', // used for various scripts to avoid separate compile step
     'jest-junit', // used for CI test reporting
+    '@types/node', // node types used for alerts
   ],
   ignoreDirs: ['node_modules', 'dist', 'fixtures', 'test-output'],
 };