feat: Adds experimental support for package provenance in test/sbom

calhar-snyk · calhar-snyk · commit 73ce97c8dfb8 · 2025-10-20T09:55:02.000+01:00
diff --git a/cliv2/go.mod b/cliv2/go.mod
@@ -11,11 +11,11 @@ require (
 	github.com/pkg/errors v0.9.1
 	github.com/rs/zerolog v1.34.0
 	github.com/snyk/cli-extension-ai-bom v0.0.0-20251017132403-1df5f92a72ae
-	github.com/snyk/cli-extension-dep-graph v0.0.0-20250321153619-9390ab5e348e
+	github.com/snyk/cli-extension-dep-graph v0.0.0-20251015130327-019666738659
 	github.com/snyk/cli-extension-iac v0.0.0-20250829110702-b41ac109dab0
 	github.com/snyk/cli-extension-iac-rules v0.0.0-20250829110455-1260348bc188
 	github.com/snyk/cli-extension-os-flows v0.0.0-20250915102829-6a59c2ef7e88
-	github.com/snyk/cli-extension-sbom v0.0.0-20250801142135-ae472dafa4cd
+	github.com/snyk/cli-extension-sbom v0.0.0-20251015130320-94416bf727b1
 	github.com/snyk/container-cli v0.0.0-20250321132345-1e2e01681dd7
 	github.com/snyk/error-catalog-golang-public v0.0.0-20251008132755-b542bb643649
 	github.com/snyk/go-application-framework v0.0.0-20251016104433-d98d8780ade2
diff --git a/cliv2/go.sum b/cliv2/go.sum
@@ -1266,6 +1266,8 @@ github.com/snyk/cli-extension-ai-bom v0.0.0-20251017132403-1df5f92a72ae h1:GVXq0
 github.com/snyk/cli-extension-ai-bom v0.0.0-20251017132403-1df5f92a72ae/go.mod h1:YvlGYA6i/aXDY68ps/X/XvkN8JGZ8T6eKFNdPE2y3oI=
 github.com/snyk/cli-extension-dep-graph v0.0.0-20250321153619-9390ab5e348e h1:lYBeDqyAmb7NPfcLZJb1rcc+BrWhX5Ct9isQO1O4mSc=
 github.com/snyk/cli-extension-dep-graph v0.0.0-20250321153619-9390ab5e348e/go.mod h1:9Zpe+B8SCkWFjpDR3ckFJl1XuMyxysWebKhyAIj7EyI=
+github.com/snyk/cli-extension-dep-graph v0.0.0-20251015130327-019666738659 h1:8dOsSZ2t56CXJCTQCf/r8CQ2+SwmIFa1YNq1pZ/Sqks=
+github.com/snyk/cli-extension-dep-graph v0.0.0-20251015130327-019666738659/go.mod h1:9Zpe+B8SCkWFjpDR3ckFJl1XuMyxysWebKhyAIj7EyI=
 github.com/snyk/cli-extension-iac v0.0.0-20250829110702-b41ac109dab0 h1:ecGoMisVTnz5xRnt9yXW2hlRrIyYM123yMt1NeNEo6s=
 github.com/snyk/cli-extension-iac v0.0.0-20250829110702-b41ac109dab0/go.mod h1:tLxyhtrRiEvbSLQ6PbCsl29ZXK6s2aunRuL6cSe/8cE=
 github.com/snyk/cli-extension-iac-rules v0.0.0-20250829110455-1260348bc188 h1:UoyD7cB9XZVHPTRugsmCt6rBvAw5IoiBjI8go2qj1pk=
@@ -1274,6 +1276,8 @@ github.com/snyk/cli-extension-os-flows v0.0.0-20250915102829-6a59c2ef7e88 h1:m6k
 github.com/snyk/cli-extension-os-flows v0.0.0-20250915102829-6a59c2ef7e88/go.mod h1:dFrXORRzFNF+tJ/Z51MPEeWi3IU5MuLWkt1L3dxDMG4=
 github.com/snyk/cli-extension-sbom v0.0.0-20250801142135-ae472dafa4cd h1:bZg7Zkctm2tvaznI8A4/0fFOZMgglNAIFmIIlRz16W0=
 github.com/snyk/cli-extension-sbom v0.0.0-20250801142135-ae472dafa4cd/go.mod h1:zyKDBaETfZyI7BfIjPnezH3QX2seQrR/d7NM5W6LV9s=
+github.com/snyk/cli-extension-sbom v0.0.0-20251015130320-94416bf727b1 h1:PgO1Cz/VSFN2RIHz/MDQU25wjf8rSrwTW6lX6D+j8HI=
+github.com/snyk/cli-extension-sbom v0.0.0-20251015130320-94416bf727b1/go.mod h1:zyKDBaETfZyI7BfIjPnezH3QX2seQrR/d7NM5W6LV9s=
 github.com/snyk/code-client-go v1.24.1 h1:FTCVxRq8kNryq0xKOW8vqEU6s1iWwyaq7zvEN7q0Gn0=
 github.com/snyk/code-client-go v1.24.1/go.mod h1:uMlmMToe4uuNhNLs+yxjM3WFbytna+ytDWhpbnNwTSk=
 github.com/snyk/container-cli v0.0.0-20250321132345-1e2e01681dd7 h1:/2+2piwQtB9fEJCkXEOjboZjY+77lQfnvqBZ/60xNHk=
diff --git a/help/cli-commands/sbom.md b/help/cli-commands/sbom.md
@@ -10,7 +10,7 @@ The `snyk sbom` feature requires an internet connection.
 
 ## Usage
 
-`$ snyk sbom --format=<cyclonedx1.4+json|cyclonedx1.4+xml|cyclonedx1.5+json|cyclonedx1.5+xml|cyclonedx1.6+json|cyclonedx1.6+xml|spdx2.3+json> [--org=<ORG_ID>] [--file=<FILE>] [--unmanaged] [--dev] [--all-projects] [--name=<NAME>] [--version=<VERSION>] [--exclude=<NAME>[,<NAME>...]] [--detection-depth=<DEPTH>] [--prune-repeated-subdependencies|-p] [--maven-aggregate-project] [--scan-unmanaged] [--scan-all-unmanaged] [--sub-project=<NAME>] [--gradle-sub-project=<NAME>] [--all-sub-projects] [--configuration-matching=<CONFIGURATION_REGEX>] [--configuration-attributes=<ATTRIBUTE>[,<ATTRIBUTE>]] [--init-script=<FILE>] [--json-file-output=<OUTPUT_FILE_PATH>] [<TARGET_DIRECTORY>]`
+`$ snyk sbom --format=<cyclonedx1.4+json|cyclonedx1.4+xml|cyclonedx1.5+json|cyclonedx1.5+xml|cyclonedx1.6+json|cyclonedx1.6+xml|spdx2.3+json> [--org=<ORG_ID>] [--file=<FILE>] [--unmanaged] [--dev] [--all-projects] [--name=<NAME>] [--version=<VERSION>] [--exclude=<NAME>[,<NAME>...]] [--detection-depth=<DEPTH>] [--prune-repeated-subdependencies|-p] [--maven-aggregate-project] [--scan-unmanaged] [--scan-all-unmanaged] [--sub-project=<NAME>] [--gradle-sub-project=<NAME>] [--all-sub-projects] [--configuration-matching=<CONFIGURATION_REGEX>] [--configuration-attributes=<ATTRIBUTE>[,<ATTRIBUTE>]] [--init-script=<FILE>] [--json-file-output=<OUTPUT_FILE_PATH>] [--include-provenance] [<TARGET_DIRECTORY>]`
 
 ## Description
 
@@ -146,6 +146,14 @@ Auto-detect Maven, JAR, WAR, and AAR files recursively from the current folder.
 
 **Note**: Custom-built JAR files, even with open-source dependencies, are not supported.
 
+### `--include-provenance`
+
+**Experimental:** Enable provenance generation for Maven artifacts during analysis. This generates cryptographic fingerprints for scanned artifacts to help with vulnerability matching and supply chain security.
+
+**Note:** This requires the dependency artifacts to be present in your local Maven repository, via `mvn clean install` or similar commands.
+
+Default: false
+
 ## Options for Gradle projects
 
 ### `--sub-project=<NAME>`, `--gradle-sub-project=<NAME>`
diff --git a/help/cli-commands/test.md b/help/cli-commands/test.md
@@ -250,6 +250,14 @@ Auto-detect Maven, JAR, WAR, and AAR files recursively from the current folder.
 
 **Note**: Custom-built JAR files, even with open-source dependencies, are not supported.
 
+### `--include-provenance`
+
+**Experimental:** Enable provenance generation for Maven artifacts during analysis. This generates cryptographic fingerprints for scanned artifacts to help with vulnerability matching and supply chain security.
+
+**Note:** This requires the dependency artifacts to be present in your local Maven repository, via `mvn clean install` or similar commands.
+
+Default: false
+
 ## Options for Gradle projects
 
 **Note:** If you see the invalid string length error, refer to [Invalid string length error when scanning projects](https://docs.snyk.io/snyk-cli/scan-and-maintain-projects-using-the-cli/invalid-string-length-error-when-scanning-projects)
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -121,7 +121,7 @@
     "snyk-go-plugin": "1.23.0",
     "snyk-gradle-plugin": "5.1.0",
     "snyk-module": "3.1.0",
-    "snyk-mvn-plugin": "4.3.1",
+    "snyk-mvn-plugin": "4.3.2",
     "snyk-nodejs-lockfile-parser": "2.3.1",
     "snyk-nodejs-plugin": "1.4.4",
     "snyk-nuget-plugin": "2.11.3",
diff --git a/src/cli/args.ts b/src/cli/args.ts
@@ -213,6 +213,8 @@ export function args(rawArgv: string[]): Args {
     'all-projects',
     'yarn-workspaces',
     'maven-aggregate-project',
+    'include-provenance',
+    'fingerprint-algorithm',
     'detection-depth',
     'init-script',
     'integration-name',
diff --git a/src/lib/types.ts b/src/lib/types.ts
@@ -55,6 +55,8 @@ export interface Options {
   allSubProjects?: boolean;
   mavenAggregateProject?: boolean;
   mavenVerboseIncludeAllVersions?: boolean;
+  includeProvenance?: boolean;
+  fingerprintAlgorithm?: string;
   'project-name'?: string;
   'show-vulnerable-paths'?: string;
   packageManager?: SupportedPackageManagers;
@@ -273,6 +275,8 @@ export type SupportedUserReachableFacingCliArgs =
   | 'trust-policies'
   | 'yarn-workspaces'
   | 'maven-aggregate-project'
+  | 'include-provenance'
+  | 'fingerprint-algorithm'
   | 'gradle-normalize-deps';
 
 export enum SupportedCliCommands {
diff --git a/test/jest/acceptance/snyk-sbom/maven-options.spec.ts b/test/jest/acceptance/snyk-sbom/maven-options.spec.ts
@@ -89,6 +89,29 @@ describe('snyk sbom: maven options (mocked server only)', () => {
     );
   });
 
+  // This is only testing that the flag is accepted and passed through,
+  // provenance data requires artifacts to be present in the local repository.
+  test('`sbom --include-provenance` flag is accepted and passed through', async () => {
+    server.setFeatureFlag('enableMavenDverboseExhaustiveDeps', false);
+    const sbom = await runSnykSbomCliCycloneDxJsonForFixture(
+      'maven-print-graph',
+      '--file=pom.xml',
+      env,
+    );
+
+    expect(sbom.metadata.component.name).toEqual(
+      'io.snyk.example:test-project',
+    );
+    expect(sbom.dependencies.length).toBeGreaterThanOrEqual(7);
+    expect(sbom.dependencies[2].ref).toEqual(
+      'commons-discovery:commons-discovery@0.2',
+    );
+    expect(sbom.dependencies[2].dependsOn.length).toEqual(1);
+    expect(sbom.dependencies[2].dependsOn[0]).toEqual(
+      'commons-logging:commons-logging@1.0.4',
+    );
+  });
+
   test('`sbom --scan-unmanaged --file=<NAME>` fails to generate an SBOM for user defined JAR file', async () => {
     const sbom = await runSnykSbomCliCycloneDxJsonForFixture(
       'maven-jars',
diff --git a/test/jest/acceptance/snyk-test/print-graph.spec.ts b/test/jest/acceptance/snyk-test/print-graph.spec.ts
@@ -78,6 +78,42 @@ describe('print graph', () => {
     expect(depGraph.pkgs.length).toBeGreaterThanOrEqual(3);
   });
 
+  test('`snyk test --print-graph --include-provenance` includes purl in package info for Maven projects', async () => {
+    // Note: --include-provenance triggers purl generation for Maven artifacts.
+    // If artifacts are present in the local Maven repository, checksums would be
+    // included in the purl (e.g., pkg:maven/group/artifact@version?checksum=sha256:...).
+    // This test verifies purl generation without requiring artifacts to be installed,
+    // so we only check for the presence of purls, not checksum qualifiers.
+    const project = await createProjectFromFixture('maven-print-graph');
+
+    const { code, stdout } = await runSnykCLI(
+      'test --print-graph --include-provenance',
+      {
+        cwd: project.path(),
+      },
+    );
+
+    expect(code).toEqual(0);
+
+    const depGraph = JSON.parse(
+      stdout.split('DepGraph data:')[1]?.split('DepGraph target:')[0],
+    );
+
+    // Verify all packages have a purl
+    for (const pkg of depGraph.pkgs) {
+      expect(pkg.info.purl).toBeDefined();
+      expect(pkg.info.purl).toMatch(/^pkg:maven\//);
+    }
+
+    // Find packages with known dependencies from maven-print-graph fixture
+    const axisPackage = depGraph.pkgs.find((pkg) => pkg.id === 'axis:axis@1.4');
+
+    // Verify axis package has purl -- using toMatch in case dependency _has_ been
+    // resolved by some other fixture.
+    expect(axisPackage).toBeDefined();
+    expect(axisPackage.info.purl).toMatch(/^pkg:maven\/axis\/axis@1\.4/);
+  });
+
   test('`snyk test --print-graph --all-projects` should not prune dependencies', async () => {
     const project = await createProjectFromWorkspace('maven-many-paths');
 
