feat: add sbom monitor command

Author: snyk-tim

cliv2/go.mod

@@ -13,7 +13,7 @@ require (
 	github.com/snyk/cli-extension-dep-graph v0.0.0-20250321153619-9390ab5e348e
 	github.com/snyk/cli-extension-iac v0.0.0-20250417092850-bfa35aacddfc
 	github.com/snyk/cli-extension-iac-rules v0.0.0-20250227121450-6e14346dbd1a
-	github.com/snyk/cli-extension-sbom v0.0.0-20241016065306-0df2be5b3b8f
+	github.com/snyk/cli-extension-sbom v0.0.0-20250422133603-a5ae6fdf0934
 	github.com/snyk/container-cli v0.0.0-20250321132345-1e2e01681dd7
 	github.com/snyk/error-catalog-golang-public v0.0.0-20250310083934-7ac627e3451f
 	github.com/snyk/go-application-framework v0.0.0-20250423203408-8884fd0a504f

cliv2/go.sum

@@ -800,8 +800,8 @@ github.com/snyk/cli-extension-iac v0.0.0-20250417092850-bfa35aacddfc h1:Kg1f+GX1
 github.com/snyk/cli-extension-iac v0.0.0-20250417092850-bfa35aacddfc/go.mod h1:7O90So5PPqTRMpcs8BY14+jX+J8BixqZQyXQiRZW7ws=
 github.com/snyk/cli-extension-iac-rules v0.0.0-20250227121450-6e14346dbd1a h1:SJ+Ts7e1EYcGJXeENR5inTGwPNRlNVgmMN2itO3+yj8=
 github.com/snyk/cli-extension-iac-rules v0.0.0-20250227121450-6e14346dbd1a/go.mod h1:IqfQCIkyC26mkwa+aM6d6yxIh5+tCm4fSQG+Ogq3Qbc=
-github.com/snyk/cli-extension-sbom v0.0.0-20241016065306-0df2be5b3b8f h1:dlL+f+5sjHj4JCzW/Evl1x9UREXLyc3M4KjoZvQx0Bs=
-github.com/snyk/cli-extension-sbom v0.0.0-20241016065306-0df2be5b3b8f/go.mod h1:5CaY1bgvJY/uoG/1plLOf8T8o9AkwoBIGvw34RfRLZw=
+github.com/snyk/cli-extension-sbom v0.0.0-20250422133603-a5ae6fdf0934 h1:0RCTH9C0zaTrnqpKLaLXTmP7suwWEHBNVwQSaR8Aifo=
+github.com/snyk/cli-extension-sbom v0.0.0-20250422133603-a5ae6fdf0934/go.mod h1:Q8dmRgcpHTk711dkLVtpkTF5RvLkQVcExGuv1cyx/zU=
 github.com/snyk/code-client-go v1.20.1 h1:38nEGzrQIh/aVLjR99jiTUQM0sL9SQAvhMfZGmd9G0w=
 github.com/snyk/code-client-go v1.20.1/go.mod h1:WH6lNkJc785hfXmwhixxWHix3O6z+1zwz40oK8vl/zg=
 github.com/snyk/container-cli v0.0.0-20250321132345-1e2e01681dd7 h1:/2+2piwQtB9fEJCkXEOjboZjY+77lQfnvqBZ/60xNHk=

test/acceptance/fake-server.ts

@@ -15,6 +15,7 @@ const featureFlagDefaults = (): Map<string, boolean> => {
     ['iacNewEngine', false],
     ['containerCliAppVulnsEnabled', true],
     ['enablePnpmCli', false],
+    ['sbomMonitorBeta', false],
   ]);
 };
 
@@ -791,6 +792,20 @@ export const fakeServer = (basePath: string, snykToken: string): FakeServer => {
     res.send(JSON.parse(body));
   });
 
+  app.post(`/hidden/orgs/:orgId/sboms/convert`, (req, res) => {
+    if (req.url.includes('/orgs/badaabad-badb-badb-badb-badbadbadbad/')) {
+      res
+        .status(400)
+        .send(`{"errors":[{"title":"Bad Request","detail":"invalid SBOM"}]}`);
+    }
+
+    const body = fs.readFileSync(
+      path.resolve(getFixturePath('sbom'), 'sbom-convert-response.json'),
+      'utf8',
+    );
+    res.send(JSON.parse(body));
+  });
+
   app.post(
     basePath.replace('v1', 'hidden') + '/orgs/:org/sbom',
     express.json(),

test/fixtures/sbom/sbom-convert-response.json

@@ -0,0 +1 @@
+{"scanResults":[{"name":"npm:development","facts":[{"type":"depGraph","data":{"graph":{"nodes":[{"deps":[{"nodeId":"[email protected]"}],"nodeId":"[email protected]","pkgId":"[email protected]"},{"deps":[{"nodeId":"[email protected]"},{"nodeId":"[email protected]"}],"nodeId":"[email protected]","pkgId":"[email protected]"},{"deps":[],"nodeId":"[email protected]","pkgId":"[email protected]"},{"deps":[],"nodeId":"[email protected]","pkgId":"[email protected]"},{"deps":[],"nodeId":"[email protected]","pkgId":"[email protected]"},{"deps":[{"nodeId":"[email protected]"},{"nodeId":"[email protected]"},{"nodeId":"[email protected]"}],"nodeId":"root-node","pkgId":"[email protected]"},{"deps":[{"nodeId":"[email protected]"}],"nodeId":"[email protected]","pkgId":"[email protected]"},{"deps":[{"nodeId":"[email protected]"}],"nodeId":"[email protected]","pkgId":"[email protected]"},{"deps":[],"nodeId":"[email protected]","pkgId":"[email protected]"}],"rootNodeId":"root-node"},"pkgManager":{"name":"npm"},"pkgs":[{"id":"[email protected]","info":{"name":"development","version":"1.0.0"}},{"id":"[email protected]","info":{"name":"brace-expansion","version":"1.1.11"}},{"id":"[email protected]","info":{"name":"yallist","version":"4.0.0"}},{"id":"[email protected]","info":{"name":"minimatch","version":"3.0.4"}},{"id":"[email protected]","info":{"name":"balanced-match","version":"1.0.2"}},{"id":"[email protected]","info":{"name":"concat-map","version":"0.0.1"}},{"id":"[email protected]","info":{"name":"semver","version":"7.3.5"}},{"id":"[email protected]","info":{"name":"lru-cache","version":"6.0.0"}},{"id":"[email protected]","info":{"name":"fuzzball","version":"1.4.0"}}],"schemaVersion":"1.3.0"}}],"target":{"remoteUrl":""},"identity":{"type":"npm"}}],"warnings":null}

test/jest/acceptance/snyk-sbom-monitor/all-projects.spec.ts

@@ -0,0 +1,134 @@
+import { runSnykCLI } from '../../util/runSnykCLI';
+import { fakeServer } from '../../../acceptance/fake-server';
+import { getServerPort } from '../../util/getServerPort';
+import { getFixturePath } from '../../util/getFixturePath';
+import * as path from 'path';
+
+jest.setTimeout(1000 * 60);
+
+describe('snyk sbom monitor (mocked server only)', () => {
+  let server: ReturnType<typeof fakeServer>;
+  let env: Record<string, string>;
+
+  beforeAll((done) => {
+    const port = getServerPort(process);
+    const baseApi = '/v1';
+    env = {
+      ...process.env,
+      SNYK_API: 'http://localhost:' + port + baseApi,
+      SNYK_API_REST_URL: 'http://localhost:' + port + baseApi,
+      SNYK_HOST: 'http://localhost:' + port,
+      SNYK_TOKEN: '123456789',
+      SNYK_DISABLE_ANALYTICS: '1',
+    };
+    server = fakeServer(baseApi, env.SNYK_TOKEN);
+    server.listen(port, () => {
+      done();
+    });
+  });
+
+  beforeEach(() => {
+    server.setFeatureFlag('sbomMonitorBeta', true);
+  });
+
+  afterEach(() => {
+    jest.resetAllMocks();
+    server.restore();
+  });
+
+  afterAll((done) => {
+    server.close(() => {
+      done();
+    });
+  });
+
+  test('monitor success', async () => {
+    const fileToTest = path.resolve(
+      getFixturePath('sbom'),
+      'npm-sbom-cdx15.json',
+    );
+
+    const { code, stdout, stderr } = await runSnykCLI(
+      `sbom monitor --org aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee --experimental --file ${fileToTest}`,
+      { env },
+    );
+
+    expect(code).toEqual(0);
+
+    expect(stderr).toEqual('');
+    expect(stdout).toContain(`Monitoring 'test-project'...`);
+    expect(stdout).toContain(
+      `Explore this snapshot at http://example-url/project/project-public-id/history/snapshot-public-id`,
+    );
+    expect(stdout).toContain(
+      `Notifications about newly disclosed issues related to these dependencies will be emailed to you.`,
+    );
+  });
+
+  test('monitor bad SBOM', async () => {
+    const fileToTest = path.resolve(getFixturePath('sbom'), 'bad-sbom.json');
+
+    const { code, stdout, stderr } = await runSnykCLI(
+      `sbom monitor --org badaabad-badb-badb-badb-badbadbadbad --experimental --file ${fileToTest}`,
+      { env },
+    );
+
+    expect(code).toEqual(2);
+
+    expect(stderr).toEqual('');
+    expect(stdout).toContain(`Bad Request (SNYK-0003)`);
+    expect(stdout).toContain(`invalid SBOM`);
+  });
+
+  test('missing experimental flag', async () => {
+    const fileToTest = path.resolve(
+      getFixturePath('sbom'),
+      'npm-sbom-cdx15.json',
+    );
+
+    const { stdout, stderr } = await runSnykCLI(
+      `sbom monitor --org aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee --file ${fileToTest}`,
+      { env },
+    );
+
+    expect(stdout).toMatch(
+      'Flag `--experimental` is required to execute this command.',
+    );
+
+    expect(stderr).toEqual('');
+  });
+
+  test('missing file flag', async () => {
+    const { stdout, stderr } = await runSnykCLI(
+      `sbom monitor --org aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee --experimental`,
+      { env },
+    );
+
+    expect(stdout).toContainText(
+      'Flag `--file` is required to execute this command. Value should point to a valid SBOM document.',
+    );
+
+    expect(stderr).toEqual('');
+  });
+
+  test('feature flag sbomMonitorBeta is disabled', async () => {
+    const fileToTest = path.resolve(
+      getFixturePath('sbom'),
+      'npm-sbom-cdx15.json',
+    );
+
+    server.setFeatureFlag('sbomMonitorBeta', false);
+
+    const { code, stdout, stderr } = await runSnykCLI(
+      `sbom monitor --org aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee --experimental --file ${fileToTest}`,
+      { env },
+    );
+
+    expect(code).toEqual(2);
+
+    expect(stderr).toEqual('');
+    expect(stdout).toContain(
+      `The feature you are trying to use is not available for your organization.`,
+    );
+  });
+});