fix: --skip-unresolved flag and no files being uploaded #6586

Open
paulrosca-snyk wants to merge 3 commits into main from fix/skip-unresolved-flag

@paulrosca-snyk paulrosca-snyk commented Feb 25, 2026

Pull Request Submission Checklist

  • Follows CONTRIBUTING guidelines
  • Commit messages are release-note ready, emphasizing what was changed, not how.
  • Includes detailed description of changes
  • Contains risk assessment (Low | Medium | High)
  • Highlights breaking API changes (if applicable)
  • Links to automated tests covering new functionality
  • Includes manual testing instructions (if necessary)
  • Updates relevant GitBook documentation (PR link: ___)
  • Includes product update to be announced in the next stable release notes

What does this PR do?

--skip-unresolved

Fixes the behaviour of the --skip-unresolved flag in snyk test/snyk monitor.

In the current implementation the flag is registered as a string, which breaks the use case of plainly passing --skip-unresolved and instead requires the user to pass --skip-unresolved=true.

With this change, the flag will be registered as boolean, which will fix the aforementioned issue.

--reachability code upload

If during the code upload phase of snyk test --reachability/snyk monitor --reachability no files end up being uploaded (e.g. they were skipped due to: issues opening them, being .gitignored/.snyk ignored, not supported by the code engine) we will now render a warning, to stdout for the human-readable output or to stderr for --json/--sarif.

Where should the reviewer start?

How should this be manually tested?

--skip-unresolved

Running snyk test --reachability --skip-unresolved --severity-threshold=high should only return issues with severity high.
In the previous version of the CLI, the --severity-threshold flag was ignored due to the parsing bug in the --skip-unresolved flag.

--reachability code upload

Running snyk test --reachability in a directory with a broken symlink should render a warning but run the test and return vulnerabilities successfully.

What's the product update that needs to be communicated to CLI users?

Users enlisted in the CLI Test w/ Reachability EA will now:

  • get the correct behaviour when passing the --skip-unresolved flag
  • get partial results (no reachability signals on vulnerabilities) if the reachability part failed
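
The parsing failure described in this PR, reproduced as an added example that is not code from the Snyk CLI or from this PR. It assumes Go's standard `flag` package as a stand-in for the CLI's flag handling (the page does not show the real registration); in this stand-in a value-taking flag consumes the next argument, which is how `--severity-threshold` gets lost. `parse` and `parsed` are hypothetical names and the argument list is constructed.

```go
package main

import (
	"flag"
	"fmt"
	"io"
)

// parsed holds the two options discussed in the PR description.
type parsed struct {
	SkipUnresolved    string // value as the flag set recorded it
	SeverityThreshold string // empty means "no threshold applied"
}

// parse registers --skip-unresolved as a string flag (old behaviour) or as a
// bool flag (fixed behaviour) and parses args. Stand-in built on the standard
// library; an assumption, not the Snyk CLI's own flag set.
func parse(skipAsBool bool, args []string) (parsed, error) {
	fs := flag.NewFlagSet("snyk-test", flag.ContinueOnError)
	fs.SetOutput(io.Discard) // keep usage/error text off the terminal
	sev := fs.String("severity-threshold", "", "minimum severity to report")
	var skipStr *string
	var skipBool *bool
	if skipAsBool {
		skipBool = fs.Bool("skip-unresolved", false, "skip unresolved projects")
	} else {
		skipStr = fs.String("skip-unresolved", "", "skip unresolved projects")
	}
	if err := fs.Parse(args); err != nil {
		return parsed{}, err
	}
	out := parsed{SeverityThreshold: *sev}
	if skipAsBool {
		out.SkipUnresolved = fmt.Sprint(*skipBool)
	} else {
		out.SkipUnresolved = *skipStr
	}
	return out, nil
}

func main() {
	// Constructed input mirroring the manual test in the PR description.
	args := []string{"--skip-unresolved", "--severity-threshold=high"}
	before, _ := parse(false, args)
	after, _ := parse(true, args)
	fmt.Printf("string flag: %+v\n", before) // threshold swallowed as the flag's value
	fmt.Printf("bool flag:   %+v\n", after)  // threshold applied
}
```

With the string registration the severity gate is dropped without any error, so a pipeline relying on the threshold would report on every severity; a regression test asserting the parsed threshold catches this class of bug.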

@paulrosca-snyk paulrosca-snyk requested review from a team as code owners February 25, 2026 08:44

snyk-io bot commented Feb 25, 2026

Snyk checks have passed. No issues have been found so far.

Status  Scanner               Critical  High  Medium  Low  Total (0)
        Open Source Security  0         0     0       0    0 issues
        Licenses              0         0     0       0    0 issues
        Code Security         0         0     0       0    0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@paulrosca-snyk paulrosca-snyk force-pushed the fix/skip-unresolved-flag branch 2 times, most recently from 5bd91b0 to b95d6a3 Compare February 25, 2026 15:33
@paulrosca-snyk paulrosca-snyk force-pushed the fix/skip-unresolved-flag branch from b95d6a3 to e5240d3 Compare February 25, 2026 15:34
@paulrosca-snyk paulrosca-snyk changed the title fix: --skip-unresolved flag fix: --skip-unresolved flag and no files being uploaded Feb 25, 2026
cliv2/go.mod Outdated
github.com/snyk/cli-extension-iac-rules v0.0.0-20260206080712-9cbb5f95465d
github.com/snyk/cli-extension-mcp-scan v0.0.0-20260205184045-13a21a9b38c4
github.com/snyk/cli-extension-os-flows v0.0.0-20260217135510-c516a8ddef18
github.com/snyk/cli-extension-os-flows v0.0.0-20260225153202-9c7a0e16ceb3
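
Review bot: the last line pins github.com/snyk/cli-extension-os-flows to a pseudo-version (v0.0.0-20260225153202-9c7a0e16ceb3), which refers to an untagged commit, so before merging confirm that 9c7a0e16ceb3 is reachable from the extension's main branch rather than only from an unmerged branch, and that go.sum was regenerated for it. A pin to a commit that is later rebased away leaves the build depending on the module proxy's cached copy, which is hard to audit.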

I left a comment on the last change. Extensions should be application agnostic and therefore not assume anything like stderr ... we might need to fix this in the CLI so that errors can be still rendered via the UI even with --json

That makes sense! How do you recommend we do this? Does GAF provide an interface for this that we could use where CLI can infer whether to use stderr or something?
