Add artifact property to indicate reason for blocking the package

Author: samsnyk

.gitignore

@@ -31,3 +31,6 @@ target/
 Thumbs.db
 .directory
 .DS_Store
+
+# Snyk Security Extension - AI Rules (auto-generated)
+.cursor/rules/snyk_rules.mdc

README.md

@@ -59,6 +59,9 @@ unzip -p distribution/target/artifactory-snyk-security-plugin-LOCAL-SNAPSHOT.zip
 unzip -p distribution/target/artifactory-snyk-security-plugin-LOCAL-SNAPSHOT.zip plugins/snykSecurityPlugin.groovy > distribution/docker/etc/artifactory/plugins/snykSecurityPlugin.groovy
 ```
 
+## Artifact property: block reason
+When a download is blocked (policy violation or Snyk API failure with `snyk.scanner.block-on-api-failure=true`), the plugin sets **`snyk.block.reason`** on the artifact to the same message returned to the client (truncated if very long). The property is removed when a new Snyk scan completes successfully (`storage.afterCreate`) or when a download is allowed after validation (each download attempt clears it before re-checking).
+
 ## Inspecting plugin logs
 In order to see the logs, set the log level for Snyk by inserting this line: `<logger name="io.snyk" level="debug"/>`
 into this file: `distribution/docker/etc/artifactory/logback.xml`.

core/src/main/groovy/io/snyk/plugins/artifactory/snykSecurityPlugin.properties

@@ -77,6 +77,7 @@ snyk.api.organization=
 #snyk.scanner.lastModified.remoteOnly=true
 
 # By default, if Snyk API fails while scanning an artifact for any reason, the download will be allowed.
+# When a download is blocked, artifact property "snyk.block.reason" records the message (see README).
 # Setting this property to "true" will block downloads when Snyk API fails.
 # Accepts: "true", "false"
 # Default: "false"

core/src/main/java/io/snyk/plugins/artifactory/SnykPlugin.java

@@ -4,6 +4,8 @@
 import io.snyk.plugins.artifactory.configuration.BaseUrlSanitiser;
 import io.snyk.plugins.artifactory.configuration.UserAgent;
 import io.snyk.plugins.artifactory.configuration.properties.ArtifactProperty;
+import io.snyk.plugins.artifactory.configuration.properties.BlockReasonProperty;
+import io.snyk.plugins.artifactory.configuration.properties.RepositoryArtifactProperties;
 import io.snyk.plugins.artifactory.configuration.ConfigurationModule;
 import io.snyk.plugins.artifactory.exception.CannotScanException;
 import io.snyk.plugins.artifactory.exception.SnykAPIFailureException;
@@ -30,6 +32,7 @@
 import java.util.Properties;
 
 import static io.snyk.plugins.artifactory.configuration.PluginConfiguration.*;
+import static io.snyk.plugins.artifactory.configuration.properties.ArtifactProperty.BLOCK_REASON;
 import static java.lang.String.format;
 
 public class SnykPlugin {
@@ -39,6 +42,7 @@ public class SnykPlugin {
   private ConfigurationModule configurationModule;
   private AuditModule auditModule;
   private ScannerModule scannerModule;
+  private Repositories repositories;
 
   SnykPlugin() {
   }
@@ -65,6 +69,7 @@ public SnykPlugin(@Nonnull Repositories repositories, File pluginsDirectory) {
 
       auditModule = new AuditModule();
       ScannerResolver scannerResolver = ScannerResolver.setup(configurationModule, snykClient);
+      this.repositories = repositories;
       scannerModule = new ScannerModule(configurationModule, repositories, scannerResolver);
 
       LOG.info("Plugin version: {}", pluginVersion);
@@ -131,6 +136,14 @@ public void handleBeforeDownloadEvent(RepoPath repoPath) {
       LOG.debug(message);
       if ("true".equals(blockOnApiFailure)) {
         LOG.debug("Blocking download. Plugin Property \"{}\" is \"true\". {}", blockOnApiFailurePropertyKey, repoPath);
+        try {
+          new RepositoryArtifactProperties(repoPath, repositories).set(
+            BLOCK_REASON,
+            BlockReasonProperty.truncateForStorage(message)
+          );
+        } catch (Exception ex) {
+          LOG.warn("Could not set {} for {}: {}", BLOCK_REASON.propertyKey(), repoPath, ex.getMessage());
+        }
         throw new CancelException(message, 500);
       }
     }

core/src/main/java/io/snyk/plugins/artifactory/configuration/properties/ArtifactProperties.java

@@ -11,4 +11,7 @@ public interface ArtifactProperties {
   void set(ArtifactProperty property, String value);
 
   boolean has(ArtifactProperty property);
+
+  /** Removes the property from the artifact if present. */
+  void remove(ArtifactProperty property);
 }

core/src/main/java/io/snyk/plugins/artifactory/configuration/properties/ArtifactProperty.java

@@ -9,7 +9,9 @@ public enum ArtifactProperty {
   ISSUE_VULNERABILITIES_FORCE_DOWNLOAD_INFO("snyk.issue.vulnerabilities.forceDownload.info"),
   ISSUE_LICENSES("snyk.issue.licenses"),
   ISSUE_LICENSES_FORCE_DOWNLOAD("snyk.issue.licenses.forceDownload"),
-  ISSUE_LICENSES_FORCE_DOWNLOAD_INFO("snyk.issue.licenses.forceDownload.info");
+  ISSUE_LICENSES_FORCE_DOWNLOAD_INFO("snyk.issue.licenses.forceDownload.info"),
+  /** Set when a download is blocked; cleared on successful scan or allowed download. */
+  BLOCK_REASON("snyk.block.reason");
 
   private final String propertyKey;
 

core/src/main/java/io/snyk/plugins/artifactory/configuration/properties/BlockReasonProperty.java

@@ -0,0 +1,20 @@
+package io.snyk.plugins.artifactory.configuration.properties;
+
+public final class BlockReasonProperty {
+
+  /** Max length for a single property value. */
+  public static final int MAX_STORED_LENGTH = 2400;
+
+  private BlockReasonProperty() {
+  }
+
+  public static String truncateForStorage(String message) {
+    if (message == null || message.isEmpty()) {
+      return "";
+    }
+    if (message.length() <= MAX_STORED_LENGTH) {
+      return message;
+    }
+    return message.substring(0, MAX_STORED_LENGTH - 3) + "...";
+  }
+}

core/src/main/java/io/snyk/plugins/artifactory/configuration/properties/RepositoryArtifactProperties.java

@@ -35,4 +35,12 @@ public void set(ArtifactProperty property, String value) {
   public boolean has(ArtifactProperty property) {
     return repositories.hasProperty(repoPath, property.propertyKey());
   }
+
+  @Override
+  public void remove(ArtifactProperty property) {
+    if (!repositories.hasProperty(repoPath, property.propertyKey())) {
+      return;
+    }
+    repositories.deleteProperty(repoPath, property.propertyKey());
+  }
 }

core/src/main/java/io/snyk/plugins/artifactory/model/MonitoredArtifact.java

@@ -63,6 +63,8 @@ public MonitoredArtifact write(ArtifactProperties properties) {
     setDefaultArtifactProperty(properties, ISSUE_LICENSES_FORCE_DOWNLOAD, "false");
     setDefaultArtifactProperty(properties, ISSUE_LICENSES_FORCE_DOWNLOAD_INFO, "");
 
+    properties.remove(BLOCK_REASON);
+
     return this;
   }
 

core/src/main/java/io/snyk/plugins/artifactory/scanner/ScannerModule.java

@@ -3,6 +3,7 @@
 import io.snyk.plugins.artifactory.configuration.ConfigurationModule;
 import io.snyk.plugins.artifactory.configuration.PluginConfiguration;
 import io.snyk.plugins.artifactory.configuration.properties.ArtifactProperties;
+import io.snyk.plugins.artifactory.configuration.properties.BlockReasonProperty;
 import io.snyk.plugins.artifactory.configuration.properties.RepositoryArtifactProperties;
 import io.snyk.plugins.artifactory.ecosystem.EcosystemResolver;
 import io.snyk.plugins.artifactory.ecosystem.RepositoryMetadataEcosystemResolver;
@@ -12,6 +13,7 @@
 import io.snyk.plugins.artifactory.model.ValidationSettings;
 import org.artifactory.fs.FileLayoutInfo;
 import org.artifactory.fs.ItemInfo;
+import org.artifactory.exception.CancelException;
 import org.artifactory.repo.RepoPath;
 import org.artifactory.repo.Repositories;
 import org.artifactory.repo.RepositoryConfiguration;
@@ -24,6 +26,7 @@
 import java.time.Instant;
 import java.util.Optional;
 
+import static io.snyk.plugins.artifactory.configuration.properties.ArtifactProperty.BLOCK_REASON;
 import static java.util.Objects.requireNonNull;
 
 public class ScannerModule {
@@ -64,7 +67,7 @@ public void filterAccess(@Nonnull RepoPath repoPath) {
 
     resolveArtifact(repoPath)
       .ifPresentOrElse(
-        this::filter,
+        artifact -> filter(repoPath, artifact),
         () -> LOG.info("No vulnerability info found for {}", repoPath)
       );
   }
@@ -92,10 +95,26 @@ private MonitoredArtifact runTestWith(PackageScanner scanner, RepoPath repoPath)
     return toMonitoredArtifact(testResult, repoPath);
   }
 
-  private void filter(MonitoredArtifact artifact) {
+  private void filter(RepoPath repoPath, MonitoredArtifact artifact) {
+    ArtifactProperties props = properties(repoPath);
+    try {
+      props.remove(BLOCK_REASON);
+    } catch (Exception e) {
+      LOG.debug("Could not clear block reason for {}: {}", repoPath, e.getMessage());
+    }
+
     ValidationSettings validationSettings = ValidationSettings.from(configurationModule);
     PackageValidator validator = new PackageValidator(validationSettings);
-    validator.validate(artifact);
+    try {
+      validator.validate(artifact);
+    } catch (CancelException e) {
+      try {
+        props.set(BLOCK_REASON, BlockReasonProperty.truncateForStorage(e.getMessage()));
+      } catch (Exception ex) {
+        LOG.warn("Could not set {} for {}: {}", BLOCK_REASON.propertyKey(), repoPath, ex.getMessage());
+      }
+      throw e;
+    }
   }
 
   private @NotNull MonitoredArtifact toMonitoredArtifact(TestResult testResult, @NotNull RepoPath repoPath) {