feat: Add feature to differentiate between local and remote repositories using repo name string matching

Author: samsnyk

core/src/main/groovy/io/snyk/plugins/artifactory/snykSecurityPlugin.properties

@@ -76,6 +76,16 @@ snyk.api.organization=
 # Default: true
 #snyk.scanner.lastModified.remoteOnly=true
 
+# Optional: treat repositories whose key contains any of the given comma-separated substrings as local (not remote)
+# for lastModified.remoteOnly behavior, regardless of Artifactory's repository type.
+# Matching is case-insensitive. When enabled but no pattern matches the repo key, classification falls back to
+# Artifactory's repository type (remote vs local).
+# Accepts: "true", "false"
+# Default: "false"
+#snyk.scanner.repository.local.nameMatch.enabled=false
+# Comma-separated substrings; empty entries are ignored. Example: libs-release,internal-local
+#snyk.scanner.repository.local.nameMatch.patterns=
+
 # By default, if Snyk API fails while scanning an artifact for any reason, the download will be allowed.
 # When a download is blocked, artifact property "snyk.block.reason" records the message (see README).
 # Setting this property to "true" will block downloads when Snyk API fails.

core/src/main/java/io/snyk/plugins/artifactory/configuration/PluginConfiguration.java

@@ -34,7 +34,9 @@ public enum PluginConfiguration implements Configuration {
   TEST_FREQUENCY_HOURS("snyk.scanner.frequency.hours", "168"),
   EXTEND_TEST_DEADLINE_HOURS("snyk.scanner.extendTestDeadline.hours", "24"),
   SCANNER_LAST_MODIFIED_DELAY_DAYS("snyk.scanner.lastModified.days", "0"),
-  SCANNER_LAST_MODIFIED_CHECK_ONLY_REMOTE("snyk.scanner.lastModified.remoteOnly", "true");
+  SCANNER_LAST_MODIFIED_CHECK_ONLY_REMOTE("snyk.scanner.lastModified.remoteOnly", "true"),
+  SCANNER_REPOSITORY_LOCAL_NAME_MATCH_ENABLED("snyk.scanner.repository.local.nameMatch.enabled", "false"),
+  SCANNER_REPOSITORY_LOCAL_NAME_MATCH_PATTERNS("snyk.scanner.repository.local.nameMatch.patterns", "");
 
   private final String propertyKey;
   private final String defaultValue;

core/src/main/java/io/snyk/plugins/artifactory/scanner/RepositoryRemoteClassifier.java

@@ -0,0 +1,64 @@
+package io.snyk.plugins.artifactory.scanner;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+import java.util.Locale;
+
+/**
+ * Classifies whether a repository is treated as remote for last-modified checks, combining optional
+ * substring matching on the repository key with Artifactory's configured repository type.
+ */
+public final class RepositoryRemoteClassifier {
+
+  private RepositoryRemoteClassifier() {}
+
+  static List<String> parseCommaSeparatedPatterns(String raw) {
+    if (raw == null || raw.isBlank()) {
+      return List.of();
+    }
+    List<String> lowered = new ArrayList<>();
+    for (String part : raw.split(",")) {
+      String trimmed = part.trim();
+      if (!trimmed.isEmpty()) {
+        lowered.add(trimmed.toLowerCase(Locale.ROOT));
+      }
+    }
+    return Collections.unmodifiableList(lowered);
+  }
+
+  /**
+   * @return true if {@code repoKey} contains any of the patterns (case-insensitive substring match).
+   */
+  static boolean repoKeyContainsAnyPattern(String repoKey, List<String> patternsLowercase) {
+    if (repoKey == null || patternsLowercase.isEmpty()) {
+      return false;
+    }
+    String keyLower = repoKey.toLowerCase(Locale.ROOT);
+    for (String pattern : patternsLowercase) {
+      if (keyLower.contains(pattern)) {
+        return true;
+      }
+    }
+    return false;
+  }
+
+  /**
+   * When local name matching is enabled and a pattern matches, the repository is not treated as remote.
+   * Otherwise {@code artifactoryTypeIsRemote} is used.
+   */
+  static boolean isRemoteRepository(
+    String repoKey,
+    boolean localNameMatchEnabled,
+    String patternsRaw,
+    boolean artifactoryTypeIsRemote
+  ) {
+    if (localNameMatchEnabled) {
+      List<String> patterns = parseCommaSeparatedPatterns(patternsRaw);
+      if (!patterns.isEmpty() && repoKeyContainsAnyPattern(repoKey, patterns)) {
+        return false;
+      }
+    }
+    return artifactoryTypeIsRemote;
+  }
+}

core/src/main/java/io/snyk/plugins/artifactory/scanner/ScannerModule.java

@@ -151,12 +151,25 @@ private Instant getLastModifiedDate(RepoPath repoPath) {
 
   private boolean isRemoteRepository(RepoPath repoPath) {
     String repoKey = repoPath.getRepoKey();
+    String patternsRaw = configurationModule.getPropertyOrDefault(PluginConfiguration.SCANNER_REPOSITORY_LOCAL_NAME_MATCH_PATTERNS);
+    boolean localNameMatchEnabled = localNameMatchEnabled();
+
     RepositoryConfiguration repoConfig = repositories.getRepositoryConfiguration(repoKey);
-    String repoType = repoConfig.getType();
+    boolean artifactoryTypeIsRemote;
+    if (repoConfig == null) {
+      LOG.debug("No repository configuration for {}, cannot read repository type", repoKey);
+      artifactoryTypeIsRemote = false;
+    } else {
+      String repoType = repoConfig.getType();
+      LOG.debug("Found repository type: {}", repoType);
+      artifactoryTypeIsRemote = repoType != null && repoType.equalsIgnoreCase("remote");
+    }
 
-    LOG.debug("Found repository type: {}", repoType);
+    return RepositoryRemoteClassifier.isRemoteRepository(repoKey, localNameMatchEnabled, patternsRaw, artifactoryTypeIsRemote);
+  }
 
-    return repoType.toLowerCase().equals("remote");
+  private boolean localNameMatchEnabled() {
+    return configurationModule.getPropertyOrDefault(PluginConfiguration.SCANNER_REPOSITORY_LOCAL_NAME_MATCH_ENABLED).equals("true");
   }
 
   private boolean shouldTestContinuously() {

core/src/test/java/io/snyk/plugins/artifactory/scanner/RepositoryRemoteClassifierTest.java

@@ -0,0 +1,72 @@
+package io.snyk.plugins.artifactory.scanner;
+
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Test;
+
+import java.util.List;
+
+import static org.junit.jupiter.api.Assertions.assertAll;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+@DisplayName("RepositoryRemoteClassifier")
+class RepositoryRemoteClassifierTest {
+
+  @DisplayName("parseCommaSeparatedPatterns trims, ignores empties, lowercases")
+  @Test
+  void parseCommaSeparatedPatterns() {
+    assertAll(
+      () -> assertTrue(RepositoryRemoteClassifier.parseCommaSeparatedPatterns("").isEmpty()),
+      () -> assertTrue(RepositoryRemoteClassifier.parseCommaSeparatedPatterns("  ,  ").isEmpty()),
+      () -> assertEquals(
+        List.of("a", "bc"),
+        RepositoryRemoteClassifier.parseCommaSeparatedPatterns(" a , bc ")
+      ),
+      () -> assertEquals(
+        List.of("libs-release", "internal"),
+        RepositoryRemoteClassifier.parseCommaSeparatedPatterns("Libs-Release, INTERNAL")
+      )
+    );
+  }
+
+  @DisplayName("repoKeyContainsAnyPattern is case-insensitive substring match")
+  @Test
+  void repoKeyContainsAnyPattern() {
+    List<String> p = List.of("remote", "cache");
+    assertAll(
+      () -> assertFalse(RepositoryRemoteClassifier.repoKeyContainsAnyPattern(null, p)),
+      () -> assertFalse(RepositoryRemoteClassifier.repoKeyContainsAnyPattern("my-local", List.of())),
+      () -> assertTrue(RepositoryRemoteClassifier.repoKeyContainsAnyPattern("MY-REMOTE-REPO", p)),
+      () -> assertTrue(RepositoryRemoteClassifier.repoKeyContainsAnyPattern("pypi-cache", p)),
+      () -> assertFalse(RepositoryRemoteClassifier.repoKeyContainsAnyPattern("clean", p))
+    );
+  }
+
+  @DisplayName("isRemoteRepository: feature off uses Artifactory type only")
+  @Test
+  void featureOffUsesArtifactoryOnly() {
+    assertTrue(RepositoryRemoteClassifier.isRemoteRepository("any", false, "local", true));
+    assertFalse(RepositoryRemoteClassifier.isRemoteRepository("any", false, "local", false));
+  }
+
+  @DisplayName("isRemoteRepository: enabled with empty patterns falls back to Artifactory type")
+  @Test
+  void enabledEmptyPatternsFallsBack() {
+    assertTrue(RepositoryRemoteClassifier.isRemoteRepository("my-local", true, "", true));
+    assertFalse(RepositoryRemoteClassifier.isRemoteRepository("my-local", true, " , ", false));
+  }
+
+  @DisplayName("isRemoteRepository: pattern match forces non-remote")
+  @Test
+  void patternMatchForcesLocal() {
+    assertFalse(RepositoryRemoteClassifier.isRemoteRepository("company-local-repo", true, "local", true));
+  }
+
+  @DisplayName("isRemoteRepository: no pattern match falls back to Artifactory type")
+  @Test
+  void noPatternMatchFallsBack() {
+    assertTrue(RepositoryRemoteClassifier.isRemoteRepository("remote-npm", true, "local-only", true));
+    assertFalse(RepositoryRemoteClassifier.isRemoteRepository("remote-npm", true, "local-only", false));
+  }
+}