Merge pull request #142 from snyk/feat/SLS-709-created-delay-download

feat: Add handling for a optional configurable delay in days to prevent package downloads

Author: samsnyk

.snyk

@@ -46,4 +46,4 @@ ignore:
   'SNYK-JAVA-ORGGLASSFISHJERSEYCORE-14049172':
     - '*':
         reason: Transitive dep of artifactory-papi. Actual papi is provided by artifactory env at runtime so this is a false positive.
-        created: 2025-11-19T00:00:00.000Z
+        created: 2025-11-19T00:00:00.000Z

core/src/main/groovy/io/snyk/plugins/artifactory/snykSecurityPlugin.properties

@@ -66,6 +66,16 @@ snyk.api.organization=
 # Default: 24 hours (1 day)
 #snyk.scanner.extendTestDeadline.hours=24
 
+# A delay in number of days since the package was last modified in Artifactory. Any packages that were modified more recently
+# than the current time minus the number of days in this configuration will be blocked from download. The use case is to prevent
+# packages that may contain zero-day vulnerabilities from being introduced to a consumer. 
+# Default: 0
+#snyk.scanner.lastModified.days=0
+
+# If remoteOnly is set to true, only check lastModified for packages contained in remote repositories.
+# Default: true
+#snyk.scanner.lastModified.remoteOnly=true
+
 # By default, if Snyk API fails while scanning an artifact for any reason, the download will be allowed.
 # Setting this property to "true" will block downloads when Snyk API fails.
 # Accepts: "true", "false"

core/src/main/java/io/snyk/plugins/artifactory/configuration/PluginConfiguration.java

@@ -32,7 +32,9 @@ public enum PluginConfiguration implements Configuration {
   SCANNER_PACKAGE_TYPE_COCOAPODS("snyk.scanner.packageType.cocoapods", "false"),
   TEST_CONTINUOUSLY("snyk.scanner.test.continuously","false"),
   TEST_FREQUENCY_HOURS("snyk.scanner.frequency.hours", "168"),
-  EXTEND_TEST_DEADLINE_HOURS("snyk.scanner.extendTestDeadline.hours", "24");
+  EXTEND_TEST_DEADLINE_HOURS("snyk.scanner.extendTestDeadline.hours", "24"),
+  SCANNER_LAST_MODIFIED_DELAY_DAYS("snyk.scanner.lastModified.days", "0"),
+  SCANNER_LAST_MODIFIED_CHECK_ONLY_REMOTE("snyk.scanner.lastModified.remoteOnly", "true");
 
   private final String propertyKey;
   private final String defaultValue;

core/src/main/java/io/snyk/plugins/artifactory/model/MonitoredArtifact.java

@@ -10,6 +10,8 @@
 import static io.snyk.plugins.artifactory.configuration.properties.ArtifactProperty.*;
 import static org.slf4j.LoggerFactory.getLogger;
 
+import java.time.Instant;
+
 public class MonitoredArtifact {
 
   private static final Logger LOG = getLogger(MonitoredArtifact.class);
@@ -20,10 +22,17 @@ public class MonitoredArtifact {
 
   private final Ignores ignores;
 
+  private final Instant lastModifiedDate;
+
   public MonitoredArtifact(String path, TestResult testResult, Ignores ignores) {
+    this(path, testResult, ignores, null);
+  }
+
+  public MonitoredArtifact(String path, TestResult testResult, Ignores ignores, Instant lastModifiedDate) {
     this.path = path;
     this.testResult = testResult;
     this.ignores = ignores;
+    this.lastModifiedDate = lastModifiedDate;
   }
 
   public String getPath() {
@@ -38,6 +47,10 @@ public Ignores getIgnores() {
     return ignores;
   }
 
+  public Optional<Instant> getLastModifiedDate() {
+   return Optional.ofNullable(lastModifiedDate);
+  }
+
   public MonitoredArtifact write(ArtifactProperties properties) {
     testResult.write(properties);
 
@@ -61,7 +74,8 @@ public static Optional<MonitoredArtifact> read(ArtifactProperties properties) {
         new MonitoredArtifact(
           properties.getArtifactPath(),
           testResult,
-          Ignores.read(properties)
+          Ignores.read(properties),
+          null // Created date not stored in properties
         )
       );
     } catch (RuntimeException e) {
@@ -75,12 +89,12 @@ public boolean equals(Object o) {
     if (this == o) return true;
     if (o == null || getClass() != o.getClass()) return false;
     MonitoredArtifact artifact = (MonitoredArtifact) o;
-    return Objects.equals(path, artifact.path) && Objects.equals(testResult, artifact.testResult) && Objects.equals(ignores, artifact.ignores);
+    return Objects.equals(path, artifact.path) && Objects.equals(testResult, artifact.testResult) && Objects.equals(ignores, artifact.ignores) && Objects.equals(lastModifiedDate, artifact.lastModifiedDate);
   }
 
   @Override
   public int hashCode() {
-    return Objects.hash(path, testResult, ignores);
+    return Objects.hash(path, testResult, ignores, lastModifiedDate);
   }
 
   @Override
@@ -89,6 +103,7 @@ public String toString() {
       "path='" + path + '\'' +
       ", testResult=" + testResult +
       ", ignores=" + ignores +
+      ", lastModifiedDate=" + lastModifiedDate +
       '}';
   }
 }

core/src/main/java/io/snyk/plugins/artifactory/model/ValidationSettings.java

@@ -5,30 +5,36 @@
 
 import java.util.Optional;
 
+import static io.snyk.plugins.artifactory.configuration.PluginConfiguration.SCANNER_LAST_MODIFIED_DELAY_DAYS;
 import static io.snyk.plugins.artifactory.configuration.PluginConfiguration.SCANNER_LICENSE_THRESHOLD;
 import static io.snyk.plugins.artifactory.configuration.PluginConfiguration.SCANNER_VULNERABILITY_THRESHOLD;
 
 public class ValidationSettings {
 
   private final Optional<Severity> vulnSeverityThreshold;
-
   private final Optional<Severity> licenseSeverityThreshold;
+  private final Optional<Integer> lastModifiedDelayDays;
 
   public ValidationSettings() {
-    this(Optional.of(Severity.HIGH), Optional.of(Severity.HIGH));
+    this(Optional.of(Severity.HIGH), Optional.of(Severity.HIGH), Optional.of(0));
   }
 
-  private ValidationSettings(Optional<Severity> vulnSeverityThreshold, Optional<Severity> licenseSeverityThreshold) {
+  private ValidationSettings(Optional<Severity> vulnSeverityThreshold, Optional<Severity> licenseSeverityThreshold, Optional<Integer> lastModifiedDelayDays) {
     this.vulnSeverityThreshold = vulnSeverityThreshold;
     this.licenseSeverityThreshold = licenseSeverityThreshold;
+    this.lastModifiedDelayDays = lastModifiedDelayDays;
   }
 
   public ValidationSettings withVulnSeverityThreshold(Optional<Severity> threshold) {
-    return new ValidationSettings(threshold, licenseSeverityThreshold);
+    return new ValidationSettings(threshold, licenseSeverityThreshold, lastModifiedDelayDays);
   }
 
   public ValidationSettings withLicenseSeverityThreshold(Optional<Severity> threshold) {
-    return new ValidationSettings(vulnSeverityThreshold, threshold);
+    return new ValidationSettings(vulnSeverityThreshold, threshold, lastModifiedDelayDays);
+  }
+
+  public ValidationSettings withLastModifiedDelayDays(Optional<Integer> days) {
+    return new ValidationSettings(vulnSeverityThreshold, licenseSeverityThreshold, days);
   }
 
   public Optional<Severity> getVulnSeverityThreshold() {
@@ -39,18 +45,37 @@ public Optional<Severity> getLicenseSeverityThreshold() {
     return licenseSeverityThreshold;
   }
 
+  public Optional<Integer> getLastModifiedDelayDays() {
+    return lastModifiedDelayDays;
+  }
+
   public static ValidationSettings from(ConfigurationModule config) {
     return from(
       config.getPropertyOrDefault(SCANNER_VULNERABILITY_THRESHOLD),
-      config.getPropertyOrDefault(SCANNER_LICENSE_THRESHOLD)
+      config.getPropertyOrDefault(SCANNER_LICENSE_THRESHOLD),
+      config.getPropertyOrDefault(SCANNER_LAST_MODIFIED_DELAY_DAYS)
     );
   }
 
   public static ValidationSettings from(String vulnThreshold, String licenseThreshold) {
+    return from(vulnThreshold, licenseThreshold, "0");
+  }
+
+  public static ValidationSettings from(String vulnThreshold, String licenseThreshold, String lastModifiedDelayDaysStr) {
     return new ValidationSettings(
       parseSeverity(vulnThreshold),
-      parseSeverity(licenseThreshold)
+      parseSeverity(licenseThreshold),
+      parseLastModifiedDelayDays(lastModifiedDelayDaysStr)
     );
+  } 
+
+  private static Optional<Integer> parseLastModifiedDelayDays(String lastModifiedDelayDaysStr) {
+    try {
+      Integer lastModifiedDelayDays = Integer.parseInt(lastModifiedDelayDaysStr);
+      return Optional.of(lastModifiedDelayDays);
+    } catch(NumberFormatException e) {
+      throw new IllegalArgumentException("Invalid value for last modified delay days: " + lastModifiedDelayDaysStr);
+    }
   }
 
   private static Optional<Severity> parseSeverity(String severityStr) {

core/src/main/java/io/snyk/plugins/artifactory/scanner/PackageValidator.java

@@ -8,6 +8,8 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
 import java.util.Optional;
 
 import static java.lang.String.format;
@@ -23,10 +25,40 @@ public PackageValidator(ValidationSettings settings) {
   }
 
   public void validate(MonitoredArtifact artifact) {
+    validateLastModifiedDelay(artifact);
     validateVulnerabilityIssues(artifact);
     validateLicenseIssues(artifact);
   }
 
+  private void validateLastModifiedDelay(MonitoredArtifact artifact) {
+    Integer delayDays = settings.getLastModifiedDelayDays().get();
+    if (delayDays == null || delayDays <= 0) {
+      LOG.debug("Created delay is disabled ({} days)", delayDays);
+      return;
+    }
+
+    Optional<Instant> lastModifiedDate = artifact.getLastModifiedDate();
+    if (lastModifiedDate.isEmpty()) {
+      LOG.debug("Created date not available for {}, skipping created delay check", artifact.getPath());
+      return;
+    }
+
+    Instant now = Instant.now();
+    long daysSinceLastModified = ChronoUnit.DAYS.between(lastModifiedDate.get(), now);
+    
+    if (daysSinceLastModified < delayDays) {
+      LOG.debug("Package created {} days ago, which is less than the delay of {} days: {}", 
+                daysSinceLastModified, delayDays, artifact.getPath());
+      throw new CancelException(format(
+        "Artifact was created %d days ago, which is less than the configured delay of %d days: %s",
+        daysSinceLastModified, delayDays, artifact.getPath()
+      ), 403);
+    }
+
+    LOG.debug("Package created {} days ago, which exceeds the delay of {} days: {}", 
+              daysSinceLastModified, delayDays, artifact.getPath());
+  }
+
   private void validateVulnerabilityIssues(MonitoredArtifact artifact) {
     validateIssues(
       artifact.getTestResult().getVulnSummary(),

core/src/main/java/io/snyk/plugins/artifactory/scanner/ScannerModule.java

@@ -11,14 +11,17 @@
 import io.snyk.plugins.artifactory.model.TestResult;
 import io.snyk.plugins.artifactory.model.ValidationSettings;
 import org.artifactory.fs.FileLayoutInfo;
+import org.artifactory.fs.ItemInfo;
 import org.artifactory.repo.RepoPath;
 import org.artifactory.repo.Repositories;
+import org.artifactory.repo.RepositoryConfiguration;
 import org.jetbrains.annotations.NotNull;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import javax.annotation.Nonnull;
 import java.time.Duration;
+import java.time.Instant;
 import java.util.Optional;
 
 import static java.util.Objects.requireNonNull;
@@ -94,13 +97,46 @@ private void filter(MonitoredArtifact artifact) {
 
   private @NotNull MonitoredArtifact toMonitoredArtifact(TestResult testResult, @NotNull RepoPath repoPath) {
     Ignores ignores = Ignores.read(new RepositoryArtifactProperties(repoPath, repositories));
-    return new MonitoredArtifact(repoPath.toString(), testResult, ignores);
+    Instant lastModifiedDate = getLastModifiedDate(repoPath);
+    
+    // Only apply lastModifiedDate to packages from remote repositories.
+    if(lastModifiedDateRemoteOnly() && !isRemoteRepository(repoPath)) {
+      lastModifiedDate = null;
+    }
+    return new MonitoredArtifact(repoPath.toString(), testResult, ignores, lastModifiedDate);
+  }
+
+  private Instant getLastModifiedDate(RepoPath repoPath) {
+    try {
+      ItemInfo itemInfo = repositories.getItemInfo(repoPath);
+      if (itemInfo != null) {
+        Instant lastModified = Instant.ofEpochMilli(itemInfo.getLastModified());
+        return lastModified;
+      }
+    } catch (Exception e) {
+      LOG.debug("Could not retrieve last modified date for {}: {}", repoPath, e);
+    }
+    return null;
+  }
+
+  private boolean isRemoteRepository(RepoPath repoPath) {
+    String repoKey = repoPath.getRepoKey();
+    RepositoryConfiguration repoConfig = repositories.getRepositoryConfiguration(repoKey);
+    String repoType = repoConfig.getType();
+
+    LOG.debug("Found repository type: {}", repoType);
+
+    return repoType.toLowerCase().equals("remote");
   }
 
   private boolean shouldTestContinuously() {
     return configurationModule.getPropertyOrDefault(PluginConfiguration.TEST_CONTINUOUSLY).equals("true");
   }
 
+  private boolean lastModifiedDateRemoteOnly() {
+    return configurationModule.getPropertyOrDefault(PluginConfiguration.SCANNER_LAST_MODIFIED_CHECK_ONLY_REMOTE).equals("true");
+  }
+
   private Duration durationHoursProperty(PluginConfiguration property, ConfigurationModule configurationModule) {
     return Duration.ofHours(Integer.parseInt(configurationModule.getPropertyOrDefault(property)));
   }

core/src/test/java/io/snyk/plugins/artifactory/scanner/PackageValidatorTest.java

@@ -6,6 +6,7 @@
 import org.junit.jupiter.api.Test;
 
 import java.net.URI;
+import java.time.Instant;
 import java.util.Optional;
 import java.util.stream.Stream;
 
@@ -141,4 +142,29 @@ void validate_includesSnykDetailsUrlInCancelException() {
       .isExactlyInstanceOf(CancelException.class)
       .hasMessageContaining("https://snyk.io/package/details");
   }
+
+  @Test
+  void validate_includesLastModifiedDateDelay() {
+    Integer lastModifiedDelayDays = 14;
+    ValidationSettings settings = new ValidationSettings()
+    .withLastModifiedDelayDays(Optional.of(lastModifiedDelayDays))
+    .withVulnSeverityThreshold(Optional.empty())
+    .withLicenseSeverityThreshold(Optional.empty());
+
+    PackageValidator validator = new PackageValidator(settings);
+    
+    MonitoredArtifact artifact = new MonitoredArtifact("",
+      new TestResult(
+        IssueSummary.from(Stream.of(Severity.LOW)),
+        IssueSummary.from(Stream.empty()),
+        URI.create("https://snyk.io/package/details")
+      ),
+      new Ignores(),
+      Instant.now()
+    );
+
+    assertThatThrownBy(() -> validator.validate(artifact))
+    .isExactlyInstanceOf(CancelException.class)
+    .hasMessageContaining("Artifact was created 0 days ago, which is less than the configured delay of 14 days");
+  }
 }