From fa454aa35a152c2e0211176d6c6e7d5facc75124 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maximilian=20Comb=C3=BCchen?= <max.combuchen@snyk.io>
Date: Fri, 15 Nov 2024 03:34:24 +0100
Subject: [PATCH] feat: add support for alternative Snyk API URLs (#268)

Closes #215.
---
 doc/providers/snyk.md       |  6 ++++++
 providers/snyk/orgid.go     |  3 +--
 providers/snyk/snyk.go      | 10 +++++++++-
 providers/snyk/snyk_test.go | 10 ++++++++++
 providers/snyk/vulns.go     |  4 ++--
 5 files changed, 28 insertions(+), 5 deletions(-)

diff --git a/doc/providers/snyk.md b/doc/providers/snyk.md
index 16da540..600b39f 100644
--- a/doc/providers/snyk.md
+++ b/doc/providers/snyk.md
@@ -16,6 +16,12 @@ bomber scan --provider snyk --token xxx sbom.json
 
 Note rather than passing the API token explicitly, you can also set this as an environment variable, either as `SNYK_TOKEN` or the generic `BOMBER_PROVIDER_TOKEN`.
 
+By default, `bomber` will use Snyk's global API (https://api.snyk.io). To use a different Snyk API, you can specify its base URL on the `SNYK_API` environment variable.
+
+```
+SNYK_API=https://api.eu.snyk.io bomber scan --provider snyk sbom.json
+```
+
 
 ## Supported ecosystems
 
diff --git a/providers/snyk/orgid.go b/providers/snyk/orgid.go
index f1ed200..360f21f 100644
--- a/providers/snyk/orgid.go
+++ b/providers/snyk/orgid.go
@@ -25,14 +25,13 @@ type selfDocument struct {
 }
 
 func getOrgID(token string) (orgID string, err error) {
-
 	client := resty.New()
 	client.Debug = true
 
 	resp, err := client.R().
 		SetHeader("User-Agent", "bomber").
 		SetAuthToken(token).
-		Get(SnykURL + "/self" + SnykAPIVersion)
+		Get(getSnykAPIURL() + "/rest/self" + SnykAPIVersion)
 
 	if err != nil {
 		log.Print(err)
diff --git a/providers/snyk/snyk.go b/providers/snyk/snyk.go
index eb27722..d7e8294 100644
--- a/providers/snyk/snyk.go
+++ b/providers/snyk/snyk.go
@@ -13,7 +13,7 @@ import (
 )
 
 const (
-	SnykURL        = "https://api.snyk.io/rest"
+	SnykURL        = "https://api.snyk.io"
 	SnykAPIVersion = "?version=2022-09-15~experimental"
 	Concurrency    = 10
 )
@@ -102,3 +102,11 @@ func validateCredentials(credentials *models.Credentials) error {
 
 	return nil
 }
+
+func getSnykAPIURL() string {
+	u := os.Getenv("SNYK_API")
+	if u != "" {
+		return u
+	}
+	return SnykURL
+}
diff --git a/providers/snyk/snyk_test.go b/providers/snyk/snyk_test.go
index 69cfd5c..95073e4 100644
--- a/providers/snyk/snyk_test.go
+++ b/providers/snyk/snyk_test.go
@@ -62,6 +62,16 @@ func Test_validateCredentials(t *testing.T) {
 	os.Setenv("SNYK_TOKEN", snykToken)
 }
 
+func Test_getSnykAPIURL_default(t *testing.T) {
+	assert.Equal(t, "https://api.snyk.io", getSnykAPIURL())
+}
+
+func Test_getSnykAPIURL_override(t *testing.T) {
+	os.Setenv("SNYK_API", "http://example.com")
+	defer os.Unsetenv("SNYK_API")
+	assert.Equal(t, "http://example.com", getSnykAPIURL())
+}
+
 // func TestProvider_Scan_FakeCredentials(t *testing.T) {
 // 	httpmock.Activate()
 // 	defer httpmock.DeactivateAndReset()
diff --git a/providers/snyk/vulns.go b/providers/snyk/vulns.go
index 1e5ce3d..671194c 100644
--- a/providers/snyk/vulns.go
+++ b/providers/snyk/vulns.go
@@ -150,8 +150,8 @@ func getVulnsForPurl(
 	}
 
 	issuesURL := fmt.Sprintf(
-		"%s/orgs/%s/packages/%s/issues%s",
-		SnykURL, orgID, url.QueryEscape(purl), SnykAPIVersion,
+		"%s/rest/orgs/%s/packages/%s/issues%s",
+		getSnykAPIURL(), orgID, url.QueryEscape(purl), SnykAPIVersion,
 	)
 
 	client := resty.New()