snyk · attriaayush · Dec 19, 2025
@@ -15,8 +15,8 @@ require (
 	github.com/snyk/cli-extension-iac v0.0.0-20250829110702-b41ac109dab0
 	github.com/snyk/cli-extension-iac-rules v0.0.0-20250829110455-1260348bc188
 	github.com/snyk/cli-extension-mcp-scan v0.0.0-20251217093101-0705cbe3593b
-	github.com/snyk/cli-extension-os-flows v0.0.0-20251218084622-1754d1ef9945
-	github.com/snyk/cli-extension-sbom v0.0.0-20251113132837-5f6cc6d0cb26
+	github.com/snyk/cli-extension-os-flows v0.0.0-20251219081448-8c21f334b274
+	github.com/snyk/cli-extension-sbom v0.0.0-20251219081320-1e63de9188b4
 	github.com/snyk/container-cli v0.0.0-20250321132345-1e2e01681dd7
 	github.com/snyk/error-catalog-golang-public v0.0.0-20251205100923-e93b06d4a6c6
 	github.com/snyk/go-application-framework v0.0.0-20251218080318-c938eac5f436

@@ -1306,10 +1306,10 @@ github.com/snyk/cli-extension-iac-rules v0.0.0-20250829110455-1260348bc188 h1:Uo
 github.com/snyk/cli-extension-iac-rules v0.0.0-20250829110455-1260348bc188/go.mod h1:qUc1yjKJe6tt/8/MJasnog3VBXd/b619MSFVfKAlDxE=
 github.com/snyk/cli-extension-mcp-scan v0.0.0-20251217093101-0705cbe3593b h1:d8s+TntutaQlPcB+5I2781ALWEgGfQh2XQjPrt0oRy8=
 github.com/snyk/cli-extension-mcp-scan v0.0.0-20251217093101-0705cbe3593b/go.mod h1:dRgGvQssSQ1U//nQ0D+H8JXnjz1ZhG9GWbz8GEaFRMQ=
-github.com/snyk/cli-extension-os-flows v0.0.0-20251218084622-1754d1ef9945 h1:c/x1CGajnt9/sTcZ3IxGS9vnaN/SIwCsaMz7o4WmW1A=
-github.com/snyk/cli-extension-os-flows v0.0.0-20251218084622-1754d1ef9945/go.mod h1:TWWxoMwavH+jAluWZtaaDbdOuwt8C5n51xnEuWvrv1g=
-github.com/snyk/cli-extension-sbom v0.0.0-20251113132837-5f6cc6d0cb26 h1:KEiRBMdOJHefM4GKL3C3FfvH4J2G/vBFnwkonylV5+o=
-github.com/snyk/cli-extension-sbom v0.0.0-20251113132837-5f6cc6d0cb26/go.mod h1:zyKDBaETfZyI7BfIjPnezH3QX2seQrR/d7NM5W6LV9s=
+github.com/snyk/cli-extension-os-flows v0.0.0-20251219081448-8c21f334b274 h1:Yr94SawqzCCQZOoNpul2SWHVeqIkQKSrcaQDRFQph1M=
+github.com/snyk/cli-extension-os-flows v0.0.0-20251219081448-8c21f334b274/go.mod h1:TWWxoMwavH+jAluWZtaaDbdOuwt8C5n51xnEuWvrv1g=
+github.com/snyk/cli-extension-sbom v0.0.0-20251219081320-1e63de9188b4 h1:cHS8ckjwvPfClDLSNEswh3qXvuwkQcu/LL/x+DM7g9A=
+github.com/snyk/cli-extension-sbom v0.0.0-20251219081320-1e63de9188b4/go.mod h1:zyKDBaETfZyI7BfIjPnezH3QX2seQrR/d7NM5W6LV9s=
 github.com/snyk/code-client-go v1.24.4 h1:19rmeqZFvjQMKaAmSZ0CdYZb1d0ENsDad2Cp32jeWOA=
 github.com/snyk/code-client-go v1.24.4/go.mod h1:uMlmMToe4uuNhNLs+yxjM3WFbytna+ytDWhpbnNwTSk=
 github.com/snyk/container-cli v0.0.0-20250321132345-1e2e01681dd7 h1:/2+2piwQtB9fEJCkXEOjboZjY+77lQfnvqBZ/60xNHk=

@@ -16,7 +16,6 @@ const SBOM_FILE_PATH = getFixturePath('sbom/snyk-goof-sbom.json');
 const reachabilityEnv = {
   ...process.env,
   INTERNAL_SNYK_CLI_REACHABILITY_ENABLED: 'true',
-  INTERNAL_SNYK_CLI_SBOM_TEST_REACHABILITY: 'true',
 };
 
 beforeAll(() => {
@@ -50,49 +49,116 @@ afterAll(() => {
   }
 });
 
-describe('snyk sbom test --reachability', () => {
-  it('should display human-readable output with test summary', async () => {
-    const { code, stdout, stderr } = await runSnykCLI(
-      `sbom test --experimental --file=${SBOM_FILE_PATH} --reachability --source-dir=${TEMP_LOCAL_PATH}`,
-      { env: reachabilityEnv },
-    );
+describe('snyk sbom test', () => {
+  describe('basic functionality', () => {
+    it('should display human-readable output with test summary', async () => {
+      const { code, stdout, stderr } = await runSnykCLI(
+        `sbom test --file=${SBOM_FILE_PATH}`,
+      );
+
+      expect(stderr).toBe('');
+      expect(stdout).toContain('Test Summary');
+      expect(stdout).toContain('Issues to fix by upgrading');
+      expect(code).toBe(EXIT_CODES.VULNS_FOUND);
+    });
+
+    it('should output valid JSON with vulnerability data', async () => {
+      const { code, stdout, stderr } = await runSnykCLI(
+        `sbom test --file=${SBOM_FILE_PATH} --json`,
+      );
+
+      expect(stderr).toBe('');
+      expect(stdout).not.toBe('');
+
+      const jsonOutput = JSON.parse(stdout);
 
-    expect(stderr).toBe('');
-    expect(stdout).toContain('Test Summary');
-    expect(code).toBe(EXIT_CODES.VULNS_FOUND);
+      expect(jsonOutput.dependencyCount).toBeGreaterThan(0);
+      expect(jsonOutput.vulnerabilities).toBeInstanceOf(Array);
+      expect(jsonOutput.vulnerabilities.length).toBeGreaterThanOrEqual(1);
+      expect(
+        Object.keys(jsonOutput.remediation.upgrade).length,
+      ).toBeGreaterThanOrEqual(1);
+
+      const vuln = jsonOutput.vulnerabilities[0];
+      expect(vuln).toHaveProperty('id');
+      expect(vuln).toHaveProperty('title');
+      expect(vuln).toHaveProperty('severity');
+
+      expect(code).toBe(EXIT_CODES.VULNS_FOUND);
+    });
+
+    it('should show error when --file flag is missing', async () => {
+      const { code, stdout } = await runSnykCLI(`sbom test`);
+
+      expect(stdout).toContain('--file');
+      expect(code).toBe(EXIT_CODES.ERROR);
+    });
   });
 
-  it('should output valid JSON with reachability data', async () => {
-    const { code, stdout, stderr } = await runSnykCLI(
-      `sbom test --experimental --file=${SBOM_FILE_PATH} --reachability --source-dir=${TEMP_LOCAL_PATH} --json`,
-      { env: reachabilityEnv },
-    );
+  describe('with reachability', () => {
+    it('should display human-readable output with test summary', async () => {
+      const { code, stdout, stderr } = await runSnykCLI(
+        `sbom test --file=${SBOM_FILE_PATH} --reachability --source-dir=${TEMP_LOCAL_PATH}`,
+        { env: reachabilityEnv },
+      );
 
-    expect(stderr).toBe('');
-    expect(stdout).not.toBe('');
+      expect(stderr).toBe('');
+      expect(stdout).toContain('Test Summary');
+      expect(code).toBe(EXIT_CODES.VULNS_FOUND);
+    });
 
-    const jsonOutput = JSON.parse(stdout);
+    it('should emit valid json output with filtering only reachable vulnerabilities', async () => {
+      const { code, stdout, stderr } = await runSnykCLI(
+        `sbom test --file=${SBOM_FILE_PATH} --reachability --source-dir=${TEMP_LOCAL_PATH} --reachability-filter=reachable --json`,
+        { env: reachabilityEnv },
+      );
 
-    expect(jsonOutput.dependencyCount).toBeGreaterThan(0);
-    expect(jsonOutput.vulnerabilities).toBeInstanceOf(Array);
-    expect(jsonOutput.vulnerabilities.length).toBeGreaterThanOrEqual(1);
+      expect(stdout).not.toBe('');
+      expect(stderr).toBe('');
 
-    const vulnsWithReachability = jsonOutput.vulnerabilities.filter(
-      (vuln: any) => vuln.reachability !== undefined,
-    );
-    expect(vulnsWithReachability.length).toBeGreaterThan(0);
+      const jsonOutput = JSON.parse(stdout);
 
-    const reachableVulns = jsonOutput.vulnerabilities.filter(
-      (vuln: any) => vuln.reachability === 'reachable',
-    );
+      const areAllVulnsReachable = jsonOutput.vulnerabilities.every(
+        (vuln: { reachability: string }) => vuln.reachability === 'reachable',
+      );
+
+      expect(jsonOutput.vulnerabilities.length).toBeGreaterThanOrEqual(1);
+      expect(areAllVulnsReachable).toBeTruthy();
+      expect(code).toBe(EXIT_CODES.VULNS_FOUND);
+    });
+
+    it('should output valid JSON with reachability data', async () => {
+      const { code, stdout, stderr } = await runSnykCLI(
+        `sbom test --file=${SBOM_FILE_PATH} --reachability --source-dir=${TEMP_LOCAL_PATH} --json`,
+        { env: reachabilityEnv },
+      );
+
+      expect(stderr).toBe('');
+      expect(stdout).not.toBe('');
+
+      const jsonOutput = JSON.parse(stdout);
+
+      expect(jsonOutput.dependencyCount).toBeGreaterThan(0);
+      expect(jsonOutput.vulnerabilities).toBeInstanceOf(Array);
+      expect(jsonOutput.vulnerabilities.length).toBeGreaterThanOrEqual(1);
+
+      const vulnsWithReachability = jsonOutput.vulnerabilities.filter(
+        (vuln: any) => vuln.reachability !== undefined,
+      );
+      expect(vulnsWithReachability.length).toBeGreaterThan(0);
+
+      const reachableVulns = jsonOutput.vulnerabilities.filter(
+        (vuln: any) => vuln.reachability === 'reachable',
+      );
 
-    expect(reachableVulns.length).toBeGreaterThan(0);
+      expect(reachableVulns.length).toBeGreaterThan(0);
 
-    expect(reachableVulns[0]).toHaveProperty('id');
-    expect(reachableVulns[0]).toHaveProperty('title');
-    expect(reachableVulns[0]).toHaveProperty('severity');
-    expect(reachableVulns[0]).toHaveProperty('reachability', 'reachable');
+      expect(reachableVulns[0]).toHaveProperty('id');
+      expect(reachableVulns[0]).toHaveProperty('title');
+      expect(reachableVulns[0]).toHaveProperty('severity');
+      expect(reachableVulns[0]).toHaveProperty('reachability', 'reachable');
 
-    expect(code).toBe(EXIT_CODES.VULNS_FOUND);
+      expect(code).toBe(EXIT_CODES.VULNS_FOUND);
+    });
   });
 });