feat: Add support for npm lockfile version 3 (#1206)
This PR adds support for npm lockfile version 3, which drops the "dependencies" key and uses "packages" instead. I've refactored the lockfile parser to make the distinction between the versions explicit rather than the implicit behaviour before. It _might_ be worth splitting into separate files at some point, but the logic is so minimal that I haven't done it. Fixes #1203 Signed-off-by: Rob Cresswell <robcresswell@users.noreply.github.com>
1 parent
67888ee
commit 9d8244b
Showing
4 changed files
with
137 additions
and
16 deletions.
@@ -32,10 +32,11 @@ type lockDependency struct { | |
} | ||
|
||
type lockPackage struct { | ||
Name string `json:"name"` // only present in the root package entry (named "") | ||
Version string `json:"version"` | ||
Resolved string `json:"resolved"` | ||
Integrity string `json:"integrity"` | ||
License string `json:""` | ||
License string `json:"license"` | ||
} | ||
|
||
// parsePackageLock parses a package-lock.json and returns the discovered JavaScript packages. | ||
|
@@ -49,27 +50,41 @@ func parsePackageLock(resolver source.FileResolver, _ *generic.Environment, read | |
var pkgs []pkg.Package | ||
dec := json.NewDecoder(reader) | ||
|
||
var lock packageLock | ||
for { | ||
var lock packageLock | ||
if err := dec.Decode(&lock); errors.Is(err, io.EOF) { | ||
break | ||
} else if err != nil { | ||
return nil, nil, fmt.Errorf("failed to parse package-lock.json file: %w", err) | ||
} | ||
licenseMap := make(map[string]string) | ||
for _, pkgMeta := range lock.Packages { | ||
var sb strings.Builder | ||
sb.WriteString(pkgMeta.Resolved) | ||
sb.WriteString(pkgMeta.Integrity) | ||
licenseMap[sb.String()] = pkgMeta.License | ||
} | ||
} | ||
|
||
if lock.LockfileVersion == 1 { | ||
for name, pkgMeta := range lock.Dependencies { | ||
pkgs = append(pkgs, newPackageLockPackage(resolver, reader.Location, name, pkgMeta, licenseMap)) | ||
pkgs = append(pkgs, newPackageLockV1Package(resolver, reader.Location, name, pkgMeta)) | ||
} | ||
} | ||
|
||
if lock.LockfileVersion == 2 || lock.LockfileVersion == 3 { | ||
for name, pkgMeta := range lock.Packages { | ||
if name == "" { | ||
if pkgMeta.Name == "" { | ||
continue | ||
} else { | ||
name = pkgMeta.Name | ||
} | ||
} | ||
|
||
Mikcl
Contributor
|
||
pkgs = append(pkgs, newPackageLockV2Package(resolver, reader.Location, getNameFromPath(name), pkgMeta)) | ||
} | ||
} | ||
|
||
pkg.Sort(pkgs) | ||
|
||
return pkgs, nil, nil | ||
} | ||
|
||
func getNameFromPath(path string) string { | ||
parts := strings.Split(path, "node_modules/") | ||
return parts[len(parts)-1] | ||
} |
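Review bot: A package-lock.json whose lockfileVersion is absent or outside 1–3 now produces an empty package list with no error, because the new code only acts inside `if lock.LockfileVersion == 1` and `if lock.LockfileVersion == 2 || lock.LockfileVersion == 3`; for an SBOM cataloger a silently empty result is the worst failure mode, since dependencies drop out of the inventory without any signal. Consider a guard ahead of the two branches, `if v := lock.LockfileVersion; v < 1 || v > 3 { return nil, nil, fmt.Errorf("unsupported package-lock.json lockfileVersion: %d", v) }`, or, if callers treat a parse error as fatal for the whole scan, a logged warning naming `reader.Location` and the version instead. The two version checks would also read more clearly as `switch lock.LockfileVersion { case 1: … case 2, 3: … default: … }`, which is where such a fallback naturally lives; likewise the `else` after `continue` in the root-entry check can be dropped so the `name = pkgMeta.Name` assignment is left-aligned. parsePackageLock's signature and the start of its body lie outside the hunk, so whether an earlier version check already exists there could not be confirmed from this view.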
40 changes: 40 additions & 0 deletions
40
syft/pkg/cataloger/javascript/test-fixtures/pkg-lock/package-lock-3.json
@@ -0,0 +1,40 @@ | ||
{ | ||
"name": "lock-v3-fixture", | ||
"version": "1.0.0", | ||
"lockfileVersion": 3, | ||
"requires": true, | ||
"packages": { | ||
"": { | ||
"name": "lock-v3-fixture", | ||
"version": "1.0.0", | ||
"dependencies": { | ||
"@types/react": "^18.0.9" | ||
} | ||
}, | ||
"node_modules/@types/prop-types": { | ||
"version": "15.7.5", | ||
"resolved": "https://registry.npmjs.org/@types/prop-types/-/prop-types-15.7.5.tgz", | ||
"integrity": "sha512-JCB8C6SnDoQf0cNycqd/35A7MjcnK+ZTqE7judS6o7utxUCg6imJg3QK2qzHKszlTjcj2cn+NwMB2i96ubpj7w==" | ||
}, | ||
"node_modules/@types/react": { | ||
"version": "18.0.20", | ||
"resolved": "https://registry.npmjs.org/@types/react/-/react-18.0.20.tgz", | ||
"integrity": "sha512-MWul1teSPxujEHVwZl4a5HxQ9vVNsjTchVA+xRqv/VYGCuKGAU6UhfrTdF5aBefwD1BHUD8i/zq+O/vyCm/FrA==", | ||
"dependencies": { | ||
"@types/prop-types": "*", | ||
"@types/scheduler": "*", | ||
"csstype": "^3.0.2" | ||
} | ||
}, | ||
"node_modules/@types/scheduler": { | ||
"version": "0.16.2", | ||
"resolved": "https://registry.npmjs.org/@types/scheduler/-/scheduler-0.16.2.tgz", | ||
"integrity": "sha512-hppQEBDmlwhFAXKJX2KnWLYu5yMfi91yazPb2l+lbJiwW+wdo1gNeRA+3RgNSO39WYX2euey41KEwnqesU2Jew==" | ||
}, | ||
"node_modules/csstype": { | ||
"version": "3.1.1", | ||
"resolved": "https://registry.npmjs.org/csstype/-/csstype-3.1.1.tgz", | ||
"integrity": "sha512-DJR/VvkAvSZW9bTouZue2sSxDwdTN92uHjqeKVm+0dAqdfNykRzQ95tay8aXMBAAPpUiq4Qcug2L7neoRh2Egw==" | ||
} | ||
} | ||
} |
iiuc, this function handles both V2 and V3, do we want to name it accordingly?