Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(npm): improvement logic for lockfile v2-v3 #196

Merged
merged 3 commits into from
Mar 20, 2023
Merged

fix(npm): improvement logic for lockfile v2-v3 #196

merged 3 commits into from
Mar 20, 2023
+180 −66

Conversation

DmitriyLewen
Copy link
Collaborator

Description

  1. npm includes optional dependencies in dependency list, graph and node_modules folder. We also need to include them.
    e.g.
    graph: 
    3840@ /home/dmitriy/work/temp/3840
└─┬ cra-append-sw@2.7.0
  └─┬ webpack@4.46.0
    └─┬ watchpack@1.7.5
      ├─┬ chokidar@3.5.3
      │ └── glob-parent@5.1.2
      └─┬ watchpack-chokidar2@2.0.1
        └─┬ chokidar@2.1.8
          └── glob-parent@3.1.0
    package-lock.json file: 
    ...
    "node_modules/watchpack": {
      "version": "1.7.5",
      "resolved": "https://registry.npmjs.org/watchpack/-/watchpack-1.7.5.tgz",
      "integrity": "sha512-9P3MWk6SrKjHsGkLT2KHXdQ/9SNkyoJbabxnKOoJepsvJjJG8uYTR3yTPxPQvNDI3w4Nz1xnE0TLHK4RIVe/MQ==",
      "dependencies": {
        "graceful-fs": "^4.1.2",
        "neo-async": "^2.5.0"
      },
      "optionalDependencies": {
        "chokidar": "^3.4.1",
        "watchpack-chokidar2": "^2.0.1"
      }
    },
...
    folders: 
    ➜  3840 ls -hl ./node_modules | grep watchpack
drwxrwxr-x  3 dmitriy dmitriy 4,0K мар 15 11:41 watchpack
  1. there are dependencies with / in package name.
    e.g. @babel/plugin-transform-classes
    these dependencies start from @. We need to parse them properly.

@DmitriyLewen DmitriyLewen marked this pull request as ready for review March 17, 2023 07:29
@DmitriyLewen DmitriyLewen self-assigned this Mar 17, 2023
knqyf263
knqyf263 reviewed Mar 20, 2023
View reviewed changes
pkg/nodejs/npm/parse.go
// └─┬ watchpack@1.7.5
// ├─┬ chokidar@3.5.3 - optional dependency
// │ └── glob-parent@5.1.
dependencies := lo.Assign(pkg.Dependencies, pkg.OptionalDependencies)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did you add a test for optional dependencies?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can update the existing test case.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added optional deps to testcases

pkg/nodejs/npm/parse.go Outdated
@@ -253,6 +260,11 @@ func pkgNameFromPath(path string) string {
// node_modules/string-width
// node_modules/string-width/node_modules/strip-ansi
paths := strings.Split(path, "/")
// deps starting from `@` have pgkName with one `/`
// e.g. path == `node_modules/@babel/plugin-transform-classes` => pkgName == `@babel/plugin-transform-classes`
if strings.HasPrefix(paths[len(paths)-2], "@") {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It should not happen, but I think we should check the length just in case.

Suggested change
if strings.HasPrefix(paths[len(paths)-2], "@") {
if len(paths) >= 2 && strings.HasPrefix(paths[len(paths)-2], "@") {

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

@knqyf263 knqyf263 merged commit 1e9e2fb into aquasecurity:main Mar 20, 2023
@DmitriyLewen DmitriyLewen deleted the fix/npm-optional-deps branch March 21, 2023 02:30
@DmitriyLewen DmitriyLewen mentioned this pull request Mar 21, 2023
Merged
8 tasks
@knqyf263 knqyf263 mentioned this pull request May 14, 2023
Closed
Sq34sy pushed a commit to Sq34sy/go-dep-parser that referenced this pull request Jul 28, 2023
@DmitriyLewen @Sq34sy
fix(npm): improvement logic for lockfile v2-v3 (aquasecurity#196)
27cc6bd
Sq34sy pushed a commit to Sq34sy/go-dep-parser that referenced this pull request Jul 28, 2023
@DmitriyLewen @Sq34sy
fix(npm): improvement logic for lockfile v2-v3 (aquasecurity#196)
16fcb21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@knqyf263 knqyf263 knqyf263 approved these changes

Assignees

@DmitriyLewen DmitriyLewen

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@DmitriyLewen @knqyf263