feat(deps): add yarn lock dependency tree (#3348)

aquasecurity · Dec 29, 2022 · 025e509 · 025e509
1 parent 4d59a1e
commit 025e509
Show file tree

Hide file tree

Showing 6 changed files with 27 additions and 14 deletions.
diff --git a/docs/docs/vulnerability/examples/report.md b/docs/docs/vulnerability/examples/report.md
@@ -20,7 +20,7 @@ This flag is only available with the `--format table` flag.
 The following packages/languages are currently supported:
 
 - OS packages (apk, dpkg and rpm)
-- Node.js (package-lock.json) 
+- Node.js (package-lock.json and yarn.lock) 
 - Nuget lock files (packages.lock.json)
 - Rust Binaries built with [cargo-auditable][cargo-auditable]
 

diff --git a/go.mod b/go.mod
@@ -9,7 +9,7 @@ require (
 	github.com/alicebob/miniredis/v2 v2.23.0
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
 	github.com/aquasecurity/defsec v0.82.7-0.20221229120130-2bc18528da1c
-	github.com/aquasecurity/go-dep-parser v0.0.0-20221227140654-09a64a5d9b51
+	github.com/aquasecurity/go-dep-parser v0.0.0-20221229114138-e380bc98c4ea
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
 	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
@@ -73,7 +73,7 @@ require (
 	github.com/twitchtv/twirp v8.1.2+incompatible
 	github.com/xlab/treeprint v1.1.0
 	go.etcd.io/bbolt v1.3.6
-	go.uber.org/zap v1.23.0
+	go.uber.org/zap v1.24.0
 	golang.org/x/exp v0.0.0-20220823124025-807a23277127
 	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2
 	google.golang.org/protobuf v1.28.1

diff --git a/go.sum b/go.sum
@@ -195,8 +195,8 @@ github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
 github.com/aquasecurity/defsec v0.82.7-0.20221229120130-2bc18528da1c h1:Z7Uj3+zo6NJa9SFtMgGItZSqDMT3F7fPfCfXTdS3hKI=
 github.com/aquasecurity/defsec v0.82.7-0.20221229120130-2bc18528da1c/go.mod h1:sUdW6pzASralDcs+CDOE+QpWfBJt3/PY1Qbg8CS5flg=
-github.com/aquasecurity/go-dep-parser v0.0.0-20221227140654-09a64a5d9b51 h1:1mbTWnP/NzDrbyYaDzS2xIxuoAuhY3N62qZCTuSqfSo=
-github.com/aquasecurity/go-dep-parser v0.0.0-20221227140654-09a64a5d9b51/go.mod h1:ZCiGJgdQxCateSw3nPMwZvp9J/+nU8/3DcGY/NO71e4=
+github.com/aquasecurity/go-dep-parser v0.0.0-20221229114138-e380bc98c4ea h1:/CRzdg2jhJYMWS08xjocn3UgaXMuQl/TwjTZfz4HhbM=
+github.com/aquasecurity/go-dep-parser v0.0.0-20221229114138-e380bc98c4ea/go.mod h1:sVaiFgCEAOD3REZ8yamINqBf+BKiV/jt60DhG2rvKEo=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce/go.mod h1:HXgVzOPvXhVGLJs4ZKO817idqr/xhwsTcj17CLYY74s=
 github.com/aquasecurity/go-mock-aws v0.0.0-20220726154943-99847deb62b0 h1:tihCUjLWkF0b1SAjAKcFltUs3SpsqGrLtI+Frye0D10=
@@ -1618,8 +1618,8 @@ go.uber.org/multierr v1.8.0 h1:dg6GjLku4EH+249NNmoIciG9N/jURbDG+pFlTkhzIC8=
 go.uber.org/multierr v1.8.0/go.mod h1:7EAYxJLBy9rStEaz58O2t4Uvip6FSURkq8/ppBp95ak=
 go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
 go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo=
-go.uber.org/zap v1.23.0 h1:OjGQ5KQDEUawVHxNwQgPpiypGHOxo2mNZsOqTak4fFY=
-go.uber.org/zap v1.23.0/go.mod h1:D+nX8jyLsMHMYrln8A0rJjFt/T/9/bGgIhAqxv5URuY=
+go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60=
+go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg=
 golang.org/x/crypto v0.0.0-20171113213409-9f005a07e0d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20181009213950-7c1a557ab941/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=

diff --git a/integration/testdata/yarn.json.golden b/integration/testdata/yarn.json.golden
@@ -21,42 +21,49 @@
       "Type": "yarn",
       "Packages": [
         {
+          "ID": "asap@2.0.6",
           "Name": "asap",
           "Version": "2.0.6",
           "Layer": {},
           "Locations": [
             {
               "StartLine": 5,
-              "EndLine": 5
+              "EndLine": 8
             }
           ]
         },
         {
+          "ID": "jquery@3.2.1",
           "Name": "jquery",
           "Version": "3.2.1",
           "Layer": {},
           "Locations": [
             {
               "StartLine": 10,
-              "EndLine": 10
+              "EndLine": 13
             }
           ]
         },
         {
+          "ID": "promise@8.0.3",
           "Name": "promise",
           "Version": "8.0.3",
+          "DependsOn": [
+            "asap@2.0.6"
+          ],
           "Layer": {},
           "Locations": [
             {
               "StartLine": 15,
-              "EndLine": 15
+              "EndLine": 20
             }
           ]
         }
       ],
       "Vulnerabilities": [
         {
           "VulnerabilityID": "CVE-2019-11358",
+          "PkgId": "jquery@3.2.1",
           "PkgName": "jquery",
           "InstalledVersion": "3.2.1",
           "FixedVersion": "3.4.0",

diff --git a/pkg/fanal/analyzer/language/nodejs/yarn/testdata/wrong_yarn.lock b/pkg/fanal/analyzer/language/nodejs/yarn/testdata/wrong_yarn.lock
@@ -1,2 +1,2 @@
-  asap@~2.0.6:
+  asap@unsupported:~2.0.6:
   version "2.0.6"
diff --git a/pkg/fanal/analyzer/language/nodejs/yarn/yarn_test.go b/pkg/fanal/analyzer/language/nodejs/yarn/yarn_test.go
@@ -29,34 +29,40 @@ func Test_yarnLibraryAnalyzer_Analyze(t *testing.T) {
 						FilePath: "testdata/happy_yarn.lock",
 						Libraries: []types.Package{
 							{
+								ID:      "asap@2.0.6",
 								Name:    "asap",
 								Version: "2.0.6",
 								Locations: []types.Location{
 									{
 										StartLine: 5,
-										EndLine:   5,
+										EndLine:   8,
 									},
 								},
 							},
 							{
+								ID:      "jquery@3.4.1",
 								Name:    "jquery",
 								Version: "3.4.1",
 								Locations: []types.Location{
 									{
 										StartLine: 10,
-										EndLine:   10,
+										EndLine:   13,
 									},
 								},
 							},
 							{
+								ID:      "promise@8.0.3",
 								Name:    "promise",
 								Version: "8.0.3",
 								Locations: []types.Location{
 									{
 										StartLine: 15,
-										EndLine:   15,
+										EndLine:   20,
 									},
 								},
+								DependsOn: []string{
+									"asap@2.0.6",
+								},
 							},
 						},
 					},