Skip to content

Commit

Permalink
chore(deps): merge go-dep-parser into Trivy (#6094)
Browse files Browse the repository at this point in the history
Signed-off-by: Arunprasad Rajkumar <arajkuma@redhat.com>
Signed-off-by: guoguangwu <guoguangwu@magic-shield.com>
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: knqyf263 <knqyf263@gmail.com>
Co-authored-by: Masahiro <mur4m4s4.331@gmail.com>
Co-authored-by: Tomoya Amachi <tomoya.amachi@gmail.com>
Co-authored-by: Masahiro <lomycisw@gmail.com>
Co-authored-by: Liz Rice <liz@lizrice.com>
Co-authored-by: Johannes <johannes@jitesoft.com>
Co-authored-by: aprp <doelaudi@gmail.com>
Co-authored-by: rahul2393 <rahulyadavsep92@gmail.com>
Co-authored-by: Arunprasad Rajkumar <ar.arunprasad@gmail.com>
Co-authored-by: Emrecan BATI <emrecanbati@gmail.com>
Co-authored-by: sherif84 <12298259+sherif84@users.noreply.github.com>
Co-authored-by: Sherif Fathalla <sfathall@akamai.com>
Co-authored-by: sherif <sherif.mailbox@gmail.com>
Co-authored-by: Sam Lane <samuel.lane@hotmail.com>
Co-authored-by: Ankush K <akhobragade@gmail.com>
Co-authored-by: Ankush K <akhobragade42@gmail.com>
Co-authored-by: Tauseef <tauseefmlk@gmail.com>
Co-authored-by: Daniel <danfaizer@gmail.com>
Co-authored-by: Matthieu MOREL <mmorel-35@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: afdesk <work@afdesk.com>
Co-authored-by: AndreyLevchenko <levchenko.andrey@gmail.com>
Co-authored-by: Kobus van Schoor <10784365+kobus-v-schoor@users.noreply.github.com>
Co-authored-by: Jan-Otto Kröpke <github@jkroepke.de>
Co-authored-by: jerbob92 <jerbob92@users.noreply.github.com>
Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
Co-authored-by: Shira Cohen <97398476+ShiraCohen33@users.noreply.github.com>
Co-authored-by: astevenson-microsoft <78623826+astevenson-microsoft@users.noreply.github.com>
Co-authored-by: Kyriakos Georgiou <kgeorgiou@users.noreply.github.com>
Co-authored-by: mycodeself <mycodeself@users.noreply.github.com>
Co-authored-by: DavidSalame <75929252+davidsalame1@users.noreply.github.com>
Co-authored-by: Tom Fay <tom@teamfay.co.uk>
Co-authored-by: Tom Fay <tomfay@microsoft.com>
Co-authored-by: François Poirotte <fpoirotte@users.noreply.github.com>
Co-authored-by: Guy Ben-Aharon <baguy3@gmail.com>
Co-authored-by: Catminusminus <37803616+Catminusminus@users.noreply.github.com>
Co-authored-by: Lior Vaisman Argon <97836016+VaismanLior@users.noreply.github.com>
Co-authored-by: Matthieu Maitre <mmaitre@microsoft.com>
Co-authored-by: Andrea Scarpino <andrea@scarpino.dev>
Co-authored-by: MorAlon1 <101275199+MorAlon1@users.noreply.github.com>
Co-authored-by: liorj-orca <96177663+liorj-orca@users.noreply.github.com>
Co-authored-by: Nikita Pivkin <100182843+nikpivkin@users.noreply.github.com>
Co-authored-by: guangwu <guoguangwu@magic-shield.com>
Co-authored-by: Nikita Pivkin <nikita.pivkin@smartforce.io>
Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
Co-authored-by: yuriShafet <5830215+yuriShafet@users.noreply.github.com>
Co-authored-by: Octogonapus <firey45@gmail.com>
  • Loading branch information
Show file tree
Hide file tree
Showing 384 changed files with 63,319 additions and 79 deletions.
1 change: 1 addition & 0 deletions .golangci.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ linters-settings:
locale: US
ignore-words:
- licence
- optimise
gosec:
excludes:
- G101
Expand Down
12 changes: 6 additions & 6 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,6 @@ require (
github.com/NYTimes/gziphandler v1.1.1
github.com/alicebob/miniredis/v2 v2.31.1
github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
github.com/aquasecurity/go-dep-parser v0.0.0-20240208080026-8cc7d408bce4
github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
Expand All @@ -35,6 +34,7 @@ require (
github.com/aws/aws-sdk-go-v2/service/ecr v1.24.6
github.com/aws/aws-sdk-go-v2/service/s3 v1.48.1
github.com/aws/aws-sdk-go-v2/service/sts v1.26.7
github.com/bitnami/go-version v0.0.0-20231130084017-bb00604d650c
github.com/bmatcuk/doublestar/v4 v4.6.1
github.com/cenkalti/backoff v2.2.1+incompatible
github.com/cheggaaa/pb/v3 v3.1.4
Expand All @@ -55,6 +55,7 @@ require (
github.com/google/wire v0.5.0
github.com/hashicorp/go-getter v1.7.3
github.com/hashicorp/go-multierror v1.1.1
github.com/hashicorp/go-retryablehttp v0.7.5
github.com/hashicorp/golang-lru/v2 v2.0.6
github.com/in-toto/in-toto-golang v0.9.0
github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f
Expand All @@ -63,6 +64,7 @@ require (
github.com/knqyf263/go-rpmdb v0.0.0-20231008124120-ac49267ab4e1
github.com/knqyf263/nested v0.0.1
github.com/kylelemons/godebug v1.1.0
github.com/liamg/jfather v0.0.7
github.com/magefile/mage v1.15.0
github.com/mailru/easyjson v0.7.7
github.com/masahiro331/go-disk v0.0.0-20220919035250-c8da316f91ac
Expand All @@ -72,6 +74,7 @@ require (
github.com/masahiro331/go-vmdk-parser v0.0.0-20221225061455-612096e4bbbd
github.com/masahiro331/go-xfs-filesystem v0.0.0-20230608043311-a335f4599b70
github.com/mattn/go-shellwords v1.0.12
github.com/microsoft/go-rustaudit v0.0.0-20220808201409-204dfee52032
github.com/mitchellh/hashstructure/v2 v2.0.2
github.com/mitchellh/mapstructure v1.5.0
github.com/moby/buildkit v0.12.5
Expand Down Expand Up @@ -104,6 +107,7 @@ require (
go.uber.org/zap v1.26.0
golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa
golang.org/x/mod v0.14.0
golang.org/x/net v0.20.0
golang.org/x/sync v0.6.0
golang.org/x/term v0.16.0
golang.org/x/text v0.14.0
Expand All @@ -120,19 +124,16 @@ require (
github.com/antchfx/htmlquery v1.3.0
github.com/apparentlymart/go-cidr v1.1.0
github.com/aws/smithy-go v1.19.0
github.com/bitnami/go-version v0.0.0-20231130084017-bb00604d650c
github.com/hashicorp/go-uuid v1.0.3
github.com/hashicorp/go-uuid v1.0.1
github.com/hashicorp/hcl/v2 v2.19.1
github.com/liamg/iamgo v0.0.9
github.com/liamg/jfather v0.0.7
github.com/liamg/memoryfs v1.6.0
github.com/mitchellh/go-homedir v1.1.0
github.com/olekukonko/tablewriter v0.0.5
github.com/owenrumney/squealer v1.2.1
github.com/zclconf/go-cty v1.13.0
github.com/zclconf/go-cty-yaml v1.0.3
golang.org/x/crypto v0.18.0
golang.org/x/net v0.20.0
helm.sh/helm/v3 v3.14.1
)

Expand Down Expand Up @@ -318,7 +319,6 @@ require (
github.com/mattn/go-isatty v0.0.19 // indirect
github.com/mattn/go-runewidth v0.0.14 // indirect
github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect
github.com/microsoft/go-rustaudit v0.0.0-20220808201409-204dfee52032 // indirect
github.com/miekg/dns v1.1.53 // indirect
github.com/mitchellh/copystructure v1.2.0 // indirect
github.com/mitchellh/go-testing-interface v1.14.1 // indirect
Expand Down
8 changes: 4 additions & 4 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -325,8 +325,6 @@ github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew
github.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4=
github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30xLN2sUZcMXl50hg+PJCIDdJgIvIbVcKqLJ/ZrtM=
github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
github.com/aquasecurity/go-dep-parser v0.0.0-20240208080026-8cc7d408bce4 h1:6qs80w4qPbPnF6GhbIifSANqfCrq90CKtSUBaw6p0z0=
github.com/aquasecurity/go-dep-parser v0.0.0-20240208080026-8cc7d408bce4/go.mod h1:P0PmelcN1ABKJrDzRbPnn6hK7RvgI+xmjiV/9uPaNnY=
github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=
github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce/go.mod h1:HXgVzOPvXhVGLJs4ZKO817idqr/xhwsTcj17CLYY74s=
github.com/aquasecurity/go-mock-aws v0.0.0-20240109054747-49e4b5da33cb h1:dNxUB2bSbiLGNYcXkbBKrrfuY96+dXhA9FahEFZ4THQ=
Expand Down Expand Up @@ -1084,6 +1082,9 @@ github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9n
github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
github.com/hashicorp/go-getter v1.7.3 h1:bN2+Fw9XPFvOCjB0UOevFIMICZ7G2XSQHzfvLUyOM5E=
github.com/hashicorp/go-getter v1.7.3/go.mod h1:W7TalhMmbPmsSMdNjD0ZskARur/9GJ17cfHTRtXV744=
github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
github.com/hashicorp/go-hclog v1.5.0 h1:bI2ocEMgcVlz55Oj1xZNBsVi900c7II+fWDyV9o+13c=
github.com/hashicorp/go-hclog v1.5.0/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM=
github.com/hashicorp/go-multierror v0.0.0-20161216184304-ed905158d874/go.mod h1:JMRHfdO9jKNzS/+BTlxCjKNQHg/jZAft8U7LloJvN7I=
Expand All @@ -1098,9 +1099,8 @@ github.com/hashicorp/go-safetemp v1.0.0/go.mod h1:oaerMy3BhqiTbVye6QuFhFtIceqFoD
github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU=
github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4=
github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
github.com/hashicorp/go-uuid v1.0.1 h1:fv1ep09latC32wFoVwnqcnKJGnMSdBanPczbHAYm1BE=
github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
github.com/hashicorp/go-version v1.6.0 h1:feTTfFNnjP967rlCxM/I9g701jU+RN74YKx2mOkIeek=
github.com/hashicorp/go-version v1.6.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90=
Expand Down
133 changes: 133 additions & 0 deletions pkg/dependency/parser/c/conan/parse.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,133 @@
package conan

import (
"fmt"
"io"
"strings"

"github.com/liamg/jfather"
"golang.org/x/exp/slices"
"golang.org/x/xerrors"

dio "github.com/aquasecurity/trivy/pkg/dependency/parser/io"
"github.com/aquasecurity/trivy/pkg/dependency/parser/log"
"github.com/aquasecurity/trivy/pkg/dependency/parser/types"
)

type LockFile struct {
GraphLock GraphLock `json:"graph_lock"`
}

type GraphLock struct {
Nodes map[string]Node `json:"nodes"`
}

type Node struct {
Ref string `json:"ref"`
Requires []string `json:"requires"`
StartLine int
EndLine int
}

type Parser struct{}

func NewParser() types.Parser {
return &Parser{}
}

func (p *Parser) Parse(r dio.ReadSeekerAt) ([]types.Library, []types.Dependency, error) {
var lock LockFile
input, err := io.ReadAll(r)
if err != nil {
return nil, nil, xerrors.Errorf("failed to read canon lock file: %w", err)
}
if err := jfather.Unmarshal(input, &lock); err != nil {
return nil, nil, xerrors.Errorf("failed to decode canon lock file: %w", err)
}

// Get a list of direct dependencies
var directDeps []string
if root, ok := lock.GraphLock.Nodes["0"]; ok {
directDeps = root.Requires
}

// Parse packages
parsed := make(map[string]types.Library)
for i, node := range lock.GraphLock.Nodes {
if node.Ref == "" {
continue
}
lib, err := parseRef(node)
if err != nil {
log.Logger.Debug(err)
continue
}

// Determine if the package is a direct dependency or not
direct := slices.Contains(directDeps, i)
lib.Indirect = !direct

parsed[i] = lib
}

// Parse dependency graph
var libs []types.Library
var deps []types.Dependency
for i, node := range lock.GraphLock.Nodes {
lib, ok := parsed[i]
if !ok {
continue
}

var childDeps []string
for _, req := range node.Requires {
if child, ok := parsed[req]; ok {
childDeps = append(childDeps, child.ID)
}
}
if len(childDeps) != 0 {
deps = append(deps, types.Dependency{
ID: lib.ID,
DependsOn: childDeps,
})
}

libs = append(libs, lib)
}
return libs, deps, nil
}

func parseRef(node Node) (types.Library, error) {
// full ref format: package/version@user/channel#rrev:package_id#prev
// various examples:
// 'pkga/0.1@user/testing'
// 'pkgb/0.1.0'
// 'pkgc/system'
// 'pkgd/0.1.0#7dcb50c43a5a50d984c2e8fa5898bf18'
ss := strings.Split(strings.Split(strings.Split(node.Ref, "@")[0], "#")[0], "/")
if len(ss) != 2 {
return types.Library{}, xerrors.Errorf("Unable to determine conan dependency: %q", node.Ref)
}
return types.Library{
ID: fmt.Sprintf("%s/%s", ss[0], ss[1]),
Name: ss[0],
Version: ss[1],
Locations: []types.Location{
{
StartLine: node.StartLine,
EndLine: node.EndLine,
},
},
}, nil
}

// UnmarshalJSONWithMetadata needed to detect start and end lines of deps
func (n *Node) UnmarshalJSONWithMetadata(node jfather.Node) error {
if err := node.Decode(&n); err != nil {
return err
}
// Decode func will overwrite line numbers if we save them first
n.StartLine = node.Range().Start.Line
n.EndLine = node.Range().End.Line
return nil
}
139 changes: 139 additions & 0 deletions pkg/dependency/parser/c/conan/parse_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,139 @@
package conan_test

import (
"os"
"sort"
"strings"
"testing"

"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"

"github.com/aquasecurity/trivy/pkg/dependency/parser/c/conan"
"github.com/aquasecurity/trivy/pkg/dependency/parser/types"
)

func TestParse(t *testing.T) {
tests := []struct {
name string
inputFile string // Test input file
wantLibs []types.Library
wantDeps []types.Dependency
}{
{
name: "happy path",
inputFile: "testdata/happy.lock",
wantLibs: []types.Library{
{
ID: "pkga/0.0.1",
Name: "pkga",
Version: "0.0.1",
Locations: []types.Location{
{
StartLine: 13,
EndLine: 22,
},
},
},
{
ID: "pkgb/system",
Name: "pkgb",
Version: "system",
Indirect: true,
Locations: []types.Location{
{
StartLine: 23,
EndLine: 29,
},
},
},
{
ID: "pkgc/0.1.1",
Name: "pkgc",
Version: "0.1.1",
Locations: []types.Location{
{
StartLine: 30,
EndLine: 35,
},
},
},
},
wantDeps: []types.Dependency{
{
ID: "pkga/0.0.1",
DependsOn: []string{
"pkgb/system",
},
},
},
},
{
name: "happy path. lock file with revisions support",
inputFile: "testdata/happy2.lock",
wantLibs: []types.Library{
{
ID: "openssl/3.0.3",
Name: "openssl",
Version: "3.0.3",
Locations: []types.Location{
{
StartLine: 12,
EndLine: 22,
},
},
},
{
ID: "zlib/1.2.12",
Name: "zlib",
Version: "1.2.12",
Indirect: true,
Locations: []types.Location{
{
StartLine: 23,
EndLine: 30,
},
},
},
},
wantDeps: []types.Dependency{
{
ID: "openssl/3.0.3",
DependsOn: []string{
"zlib/1.2.12",
},
},
},
},
{
name: "happy path. lock file without dependencies",
inputFile: "testdata/empty.lock",
},
{
name: "sad path. wrong ref format",
inputFile: "testdata/sad.lock",
},
}

for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
f, err := os.Open(tt.inputFile)
require.NoError(t, err)
defer f.Close()

gotLibs, gotDeps, err := conan.NewParser().Parse(f)
require.NoError(t, err)

sort.Slice(gotLibs, func(i, j int) bool {
ret := strings.Compare(gotLibs[i].Name, gotLibs[j].Name)
if ret != 0 {
return ret < 0
}
return gotLibs[i].Version < gotLibs[j].Version
})

assert.Equal(t, tt.wantLibs, gotLibs)
assert.Equal(t, tt.wantDeps, gotDeps)
})
}
}
Loading

0 comments on commit 74dc5b6

Please sign in to comment.