-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(nodejs): add v9 pnpm lock file support #6617
feat(nodejs): add v9 pnpm lock file support #6617
Conversation
!!! note | ||
Trivy currently only supports Lockfile [v6][pnpm-lockfile-v6] or earlier. | ||
#### lock file v9 version | ||
Trivy supports `Dev` field for `pnpm-lock.yaml` v9 or later. Use the `--include-dev-deps` flag to include the developer's dependencies in the result. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have not seen any requests to use Dev
field for version 6.0
or earlier lock files.
But if users want, we can add this in another PR.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks almost good
"strconv" | ||
"strings" | ||
|
||
"github.com/samber/lo" | ||
"golang.org/x/exp/maps" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"golang.org/x/exp/maps" | |
"maps" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is weird, but maps
package doesn't have Values
and Keys
functions:
https://pkg.go.dev/maps
// - "registry.npmjs.org/@babel/generator/7.21.9" => "@babel/generator/7.21.9" | ||
// - "/lodash/4.17.10" => "lodash/4.17.10" | ||
_, depPath, _ = strings.Cut(depPath, "/") | ||
// trimRegistry trims registry (or `/` prefix) for depPath. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
PURL has vcs_url
. I think we should keep this information if it is not registry.npmjs.org
.
https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#npm
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am not sure if using registry URL in package name is correct.
I suggest keeping depPath in ExternalReferences
and check ExternalReferences
in purl for npm:
Lines 425 to 429 in bbaf595
func parseNpm(pkgName string) (string, string) { | |
// the name must be lowercased | |
name := strings.ToLower(pkgName) | |
return parsePkgName(name) | |
} |
e.g.
private.npmjs.org/@babel/[email protected]
=>
ID: "@babel/[email protected]",
Name: "@babel/runtime",
Version: "7.18.3",
Relationship: ftypes.RelationshipIndirect,
ExternalReferences: []ftypes.ExternalRef{
{
Type: ftypes.RefVCS,
URL: "private.npmjs.org/@babel/[email protected]",
},
},
@knqyf263 wdyt?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I meant to suggest using ExternalReferences
. I didn't explain clearly.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I update this logic - 2d50522
take a look, when you have time, please
Description
add v9 pnpm lock file support.
Dev
field used for v9Related issues
Checklist