fix(nodejs): check all importers to detect dev deps from pnpm-lock.yaml file (aquasecurity#7387)
DmitriyLewen authored and fhielpos committed Dec 20, 2024
1 parent e9a2fd7 commit 0882e0a
Showing 4 changed files with 49 additions and 13 deletions.
22 changes: 15 additions & 7 deletions pkg/dependency/parser/nodejs/pnpm/parse.go
Expand Up @@ -37,15 +37,11 @@ type LockFile struct {
Packages map[string]PackageInfo `yaml:"packages,omitempty"`

// V9
Importers Importer `yaml:"importers,omitempty"`
Importers map[string]Importer `yaml:"importers,omitempty"`
Snapshots map[string]Snapshot `yaml:"snapshots,omitempty"`
}

type Importer struct {
Root RootImporter `yaml:".,omitempty"`
}

type RootImporter struct {
Dependencies map[string]ImporterDepVersion `yaml:"dependencies,omitempty"`
DevDependencies map[string]ImporterDepVersion `yaml:"devDependencies,omitempty"`
}
Expand Down Expand Up @@ -167,6 +163,18 @@ func (p *Parser) parseV9(lockFile LockFile) ([]ftypes.Package, []ftypes.Dependen

}

// Parse `Importers` to find all direct dependencies
devDeps := make(map[string]string)
deps := make(map[string]string)
for _, importer := range lockFile.Importers {
for n, v := range importer.DevDependencies {
devDeps[n] = v.Version
}
for n, v := range importer.Dependencies {
deps[n] = v.Version
}
}

for depPath, pkgInfo := range lockFile.Packages {
name, ver, ref := p.parseDepPath(depPath, lockVer)
parsedVer := p.parseVersion(depPath, ver, lockVer)
Expand All @@ -179,10 +187,10 @@ func (p *Parser) parseV9(lockFile LockFile) ([]ftypes.Package, []ftypes.Dependen
// We will update `Dev` field later.
dev := true
relationship := ftypes.RelationshipIndirect
if dep, ok := lockFile.Importers.Root.DevDependencies[name]; ok && dep.Version == ver {
if v, ok := devDeps[name]; ok && p.trimPeerDeps(v, lockVer) == ver {
relationship = ftypes.RelationshipDirect
}
if dep, ok := lockFile.Importers.Root.Dependencies[name]; ok && p.trimPeerDeps(dep.Version, lockVer) == ver {
if v, ok := deps[name]; ok && p.trimPeerDeps(v, lockVer) == ver {
relationship = ftypes.RelationshipDirect
dev = false // mark root direct deps to update `dev` field of their child deps.
}
6 changes: 0 additions & 6 deletions pkg/dependency/parser/nodejs/pnpm/parse_test.go
Expand Up @@ -59,12 +59,6 @@ func TestParse(t *testing.T) {
want: pnpmV9,
wantDeps: pnpmV9Deps,
},
{
name: "v9",
file: "testdata/pnpm-lock_v9.yaml",
want: pnpmV9,
wantDeps: pnpmV9Deps,
},
{
name: "v9 with cyclic dependencies import",
file: "testdata/pnpm-lock_v9_cyclic_import.yaml",
13 changes: 13 additions & 0 deletions pkg/dependency/parser/nodejs/pnpm/parse_testcase.go
Expand Up @@ -752,6 +752,13 @@ var (
Version: "0.4.0",
Relationship: ftypes.RelationshipIndirect,
},
{
ID: "[email protected]",
Name: "await-sleep",
Version: "0.0.1",
Dev: true,
Relationship: ftypes.RelationshipDirect,
},
{
ID: "[email protected]",
Name: "debug",
Expand Down Expand Up @@ -843,6 +850,12 @@ var (
Version: "8.1.0",
Relationship: ftypes.RelationshipDirect,
},
{
ID: "[email protected]",
Name: "sleep-utils",
Version: "1.0.3",
Relationship: ftypes.RelationshipDirect,
},
{
ID: "[email protected]",
Name: "statuses",
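Review bot: The new expected entries for `await-sleep` (Dev, Direct) and `sleep-utils` (Direct) only cover the case where the root and `subdir` importers declare disjoint package sets, so the behaviour of the merged importer maps for a name shared between importers is still unpinned by the tests. A fixture entry where the same package appears in two importers — at different versions, or as a devDependency in one and a dependency in the other — would document which `Relationship` and `Dev` value the parser is expected to produce in that case. The `var (` block holding these entries starts and ends outside the hunk.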
21 changes: 21 additions & 0 deletions pkg/dependency/parser/nodejs/pnpm/testdata/pnpm-lock_v9.yaml
Expand Up @@ -40,6 +40,17 @@ importers:
specifier: 2.0.0
version: 2.0.0

subdir:
dependencies:
sleep-utils:
specifier: 1.0.3
version: 1.0.3

devDependencies:
await-sleep:
specifier: ^0.0.1
version: 0.0.1

packages:

'@babel/[email protected]':
Expand All @@ -52,6 +63,9 @@ packages:
[email protected]:
resolution: {integrity: sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==}

[email protected]:
resolution: {integrity: sha512-H3X3eAxwGpeNIk/yvFOs8g7500Q1YvzrxjSC9TNgLGtjrMFxPwhDdcT34QNs2iGWpZ+5WKkMJdjDoYs+Sw+TaA==}

[email protected]:
resolution: {integrity: sha512-PRWFHuSU3eDtQJPvnNY7Jcket1j0t5OuOsFzPPzsekD52Zl8qUfFIPEiswXqIvHWGVHOgX+7G/vCNNhehwxfkQ==}
engines: {node: '>=6.0'}
Expand Down Expand Up @@ -117,6 +131,9 @@ packages:
[email protected]:
resolution: {integrity: sha512-W04AqnILOL/sPRXziNicCjSNRruLAuIHEOVBazepu0545DDNGYHz7ar9ZgZ1fMU8/MA4mVxp5rkBWRi6OXIy3Q==}

[email protected]:
resolution: {integrity: sha512-uJW7WDHISE1zJIdvoIewcdmis3pBvJhM30rni2gH7fHhV1NkTWLKw3J6CPRFdg3h+rFChFHzAgbkCKUErd4s8Q==}

[email protected]:
resolution: {integrity: sha512-zhSCtt8v2NDrRlPQpCNtw/heZLtfUDqxBM1udqikb/Hbk52LK4nQSwr10u77iopCW5LsyHpuXS0GnEc48mLeew==}
engines: {node: '>= 0.6'}
Expand All @@ -134,6 +151,8 @@ snapshots:

[email protected]: {}

[email protected]: {}

[email protected]([email protected]):
dependencies:
ms: 2.0.0
Expand Down Expand Up @@ -186,6 +205,8 @@ snapshots:
optionalDependencies:
asap: 2.0.6

[email protected]: {}

[email protected]: {}

[email protected]: {}
