feat(npm): handle aliases in package-lock.json (#1349)

2026-02-12 02:26:42 +01:00 · 2022-11-20 16:32:10 +00:00 · 2022-11-20 16:32:10 +00:00 · 04880c06ce
commit 04880c06ce
parent da4b2df576
5 changed files with 157 additions and 2 deletions
--- a/syft/pkg/cataloger/javascript/package.go
+++ b/syft/pkg/cataloger/javascript/package.go
@ -44,14 +44,29 @@ func newPackageJSONPackage(u packageJSON, locations ...source.Location) pkg.Pack
 }

 func newPackageLockV1Package(resolver source.FileResolver, location source.Location, name string, u lockDependency) pkg.Package {
+	version := u.Version
+
+	const aliasPrefixPackageLockV1 = "npm:"
+
+	// Handles type aliases https://github.com/npm/rfcs/blob/main/implemented/0001-package-aliases.md
+	if strings.HasPrefix(version, aliasPrefixPackageLockV1) {
+		// this is an alias.
+		// `"version": "npm:canonical-name@X.Y.Z"`
+		canonicalPackageAndVersion := version[len(aliasPrefixPackageLockV1):]
+		versionSeparator := strings.LastIndex(canonicalPackageAndVersion, "@")
+
+		name = canonicalPackageAndVersion[:versionSeparator]
+		version = canonicalPackageAndVersion[versionSeparator+1:]
+	}
+
 	return finalizeLockPkg(
 		resolver,
 		location,
 		pkg.Package{
 			Name:      name,
-			Version:   u.Version,
+			Version:   version,
 			Locations: source.NewLocationSet(location),
-			PURL:      packageURL(name, u.Version),
+			PURL:      packageURL(name, version),
 			Language:  pkg.JavaScript,
 			Type:      pkg.NpmPkg,
 		},
--- a/syft/pkg/cataloger/javascript/parse_package_lock.go
+++ b/syft/pkg/cataloger/javascript/parse_package_lock.go
@ -75,6 +75,11 @@ func parsePackageLock(resolver source.FileResolver, _ *generic.Environment, read
 				}
 			}

+			// handles alias names
+			if pkgMeta.Name != "" {
+				name = pkgMeta.Name
+			}
+
 			pkgs = append(pkgs, newPackageLockV2Package(resolver, reader.Location, getNameFromPath(name), pkgMeta))
 		}
 	}
--- a/syft/pkg/cataloger/javascript/parse_package_lock_test.go
+++ b/syft/pkg/cataloger/javascript/parse_package_lock_test.go
@ -193,3 +193,57 @@ func TestParsePackageLockV3(t *testing.T) {
 	}
 	pkgtest.TestFileParser(t, fixture, parsePackageLock, expectedPkgs, expectedRelationships)
 }
+
+func TestParsePackageLockAlias(t *testing.T) {
+	var expectedRelationships []artifact.Relationship
+	commonPkgs := []pkg.Package{
+		{
+			Name:     "case",
+			Version:  "1.6.2",
+			PURL:     "pkg:npm/case@1.6.2",
+			Language: pkg.JavaScript,
+			Type:     pkg.NpmPkg,
+		},
+		{
+			Name:     "case",
+			Version:  "1.6.3",
+			PURL:     "pkg:npm/case@1.6.3",
+			Language: pkg.JavaScript,
+			Type:     pkg.NpmPkg,
+		},
+		{
+			Name:     "@bundled-es-modules/chai",
+			Version:  "4.2.2",
+			PURL:     "pkg:npm/%40bundled-es-modules/chai@4.2.2",
+			Language: pkg.JavaScript,
+			Type:     pkg.NpmPkg,
+		},
+	}
+
+	v2Pkg := pkg.Package{
+		Name:     "alias-check",
+		Version:  "1.0.0",
+		PURL:     "pkg:npm/alias-check@1.0.0",
+		Language: pkg.JavaScript,
+		Type:     pkg.NpmPkg,
+		Licenses: []string{"ISC"},
+	}
+
+	packageLockV1 := "test-fixtures/pkg-lock/alias-package-lock-1.json"
+	packageLockV2 := "test-fixtures/pkg-lock/alias-package-lock-2.json"
+	packageLocks := []string{packageLockV1, packageLockV2}
+
+	for _, packageLock := range packageLocks {
+		expected := make([]pkg.Package, len(commonPkgs))
+		copy(expected, commonPkgs)
+
+		if packageLock == packageLockV2 {
+			expected = append(expected, v2Pkg)
+		}
+
+		for i := range expected {
+			expected[i].Locations.Add(source.NewLocation(packageLock))
+		}
+		pkgtest.TestFileParser(t, packageLock, parsePackageLock, expected, expectedRelationships)
+	}
+}
--- a/syft/pkg/cataloger/javascript/test-fixtures/pkg-lock/alias-package-lock-1.json
+++ b/syft/pkg/cataloger/javascript/test-fixtures/pkg-lock/alias-package-lock-1.json
@ -0,0 +1,23 @@
+{
+  "name": "alias-check",
+  "version": "1.0.0",
+  "lockfileVersion": 1,
+  "requires": true,
+  "dependencies": {
+    "case": {
+      "version": "1.6.2",
+      "resolved": "https://registry.npmjs.org/case/-/case-1.6.2.tgz",
+      "integrity": "sha512-ll380ZRoraT7mUK2G92UbH+FJVD5AwdVIAYk9xhV1tauh0carDgYByUD1HhjCWsWgxrfQvCeHvtfj7IYR6TKeg=="
+    },
+    "case-alias": {
+      "version": "npm:case@1.6.3",
+      "resolved": "https://registry.npmjs.org/case/-/case-1.6.3.tgz",
+      "integrity": "sha512-mzDSXIPaFwVDvZAHqZ9VlbyF4yyXRuX6IvB06WvPYkqJVO24kX1PPhv9bfpKNFZyxYFmmgo03HUiD8iklmJYRQ=="
+    },
+    "chai": {
+      "version": "npm:@bundled-es-modules/chai@4.2.2",
+      "resolved": "https://registry.npmjs.org/@bundled-es-modules/chai/-/chai-4.2.2.tgz",
+      "integrity": "sha512-iGmVYw2/zJCoqyKTtWEYCtFmMyi8WmACQKtky0lpNyEKWX0YIOpKWGD7saMXL+tPpllss0otilxV0SLwyi3Ytg=="
+    }
+  }
+}
--- a/syft/pkg/cataloger/javascript/test-fixtures/pkg-lock/alias-package-lock-2.json
+++ b/syft/pkg/cataloger/javascript/test-fixtures/pkg-lock/alias-package-lock-2.json
@ -0,0 +1,58 @@
+{
+  "name": "alias-check",
+  "version": "1.0.0",
+  "lockfileVersion": 2,
+  "requires": true,
+  "packages": {
+    "": {
+      "name": "alias-check",
+      "version": "1.0.0",
+      "license": "ISC",
+      "dependencies": {
+        "case": "1.6.2",
+        "case-alias": "npm:case@^1.6.3",
+        "chai": "npm:@bundled-es-modules/chai@^4.2.2"
+      }
+    },
+    "node_modules/case": {
+      "version": "1.6.2",
+      "resolved": "https://registry.npmjs.org/case/-/case-1.6.2.tgz",
+      "integrity": "sha512-ll380ZRoraT7mUK2G92UbH+FJVD5AwdVIAYk9xhV1tauh0carDgYByUD1HhjCWsWgxrfQvCeHvtfj7IYR6TKeg==",
+      "engines": {
+        "node": ">= 0.8.0"
+      }
+    },
+    "node_modules/case-alias": {
+      "name": "case",
+      "version": "1.6.3",
+      "resolved": "https://registry.npmjs.org/case/-/case-1.6.3.tgz",
+      "integrity": "sha512-mzDSXIPaFwVDvZAHqZ9VlbyF4yyXRuX6IvB06WvPYkqJVO24kX1PPhv9bfpKNFZyxYFmmgo03HUiD8iklmJYRQ==",
+      "engines": {
+        "node": ">= 0.8.0"
+      }
+    },
+    "node_modules/chai": {
+      "name": "@bundled-es-modules/chai",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@bundled-es-modules/chai/-/chai-4.2.2.tgz",
+      "integrity": "sha512-iGmVYw2/zJCoqyKTtWEYCtFmMyi8WmACQKtky0lpNyEKWX0YIOpKWGD7saMXL+tPpllss0otilxV0SLwyi3Ytg=="
+    }
+  },
+  "dependencies": {
+    "case": {
+      "version": "1.6.2",
+      "resolved": "https://registry.npmjs.org/case/-/case-1.6.2.tgz",
+      "integrity": "sha512-ll380ZRoraT7mUK2G92UbH+FJVD5AwdVIAYk9xhV1tauh0carDgYByUD1HhjCWsWgxrfQvCeHvtfj7IYR6TKeg=="
+    },
+    "case-alias": {
+      "version": "npm:case@1.6.3",
+      "resolved": "https://registry.npmjs.org/case/-/case-1.6.3.tgz",
+      "integrity": "sha512-mzDSXIPaFwVDvZAHqZ9VlbyF4yyXRuX6IvB06WvPYkqJVO24kX1PPhv9bfpKNFZyxYFmmgo03HUiD8iklmJYRQ=="
+    },
+    "chai": {
+      "version": "npm:@bundled-es-modules/chai@4.2.2",
+      "resolved": "https://registry.npmjs.org/@bundled-es-modules/chai/-/chai-4.2.2.tgz",
+      "integrity": "sha512-iGmVYw2/zJCoqyKTtWEYCtFmMyi8WmACQKtky0lpNyEKWX0YIOpKWGD7saMXL+tPpllss0otilxV0SLwyi3Ytg=="
+    }
+  }
+}