oss/syft
2
0
Fork 0
mirror of https://github.com/anchore/syft.git synced 2026-02-12 10:36:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

feat: exclude devDependencies from package-lock.json parsing (#3371)

Browse Source 
Signed-off-by: Nathan Voss <njvoss299@gmail.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Co-authored-by: Keith Zantow <kzantow@gmail.com>
This commit is contained in:
Nathan Voss 2024-10-30 09:02:27 -07:00 committed by GitHub
parent df3998b4f1
commit a55b71d4ef
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
8 changed files with 56 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
cmd/syft/internal/options/catalog.go
View File

@ -166,6 +166,7 @@ func (cfg Catalog) ToPackagesConfig() pkgcataloging.Config {
WithFromLDFlags(cfg.Golang.MainModuleVersion.FromLDFlags), WithFromLDFlags(cfg.Golang.MainModuleVersion.FromLDFlags),
), ),
JavaScript: javascript.DefaultCatalogerConfig(). JavaScript: javascript.DefaultCatalogerConfig().
WithIncludeDevDependencies(*multiLevelOption(false, cfg.JavaScript.IncludeDevDependencies)).
WithSearchRemoteLicenses(*multiLevelOption(false, enrichmentEnabled(cfg.Enrich, task.JavaScript, task.Node, task.NPM), cfg.JavaScript.SearchRemoteLicenses)). WithSearchRemoteLicenses(*multiLevelOption(false, enrichmentEnabled(cfg.Enrich, task.JavaScript, task.Node, task.NPM), cfg.JavaScript.SearchRemoteLicenses)).
WithNpmBaseURL(cfg.JavaScript.NpmBaseURL), WithNpmBaseURL(cfg.JavaScript.NpmBaseURL),
LinuxKernel: kernel.LinuxKernelCatalogerConfig{ LinuxKernel: kernel.LinuxKernelCatalogerConfig{

2
cmd/syft/internal/options/javascript.go
View File

@ -5,6 +5,7 @@ import "github.com/anchore/clio"
type javaScriptConfig struct { type javaScriptConfig struct {
SearchRemoteLicenses *bool `json:"search-remote-licenses" yaml:"search-remote-licenses" mapstructure:"search-remote-licenses"` SearchRemoteLicenses *bool `json:"search-remote-licenses" yaml:"search-remote-licenses" mapstructure:"search-remote-licenses"`
NpmBaseURL string `json:"npm-base-url" yaml:"npm-base-url" mapstructure:"npm-base-url"` NpmBaseURL string `json:"npm-base-url" yaml:"npm-base-url" mapstructure:"npm-base-url"`
IncludeDevDependencies *bool `json:"include-dev-dependencies" yaml:"include-dev-dependencies" mapstructure:"include-dev-dependencies"`
} }
var _ interface { var _ interface {
@ -14,4 +15,5 @@ var _ interface {
func (o *javaScriptConfig) DescribeFields(descriptions clio.FieldDescriptionSet) { func (o *javaScriptConfig) DescribeFields(descriptions clio.FieldDescriptionSet) {
descriptions.Add(&o.SearchRemoteLicenses, `enables Syft to use the network to fill in more detailed license information`) descriptions.Add(&o.SearchRemoteLicenses, `enables Syft to use the network to fill in more detailed license information`)
descriptions.Add(&o.NpmBaseURL, `base NPM url to use`) descriptions.Add(&o.NpmBaseURL, `base NPM url to use`)
descriptions.Add(&o.IncludeDevDependencies, `include development-scoped dependencies`)
} }

2
cmd/syft/internal/test/integration/node_packages_test.go
View File

@ -25,7 +25,7 @@ func TestNpmPackageLockDirectory(t *testing.T) {
} }
// ensure that integration test commonTestCases stay in sync with the available catalogers // ensure that integration test commonTestCases stay in sync with the available catalogers
const expectedPackageCount = 6 const expectedPackageCount = 2
if foundPackages.Size() != expectedPackageCount { if foundPackages.Size() != expectedPackageCount {
t.Errorf("found the wrong set of npm package-lock.json packages (expected: %d, actual: %d)", expectedPackageCount, foundPackages.Size()) t.Errorf("found the wrong set of npm package-lock.json packages (expected: %d, actual: %d)", expectedPackageCount, foundPackages.Size())
} }

6
syft/pkg/cataloger/javascript/config.go
View File

@ -5,6 +5,7 @@ const npmBaseURL = "https://registry.npmjs.org"
type CatalogerConfig struct { type CatalogerConfig struct {
SearchRemoteLicenses bool `json:"search-remote-licenses" yaml:"search-remote-licenses" mapstructure:"search-remote-licenses"` SearchRemoteLicenses bool `json:"search-remote-licenses" yaml:"search-remote-licenses" mapstructure:"search-remote-licenses"`
NPMBaseURL string `json:"npm-base-url" yaml:"npm-base-url" mapstructure:"npm-base-url"` NPMBaseURL string `json:"npm-base-url" yaml:"npm-base-url" mapstructure:"npm-base-url"`
IncludeDevDependencies bool `json:"include-dev-dependencies" yaml:"include-dev-dependencies" mapstructure:"include-dev-dependencies"`
} }
func DefaultCatalogerConfig() CatalogerConfig { func DefaultCatalogerConfig() CatalogerConfig {
@ -25,3 +26,8 @@ func (j CatalogerConfig) WithNpmBaseURL(input string) CatalogerConfig {
} }
return j return j
} }
func (j CatalogerConfig) WithIncludeDevDependencies(input bool) CatalogerConfig {
j.IncludeDevDependencies = input
return j
}

12
syft/pkg/cataloger/javascript/parse_package_lock.go
View File

@ -29,6 +29,7 @@ type lockDependency struct {
Version string `json:"version"` Version string `json:"version"`
Resolved string `json:"resolved"` Resolved string `json:"resolved"`
Integrity string `json:"integrity"` Integrity string `json:"integrity"`
Dev bool `json:"dev"`
} }
type lockPackage struct { type lockPackage struct {
@ -37,6 +38,7 @@ type lockPackage struct {
Resolved string `json:"resolved"` Resolved string `json:"resolved"`
Integrity string `json:"integrity"` Integrity string `json:"integrity"`
License packageLockLicense `json:"license"` License packageLockLicense `json:"license"`
Dev bool `json:"dev"`
} }
// packageLockLicense // packageLockLicense
@ -74,6 +76,11 @@ func (a genericPackageLockAdapter) parsePackageLock(_ context.Context, resolver
if lock.LockfileVersion == 1 { if lock.LockfileVersion == 1 {
for name, pkgMeta := range lock.Dependencies { for name, pkgMeta := range lock.Dependencies {
// skip packages that are only present as a dev dependency
if !a.cfg.IncludeDevDependencies && pkgMeta.Dev {
continue
}
pkgs = append(pkgs, newPackageLockV1Package(a.cfg, resolver, reader.Location, name, pkgMeta)) pkgs = append(pkgs, newPackageLockV1Package(a.cfg, resolver, reader.Location, name, pkgMeta))
} }
} }
@ -87,6 +94,11 @@ func (a genericPackageLockAdapter) parsePackageLock(_ context.Context, resolver
name = pkgMeta.Name name = pkgMeta.Name
} }
// skip packages that are only present as a dev dependency
if !a.cfg.IncludeDevDependencies && pkgMeta.Dev {
continue
}
// handles alias names // handles alias names
if pkgMeta.Name != "" { if pkgMeta.Name != "" {
name = pkgMeta.Name name = pkgMeta.Name

15
syft/pkg/cataloger/javascript/test-fixtures/pkg-lock/package-lock-2.json
View File

@ -9,6 +9,9 @@
"version": "6.14.6", "version": "6.14.6",
"dependencies": { "dependencies": {
"@types/react": "^18.0.9" "@types/react": "^18.0.9"
},
"devDependencies": {
"async": "^3.2.4"
} }
}, },
"node_modules/@types/prop-types": { "node_modules/@types/prop-types": {
@ -39,6 +42,12 @@
"resolved": "https://registry.npmjs.org/csstype/-/csstype-3.1.0.tgz", "resolved": "https://registry.npmjs.org/csstype/-/csstype-3.1.0.tgz",
"integrity": "sha1-TdysNxjXh8+d8NG30VAzklyPKfI=", "integrity": "sha1-TdysNxjXh8+d8NG30VAzklyPKfI=",
"license": "MIT" "license": "MIT"
},
"node_modules/async": {
"version": "3.2.4",
"resolved": "https://registry.npmjs.org/async/-/async-3.2.4.tgz",
"integrity": "sha512-iAB+JbDEGXhyIUavoDl9WP/Jj106Kz9DEn1DPgYw5ruDn0e3Wgi3sKFm55sASdGBNOQB8F59d9qQ7deqrHA8wQ==",
"dev": true
} }
}, },
"dependencies": { "dependencies": {
@ -66,6 +75,12 @@
"version": "3.1.0", "version": "3.1.0",
"resolved": "https://registry.npmjs.org/csstype/-/csstype-3.1.0.tgz", "resolved": "https://registry.npmjs.org/csstype/-/csstype-3.1.0.tgz",
"integrity": "sha1-TdysNxjXh8+d8NG30VAzklyPKfI=" "integrity": "sha1-TdysNxjXh8+d8NG30VAzklyPKfI="
},
"async": {
"version": "3.2.4",
"resolved": "https://registry.npmjs.org/async/-/async-3.2.4.tgz",
"integrity": "sha512-iAB+JbDEGXhyIUavoDl9WP/Jj106Kz9DEn1DPgYw5ruDn0e3Wgi3sKFm55sASdGBNOQB8F59d9qQ7deqrHA8wQ==",
"dev": true
} }
} }
} }

9
syft/pkg/cataloger/javascript/test-fixtures/pkg-lock/package-lock-3.json
View File

@ -9,6 +9,9 @@
"version": "1.0.0", "version": "1.0.0",
"dependencies": { "dependencies": {
"@types/react": "^18.0.9" "@types/react": "^18.0.9"
},
"devDependencies": {
"async": "^3.2.4"
} }
}, },
"node_modules/@types/prop-types": { "node_modules/@types/prop-types": {
@ -35,6 +38,12 @@
"version": "3.1.1", "version": "3.1.1",
"resolved": "https://registry.npmjs.org/csstype/-/csstype-3.1.1.tgz", "resolved": "https://registry.npmjs.org/csstype/-/csstype-3.1.1.tgz",
"integrity": "sha512-DJR/VvkAvSZW9bTouZue2sSxDwdTN92uHjqeKVm+0dAqdfNykRzQ95tay8aXMBAAPpUiq4Qcug2L7neoRh2Egw==" "integrity": "sha512-DJR/VvkAvSZW9bTouZue2sSxDwdTN92uHjqeKVm+0dAqdfNykRzQ95tay8aXMBAAPpUiq4Qcug2L7neoRh2Egw=="
},
"node_modules/async": {
"version": "3.2.4",
"resolved": "https://registry.npmjs.org/async/-/async-3.2.4.tgz",
"integrity": "sha512-iAB+JbDEGXhyIUavoDl9WP/Jj106Kz9DEn1DPgYw5ruDn0e3Wgi3sKFm55sASdGBNOQB8F59d9qQ7deqrHA8wQ==",
"dev": true
} }
} }
} }

6
syft/pkg/cataloger/javascript/test-fixtures/pkg-lock/package-lock.json generated
View File

@ -76,6 +76,12 @@
"version": "0.0.3", "version": "0.0.3",
"resolved": "https://registry.npmjs.org/wordwrap/-/wordwrap-0.0.3.tgz", "resolved": "https://registry.npmjs.org/wordwrap/-/wordwrap-0.0.3.tgz",
"integrity": "sha1-o9XabNXAvAAI03I0u68b7WMFkQc=" "integrity": "sha1-o9XabNXAvAAI03I0u68b7WMFkQc="
},
"node_modules/async": {
"version": "3.2.4",
"resolved": "https://registry.npmjs.org/async/-/async-3.2.4.tgz",
"integrity": "sha512-iAB+JbDEGXhyIUavoDl9WP/Jj106Kz9DEn1DPgYw5ruDn0e3Wgi3sKFm55sASdGBNOQB8F59d9qQ7deqrHA8wQ==",
"dev": true
} }
} }
} }