Support curation npm tree calc by package-lock only (#951)
asafambar authored Oct 3, 2023
1 parent 9469fc8 commit 241f308
Showing 9 changed files with 90 additions and 13 deletions.
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -97,4 +97,4 @@ require (

replace github.com/jfrog/jfrog-client-go => github.com/jfrog/jfrog-client-go v1.28.1-0.20231003083451-568b46797866

replace github.com/jfrog/build-info-go => github.com/jfrog/build-info-go v1.8.9-0.20230928084830-478bd49f5d3e
replace github.com/jfrog/build-info-go => github.com/jfrog/build-info-go v1.8.9-0.20231003094520-3a09931ceaa8
4 changes: 2 additions & 2 deletions go.sum
Expand Up @@ -195,8 +195,8 @@ github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOl
github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
github.com/jedib0t/go-pretty/v6 v6.4.7 h1:lwiTJr1DEkAgzljsUsORmWsVn5MQjt1BPJdPCtJ6KXE=
github.com/jedib0t/go-pretty/v6 v6.4.7/go.mod h1:Ndk3ase2CkQbXLLNf5QDHoYb6J9WtVfmHZu9n8rk2xs=
github.com/jfrog/build-info-go v1.8.9-0.20230928084830-478bd49f5d3e h1:tWNlQScbapCz5/EBc+lKBBQcZ/3QLgM3tM3HBEtxCTs=
github.com/jfrog/build-info-go v1.8.9-0.20230928084830-478bd49f5d3e/go.mod h1:ujJ8XQZMdT2tMkLSMJNyDd1pCY+duwHdjV+9or9FLIg=
github.com/jfrog/build-info-go v1.8.9-0.20231003094520-3a09931ceaa8 h1:XaXReF1CKOr5oOXq5KkZDuHt3q9Y6pJeNCjezxZo2CM=
github.com/jfrog/build-info-go v1.8.9-0.20231003094520-3a09931ceaa8/go.mod h1:ujJ8XQZMdT2tMkLSMJNyDd1pCY+duwHdjV+9or9FLIg=
github.com/jfrog/gofrog v1.3.0 h1:o4zgsBZE4QyDbz2M7D4K6fXPTBJht+8lE87mS9bw7Gk=
github.com/jfrog/gofrog v1.3.0/go.mod h1:IFMc+V/yf7rA5WZ74CSbXe+Lgf0iApEQLxRZVzKRUR0=
github.com/jfrog/jfrog-apps-config v1.0.1 h1:mtv6k7g8A8BVhlHGlSveapqf4mJfonwvXYLipdsOFMY=
2 changes: 1 addition & 1 deletion xray/commands/audit/sca/java/javautils.go
Expand Up @@ -136,7 +136,7 @@ func hasLoop(idsAdded []string, idToAdd string) bool {
return false
}

func BuildDependencyTree(params *xrayutils.AuditBasicParams, tech coreutils.Technology) ([]*xrayUtils.GraphNode, []string, error) {
func BuildDependencyTree(params xrayutils.AuditParams, tech coreutils.Technology) ([]*xrayUtils.GraphNode, []string, error) {
serverDetails, err := params.ServerDetails()
if err != nil {
return nil, nil, err
23 changes: 20 additions & 3 deletions xray/commands/audit/sca/npm/npm.go
Expand Up @@ -15,7 +15,7 @@ const (
ignoreScriptsFlag = "--ignore-scripts"
)

func BuildDependencyTree(npmArgs []string) (dependencyTrees []*xrayUtils.GraphNode, uniqueDeps []string, err error) {
func BuildDependencyTree(params utils.AuditParams) (dependencyTrees []*xrayUtils.GraphNode, uniqueDeps []string, err error) {
currentDir, err := coreutils.GetWorkingDirectory()
if err != nil {
return
Expand All @@ -28,10 +28,11 @@ func BuildDependencyTree(npmArgs []string) (dependencyTrees []*xrayUtils.GraphNo
if err != nil {
return
}
npmArgs = addIgnoreScriptsFlag(npmArgs)

treeDepsParam := createTreeDepsParam(params)

// Calculate npm dependencies
dependenciesMap, err := biutils.CalculateDependenciesMap(npmExecutablePath, currentDir, packageInfo.BuildInfoModuleId(), npmArgs, log.Logger)
dependenciesMap, err := biutils.CalculateDependenciesMap(npmExecutablePath, currentDir, packageInfo.BuildInfoModuleId(), treeDepsParam, log.Logger)
if err != nil {
log.Info("Used npm version:", npmVersion.GetVersion())
return
Expand All @@ -46,6 +47,22 @@ func BuildDependencyTree(npmArgs []string) (dependencyTrees []*xrayUtils.GraphNo
return
}

func createTreeDepsParam(params utils.AuditParams) biutils.NpmTreeDepListParam {
if params == nil {
return biutils.NpmTreeDepListParam{
Args: addIgnoreScriptsFlag([]string{}),
}
}
npmTreeDepParam := biutils.NpmTreeDepListParam{
Args: addIgnoreScriptsFlag(params.Args()),
}
if npmParams, ok := params.(utils.AuditNpmParams); ok {
npmTreeDepParam.IgnoreNodeModules = npmParams.NpmIgnoreNodeModules()
npmTreeDepParam.OverwritePackageLock = npmParams.NpmOverwritePackageLock()
}
return npmTreeDepParam
}

// Add the --ignore-scripts to prevent execution of npm scripts during npm install.
func addIgnoreScriptsFlag(npmArgs []string) []string {
if !slices.Contains(npmArgs, ignoreScriptsFlag) {
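Review bot: The nil guard at the top of createTreeDepsParam does not cover a utils.AuditNpmParams whose embedded AuditParams is nil — the interface value itself is non-nil, so the guard is skipped and `params.Args()` on the following line dereferences the nil embedded interface and panics. That shape appears reachable from curation, which wraps `ca.AuditParams` without checking it (curationaudit.go), so a CurationAuditCommand not built via NewCurationAuditCommand would presumably hit it; a check such as `if npmParams, ok := params.(utils.AuditNpmParams); ok && npmParams.AuditParams == nil { return biutils.NpmTreeDepListParam{Args: addIgnoreScriptsFlag([]string{})} }` before the Args() call would close it. The type assertion also matches only the value type, so a `*utils.AuditNpmParams` passed through the interface would silently lose IgnoreNodeModules and OverwritePackageLock. The function has no doc comment; `// createTreeDepsParam builds the build-info tree parameters: --ignore-scripts is always added, and the npm-specific options are taken from params only when it is an AuditNpmParams value.` would state the contract. BuildDependencyTree's body continues outside the hunk.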
2 changes: 1 addition & 1 deletion xray/commands/audit/sca/npm/npm_test.go
Expand Up @@ -116,6 +116,6 @@ func TestIgnoreScripts(t *testing.T) {

// The package.json file contain a postinstall script running an "exit 1" command.
// Without the "--ignore-scripts" flag, the test will fail.
_, _, err := BuildDependencyTree([]string{})
_, _, err := BuildDependencyTree(nil)
assert.NoError(t, err)
}
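Review bot: The updated call exercises only the nil branch of createTreeDepsParam; the new AuditNpmParams branch that maps NpmIgnoreNodeModules and NpmOverwritePackageLock onto biutils.NpmTreeDepListParam has no test in this commit. A unit test in this package that passes `utils.AuditNpmParams{AuditParams: &utils.AuditBasicParams{}}.SetNpmIgnoreNodeModules(true).SetNpmOverwritePackageLock(true)` to createTreeDepsParam and asserts on the IgnoreNodeModules and OverwritePackageLock fields of the result would pin that mapping without needing npm on the box. TestIgnoreScripts starts outside the hunk.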
4 changes: 2 additions & 2 deletions xray/commands/audit/scarunner.go
Expand Up @@ -133,7 +133,7 @@ func getDirectDependenciesFromTree(dependencyTrees []*xrayCmdUtils.GraphNode) []
return directDependencies.ToSlice()
}

func GetTechDependencyTree(params *xrayutils.AuditBasicParams, tech coreutils.Technology) (flatTree *xrayCmdUtils.GraphNode, fullDependencyTrees []*xrayCmdUtils.GraphNode, err error) {
func GetTechDependencyTree(params xrayutils.AuditParams, tech coreutils.Technology) (flatTree *xrayCmdUtils.GraphNode, fullDependencyTrees []*xrayCmdUtils.GraphNode, err error) {
logMessage := fmt.Sprintf("Calculating %s dependencies", tech.ToFormal())
log.Info(logMessage + "...")
if params.Progress() != nil {
Expand All @@ -149,7 +149,7 @@ func GetTechDependencyTree(params *xrayutils.AuditBasicParams, tech coreutils.Te
case coreutils.Maven, coreutils.Gradle:
fullDependencyTrees, uniqueDeps, err = java.BuildDependencyTree(params, tech)
case coreutils.Npm:
fullDependencyTrees, uniqueDeps, err = npm.BuildDependencyTree(params.Args())
fullDependencyTrees, uniqueDeps, err = npm.BuildDependencyTree(params)
case coreutils.Yarn:
fullDependencyTrees, uniqueDeps, err = yarn.BuildDependencyTree()
case coreutils.Go:
15 changes: 12 additions & 3 deletions xray/commands/curation/curationaudit.go
Expand Up @@ -111,13 +111,13 @@ type CurationAuditCommand struct {
workingDirs []string
OriginPath string
parallelRequests int
*utils.AuditBasicParams
utils.AuditParams
}

func NewCurationAuditCommand() *CurationAuditCommand {
return &CurationAuditCommand{
extractPoliciesRegex: regexp.MustCompile(extractPoliciesRegexTemplate),
AuditBasicParams: &utils.AuditBasicParams{},
AuditParams: &utils.AuditBasicParams{},
}
}

Expand Down Expand Up @@ -192,8 +192,17 @@ func (ca *CurationAuditCommand) doCurateAudit(results map[string][]*PackageStatu
return nil
}

func (ca *CurationAuditCommand) getAuditParamsByTech(tech coreutils.Technology) utils.AuditParams {
if tech == coreutils.Npm {
return utils.AuditNpmParams{AuditParams: ca.AuditParams}.
SetNpmIgnoreNodeModules(true).
SetNpmOverwritePackageLock(true)
}
return ca.AuditParams
}

func (ca *CurationAuditCommand) auditTree(tech coreutils.Technology, results map[string][]*PackageStatus) error {
flattenGraph, fullDependenciesTree, err := audit.GetTechDependencyTree(ca.AuditBasicParams, tech)
flattenGraph, fullDependenciesTree, err := audit.GetTechDependencyTree(ca.getAuditParamsByTech(tech), tech)
if err != nil {
return err
}
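Review bot: getAuditParamsByTech turns on NpmOverwritePackageLock for every npm curation run with no comment on why, and a reader cannot tell from this file that this may rewrite a lock file inside the audited project. A doc comment such as `// getAuditParamsByTech returns the audit params for tech; for npm the tree is calculated from package-lock only (node_modules ignored) and the lock file may be overwritten — confirm the exact semantics against biutils.NpmTreeDepListParam.` would make that explicit. The method also wraps `ca.AuditParams` unchecked: if it is nil (a CurationAuditCommand not created by NewCurationAuditCommand), the returned AuditNpmParams is a non-nil interface value around a nil embedded interface, so the nil check in npm.createTreeDepsParam does not catch it and the later `params.Args()` call panics; either guard here or document that NewCurationAuditCommand is required. auditTree's body continues outside the hunk.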
26 changes: 26 additions & 0 deletions xray/utils/auditbasicparams.go
Expand Up @@ -5,6 +5,32 @@ import (
ioUtils "github.com/jfrog/jfrog-client-go/utils/io"
)

type AuditParams interface {
DirectDependencies() []string
AppendDependenciesForApplicabilityScan(directDependencies []string) *AuditBasicParams
ServerDetails() (*config.ServerDetails, error)
SetServerDetails(serverDetails *config.ServerDetails) *AuditBasicParams
PipRequirementsFile() string
SetPipRequirementsFile(requirementsFile string) *AuditBasicParams
ExcludeTestDependencies() bool
SetExcludeTestDependencies(excludeTestDependencies bool) *AuditBasicParams
UseWrapper() bool
SetUseWrapper(useWrapper bool) *AuditBasicParams
InsecureTls() bool
SetInsecureTls(insecureTls bool) *AuditBasicParams
Technologies() []string
SetTechnologies(technologies []string) *AuditBasicParams
Progress() ioUtils.ProgressMgr
SetProgress(progress ioUtils.ProgressMgr)
Args() []string
SetNpmScope(depType string) *AuditBasicParams
OutputFormat() OutputFormat
DepsRepo() string
SetDepsRepo(depsRepo string) *AuditBasicParams
IgnoreConfigFile() bool
SetIgnoreConfigFile(ignoreConfigFile bool) *AuditBasicParams
}

type AuditBasicParams struct {
serverDetails *config.ServerDetails
outputFormat OutputFormat
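Review bot: Every setter on the new AuditParams interface returns the concrete `*AuditBasicParams` (SetServerDetails through SetIgnoreConfigFile), which ties the interface to one implementation and, more concretely, means that calling any of them on a utils.AuditNpmParams — which embeds AuditParams — returns the inner `*AuditBasicParams` and drops the npm flags from a chained call. If callers do not need the setters through the interface, leaving them off it (or having them return AuditParams) would remove that trap; this is worth deciding before more implementations depend on the current shape. The exported interface also lacks the conventional doc comment; `// AuditParams is the set of audit options shared by the SCA audit and curation commands; *AuditBasicParams is the base implementation.` would do. The AuditBasicParams struct continues outside the hunk.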
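--- /dev/null
+++ b/xray/utils/auditnpmparams.go
@@ -0,0 +1,25 @@
+package utils
+
+type AuditNpmParams struct {
+AuditParams
+npmIgnoreNodeModules bool
+npmOverwritePackageLock bool
+}
+
+func (anp AuditNpmParams) SetNpmIgnoreNodeModules(ignoreNpmNodeModules bool) AuditNpmParams {
+anp.npmIgnoreNodeModules = ignoreNpmNodeModules
+return anp
+}
+
+func (anp AuditNpmParams) SetNpmOverwritePackageLock(overwritePackageLock bool) AuditNpmParams {
+anp.npmOverwritePackageLock = overwritePackageLock
+return anp
+}
+
+func (anp AuditNpmParams) NpmIgnoreNodeModules() bool {
+return anp.npmIgnoreNodeModules
+}
+
+func (anp AuditNpmParams) NpmOverwritePackageLock() bool {
+return anp.npmOverwritePackageLock
+}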
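Review bot: The exported AuditNpmParams type and its four methods carry no doc comments, and the value receivers on the two setters mean each returns a modified copy and leaves the receiver untouched — easy to misread at a call site that discards the result. Suggested comments: `// AuditNpmParams wraps AuditParams with the npm-specific dependency-tree options.` on the type, and `// SetNpmIgnoreNodeModules returns a copy with the flag set; the receiver is not modified.` on the setter (with the analogous line on SetNpmOverwritePackageLock). Because the embedded AuditParams setters return `*AuditBasicParams`, the npm flags survive only when the base Set* calls happen before wrapping, which is worth stating in the type comment too.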
