Support curation npm tree calc by package-lock only #951

merged 13 commits into from
Oct 3, 2023
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -97,4 +97,4 @@ require (

replace github.com/jfrog/jfrog-client-go => github.com/jfrog/jfrog-client-go v1.28.1-0.20231003083451-568b46797866

replace github.com/jfrog/build-info-go => github.com/jfrog/build-info-go v1.8.9-0.20230928084830-478bd49f5d3e
replace github.com/jfrog/build-info-go => github.com/jfrog/build-info-go v1.8.9-0.20231003094520-3a09931ceaa8
4 changes: 2 additions & 2 deletions go.sum
Expand Up @@ -195,8 +195,8 @@ github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOl
github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
github.com/jedib0t/go-pretty/v6 v6.4.7 h1:lwiTJr1DEkAgzljsUsORmWsVn5MQjt1BPJdPCtJ6KXE=
github.com/jedib0t/go-pretty/v6 v6.4.7/go.mod h1:Ndk3ase2CkQbXLLNf5QDHoYb6J9WtVfmHZu9n8rk2xs=
github.com/jfrog/build-info-go v1.8.9-0.20230928084830-478bd49f5d3e h1:tWNlQScbapCz5/EBc+lKBBQcZ/3QLgM3tM3HBEtxCTs=
github.com/jfrog/build-info-go v1.8.9-0.20230928084830-478bd49f5d3e/go.mod h1:ujJ8XQZMdT2tMkLSMJNyDd1pCY+duwHdjV+9or9FLIg=
github.com/jfrog/build-info-go v1.8.9-0.20231003094520-3a09931ceaa8 h1:XaXReF1CKOr5oOXq5KkZDuHt3q9Y6pJeNCjezxZo2CM=
github.com/jfrog/build-info-go v1.8.9-0.20231003094520-3a09931ceaa8/go.mod h1:ujJ8XQZMdT2tMkLSMJNyDd1pCY+duwHdjV+9or9FLIg=
github.com/jfrog/gofrog v1.3.0 h1:o4zgsBZE4QyDbz2M7D4K6fXPTBJht+8lE87mS9bw7Gk=
github.com/jfrog/gofrog v1.3.0/go.mod h1:IFMc+V/yf7rA5WZ74CSbXe+Lgf0iApEQLxRZVzKRUR0=
github.com/jfrog/jfrog-apps-config v1.0.1 h1:mtv6k7g8A8BVhlHGlSveapqf4mJfonwvXYLipdsOFMY=
2 changes: 1 addition & 1 deletion xray/commands/audit/sca/java/javautils.go
Expand Up @@ -136,7 +136,7 @@ func hasLoop(idsAdded []string, idToAdd string) bool {
return false
}

func BuildDependencyTree(params *xrayutils.AuditBasicParams, tech coreutils.Technology) ([]*xrayUtils.GraphNode, []string, error) {
func BuildDependencyTree(params xrayutils.AuditParams, tech coreutils.Technology) ([]*xrayUtils.GraphNode, []string, error) {
serverDetails, err := params.ServerDetails()
if err != nil {
return nil, nil, err
23 changes: 20 additions & 3 deletions xray/commands/audit/sca/npm/npm.go
Expand Up @@ -15,7 +15,7 @@ const (
ignoreScriptsFlag = "--ignore-scripts"
)

func BuildDependencyTree(npmArgs []string) (dependencyTrees []*xrayUtils.GraphNode, uniqueDeps []string, err error) {
func BuildDependencyTree(params utils.AuditParams) (dependencyTrees []*xrayUtils.GraphNode, uniqueDeps []string, err error) {
currentDir, err := coreutils.GetWorkingDirectory()
if err != nil {
return
Expand All @@ -28,10 +28,11 @@ func BuildDependencyTree(npmArgs []string) (dependencyTrees []*xrayUtils.GraphNo
if err != nil {
return
}
npmArgs = addIgnoreScriptsFlag(npmArgs)

treeDepsParam := createTreeDepsParam(params)

// Calculate npm dependencies
dependenciesMap, err := biutils.CalculateDependenciesMap(npmExecutablePath, currentDir, packageInfo.BuildInfoModuleId(), npmArgs, log.Logger)
dependenciesMap, err := biutils.CalculateDependenciesMap(npmExecutablePath, currentDir, packageInfo.BuildInfoModuleId(), treeDepsParam, log.Logger)
if err != nil {
log.Info("Used npm version:", npmVersion.GetVersion())
return
Expand All @@ -46,6 +47,22 @@ func BuildDependencyTree(npmArgs []string) (dependencyTrees []*xrayUtils.GraphNo
return
}

func createTreeDepsParam(params utils.AuditParams) biutils.NpmTreeDepListParam {
if params == nil {
return biutils.NpmTreeDepListParam{
Args: addIgnoreScriptsFlag([]string{}),
}
}
npmTreeDepParam := biutils.NpmTreeDepListParam{
Args: addIgnoreScriptsFlag(params.Args()),
}
if npmParams, ok := params.(utils.AuditNpmParams); ok {
npmTreeDepParam.IgnoreNodeModules = npmParams.NpmIgnoreNodeModules()
npmTreeDepParam.OverwritePackageLock = npmParams.NpmOverwritePackageLock()
}
return npmTreeDepParam
}

// Add the --ignore-scripts to prevent execution of npm scripts during npm install.
func addIgnoreScriptsFlag(npmArgs []string) []string {
if !slices.Contains(npmArgs, ignoreScriptsFlag) {
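Review bot: createTreeDepsParam recognises npm-specific settings only through the concrete assertion `params.(utils.AuditNpmParams)`, so a caller that passes `*utils.AuditNpmParams` or any other wrapper silently falls back to the default branch with IgnoreNodeModules and OverwritePackageLock both false — for curation that presumably means the tree is computed from whatever is in node_modules rather than from package-lock only, with no error to show it. Asserting on behaviour instead of type keeps both shapes working: `if npmParams, ok := params.(interface{ NpmIgnoreNodeModules() bool; NpmOverwritePackageLock() bool }); ok {`. The new function also has no doc comment; suggest `// createTreeDepsParam builds the build-info-go tree parameters: --ignore-scripts is always added, and the node_modules/package-lock flags are copied from params when it carries npm-specific settings (nil params yields the defaults).` The exact meaning of OverwritePackageLock lives in build-info-go and is not visible in this diff, so the comment should stay at that level.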
2 changes: 1 addition & 1 deletion xray/commands/audit/sca/npm/npm_test.go
Expand Up @@ -116,6 +116,6 @@ func TestIgnoreScripts(t *testing.T) {

// The package.json file contain a postinstall script running an "exit 1" command.
// Without the "--ignore-scripts" flag, the test will fail.
_, _, err := BuildDependencyTree([]string{})
_, _, err := BuildDependencyTree(nil)
assert.NoError(t, err)
}
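Review bot: Passing nil here exercises only the default branch of createTreeDepsParam; the npm-specific branch that curation depends on (the AuditNpmParams assertion setting IgnoreNodeModules and OverwritePackageLock) has no test in this PR, so a regression that drops those flags would go unnoticed. A unit test on createTreeDepsParam itself needs no npm invocation and pins both flags plus the --ignore-scripts argument; it assumes the test file can reference the xray utils package the way npm.go does.
```go
func TestCreateTreeDepsParam(t *testing.T) {
	npmParams := utils.AuditNpmParams{AuditParams: &utils.AuditBasicParams{}}.
		SetNpmIgnoreNodeModules(true).
		SetNpmOverwritePackageLock(true)
	got := createTreeDepsParam(npmParams)
	assert.True(t, got.IgnoreNodeModules)
	assert.True(t, got.OverwritePackageLock)
	assert.Contains(t, got.Args, ignoreScriptsFlag)
}
```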
4 changes: 2 additions & 2 deletions xray/commands/audit/scarunner.go
Expand Up @@ -133,7 +133,7 @@ func getDirectDependenciesFromTree(dependencyTrees []*xrayCmdUtils.GraphNode) []
return directDependencies.ToSlice()
}

func GetTechDependencyTree(params *xrayutils.AuditBasicParams, tech coreutils.Technology) (flatTree *xrayCmdUtils.GraphNode, fullDependencyTrees []*xrayCmdUtils.GraphNode, err error) {
func GetTechDependencyTree(params xrayutils.AuditParams, tech coreutils.Technology) (flatTree *xrayCmdUtils.GraphNode, fullDependencyTrees []*xrayCmdUtils.GraphNode, err error) {
logMessage := fmt.Sprintf("Calculating %s dependencies", tech.ToFormal())
log.Info(logMessage + "...")
if params.Progress() != nil {
Expand All @@ -149,7 +149,7 @@ func GetTechDependencyTree(params *xrayutils.AuditBasicParams, tech coreutils.Te
case coreutils.Maven, coreutils.Gradle:
fullDependencyTrees, uniqueDeps, err = java.BuildDependencyTree(params, tech)
case coreutils.Npm:
fullDependencyTrees, uniqueDeps, err = npm.BuildDependencyTree(params.Args())
fullDependencyTrees, uniqueDeps, err = npm.BuildDependencyTree(params)
case coreutils.Yarn:
fullDependencyTrees, uniqueDeps, err = yarn.BuildDependencyTree()
case coreutils.Go:
15 changes: 12 additions & 3 deletions xray/commands/curation/curationaudit.go
Expand Up @@ -111,13 +111,13 @@ type CurationAuditCommand struct {
workingDirs []string
OriginPath string
parallelRequests int
*utils.AuditBasicParams
utils.AuditParams
}

func NewCurationAuditCommand() *CurationAuditCommand {
return &CurationAuditCommand{
extractPoliciesRegex: regexp.MustCompile(extractPoliciesRegexTemplate),
AuditBasicParams: &utils.AuditBasicParams{},
AuditParams: &utils.AuditBasicParams{},
}
}

Expand Down Expand Up @@ -192,8 +192,17 @@ func (ca *CurationAuditCommand) doCurateAudit(results map[string][]*PackageStatu
return nil
}

func (ca *CurationAuditCommand) getAuditParamsByTech(tech coreutils.Technology) utils.AuditParams {
if tech == coreutils.Npm {
return utils.AuditNpmParams{AuditParams: ca.AuditParams}.
SetNpmIgnoreNodeModules(true).
SetNpmOverwritePackageLock(true)
}
return ca.AuditParams
}

func (ca *CurationAuditCommand) auditTree(tech coreutils.Technology, results map[string][]*PackageStatus) error {
flattenGraph, fullDependenciesTree, err := audit.GetTechDependencyTree(ca.AuditBasicParams, tech)
flattenGraph, fullDependenciesTree, err := audit.GetTechDependencyTree(ca.getAuditParamsByTech(tech), tech)
if err != nil {
return err
}
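Review bot: getAuditParamsByTech forces NpmIgnoreNodeModules and NpmOverwritePackageLock on for npm without a comment saying why, and that reason is the point of the PR: curation should derive the tree from package-lock only so that a locally installed node_modules cannot change which packages are checked. Suggest `// getAuditParamsByTech returns the audit params for tech. For npm, curation ignores node_modules and allows the lock file to be (re)written so the dependency tree comes from package-lock only; see NpmTreeDepListParam in build-info-go for the exact semantics.` The wrapper also embeds ca.AuditParams by interface value, so a CurationAuditCommand built as a zero value instead of via NewCurationAuditCommand wraps a nil interface and the later params.Args() call in npm.BuildDependencyTree would panic; either a nil guard here or a note that NewCurationAuditCommand is required would make that explicit. The body of auditTree continues outside the hunk.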
26 changes: 26 additions & 0 deletions xray/utils/auditbasicparams.go
Expand Up @@ -5,6 +5,32 @@ import (
ioUtils "github.com/jfrog/jfrog-client-go/utils/io"
)

type AuditParams interface {
DirectDependencies() []string
AppendDependenciesForApplicabilityScan(directDependencies []string) *AuditBasicParams
ServerDetails() (*config.ServerDetails, error)
SetServerDetails(serverDetails *config.ServerDetails) *AuditBasicParams
PipRequirementsFile() string
SetPipRequirementsFile(requirementsFile string) *AuditBasicParams
ExcludeTestDependencies() bool
SetExcludeTestDependencies(excludeTestDependencies bool) *AuditBasicParams
UseWrapper() bool
SetUseWrapper(useWrapper bool) *AuditBasicParams
InsecureTls() bool
SetInsecureTls(insecureTls bool) *AuditBasicParams
Technologies() []string
SetTechnologies(technologies []string) *AuditBasicParams
Progress() ioUtils.ProgressMgr
SetProgress(progress ioUtils.ProgressMgr)
Args() []string
SetNpmScope(depType string) *AuditBasicParams
OutputFormat() OutputFormat
DepsRepo() string
SetDepsRepo(depsRepo string) *AuditBasicParams
IgnoreConfigFile() bool
SetIgnoreConfigFile(ignoreConfigFile bool) *AuditBasicParams
}

type AuditBasicParams struct {
serverDetails *config.ServerDetails
outputFormat OutputFormat
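Review bot: The new exported interface AuditParams has no doc comment, and its setters are declared to return the concrete *AuditBasicParams, which ties every implementation to that struct: AuditNpmParams embeds AuditParams, so a promoted call such as SetInsecureTls compiles but returns the inner *AuditBasicParams and drops the npm-specific flags from any further chaining. Suggest at least `// AuditParams is the technology-independent audit configuration. Its only implementation is *AuditBasicParams, and the Set* methods return that pointer rather than any wrapping value, so chain npm-specific setters last.` Longer term a consumer-side interface holding only the getters the audit path needs would remove the coupling.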
25 changes: 25 additions & 0 deletions xray/utils/auditnpmparams.go
@@ -0,0 +1,25 @@
package utils

type AuditNpmParams struct {
AuditParams
npmIgnoreNodeModules bool
npmOverwritePackageLock bool
}

func (anp AuditNpmParams) SetNpmIgnoreNodeModules(ignoreNpmNodeModules bool) AuditNpmParams {
anp.npmIgnoreNodeModules = ignoreNpmNodeModules
return anp
}

func (anp AuditNpmParams) SetNpmOverwritePackageLock(overwritePackageLock bool) AuditNpmParams {
anp.npmOverwritePackageLock = overwritePackageLock
return anp
}

func (anp AuditNpmParams) NpmIgnoreNodeModules() bool {
return anp.npmIgnoreNodeModules
}

func (anp AuditNpmParams) NpmOverwritePackageLock() bool {
return anp.npmOverwritePackageLock
}
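Review bot: AuditNpmParams uses value receivers and its setters return a modified copy, so `p.SetNpmIgnoreNodeModules(true)` without using the result is a silent no-op, and neither the exported type nor its four methods carry a doc comment saying so. The zero value `AuditNpmParams{}` also holds a nil AuditParams, so any promoted call such as Args() panics; NewCurationAuditCommand always fills it, but nothing in this file states that requirement. Suggest `// AuditNpmParams adds npm-only options on top of AuditParams. Setters return a modified copy (value semantics); the embedded AuditParams must be non-nil.` on the type, and comments of the form `// SetNpmIgnoreNodeModules returns a copy with the node_modules-ignore flag set.` on each setter.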