Support curation npm tree calc by package-lock only

go.mod

@@ -93,3 +93,9 @@ require (
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 )
+
+// replace github.com/jfrog/build-info-go => github.com/jfrog/build-info-go v1.8.9-0.20230905120411-62d1bdd4eb38
+
+replace github.com/jfrog/build-info-go => github.com/asafambar/build-info-go v1.8.9-0.20230927174003-9caa065a068e
+
+// replace github.com/jfrog/gofrog => github.com/jfrog/gofrog v1.2.6-0.20230418122323-2bf299dd6d27

go.sum

@@ -60,6 +60,8 @@ github.com/andybalholm/brotli v1.0.1/go.mod h1:loMXtMfwqflxFJPmdbJO0a3KNoPuLBgiu
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
 github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
+github.com/asafambar/build-info-go v1.8.9-0.20230927174003-9caa065a068e h1:l5ayu2RwV36o86Sl7aSPcNk26DyF6yW3YDjjKQkCXOg=
+github.com/asafambar/build-info-go v1.8.9-0.20230927174003-9caa065a068e/go.mod h1:ujJ8XQZMdT2tMkLSMJNyDd1pCY+duwHdjV+9or9FLIg=
 github.com/bradleyjkemp/cupaloy/v2 v2.8.0 h1:any4BmKE+jGIaMpnU8YgH/I2LPiLBufr6oMMlVBbn9M=
 github.com/buger/jsonparser v1.1.1 h1:2PnMjfWD7wBILjqQbt530v576A/cAbQvEW9gGIpYMUs=
 github.com/buger/jsonparser v1.1.1/go.mod h1:6RYKKt7H4d4+iWqouImQ9R2FZql3VbhNgx27UK13J/0=
@@ -195,8 +197,6 @@ github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOl
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
 github.com/jedib0t/go-pretty/v6 v6.4.7 h1:lwiTJr1DEkAgzljsUsORmWsVn5MQjt1BPJdPCtJ6KXE=
 github.com/jedib0t/go-pretty/v6 v6.4.7/go.mod h1:Ndk3ase2CkQbXLLNf5QDHoYb6J9WtVfmHZu9n8rk2xs=
-github.com/jfrog/build-info-go v1.9.10 h1:uXnDLVxpqxoAMpXcki00QaBB+M2BoGMMpHODPkmmYOY=
-github.com/jfrog/build-info-go v1.9.10/go.mod h1:ujJ8XQZMdT2tMkLSMJNyDd1pCY+duwHdjV+9or9FLIg=
 github.com/jfrog/gofrog v1.3.0 h1:o4zgsBZE4QyDbz2M7D4K6fXPTBJht+8lE87mS9bw7Gk=
 github.com/jfrog/gofrog v1.3.0/go.mod h1:IFMc+V/yf7rA5WZ74CSbXe+Lgf0iApEQLxRZVzKRUR0=
 github.com/jfrog/jfrog-client-go v1.32.3 h1:B2M8Gu8EMrokbHWPPDgN1b7YRWwf0oe746epvQASK6c=

xray/commands/audit/sca/java/javautils.go

@@ -133,7 +133,7 @@ func hasLoop(idsAdded []string, idToAdd string) bool {
 	return false
 }
 
-func BuildDependencyTree(params *xrayutils.AuditBasicParams, tech coreutils.Technology) ([]*xrayUtils.GraphNode, []string, error) {
+func BuildDependencyTree(params xrayutils.AuditParams, tech coreutils.Technology) ([]*xrayUtils.GraphNode, []string, error) {
 	serverDetails, err := params.ServerDetails()
 	if err != nil {
 		return nil, nil, err

xray/commands/audit/sca/npm/npm.go

@@ -15,7 +15,7 @@ const (
 	ignoreScriptsFlag = "--ignore-scripts"
 )
 
-func BuildDependencyTree(npmArgs []string) (dependencyTrees []*xrayUtils.GraphNode, uniqueDeps []string, err error) {
+func BuildDependencyTree(params utils.AuditParams) (dependencyTrees []*xrayUtils.GraphNode, uniqueDeps []string, err error) {
 	currentDir, err := coreutils.GetWorkingDirectory()
 	if err != nil {
 		return
@@ -28,10 +28,14 @@ func BuildDependencyTree(npmArgs []string) (dependencyTrees []*xrayUtils.GraphNo
 	if err != nil {
 		return
 	}
-	npmArgs = addIgnoreScriptsFlag(npmArgs)
-
+	treeDepsParam := biutils.NpmTreeDepListParam{
+		Args: addIgnoreScriptsFlag([]string{}),
+	}
+	if params != nil {
+		treeDepsParam = createTreeDepsParam(params)
+	}
 	// Calculate npm dependencies
-	dependenciesMap, err := biutils.CalculateDependenciesMap(npmExecutablePath, currentDir, packageInfo.BuildInfoModuleId(), npmArgs, log.Logger)
+	dependenciesMap, err := biutils.CalculateDependenciesMap(npmExecutablePath, currentDir, packageInfo.BuildInfoModuleId(), treeDepsParam, log.Logger)
 	if err != nil {
 		log.Info("Used npm version:", npmVersion.GetVersion())
 		return
@@ -46,6 +50,17 @@ func BuildDependencyTree(npmArgs []string) (dependencyTrees []*xrayUtils.GraphNo
 	return
 }
 
+func createTreeDepsParam(params utils.AuditParams) biutils.NpmTreeDepListParam {
+	npmTreeDepParam := biutils.NpmTreeDepListParam{
+		Args: addIgnoreScriptsFlag(params.Args()),
+	}
+	if npmParams, ok := params.(utils.AuditNpmParams); ok {
+		npmTreeDepParam.IgnoreNodeModules = npmParams.NpmIgnoreNodeModules()
+		npmTreeDepParam.OverwritePackageLock = npmParams.NpmOverwritePackageLock()
+	}
+	return npmTreeDepParam
+}
+
 // Add the --ignore-scripts to prevent execution of npm scripts during npm install.
 func addIgnoreScriptsFlag(npmArgs []string) []string {
 	if !slices.Contains(npmArgs, ignoreScriptsFlag) {

xray/commands/audit/sca/npm/npm_test.go

@@ -116,6 +116,6 @@ func TestIgnoreScripts(t *testing.T) {
 
 	// The package.json file contain a postinstall script running an "exit 1" command.
 	// Without the "--ignore-scripts" flag, the test will fail.
-	_, _, err := BuildDependencyTree([]string{})
+	_, _, err := BuildDependencyTree(nil)
 	assert.NoError(t, err)
 }

xray/commands/audit/scarunner.go

@@ -133,7 +133,7 @@ func getDirectDependenciesFromTree(dependencyTrees []*xrayCmdUtils.GraphNode) []
 	return directDependencies.ToSlice()
 }
 
-func GetTechDependencyTree(params *xrayutils.AuditBasicParams, tech coreutils.Technology) (flatTree *xrayCmdUtils.GraphNode, fullDependencyTrees []*xrayCmdUtils.GraphNode, err error) {
+func GetTechDependencyTree(params xrayutils.AuditParams, tech coreutils.Technology) (flatTree *xrayCmdUtils.GraphNode, fullDependencyTrees []*xrayCmdUtils.GraphNode, err error) {
 	logMessage := fmt.Sprintf("Calculating %s dependencies", tech.ToFormal())
 	log.Info(logMessage)
 	if params.Progress() != nil {
@@ -149,7 +149,7 @@ func GetTechDependencyTree(params *xrayutils.AuditBasicParams, tech coreutils.Te
 	case coreutils.Maven, coreutils.Gradle:
 		fullDependencyTrees, uniqueDeps, err = java.BuildDependencyTree(params, tech)
 	case coreutils.Npm:
-		fullDependencyTrees, uniqueDeps, err = npm.BuildDependencyTree(params.Args())
+		fullDependencyTrees, uniqueDeps, err = npm.BuildDependencyTree(params)
 	case coreutils.Yarn:
 		fullDependencyTrees, uniqueDeps, err = yarn.BuildDependencyTree()
 	case coreutils.Go:

xray/commands/curation/curationaudit.go

@@ -111,13 +111,13 @@ type CurationAuditCommand struct {
 	workingDirs          []string
 	OriginPath           string
 	parallelRequests     int
-	*utils.AuditBasicParams
+	utils.AuditParams
 }
 
 func NewCurationAuditCommand() *CurationAuditCommand {
 	return &CurationAuditCommand{
 		extractPoliciesRegex: regexp.MustCompile(extractPoliciesRegexTemplate),
-		AuditBasicParams:     &utils.AuditBasicParams{},
+		AuditParams:          &utils.AuditBasicParams{},
 	}
 }
 
@@ -192,8 +192,18 @@ func (ca *CurationAuditCommand) doCurateAudit(results map[string][]*PackageStatu
 	return nil
 }
 
+func (ca *CurationAuditCommand) getAuditParamsByTech(tech coreutils.Technology) utils.AuditParams {
+	if tech == coreutils.Npm {
+		return utils.AuditNpmParams{
+			AuditParams: ca.AuditParams}.
+			SetNpmIgnoreNodeModules(true).
+			SetNpmOverwritePackageLock(true)
+	}
+	return ca.AuditParams
+}
+
 func (ca *CurationAuditCommand) auditTree(tech coreutils.Technology, results map[string][]*PackageStatus) error {
-	flattenGraph, fullDependenciesTree, err := audit.GetTechDependencyTree(ca.AuditBasicParams, tech)
+	flattenGraph, fullDependenciesTree, err := audit.GetTechDependencyTree(ca.getAuditParamsByTech(tech), tech)
 	if err != nil {
 		return err
 	}

xray/utils/auditbasicparams.go

@@ -5,6 +5,32 @@ import (
 	ioUtils "github.com/jfrog/jfrog-client-go/utils/io"
 )
 
+type AuditParams interface {
+	DirectDependencies() []string
+	AppendDependenciesForApplicabilityScan(directDependencies []string) *AuditBasicParams
+	ServerDetails() (*config.ServerDetails, error)
+	SetServerDetails(serverDetails *config.ServerDetails) *AuditBasicParams
+	PipRequirementsFile() string
+	SetPipRequirementsFile(requirementsFile string) *AuditBasicParams
+	ExcludeTestDependencies() bool
+	SetExcludeTestDependencies(excludeTestDependencies bool) *AuditBasicParams
+	UseWrapper() bool
+	SetUseWrapper(useWrapper bool) *AuditBasicParams
+	InsecureTls() bool
+	SetInsecureTls(insecureTls bool) *AuditBasicParams
+	Technologies() []string
+	SetTechnologies(technologies []string) *AuditBasicParams
+	Progress() ioUtils.ProgressMgr
+	SetProgress(progress ioUtils.ProgressMgr)
+	Args() []string
+	SetNpmScope(depType string) *AuditBasicParams
+	OutputFormat() OutputFormat
+	DepsRepo() string
+	SetDepsRepo(depsRepo string) *AuditBasicParams
+	IgnoreConfigFile() bool
+	SetIgnoreConfigFile(ignoreConfigFile bool) *AuditBasicParams
+}
+
 type AuditBasicParams struct {
 	serverDetails                    *config.ServerDetails
 	outputFormat                     OutputFormat

xray/utils/packageManagerAuditParams.go

@@ -0,0 +1,25 @@
+package utils
+
+type AuditNpmParams struct {
+	AuditParams
+	npmIgnoreNodeModules    bool
+	npmOverWritePackageLock bool
+}
+
+func (abp AuditNpmParams) SetNpmIgnoreNodeModules(ignoreNpmNodeModules bool) AuditNpmParams {
+	abp.npmIgnoreNodeModules = ignoreNpmNodeModules
+	return abp
+}
+
+func (abp AuditNpmParams) SetNpmOverwritePackageLock(overwritePackageLock bool) AuditNpmParams {
+	abp.npmOverWritePackageLock = overwritePackageLock
+	return abp
+}
+
+func (abp AuditNpmParams) NpmIgnoreNodeModules() bool {
+	return abp.npmIgnoreNodeModules
+}
+
+func (abp AuditNpmParams) NpmOverwritePackageLock() bool {
+	return abp.npmOverWritePackageLock
+}