fix: issue paths for non-prod deps

sandworm-hq · Feb 26, 2023 · ad1049a · ad1049a
1 parent 772793f
commit ad1049a
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 6 deletions.
diff --git a/src/index.js b/src/index.js
@@ -54,6 +54,12 @@ const getReport = async ({
       packageGraph,
       onProgress: (message) => onProgress({type: 'update', stage: 'vulnerabilities', message}),
     });
+
+    if (!includeDev) {
+      dependencyVulnerabilities = (dependencyVulnerabilities || []).filter((issue) =>
+        (issue?.findings?.sources || []).find(({flags}) => flags.prod),
+      );
+    }
   } catch (error) {
     errors.push(error);
   }
@@ -141,9 +147,7 @@ const getReport = async ({
 
   return {
     dependencyGraph: dGraph,
-    dependencyVulnerabilities: (dependencyVulnerabilities || []).filter(
-      ({findings: {affects}}) => affects.length,
-    ),
+    dependencyVulnerabilities,
     rootVulnerabilities,
     licenseUsage,
     licenseIssues,

diff --git a/src/issues/utils.js b/src/issues/utils.js
@@ -1,19 +1,23 @@
 const https = require('https');
 const semverSatisfies = require('semver/functions/satisfies');
+const {aggregateDependencies} = require('../charts/utils');
 
 const getPathsForPackage = (packageGraph, packageName, semver) => {
   const parse = (node, currentPath = [], depth = 0, seenNodes = []) => {
     if (seenNodes.includes(node)) {
       return [];
     }
 
-    const newPath = depth === 0 ? [] : [...currentPath, {name: node.name, version: node.version}];
+    const newPath =
+      depth === 0
+        ? []
+        : [...currentPath, {name: node.name, version: node.version, flags: node.flags}];
     if (node.name === packageName && semverSatisfies(node.version, semver)) {
       return [newPath];
     }
 
-    return Object.entries(node.dependencies || {}).reduce(
-      (agg, [, subnode]) => agg.concat(parse(subnode, newPath, depth + 1, [...seenNodes, node])),
+    return aggregateDependencies(node).reduce(
+      (agg, subnode) => agg.concat(parse(subnode, newPath, depth + 1, [...seenNodes, node])),
       [],
     );
   };
@@ -46,8 +50,10 @@ const getFindings = ({packageGraph, packageName, range, allPathsAffected = true}
     : getTargetPackagesFromPaths(allPaths);
   const rootDependencies = getRootPackagesFromPaths(allPaths);
   const paths = getDisplayPaths(allPaths);
+  const sources = getTargetPackagesFromPaths(allPaths);
 
   return {
+    sources,
     affects,
     rootDependencies,
     paths,