From 02c52d039553034687c7bb79ae94aac83a487ae3 Mon Sep 17 00:00:00 2001
From: Nathan Voss
Date: Tue, 22 Oct 2024 10:50:00 -0700
Subject: [PATCH 1/2] Excluding devDependencies from package-lock.json parsing
Signed-off-by: Nathan Voss
---
 .../cataloger/javascript/parse_package_lock.go | 12 ++++++++++++
 .../test-fixtures/pkg-lock/package-lock-2.json | 15 +++++++++++++++
 .../test-fixtures/pkg-lock/package-lock-3.json | 9 +++++++++
 .../test-fixtures/pkg-lock/package-lock.json | 6 ++++++
 4 files changed, 42 insertions(+)
diff --git a/syft/pkg/cataloger/javascript/parse_package_lock.go b/syft/pkg/cataloger/javascript/parse_package_lock.go
index ec8a2b60029..e587fbef8aa 100644
--- a/syft/pkg/cataloger/javascript/parse_package_lock.go
+++ b/syft/pkg/cataloger/javascript/parse_package_lock.go
@@ -29,6 +29,7 @@ type lockDependency struct {
 Version string `json:"version"`
 Resolved string `json:"resolved"`
 Integrity string `json:"integrity"`
+ Dev bool `json:"dev"`
 }
 type lockPackage struct {
@@ -37,6 +38,7 @@ type lockPackage struct {
 Resolved string `json:"resolved"`
 Integrity string `json:"integrity"`
 License packageLockLicense `json:"license"`
+ Dev bool `json:"dev"`
 }
 // packageLockLicense
@@ -74,6 +76,11 @@ func (a genericPackageLockAdapter) parsePackageLock(_ context.Context, resolver
 if lock.LockfileVersion == 1 {
 for name, pkgMeta := range lock.Dependencies {
+ // skip packages that are only present as a dev dependency
+ if pkgMeta.Dev {
+ continue
+ }
+
 pkgs = append(pkgs, newPackageLockV1Package(a.cfg, resolver, reader.Location, name, pkgMeta))
 }
 }
@@ -87,6 +94,11 @@ func (a genericPackageLockAdapter) parsePackageLock(_ context.Context, resolver
 name = pkgMeta.Name
 }
+ // skip packages that are only present as a dev dependency
+ if pkgMeta.Dev {
+ continue
+ }
+
 // handles alias names
 if pkgMeta.Name != "" {
 name = pkgMeta.Name
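Review bot: The new `Dev` field in lockDependency (and the identical one in lockPackage in the next hunk) has no comment, so a reader cannot tell from the struct what npm semantics the cataloger now relies on. npm sets `dev` only for packages that are strictly part of the devDependencies tree; in lockfile v2/v3 a package that is both a dev dependency and an optional dependency of a non-dev dependency is flagged `devOptional` instead, which this field does not capture, and an absent key leaves the field false so such packages stay catalogued. Suggest `// Dev is set by npm when the package is reachable only through devDependencies (npm's separate devOptional flag is not mapped here).` on both fields so the incompleteness is visible where the field is declared rather than discovered from SBOM output.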
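Review bot: The skip added at the top of the v1 loop in this hunk (and again in the v2/v3 loop in the following hunk) drops dev-only packages unconditionally, so an SBOM built from a lockfile can no longer surface vulnerable build or test tooling and there is no way to opt back in, even though `a.cfg` is already threaded into `newPackageLockV1Package` and could carry the choice. Consider gating the skip on a cataloger option (a constructed name such as `IncludeDevDependencies`, defaulting to the previous include-everything behaviour) so the narrowing of coverage is an explicit configuration decision: `if pkgMeta.Dev && !a.cfg.IncludeDevDependencies { continue }`. Because the flag is read from the lockfile being scanned, the SBOM's completeness now depends on a value the scanned artifact controls, which is worth stating in the comment above the skip, e.g. `// dev is taken from the lockfile as written; a package marked dev here is omitted from the SBOM entirely`. The enclosing parsePackageLock body starts before and continues after this hunk.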
diff --git a/syft/pkg/cataloger/javascript/test-fixtures/pkg-lock/package-lock-2.json b/syft/pkg/cataloger/javascript/test-fixtures/pkg-lock/package-lock-2.json
index 2373f27ca0a..211f8dcc8f7 100644
--- a/syft/pkg/cataloger/javascript/test-fixtures/pkg-lock/package-lock-2.json
+++ b/syft/pkg/cataloger/javascript/test-fixtures/pkg-lock/package-lock-2.json
@@ -9,6 +9,9 @@
 "version": "6.14.6",
 "dependencies": {
 "@types/react": "^18.0.9"
+ },
+ "devDependencies": {
+ "async": "^3.2.4"
 }
 },
 "node_modules/@types/prop-types": {
@@ -39,6 +42,12 @@
 "resolved": "https://registry.npmjs.org/csstype/-/csstype-3.1.0.tgz",
 "integrity": "sha1-TdysNxjXh8+d8NG30VAzklyPKfI=",
 "license": "MIT"
+ },
+ "node_modules/async": {
+ "version": "3.2.4",
+ "resolved": "https://registry.npmjs.org/async/-/async-3.2.4.tgz",
+ "integrity": "sha512-iAB+JbDEGXhyIUavoDl9WP/Jj106Kz9DEn1DPgYw5ruDn0e3Wgi3sKFm55sASdGBNOQB8F59d9qQ7deqrHA8wQ==",
+ "dev": true
 }
 },
 "dependencies": {
@@ -66,6 +75,12 @@
 "version": "3.1.0",
 "resolved": "https://registry.npmjs.org/csstype/-/csstype-3.1.0.tgz",
 "integrity": "sha1-TdysNxjXh8+d8NG30VAzklyPKfI="
+ },
+ "async": {
+ "version": "3.2.4",
+ "resolved": "https://registry.npmjs.org/async/-/async-3.2.4.tgz",
+ "integrity": "sha512-iAB+JbDEGXhyIUavoDl9WP/Jj106Kz9DEn1DPgYw5ruDn0e3Wgi3sKFm55sASdGBNOQB8F59d9qQ7deqrHA8wQ==",
+ "dev": true
 }
 }
 }
diff --git a/syft/pkg/cataloger/javascript/test-fixtures/pkg-lock/package-lock-3.json b/syft/pkg/cataloger/javascript/test-fixtures/pkg-lock/package-lock-3.json
index 68008c089a5..dce055481bf 100644
--- a/syft/pkg/cataloger/javascript/test-fixtures/pkg-lock/package-lock-3.json
+++ b/syft/pkg/cataloger/javascript/test-fixtures/pkg-lock/package-lock-3.json
@@ -9,6 +9,9 @@
 "version": "1.0.0",
 "dependencies": {
 "@types/react": "^18.0.9"
+ },
+ "devDependencies": {
+ "async": "^3.2.4"
 }
 },
 "node_modules/@types/prop-types": {
@@ -35,6 +38,12 @@
 "version": "3.1.1",
 "resolved": "https://registry.npmjs.org/csstype/-/csstype-3.1.1.tgz",
 "integrity": "sha512-DJR/VvkAvSZW9bTouZue2sSxDwdTN92uHjqeKVm+0dAqdfNykRzQ95tay8aXMBAAPpUiq4Qcug2L7neoRh2Egw=="
+ },
+ "node_modules/async": {
+ "version": "3.2.4",
+ "resolved": "https://registry.npmjs.org/async/-/async-3.2.4.tgz",
+ "integrity": "sha512-iAB+JbDEGXhyIUavoDl9WP/Jj106Kz9DEn1DPgYw5ruDn0e3Wgi3sKFm55sASdGBNOQB8F59d9qQ7deqrHA8wQ==",
+ "dev": true
 }
 }
 }
diff --git a/syft/pkg/cataloger/javascript/test-fixtures/pkg-lock/package-lock.json b/syft/pkg/cataloger/javascript/test-fixtures/pkg-lock/package-lock.json
index 7a14a9e2120..fcaf8c0e3af 100644
--- a/syft/pkg/cataloger/javascript/test-fixtures/pkg-lock/package-lock.json
+++ b/syft/pkg/cataloger/javascript/test-fixtures/pkg-lock/package-lock.json
@@ -76,6 +76,12 @@
 "version": "0.0.3",
 "resolved": "https://registry.npmjs.org/wordwrap/-/wordwrap-0.0.3.tgz",
 "integrity": "sha1-o9XabNXAvAAI03I0u68b7WMFkQc="
+ },
+ "node_modules/async": {
+ "version": "3.2.4",
+ "resolved": "https://registry.npmjs.org/async/-/async-3.2.4.tgz",
+ "integrity": "sha512-iAB+JbDEGXhyIUavoDl9WP/Jj106Kz9DEn1DPgYw5ruDn0e3Wgi3sKFm55sASdGBNOQB8F59d9qQ7deqrHA8wQ==",
+ "dev": true
 }
 }
 }
From 846a9f982ac6e2bf47b5a5582d4914a0337de17c Mon Sep 17 00:00:00 2001
From: Nathan Voss
Date: Tue, 22 Oct 2024 11:00:55 -0700
Subject: [PATCH 2/2] Updated integration test to account for exclusion of node dev packages
Signed-off-by: Nathan Voss
---
 cmd/syft/internal/test/integration/node_packages_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cmd/syft/internal/test/integration/node_packages_test.go b/cmd/syft/internal/test/integration/node_packages_test.go
index dcf1c4a7381..8995a913a2d 100644
--- a/cmd/syft/internal/test/integration/node_packages_test.go
+++ b/cmd/syft/internal/test/integration/node_packages_test.go
@@ -25,7 +25,7 @@ func TestNpmPackageLockDirectory(t *testing.T) {
 }
 // ensure that integration test commonTestCases stay in sync with the available catalogers
- const expectedPackageCount = 6
+ const expectedPackageCount = 2
 if foundPackages.Size() != expectedPackageCount {
 t.Errorf("found the wrong set of npm package-lock.json packages (expected: %d, actual: %d)", expectedPackageCount, foundPackages.Size())
 }
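Review bot: Lowering `expectedPackageCount` from 6 to 2 is the only evidence in this test that dev-only packages are now excluded, so a regression that re-includes two of the four dropped packages while losing two legitimate ones would still pass, and nothing on the line records why the number changed. Suggest `const expectedPackageCount = 2 // dev-only packages in the fixture lockfile are excluded by the package-lock cataloger` and, if `foundPackages` exposes membership, an additional assertion that the expected non-dev package names are present and a known dev-only name is absent; the existing "wrong set" message already implies that intent. The enclosing TestNpmPackageLockDirectory body starts before and continues after this hunk.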