From f05e349ce4de0acf6d7b325a16fc44f69ffe249b Mon Sep 17 00:00:00 2001 From: asafambar Date: Wed, 13 Sep 2023 00:59:15 +0300 Subject: [PATCH 1/9] Support curation npm tree calc by package-lock only. --- go.mod | 16 ++++++------- go.sum | 32 ++++++++++++------------- xray/commands/audit/sca/npm/npm.go | 17 +++++++++---- xray/commands/audit/sca/npm/npm_test.go | 2 +- xray/commands/audit/scarunner.go | 2 +- xray/utils/auditbasicparams.go | 20 ++++++++++++++++ 6 files changed, 59 insertions(+), 30 deletions(-) diff --git a/go.mod b/go.mod index 891def452..76cd5464f 100644 --- a/go.mod +++ b/go.mod @@ -23,11 +23,11 @@ require ( github.com/stretchr/testify v1.8.4 github.com/urfave/cli v1.22.14 github.com/vbauerster/mpb/v7 v7.5.3 - golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63 + golang.org/x/exp v0.0.0-20230905200255-921286631fa9 golang.org/x/mod v0.12.0 golang.org/x/sync v0.3.0 - golang.org/x/term v0.11.0 - golang.org/x/text v0.12.0 + golang.org/x/term v0.12.0 + golang.org/x/text v0.13.0 gopkg.in/yaml.v3 v3.0.1 ) 
@@ -86,16 +86,16 @@ require ( github.com/xanzy/ssh-agent v0.3.3 // indirect github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 // indirect github.com/xo/terminfo v0.0.0-20210125001918-ca9a967f8778 // indirect - golang.org/x/crypto v0.12.0 // indirect - golang.org/x/net v0.14.0 // indirect - golang.org/x/sys v0.11.0 // indirect - golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846 // indirect + golang.org/x/crypto v0.13.0 // indirect + golang.org/x/net v0.15.0 // indirect + golang.org/x/sys v0.12.0 // indirect + golang.org/x/tools v0.13.0 // indirect gopkg.in/ini.v1 v1.67.0 // indirect gopkg.in/warnings.v0 v0.1.2 // indirect ) replace github.com/jfrog/jfrog-client-go => github.com/jfrog/jfrog-client-go v1.28.1-0.20230831152946-6ed2ae1aa57f -replace github.com/jfrog/build-info-go => github.com/jfrog/build-info-go v1.8.9-0.20230905120411-62d1bdd4eb38 +replace github.com/jfrog/build-info-go => github.com/asafambar/build-info-go v1.8.9-0.20230912212926-cf07082371c0 // replace github.com/jfrog/gofrog => github.com/jfrog/gofrog v1.2.6-0.20230418122323-2bf299dd6d27 diff --git a/go.sum b/go.sum index a028a4cfc..3c4e8a70d 100644 --- a/go.sum +++ b/go.sum 
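Review bot: The `replace github.com/jfrog/build-info-go => github.com/asafambar/build-info-go v1.8.9-0.20230912212926-cf07082371c0` directive at the end of this hunk redirects a core dependency to a personal fork, which must not reach the main branch: every consumer of this module would then build against code outside the jfrog organisation's review and release process. Patch 3 and patch 6 re-pin the same fork rather than returning to upstream, and patch 3 additionally comments out the jfrog-client-go replace, so the supply-chain state of go.mod drifts further across the series. Before merge, land the NpmTreeDepListParam change in jfrog/build-info-go, point go.mod at that tag, and remove the commented-out replace lines so the dependency graph is readable from go.mod alone.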
@@ -60,6 +60,8 @@ github.com/andybalholm/brotli v1.0.1/go.mod h1:loMXtMfwqflxFJPmdbJO0a3KNoPuLBgiu github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8= github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio= +github.com/asafambar/build-info-go v1.8.9-0.20230912212926-cf07082371c0 h1:9zBIe6NHZ8pedSPyRAtQrzC856bztt7M9ndWFZnRNBg= +github.com/asafambar/build-info-go v1.8.9-0.20230912212926-cf07082371c0/go.mod h1:ujJ8XQZMdT2tMkLSMJNyDd1pCY+duwHdjV+9or9FLIg= github.com/bradleyjkemp/cupaloy/v2 v2.8.0 h1:any4BmKE+jGIaMpnU8YgH/I2LPiLBufr6oMMlVBbn9M= github.com/buger/jsonparser v1.1.1 h1:2PnMjfWD7wBILjqQbt530v576A/cAbQvEW9gGIpYMUs= github.com/buger/jsonparser v1.1.1/go.mod h1:6RYKKt7H4d4+iWqouImQ9R2FZql3VbhNgx27UK13J/0= @@ -194,8 +196,6 @@ github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOl github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo= github.com/jedib0t/go-pretty/v6 v6.4.7 h1:lwiTJr1DEkAgzljsUsORmWsVn5MQjt1BPJdPCtJ6KXE= github.com/jedib0t/go-pretty/v6 v6.4.7/go.mod h1:Ndk3ase2CkQbXLLNf5QDHoYb6J9WtVfmHZu9n8rk2xs= -github.com/jfrog/build-info-go v1.8.9-0.20230905120411-62d1bdd4eb38 h1:XyAcwWP2a6a5RL861gkfgQ7MUaQ7mmDkUVoD6kMtUtQ= -github.com/jfrog/build-info-go v1.8.9-0.20230905120411-62d1bdd4eb38/go.mod h1:QEskae5fQpjeY2PBzsjWtUQVskYSNDF2sSmw/Gx44dQ= github.com/jfrog/gofrog v1.3.0 h1:o4zgsBZE4QyDbz2M7D4K6fXPTBJht+8lE87mS9bw7Gk= github.com/jfrog/gofrog v1.3.0/go.mod h1:IFMc+V/yf7rA5WZ74CSbXe+Lgf0iApEQLxRZVzKRUR0= github.com/jfrog/jfrog-client-go v1.28.1-0.20230831152946-6ed2ae1aa57f h1:S6l0o2sKFLRJ+QYVB5U/PJhrnwFSmKFFY7eHpRPRH8A= 
@@ -350,8 +350,8 @@ golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0 golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU= -golang.org/x/crypto v0.12.0 h1:tFM/ta59kqch6LlvYnPa0yx5a83cL2nHflFhYKvv9Yk= -golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw= +golang.org/x/crypto v0.13.0 h1:mvySKfSWJ+UKUii46M40LOvyWfN0s2U+46/jDd0e6Ck= +golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= 
@@ -362,8 +362,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= -golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63 h1:m64FZMko/V45gv0bNmrNYoDEq8U5YUhetc9cBWKS1TQ= -golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63/go.mod h1:0v4NqG35kSWCMzLaMeX+IQrlSnVE/bqGSyC2cz/9Le8= +golang.org/x/exp v0.0.0-20230905200255-921286631fa9 h1:GoHiUyI/Tp2nVkLI2mCxVkOjsbSXD66ic0XW0js0R9g= +golang.org/x/exp v0.0.0-20230905200255-921286631fa9/go.mod h1:S2oDrQGGwySpoQPVqRShND87VCbxmc6bL1Yd2oYrm6k= golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= 
@@ -427,8 +427,8 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= -golang.org/x/net v0.14.0 h1:BONx9s002vGdD9umnlX1Po8vOZmrgH34qlHcD1MfK14= -golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI= +golang.org/x/net v0.15.0 h1:ugBLEUaxABaB5AJqW9enI0ACdci2RUd4eP51NTBvuJ8= +golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -511,15 +511,15 @@ golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM= -golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.12.0 h1:CM0HF96J0hcLAwsHPJZjfdNzs0gftsLfgKt57wWHJ0o= +golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= -golang.org/x/term v0.11.0 h1:F9tnn/DA/Im8nCwm+fX+1/eBwi4qFjRT++MhtVC4ZX0= -golang.org/x/term v0.11.0/go.mod h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU= +golang.org/x/term v0.12.0 h1:/ZfYdc3zq+q02Rv9vGqTeSItdzZTSNDmfTi0mBAuidU= +golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -532,8 +532,8 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= -golang.org/x/text v0.12.0 h1:k+n5B8goJNdU7hSvEtMUz3d1Q6D/XW4COJSJR6fN0mc= -golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= +golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k= +golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= 
@@ -586,8 +586,8 @@ golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4f golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= -golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846 h1:Vve/L0v7CXXuxUmaMGIEK/dEeq7uiqb5qBgQrZzIE7E= -golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846/go.mod h1:Sc0INKfu04TlqNoRA1hgpFZbhYXHPr4V5DzpSBTPqQM= +golang.org/x/tools v0.13.0 h1:Iey4qkscZuv0VvIt8E0neZjtPVQFSc870HQ448QgEmQ= +golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= diff --git a/xray/commands/audit/sca/npm/npm.go b/xray/commands/audit/sca/npm/npm.go index 7a646e349..8f6acc28b 100644 --- a/xray/commands/audit/sca/npm/npm.go +++ b/xray/commands/audit/sca/npm/npm.go @@ -5,6 +5,7 @@ import ( buildinfo "github.com/jfrog/build-info-go/entities" "github.com/jfrog/jfrog-cli-core/v2/utils/coreutils" "github.com/jfrog/jfrog-cli-core/v2/xray/commands/audit/sca" + xrayutils "github.com/jfrog/jfrog-cli-core/v2/xray/utils" "github.com/jfrog/jfrog-client-go/utils/log" xrayUtils "github.com/jfrog/jfrog-client-go/xray/services/utils" "golang.org/x/exp/slices" 
@@ -15,7 +16,7 @@ const (
 	ignoreScriptsFlag = "--ignore-scripts"
 )
 
-func BuildDependencyTree(npmArgs []string) (dependencyTrees []*xrayUtils.GraphNode, uniqueDeps []string, err error) {
+func BuildDependencyTree(params *xrayutils.AuditBasicParams) (dependencyTrees []*xrayUtils.GraphNode, uniqueDeps []string, err error) {
 	currentDir, err := coreutils.GetWorkingDirectory()
 	if err != nil {
 		return
@@ -28,10 +29,18 @@ func BuildDependencyTree(npmArgs []string) (dependencyTrees []*xrayUtils.GraphNo
 	if err != nil {
 		return
 	}
-	npmArgs = addIgnoreScriptsFlag(npmArgs)
-
+	treeDepsParam := biutils.NpmTreeDepListParam{
+		Args: addIgnoreScriptsFlag([]string{}),
+	}
+	if params != nil {
+		treeDepsParam = biutils.NpmTreeDepListParam{
+			Args: addIgnoreScriptsFlag(params.Args()),
+			IgnoreNodeModules: params.NpmIgnoreNodeModules(),
+			OverWritePackageLock: params.NpmOverwritePackageLock(),
+		}
+	}
 	// Calculate npm dependencies
-	dependenciesMap, err := biutils.CalculateDependenciesMap(npmExecutablePath, currentDir, packageInfo.BuildInfoModuleId(), npmArgs, log.Logger)
+	dependenciesMap, err := biutils.CalculateDependenciesMap(npmExecutablePath, currentDir, packageInfo.BuildInfoModuleId(), treeDepsParam, log.Logger)
 	if err != nil {
 		log.Info("Used npm version:", npmVersion.GetVersion())
 		return
diff --git a/xray/commands/audit/sca/npm/npm_test.go b/xray/commands/audit/sca/npm/npm_test.go
index aaa9ea47c..f0180c0b6 100644
--- a/xray/commands/audit/sca/npm/npm_test.go
+++ b/xray/commands/audit/sca/npm/npm_test.go
@@ -115,6 +115,6 @@ func TestIgnoreScripts(t *testing.T) {
 	// The package.json file contain a postinstall script running an "exit 1" command.
 	// Without the "--ignore-scripts" flag, the test will fail.
-	_, _, err := BuildDependencyTree([]string{})
+	_, _, err := BuildDependencyTree(nil)
 	assert.NoError(t, err)
 }
diff --git a/xray/commands/audit/scarunner.go b/xray/commands/audit/scarunner.go
index 231a45c1e..77f336bec 100644
--- a/xray/commands/audit/scarunner.go
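Review bot: `BuildDependencyTree` is exported and its contract just changed (it now takes `*xrayutils.AuditBasicParams` and tolerates nil), yet it still carries no doc comment; add one stating that a nil params yields a plain `--ignore-scripts` run and that `NpmIgnoreNodeModules`/`NpmOverwritePackageLock` are forwarded to build-info-go. The two `NpmTreeDepListParam` literals in the `@@ -28,10 +29,18` hunk could be collapsed by building `Args` once and only setting the two npm fields inside the `if params != nil` block, e.g. `treeDepsParam.IgnoreNodeModules = params.NpmIgnoreNodeModules()`. If `OverWritePackageLock` makes build-info-go regenerate the project's package-lock.json (the name suggests so; confirm against build-info-go), that is a write to the user's working tree and belongs in the doc comment as well. BuildDependencyTree continues outside both hunks.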
+++ b/xray/commands/audit/scarunner.go
@@ -140,7 +140,7 @@ func GetTechDependencyTree(params *xrayutils.AuditBasicParams, tech coreutils.Te
 	case coreutils.Maven, coreutils.Gradle:
 		fullDependencyTrees, uniqueDeps, err = java.BuildDependencyTree(params, tech)
 	case coreutils.Npm:
-		fullDependencyTrees, uniqueDeps, err = npm.BuildDependencyTree(params.Args())
+		fullDependencyTrees, uniqueDeps, err = npm.BuildDependencyTree(params)
 	case coreutils.Yarn:
 		fullDependencyTrees, uniqueDeps, err = yarn.BuildDependencyTree()
 	case coreutils.Go:
diff --git a/xray/utils/auditbasicparams.go b/xray/utils/auditbasicparams.go
index f8e3abba3..ba7b6535f 100644
--- a/xray/utils/auditbasicparams.go
+++ b/xray/utils/auditbasicparams.go
@@ -18,6 +18,8 @@ type AuditBasicParams struct {
 	args []string
 	depsRepo string
 	ignoreConfigFile bool
+	npmIgnoreNodeModules bool
+	npmOverWritePackageLock bool
 }
 
 func (abp *AuditBasicParams) DirectDependencies() []string {
@@ -60,6 +62,14 @@ func (abp *AuditBasicParams) UseWrapper() bool {
 	return abp.useWrapper
 }
 
+func (abp *AuditBasicParams) NpmIgnoreNodeModules() bool {
+	return abp.npmIgnoreNodeModules
+}
+
+func (abp *AuditBasicParams) NpmOverwritePackageLock() bool {
+	return abp.npmOverWritePackageLock
+}
+
 func (abp *AuditBasicParams) SetUseWrapper(useWrapper bool) *AuditBasicParams {
 	abp.useWrapper = useWrapper
 	return abp
@@ -131,3 +141,13 @@ func (abp *AuditBasicParams) SetIgnoreConfigFile(ignoreConfigFile bool) *AuditBa
 	abp.ignoreConfigFile = ignoreConfigFile
 	return abp
 }
+
+func (abp *AuditBasicParams) SetNpmIgnoreNodeModules(ignoreNpmNodeModules bool) *AuditBasicParams {
+	abp.npmIgnoreNodeModules = ignoreNpmNodeModules
+	return abp
+}
+
+func (abp *AuditBasicParams) SetNpmOverwritePackageLock(overwritePackageLock bool) *AuditBasicParams {
+	abp.npmOverWritePackageLock = overwritePackageLock
+	return abp
+}
From e8995716e3c2bcfd85f481f208fb9ed68b98b93b Mon Sep 17 00:00:00 2001
From: asafambar Date: Wed, 13 Sep 2023 01:04:01 +0300 Subject: [PATCH 2/9] Fix go sum. --- go.sum | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/go.sum b/go.sum index e10baec8b..3c4e8a70d 100644 --- a/go.sum +++ b/go.sum @@ -196,12 +196,10 @@ github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOl github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo= github.com/jedib0t/go-pretty/v6 v6.4.7 h1:lwiTJr1DEkAgzljsUsORmWsVn5MQjt1BPJdPCtJ6KXE= github.com/jedib0t/go-pretty/v6 v6.4.7/go.mod h1:Ndk3ase2CkQbXLLNf5QDHoYb6J9WtVfmHZu9n8rk2xs= -github.com/jfrog/build-info-go v1.9.10 h1:uXnDLVxpqxoAMpXcki00QaBB+M2BoGMMpHODPkmmYOY= -github.com/jfrog/build-info-go v1.9.10/go.mod h1:ujJ8XQZMdT2tMkLSMJNyDd1pCY+duwHdjV+9or9FLIg= github.com/jfrog/gofrog v1.3.0 h1:o4zgsBZE4QyDbz2M7D4K6fXPTBJht+8lE87mS9bw7Gk= github.com/jfrog/gofrog v1.3.0/go.mod h1:IFMc+V/yf7rA5WZ74CSbXe+Lgf0iApEQLxRZVzKRUR0= -github.com/jfrog/jfrog-client-go v1.32.1 h1:RQmuPSLsF5222vZJzwkgHSZMMJF83ExS7SwIvh4P+H8= -github.com/jfrog/jfrog-client-go v1.32.1/go.mod h1:362+oa7uTTYurzBs1L0dmUTlLo7uhpAU/pwM5Zb9clg= +github.com/jfrog/jfrog-client-go v1.28.1-0.20230831152946-6ed2ae1aa57f h1:S6l0o2sKFLRJ+QYVB5U/PJhrnwFSmKFFY7eHpRPRH8A= +github.com/jfrog/jfrog-client-go v1.28.1-0.20230831152946-6ed2ae1aa57f/go.mod h1:uUnMrqHX7Xi+OCaZEE4b3BtsmGeOSCB7XqaEWVXEH/E= github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4= From abb17690f3423f46d835c996b0dd30025d16ca6a Mon Sep 17 00:00:00 2001 From: asafambar Date: Wed, 13 Sep 2023 10:40:00 +0300 Subject: [PATCH 3/9] Fix go mod. --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/go.mod b/go.mod index 23f73db13..51974c945 100644 --- a/go.mod +++ b/go.mod @@ -93,7 +93,7 @@ require ( gopkg.in/warnings.v0 v0.1.2 // indirect ) -replace github.com/jfrog/jfrog-client-go => github.com/jfrog/jfrog-client-go v1.28.1-0.20230831152946-6ed2ae1aa57f +// replace github.com/jfrog/build-info-go => github.com/jfrog/build-info-go v1.8.9-0.20230905120411-62d1bdd4eb38 replace github.com/jfrog/build-info-go => github.com/asafambar/build-info-go v1.8.9-0.20230912212926-cf07082371c0 diff --git a/go.sum b/go.sum index 3c4e8a70d..c3d93340a 100644 --- a/go.sum +++ b/go.sum @@ -198,8 +198,8 @@ github.com/jedib0t/go-pretty/v6 v6.4.7 h1:lwiTJr1DEkAgzljsUsORmWsVn5MQjt1BPJdPCt github.com/jedib0t/go-pretty/v6 v6.4.7/go.mod h1:Ndk3ase2CkQbXLLNf5QDHoYb6J9WtVfmHZu9n8rk2xs= github.com/jfrog/gofrog v1.3.0 h1:o4zgsBZE4QyDbz2M7D4K6fXPTBJht+8lE87mS9bw7Gk= github.com/jfrog/gofrog v1.3.0/go.mod h1:IFMc+V/yf7rA5WZ74CSbXe+Lgf0iApEQLxRZVzKRUR0= -github.com/jfrog/jfrog-client-go v1.28.1-0.20230831152946-6ed2ae1aa57f h1:S6l0o2sKFLRJ+QYVB5U/PJhrnwFSmKFFY7eHpRPRH8A= -github.com/jfrog/jfrog-client-go v1.28.1-0.20230831152946-6ed2ae1aa57f/go.mod h1:uUnMrqHX7Xi+OCaZEE4b3BtsmGeOSCB7XqaEWVXEH/E= +github.com/jfrog/jfrog-client-go v1.32.1 h1:RQmuPSLsF5222vZJzwkgHSZMMJF83ExS7SwIvh4P+H8= +github.com/jfrog/jfrog-client-go v1.32.1/go.mod h1:362+oa7uTTYurzBs1L0dmUTlLo7uhpAU/pwM5Zb9clg= github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4= From 7aba3796e43576055d9f0eff7db099ddc6d8b8b6 Mon Sep 17 00:00:00 2001 From: asafambar Date: Thu, 21 Sep 2023 14:00:42 +0300 Subject: [PATCH 4/9] extract NpmTreeDepListParam struct initialize --- xray/commands/audit/sca/npm/npm.go | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) 
diff --git a/xray/commands/audit/sca/npm/npm.go b/xray/commands/audit/sca/npm/npm.go
index 8f6acc28b..67a8365ad 100644
--- a/xray/commands/audit/sca/npm/npm.go
+++ b/xray/commands/audit/sca/npm/npm.go
@@ -33,11 +33,7 @@ func BuildDependencyTree(params *xrayutils.AuditBasicParams) (dependencyTrees []
 		Args: addIgnoreScriptsFlag([]string{}),
 	}
 	if params != nil {
-		treeDepsParam = biutils.NpmTreeDepListParam{
-			Args: addIgnoreScriptsFlag(params.Args()),
-			IgnoreNodeModules: params.NpmIgnoreNodeModules(),
-			OverWritePackageLock: params.NpmOverwritePackageLock(),
-		}
+		treeDepsParam = createTreeDepsParam(params)
 	}
 	// Calculate npm dependencies
 	dependenciesMap, err := biutils.CalculateDependenciesMap(npmExecutablePath, currentDir, packageInfo.BuildInfoModuleId(), treeDepsParam, log.Logger)
@@ -55,6 +51,14 @@ func BuildDependencyTree(params *xrayutils.AuditBasicParams) (dependencyTrees []
 	return
 }
 
+func createTreeDepsParam(params *xrayutils.AuditBasicParams) biutils.NpmTreeDepListParam {
+	return biutils.NpmTreeDepListParam{
+		Args: addIgnoreScriptsFlag(params.Args()),
+		IgnoreNodeModules: params.NpmIgnoreNodeModules(),
+		OverWritePackageLock: params.NpmOverwritePackageLock(),
+	}
+}
+
 // Add the --ignore-scripts to prevent execution of npm scripts during npm install.
 func addIgnoreScriptsFlag(npmArgs []string) []string {
 	if !slices.Contains(npmArgs, ignoreScriptsFlag) {
From 79bff29117646716c250506a0ae2ca7559925e6e Mon Sep 17 00:00:00 2001
From: asafambar
Date: Wed, 27 Sep 2023 19:54:24 +0300
Subject: [PATCH 5/9] Change npm params to wrap audit params interface.

---
 xray/commands/audit/sca/java/javautils.go | 2 +-
 xray/commands/audit/sca/npm/npm.go | 15 +++++---
 xray/commands/audit/scarunner.go | 2 +-
 xray/commands/curation/curationaudit.go | 17 +++++++--
 xray/utils/auditbasicparams.go | 46 +++++++++++++----------
 xray/utils/packageManagerAuditParams.go | 25 ++++++++++++
 6 files changed, 76 insertions(+), 31 deletions(-)
 create mode 100644 xray/utils/packageManagerAuditParams.go

diff --git a/xray/commands/audit/sca/java/javautils.go b/xray/commands/audit/sca/java/javautils.go
index 9653de43f..d32a313f4 100644
--- a/xray/commands/audit/sca/java/javautils.go
+++ b/xray/commands/audit/sca/java/javautils.go
@@ -133,7 +133,7 @@ func hasLoop(idsAdded []string, idToAdd string) bool {
 	return false
 }
 
-func BuildDependencyTree(params *xrayutils.AuditBasicParams, tech coreutils.Technology) ([]*xrayUtils.GraphNode, []string, error) {
+func BuildDependencyTree(params xrayutils.AuditParams, tech coreutils.Technology) ([]*xrayUtils.GraphNode, []string, error) {
 	serverDetails, err := params.ServerDetails()
 	if err != nil {
 		return nil, nil, err
diff --git a/xray/commands/audit/sca/npm/npm.go b/xray/commands/audit/sca/npm/npm.go
index d03340f86..b472d68d7 100644
--- a/xray/commands/audit/sca/npm/npm.go
+++ b/xray/commands/audit/sca/npm/npm.go
@@ -15,7 +15,7 @@ const (
 	ignoreScriptsFlag = "--ignore-scripts"
 )
 
-func BuildDependencyTree(params *utils.AuditBasicParams) (dependencyTrees []*xrayUtils.GraphNode, uniqueDeps []string, err error) {
+func BuildDependencyTree(params utils.AuditParams) (dependencyTrees []*xrayUtils.GraphNode, uniqueDeps []string, err error) {
 	currentDir, err := coreutils.GetWorkingDirectory()
 	if err != nil {
 		return
@@ -50,12 +50,15 @@ func BuildDependencyTree(params *utils.AuditBasicParams) (dependencyTrees []*xra
 	return
 }
 
-func createTreeDepsParam(params *utils.AuditBasicParams) biutils.NpmTreeDepListParam {
-	return biutils.NpmTreeDepListParam{
-		Args: addIgnoreScriptsFlag(params.Args()),
-		IgnoreNodeModules: params.NpmIgnoreNodeModules(),
-		OverWritePackageLock: params.NpmOverwritePackageLock(),
+func createTreeDepsParam(params utils.AuditParams) biutils.NpmTreeDepListParam {
+	npmTreeDepParam := biutils.NpmTreeDepListParam{
+		Args: addIgnoreScriptsFlag(params.Args()),
 	}
+	if npmParams, ok := params.(utils.AuditNpmParams); ok {
+		npmTreeDepParam.IgnoreNodeModules = npmParams.NpmIgnoreNodeModules()
+		npmTreeDepParam.OverWritePackageLock = npmParams.NpmOverwritePackageLock()
+	}
+	return npmTreeDepParam
 }
 
 // Add the --ignore-scripts to prevent execution of npm scripts during npm install.
diff --git a/xray/commands/audit/scarunner.go b/xray/commands/audit/scarunner.go
index fc6e73a17..0715e4370 100644
--- a/xray/commands/audit/scarunner.go
+++ b/xray/commands/audit/scarunner.go
@@ -133,7 +133,7 @@ func getDirectDependenciesFromTree(dependencyTrees []*xrayCmdUtils.GraphNode) []
 	return directDependencies.ToSlice()
 }
 
-func GetTechDependencyTree(params *xrayutils.AuditBasicParams, tech coreutils.Technology) (flatTree *xrayCmdUtils.GraphNode, fullDependencyTrees []*xrayCmdUtils.GraphNode, err error) {
+func GetTechDependencyTree(params xrayutils.AuditParams, tech coreutils.Technology) (flatTree *xrayCmdUtils.GraphNode, fullDependencyTrees []*xrayCmdUtils.GraphNode, err error) {
 	logMessage := fmt.Sprintf("Calculating %s dependencies", tech.ToFormal())
 	log.Info(logMessage)
 	if params.Progress() != nil {
diff --git a/xray/commands/curation/curationaudit.go b/xray/commands/curation/curationaudit.go
index 1ef10d1bb..d987203a2 100644
--- a/xray/commands/curation/curationaudit.go
+++ b/xray/commands/curation/curationaudit.go
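Review bot: The type assertion `params.(utils.AuditNpmParams)` in createTreeDepsParam matches only that exact value type, so a caller passing `*utils.AuditNpmParams` or any other wrapper that exposes the same two getters silently loses the curation flags and falls back to a full node_modules-based tree. Asserting against a small local interface, `if npmParams, ok := params.(interface{ NpmIgnoreNodeModules() bool; NpmOverwritePackageLock() bool }); ok {`, keeps the behaviour while decoupling it from the concrete struct. A doc comment on createTreeDepsParam should also state that the npm-specific fields stay at their zero values when params is not npm-aware, since that fallback is invisible at the call site in BuildDependencyTree.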
@@ -111,13 +111,13 @@ type CurationAuditCommand struct {
 	workingDirs []string
 	OriginPath string
 	parallelRequests int
-	*utils.AuditBasicParams
+	utils.AuditParams
 }
 
 func NewCurationAuditCommand() *CurationAuditCommand {
 	return &CurationAuditCommand{
 		extractPoliciesRegex: regexp.MustCompile(extractPoliciesRegexTemplate),
-		AuditBasicParams: &utils.AuditBasicParams{},
+		AuditParams: &utils.AuditBasicParams{},
 	}
 }
 
@@ -192,8 +192,19 @@ func (ca *CurationAuditCommand) doCurateAudit(results map[string][]*PackageStatu
 	return nil
 }
 
+func (ca *CurationAuditCommand) getAuditParamsByTech(tech coreutils.Technology) utils.AuditParams {
+	switch tech {
+	case coreutils.Npm:
+		return utils.AuditNpmParams{
+			AuditParams: ca.AuditParams}.
+			SetNpmIgnoreNodeModules(true).
+			SetNpmOverwritePackageLock(true)
+	}
+	return ca.AuditParams
+}
+
 func (ca *CurationAuditCommand) auditTree(tech coreutils.Technology, results map[string][]*PackageStatus) error {
-	flattenGraph, fullDependenciesTree, err := audit.GetTechDependencyTree(ca.AuditBasicParams, tech)
+	flattenGraph, fullDependenciesTree, err := audit.GetTechDependencyTree(ca.getAuditParamsByTech(tech), tech)
 	if err != nil {
 		return err
 	}
diff --git a/xray/utils/auditbasicparams.go b/xray/utils/auditbasicparams.go
index ad42f2824..e5c739517 100644
--- a/xray/utils/auditbasicparams.go
+++ b/xray/utils/auditbasicparams.go
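Review bot: getAuditParamsByTech hard-codes `SetNpmOverwritePackageLock(true)` for every npm curation run, but nothing documents what that does to the user's project; if build-info-go rewrites package-lock.json as the name suggests (confirm against build-info-go), a command that reads as a read-only audit now mutates the working tree, and that deserves a doc comment such as `// For npm, build the tree from package-lock only: skip node_modules and let build-info-go refresh the lock file.`. The wrapper embeds `ca.AuditParams` as an interface value, so if that field is ever nil the promoted methods panic inside the package-manager code rather than here; NewCurationAuditCommand sets it, but this function is the natural place for a guard. `--ignore-scripts` is still appended by createTreeDepsParam for this path, which matters because refreshing a lock file drives npm with metadata from untrusted packages, so a small test asserting that the flag survives the AuditNpmParams wrapping would protect the property.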
@@ -5,6 +5,32 @@ import (
 	ioUtils "github.com/jfrog/jfrog-client-go/utils/io"
 )
 
+type AuditParams interface {
+	DirectDependencies() []string
+	AppendDependenciesForApplicabilityScan(directDependencies []string) *AuditBasicParams
+	ServerDetails() (*config.ServerDetails, error)
+	SetServerDetails(serverDetails *config.ServerDetails) *AuditBasicParams
+	PipRequirementsFile() string
+	SetPipRequirementsFile(requirementsFile string) *AuditBasicParams
+	ExcludeTestDependencies() bool
+	SetExcludeTestDependencies(excludeTestDependencies bool) *AuditBasicParams
+	UseWrapper() bool
+	SetUseWrapper(useWrapper bool) *AuditBasicParams
+	InsecureTls() bool
+	SetInsecureTls(insecureTls bool) *AuditBasicParams
+	Technologies() []string
+	SetTechnologies(technologies []string) *AuditBasicParams
+	Progress() ioUtils.ProgressMgr
+	SetProgress(progress ioUtils.ProgressMgr)
+	Args() []string
+	SetNpmScope(depType string) *AuditBasicParams
+	OutputFormat() OutputFormat
+	DepsRepo() string
+	SetDepsRepo(depsRepo string) *AuditBasicParams
+	IgnoreConfigFile() bool
+	SetIgnoreConfigFile(ignoreConfigFile bool) *AuditBasicParams
+}
+
 type AuditBasicParams struct {
 	serverDetails *config.ServerDetails
 	outputFormat OutputFormat
@@ -18,8 +44,6 @@ type AuditBasicParams struct {
 	args []string
 	depsRepo string
 	ignoreConfigFile bool
-	npmIgnoreNodeModules bool
-	npmOverWritePackageLock bool
 }
 
 func (abp *AuditBasicParams) DirectDependencies() []string {
@@ -62,14 +86,6 @@ func (abp *AuditBasicParams) UseWrapper() bool {
 	return abp.useWrapper
 }
 
-func (abp *AuditBasicParams) NpmIgnoreNodeModules() bool {
-	return abp.npmIgnoreNodeModules
-}
-
-func (abp *AuditBasicParams) NpmOverwritePackageLock() bool {
-	return abp.npmOverWritePackageLock
-}
-
 func (abp *AuditBasicParams) SetUseWrapper(useWrapper bool) *AuditBasicParams {
 	abp.useWrapper = useWrapper
 	return abp
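Review bot: The new `AuditParams` interface returns the concrete `*AuditBasicParams` from every setter, which ties the abstraction to one implementation and means `AuditNpmParams` (which embeds this interface) hands back a bare `*AuditBasicParams` from any inherited setter, dropping the npm wrapper mid-chain. Either return `AuditParams` from the setters or keep only the getters in the interface and leave the fluent setters on the struct. The exported interface also lacks a doc comment; `// AuditParams is the view of audit settings shared by all package-manager dependency-tree builders.` would do.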
@@ -141,13 +157,3 @@ func (abp *AuditBasicParams) SetIgnoreConfigFile(ignoreConfigFile bool) *AuditBa
 	abp.ignoreConfigFile = ignoreConfigFile
 	return abp
 }
-
-func (abp *AuditBasicParams) SetNpmIgnoreNodeModules(ignoreNpmNodeModules bool) *AuditBasicParams {
-	abp.npmIgnoreNodeModules = ignoreNpmNodeModules
-	return abp
-}
-
-func (abp *AuditBasicParams) SetNpmOverwritePackageLock(overwritePackageLock bool) *AuditBasicParams {
-	abp.npmOverWritePackageLock = overwritePackageLock
-	return abp
-}
diff --git a/xray/utils/packageManagerAuditParams.go b/xray/utils/packageManagerAuditParams.go
new file mode 100644
index 000000000..3e4d8f036
--- /dev/null
+++ b/xray/utils/packageManagerAuditParams.go
@@ -0,0 +1,25 @@
+package utils
+
+type AuditNpmParams struct {
+	AuditParams
+	npmIgnoreNodeModules bool
+	npmOverWritePackageLock bool
+}
+
+func (abp AuditNpmParams) SetNpmIgnoreNodeModules(ignoreNpmNodeModules bool) AuditNpmParams {
+	abp.npmIgnoreNodeModules = ignoreNpmNodeModules
+	return abp
+}
+
+func (abp AuditNpmParams) SetNpmOverwritePackageLock(overwritePackageLock bool) AuditNpmParams {
+	abp.npmOverWritePackageLock = overwritePackageLock
+	return abp
+}
+
+func (abp AuditNpmParams) NpmIgnoreNodeModules() bool {
+	return abp.npmIgnoreNodeModules
+}
+
+func (abp AuditNpmParams) NpmOverwritePackageLock() bool {
+	return abp.npmOverWritePackageLock
+}
From 293f7e2f443d6f2cd9487f71064ce4f6d33b0ca6 Mon Sep 17 00:00:00 2001
From: asafambar
Date: Wed, 27 Sep 2023 20:44:23 +0300
Subject: [PATCH 6/9] Upgrade go-build-info.

---
 go.mod | 2 +-
 go.sum | 4 ++--
 xray/commands/audit/sca/npm/npm.go | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/go.mod b/go.mod
index a425f00bb..c6a726081 100644
--- a/go.mod
+++ b/go.mod
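Review bot: `AuditNpmParams` uses value receivers, so `SetNpmIgnoreNodeModules` and `SetNpmOverwritePackageLock` return a modified copy and a call whose result is discarded is a silent no-op; that suits the fluent use in curationaudit.go but should be stated on the type, e.g. `// AuditNpmParams is an npm-specific view over AuditParams; its Set* methods return a modified copy rather than mutating the receiver.`. The receiver name `abp` is carried over from AuditBasicParams and no longer matches this type; `anp` or `p` reads better. The field is spelled `npmOverWritePackageLock` while the accessor is `NpmOverwritePackageLock`; pick one casing. Patch 8 appears to move this file to auditnpmparams.go, so the same applies there.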
@@ -96,6 +96,6 @@ require ( // replace github.com/jfrog/build-info-go => github.com/jfrog/build-info-go v1.8.9-0.20230905120411-62d1bdd4eb38 -replace github.com/jfrog/build-info-go => github.com/asafambar/build-info-go v1.8.9-0.20230912212926-cf07082371c0 +replace github.com/jfrog/build-info-go => github.com/asafambar/build-info-go v1.8.9-0.20230927174003-9caa065a068e // replace github.com/jfrog/gofrog => github.com/jfrog/gofrog v1.2.6-0.20230418122323-2bf299dd6d27 diff --git a/go.sum b/go.sum index dd32e32f2..4e86d6330 100644 --- a/go.sum +++ b/go.sum @@ -60,8 +60,8 @@ github.com/andybalholm/brotli v1.0.1/go.mod h1:loMXtMfwqflxFJPmdbJO0a3KNoPuLBgiu github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8= github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio= -github.com/asafambar/build-info-go v1.8.9-0.20230912212926-cf07082371c0 h1:9zBIe6NHZ8pedSPyRAtQrzC856bztt7M9ndWFZnRNBg= -github.com/asafambar/build-info-go v1.8.9-0.20230912212926-cf07082371c0/go.mod h1:ujJ8XQZMdT2tMkLSMJNyDd1pCY+duwHdjV+9or9FLIg= +github.com/asafambar/build-info-go v1.8.9-0.20230927174003-9caa065a068e h1:l5ayu2RwV36o86Sl7aSPcNk26DyF6yW3YDjjKQkCXOg= +github.com/asafambar/build-info-go v1.8.9-0.20230927174003-9caa065a068e/go.mod h1:ujJ8XQZMdT2tMkLSMJNyDd1pCY+duwHdjV+9or9FLIg= github.com/bradleyjkemp/cupaloy/v2 v2.8.0 h1:any4BmKE+jGIaMpnU8YgH/I2LPiLBufr6oMMlVBbn9M= github.com/buger/jsonparser v1.1.1 h1:2PnMjfWD7wBILjqQbt530v576A/cAbQvEW9gGIpYMUs= github.com/buger/jsonparser v1.1.1/go.mod h1:6RYKKt7H4d4+iWqouImQ9R2FZql3VbhNgx27UK13J/0= diff --git a/xray/commands/audit/sca/npm/npm.go b/xray/commands/audit/sca/npm/npm.go index b472d68d7..e469b1b50 100644 --- a/xray/commands/audit/sca/npm/npm.go +++ b/xray/commands/audit/sca/npm/npm.go 
@@ -56,7 +56,7 @@ func createTreeDepsParam(params utils.AuditParams) biutils.NpmTreeDepListParam {
 }
 if npmParams, ok := params.(utils.AuditNpmParams); ok {
 npmTreeDepParam.IgnoreNodeModules = npmParams.NpmIgnoreNodeModules()
- npmTreeDepParam.OverWritePackageLock = npmParams.NpmOverwritePackageLock()
+ npmTreeDepParam.OverwritePackageLock = npmParams.NpmOverwritePackageLock()
 }
 return npmTreeDepParam
 }
From 6de5141a2124e7b81844c58f39af6b952bfa3442 Mon Sep 17 00:00:00 2001
From: asafambar
Date: Thu, 28 Sep 2023 11:50:14 +0300
Subject: [PATCH 7/9] Fix static code analysis.
---
 xray/commands/curation/curationaudit.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/xray/commands/curation/curationaudit.go b/xray/commands/curation/curationaudit.go
index d987203a2..98ee26959 100644
--- a/xray/commands/curation/curationaudit.go
+++ b/xray/commands/curation/curationaudit.go
@@ -193,8 +193,7 @@ func (ca *CurationAuditCommand) doCurateAudit(results map[string][]*PackageStatu
 }
 func (ca *CurationAuditCommand) getAuditParamsByTech(tech coreutils.Technology) utils.AuditParams {
- switch tech {
- case coreutils.Npm:
+ if tech == coreutils.Npm {
 return utils.AuditNpmParams{
 AuditParams: ca.AuditParams}.
 SetNpmIgnoreNodeModules(true).
From 6b2661c578192d01aeef270ec37496898b21802c Mon Sep 17 00:00:00 2001
From: asafambar
Date: Sun, 1 Oct 2023 13:24:46 +0300
Subject: [PATCH 8/9] Fix CR.
---
 xray/commands/audit/sca/npm/npm.go | 14 ++++++++------
 xray/commands/curation/curationaudit.go | 3 +--
 xray/utils/auditnpmparams.go | 25 +++++++++++++++++++++++++
 xray/utils/packageManagerAuditParams.go | 25 -------------------------
 4 files changed, 34 insertions(+), 33 deletions(-)
 create mode 100644 xray/utils/auditnpmparams.go
 delete mode 100644 xray/utils/packageManagerAuditParams.go
diff --git a/xray/commands/audit/sca/npm/npm.go b/xray/commands/audit/sca/npm/npm.go
index e469b1b50..9c863f877 100644
--- a/xray/commands/audit/sca/npm/npm.go
+++ b/xray/commands/audit/sca/npm/npm.go
@@ -28,12 +28,9 @@ func BuildDependencyTree(params utils.AuditParams) (dependencyTrees []*xrayUtils
 if err != nil {
 return
 }
- treeDepsParam := biutils.NpmTreeDepListParam{
- Args: addIgnoreScriptsFlag([]string{}),
- }
- if params != nil {
- treeDepsParam = createTreeDepsParam(params)
- }
+
+ treeDepsParam := createTreeDepsParam(params)
+
 // Calculate npm dependencies
 dependenciesMap, err := biutils.CalculateDependenciesMap(npmExecutablePath, currentDir, packageInfo.BuildInfoModuleId(), treeDepsParam, log.Logger)
 if err != nil {
@@ -51,6 +48,11 @@ func BuildDependencyTree(params utils.AuditParams) (dependencyTrees []*xrayUtils
 }
 func createTreeDepsParam(params utils.AuditParams) biutils.NpmTreeDepListParam {
+ if params == nil {
+ return biutils.NpmTreeDepListParam{
+ Args: addIgnoreScriptsFlag([]string{}),
+ }
+ }
 npmTreeDepParam := biutils.NpmTreeDepListParam{
 Args: addIgnoreScriptsFlag(params.Args()),
 }
diff --git a/xray/commands/curation/curationaudit.go b/xray/commands/curation/curationaudit.go
index 98ee26959..e6bf649c0 100644
--- a/xray/commands/curation/curationaudit.go
+++ b/xray/commands/curation/curationaudit.go
@@ -194,8 +194,7 @@ func (ca *CurationAuditCommand) doCurateAudit(results map[string][]*PackageStatu
 func (ca *CurationAuditCommand) getAuditParamsByTech(tech coreutils.Technology) utils.AuditParams {
 if tech == coreutils.Npm {
- return utils.AuditNpmParams{
- AuditParams: ca.AuditParams}.
+ return utils.AuditNpmParams{AuditParams: ca.AuditParams}.
 SetNpmIgnoreNodeModules(true).
 SetNpmOverwritePackageLock(true)
 }
diff --git a/xray/utils/auditnpmparams.go b/xray/utils/auditnpmparams.go
new file mode 100644
index 000000000..947c09c5a
--- /dev/null
+++ b/xray/utils/auditnpmparams.go
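Review bot: The `if params == nil` guard added at the top of createTreeDepsParam catches only a nil interface value; AuditParams is an interface (the `params.(utils.AuditNpmParams)` assertion later in the function requires that), so an `AuditNpmParams{AuditParams: nil}` — the shape the curationaudit.go hunk in this same patch builds from ca.AuditParams — passes the guard and `params.Args()` on the next line panics on the nil embedded interface. If ca.AuditParams can be unset on that path, the nil check belongs before the wrapping in getAuditParamsByTech, or createTreeDepsParam should also handle a wrapper whose embedded AuditParams is nil. The function also has no doc comment, and the security-relevant detail that both branches route the args through addIgnoreScriptsFlag deserves recording, assuming that helper adds npm's --ignore-scripts as its name suggests: `// createTreeDepsParam builds the npm tree-listing parameters from params (defaults when nil). Both branches pass the args through addIgnoreScriptsFlag so package lifecycle scripts are not executed while the tree is computed.` The body of createTreeDepsParam continues past the end of the hunk.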
@@ -0,0 +1,25 @@
+package utils
+
+type AuditNpmParams struct {
+ AuditParams
+ npmIgnoreNodeModules bool
+ npmOverwritePackageLock bool
+}
+
+func (anp AuditNpmParams) SetNpmIgnoreNodeModules(ignoreNpmNodeModules bool) AuditNpmParams {
+ anp.npmIgnoreNodeModules = ignoreNpmNodeModules
+ return anp
+}
+
+func (anp AuditNpmParams) SetNpmOverwritePackageLock(overwritePackageLock bool) AuditNpmParams {
+ anp.npmOverwritePackageLock = overwritePackageLock
+ return anp
+}
+
+func (anp AuditNpmParams) NpmIgnoreNodeModules() bool {
+ return anp.npmIgnoreNodeModules
+}
+
+func (anp AuditNpmParams) NpmOverwritePackageLock() bool {
+ return anp.npmOverwritePackageLock
+}
diff --git a/xray/utils/packageManagerAuditParams.go b/xray/utils/packageManagerAuditParams.go
deleted file mode 100644
index 3e4d8f036..000000000
--- a/xray/utils/packageManagerAuditParams.go
+++ /dev/null
@@ -1,25 +0,0 @@
-package utils
-
-type AuditNpmParams struct {
- AuditParams
- npmIgnoreNodeModules bool
- npmOverWritePackageLock bool
-}
-
-func (abp AuditNpmParams) SetNpmIgnoreNodeModules(ignoreNpmNodeModules bool) AuditNpmParams {
- abp.npmIgnoreNodeModules = ignoreNpmNodeModules
- return abp
-}
-
-func (abp AuditNpmParams) SetNpmOverwritePackageLock(overwritePackageLock bool) AuditNpmParams {
- abp.npmOverWritePackageLock = overwritePackageLock
- return abp
-}
-
-func (abp AuditNpmParams) NpmIgnoreNodeModules() bool {
- return abp.npmIgnoreNodeModules
-}
-
-func (abp AuditNpmParams) NpmOverwritePackageLock() bool {
- return abp.npmOverWritePackageLock
-}
From 7900b40c1fdb10820721c93a9d17407e8cf3860d Mon Sep 17 00:00:00 2001
From: yahavi
Date: Tue, 3 Oct 2023 12:46:30 +0300
Subject: [PATCH 9/9] Update go.mod and go.sum
---
 go.mod | 10 ++++------
 go.sum | 12 ++++++------
 2 files changed, 10 insertions(+), 12 deletions(-)
diff --git a/go.mod b/go.mod
index c6a726081..7cb11f88a 100644
--- a/go.mod
+++ b/go.mod
@@ -12,7 +12,7 @@ require (
 github.com/google/uuid v1.3.1
 github.com/gookit/color v1.5.4
 github.com/jedib0t/go-pretty/v6 v6.4.7
- github.com/jfrog/build-info-go v1.9.10
+ github.com/jfrog/build-info-go v1.9.11
 github.com/jfrog/gofrog v1.3.0
 github.com/jfrog/jfrog-client-go v1.32.3
 github.com/magiconair/properties v1.8.7
@@ -36,7 +36,7 @@ require (
 github.com/BurntSushi/toml v1.3.2 // indirect
 github.com/CycloneDX/cyclonedx-go v0.7.2 // indirect
 github.com/Microsoft/go-winio v0.6.1 // indirect
- github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 // indirect
+ github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c // indirect
 github.com/VividCortex/ewma v1.2.0 // indirect
 github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d // indirect
 github.com/acomagu/bufpipe v1.0.4 // indirect
@@ -94,8 +94,6 @@ require (
 gopkg.in/warnings.v0 v0.1.2 // indirect
 )
-// replace github.com/jfrog/build-info-go => github.com/jfrog/build-info-go v1.8.9-0.20230905120411-62d1bdd4eb38
+replace github.com/jfrog/jfrog-client-go => github.com/jfrog/jfrog-client-go v1.28.1-0.20231003083451-568b46797866
-replace github.com/jfrog/build-info-go => github.com/asafambar/build-info-go v1.8.9-0.20230927174003-9caa065a068e
-
-// replace github.com/jfrog/gofrog => github.com/jfrog/gofrog v1.2.6-0.20230418122323-2bf299dd6d27
+replace github.com/jfrog/build-info-go => github.com/jfrog/build-info-go v1.8.9-0.20231003094520-3a09931ceaa8
diff --git a/go.sum b/go.sum
index 4e86d6330..6cbeca1e1 100644
--- a/go.sum
+++ b/go.sum
@@ -47,8 +47,8 @@ github.com/CycloneDX/cyclonedx-go v0.7.2/go.mod h1:K2bA+324+Og0X84fA8HhN2X066K7B
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
 github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
 github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
-github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 h1:kkhsdkhsCvIsutKu5zLMgWtgh9YxGCNAw8Ad8hjwfYg=
-github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0=
+github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c h1:kMFnB0vCcX7IL/m9Y5LO+KQYv+t1CQOiFe6+SV2J7bE=
+github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0=
 github.com/VividCortex/ewma v1.2.0 h1:f58SaIzcDXrSy3kWaHNvuJgJ3Nmz59Zji6XoJR/q1ow=
 github.com/VividCortex/ewma v1.2.0/go.mod h1:nz4BbCtbLyFDeC9SUHbtcT5644juEuWfUAUnGx7j5l4=
 github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d h1:licZJFw2RwpHMqeKTCYkitsPqHNxTmd4SNR5r94FGM8=
@@ -60,8 +60,6 @@ github.com/andybalholm/brotli v1.0.1/go.mod h1:loMXtMfwqflxFJPmdbJO0a3KNoPuLBgiu
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
 github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
-github.com/asafambar/build-info-go v1.8.9-0.20230927174003-9caa065a068e h1:l5ayu2RwV36o86Sl7aSPcNk26DyF6yW3YDjjKQkCXOg=
-github.com/asafambar/build-info-go v1.8.9-0.20230927174003-9caa065a068e/go.mod h1:ujJ8XQZMdT2tMkLSMJNyDd1pCY+duwHdjV+9or9FLIg=
 github.com/bradleyjkemp/cupaloy/v2 v2.8.0 h1:any4BmKE+jGIaMpnU8YgH/I2LPiLBufr6oMMlVBbn9M=
 github.com/buger/jsonparser v1.1.1 h1:2PnMjfWD7wBILjqQbt530v576A/cAbQvEW9gGIpYMUs=
 github.com/buger/jsonparser v1.1.1/go.mod h1:6RYKKt7H4d4+iWqouImQ9R2FZql3VbhNgx27UK13J/0=
@@ -197,10 +195,12 @@ github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOl
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
 github.com/jedib0t/go-pretty/v6 v6.4.7 h1:lwiTJr1DEkAgzljsUsORmWsVn5MQjt1BPJdPCtJ6KXE=
 github.com/jedib0t/go-pretty/v6 v6.4.7/go.mod h1:Ndk3ase2CkQbXLLNf5QDHoYb6J9WtVfmHZu9n8rk2xs=
+github.com/jfrog/build-info-go v1.8.9-0.20231003094520-3a09931ceaa8 h1:XaXReF1CKOr5oOXq5KkZDuHt3q9Y6pJeNCjezxZo2CM=
+github.com/jfrog/build-info-go v1.8.9-0.20231003094520-3a09931ceaa8/go.mod h1:ujJ8XQZMdT2tMkLSMJNyDd1pCY+duwHdjV+9or9FLIg=
 github.com/jfrog/gofrog v1.3.0 h1:o4zgsBZE4QyDbz2M7D4K6fXPTBJht+8lE87mS9bw7Gk=
 github.com/jfrog/gofrog v1.3.0/go.mod h1:IFMc+V/yf7rA5WZ74CSbXe+Lgf0iApEQLxRZVzKRUR0=
-github.com/jfrog/jfrog-client-go v1.32.3 h1:B2M8Gu8EMrokbHWPPDgN1b7YRWwf0oe746epvQASK6c=
-github.com/jfrog/jfrog-client-go v1.32.3/go.mod h1:UewnwkIf/77HzBgwCPzOHZCK6V/Nw5/JwdzN/tRb4aU=
+github.com/jfrog/jfrog-client-go v1.28.1-0.20231003083451-568b46797866 h1:0SWHyECx5QfCjQXf8hDzbyM94B78Dvzei7TvD9CpsCY=
+github.com/jfrog/jfrog-client-go v1.28.1-0.20231003083451-568b46797866/go.mod h1:wtk8jhtdrlzYvo3LLIwOn0OrqoSm8J5TiMfZzHIwLe8=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=