2019-05-01 15:24:08 +09:00
|
|
|
package npm
|
|
|
|
|
|
|
|
|
|
import (
|
2021-10-06 19:18:50 +05:30
|
|
|
"context"
|
2023-03-16 01:54:01 +06:00
|
|
|
"errors"
|
2023-08-23 13:35:54 +07:00
|
|
|
"io"
|
2023-03-16 01:54:01 +06:00
|
|
|
"io/fs"
|
2020-05-28 23:29:07 +03:00
|
|
|
"os"
|
2023-03-16 01:54:01 +06:00
|
|
|
"path"
|
2019-05-01 15:24:08 +09:00
|
|
|
"path/filepath"
|
|
|
|
|
|
2021-05-19 08:05:14 +03:00
|
|
|
"golang.org/x/xerrors"
|
2020-02-27 21:09:05 +02:00
|
|
|
|
2024-02-19 15:16:35 +04:00
|
|
|
"github.com/aquasecurity/trivy/pkg/dependency/parser/nodejs/npm"
|
|
|
|
|
"github.com/aquasecurity/trivy/pkg/dependency/parser/nodejs/packagejson"
|
2022-06-20 09:43:33 +01:00
|
|
|
"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
|
|
|
|
|
"github.com/aquasecurity/trivy/pkg/fanal/analyzer/language"
|
|
|
|
|
"github.com/aquasecurity/trivy/pkg/fanal/types"
|
2023-03-16 01:54:01 +06:00
|
|
|
"github.com/aquasecurity/trivy/pkg/log"
|
|
|
|
|
"github.com/aquasecurity/trivy/pkg/utils/fsutils"
|
2024-02-26 09:55:15 +04:00
|
|
|
xio "github.com/aquasecurity/trivy/pkg/x/io"
|
2023-08-06 11:59:18 +03:00
|
|
|
xpath "github.com/aquasecurity/trivy/pkg/x/path"
|
2019-05-01 15:24:08 +09:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
func init() {
|
2023-03-16 01:54:01 +06:00
|
|
|
analyzer.RegisterPostAnalyzer(analyzer.TypeNpmPkgLock, newNpmLibraryAnalyzer)
|
2019-05-01 15:24:08 +09:00
|
|
|
}
|
|
|
|
|
|
2023-03-16 01:54:01 +06:00
|
|
|
const (
|
|
|
|
|
version = 1
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
type npmLibraryAnalyzer struct {
|
2024-04-11 22:59:09 +04:00
|
|
|
logger *log.Logger
|
2024-05-07 16:25:52 +04:00
|
|
|
lockParser language.Parser
|
2023-03-21 23:13:02 +06:00
|
|
|
packageParser *packagejson.Parser
|
2023-03-16 01:54:01 +06:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func newNpmLibraryAnalyzer(_ analyzer.AnalyzerOptions) (analyzer.PostAnalyzer, error) {
|
|
|
|
|
return &npmLibraryAnalyzer{
|
2024-04-11 22:59:09 +04:00
|
|
|
logger: log.WithPrefix("npm"),
|
2023-03-16 01:54:01 +06:00
|
|
|
lockParser: npm.NewParser(),
|
|
|
|
|
packageParser: packagejson.NewParser(),
|
|
|
|
|
}, nil
|
|
|
|
|
}
|
|
|
|
|
|
2025-10-14 11:13:48 +06:00
|
|
|
func (a npmLibraryAnalyzer) PostAnalyze(ctx context.Context, input analyzer.PostAnalysisInput) (*analyzer.AnalysisResult, error) {
|
2023-03-16 01:54:01 +06:00
|
|
|
// Parse package-lock.json
|
|
|
|
|
required := func(path string, _ fs.DirEntry) bool {
|
2025-03-17 16:12:10 +06:00
|
|
|
return filepath.Base(path) == types.NpmPkgLock || input.FilePatterns.Match(path)
|
2023-03-16 01:54:01 +06:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var apps []types.Application
|
2025-04-30 11:17:24 +02:00
|
|
|
err := fsutils.WalkDir(input.FS, ".", required, func(filePath string, _ fs.DirEntry, _ io.Reader) error {
|
2023-03-16 01:54:01 +06:00
|
|
|
// Find all licenses from package.json files under node_modules dirs
|
|
|
|
|
licenses, err := a.findLicenses(input.FS, filePath)
|
|
|
|
|
if err != nil {
|
2024-04-11 22:59:09 +04:00
|
|
|
a.logger.Error("Unable to collect licenses", log.Err(err))
|
2024-05-07 16:25:52 +04:00
|
|
|
licenses = make(map[string][]string)
|
2023-03-16 01:54:01 +06:00
|
|
|
}
|
2021-02-24 07:25:01 +02:00
|
|
|
|
2025-10-14 11:13:48 +06:00
|
|
|
app, err := a.parseNpmPkgLock(ctx, input.FS, filePath)
|
2023-03-16 01:54:01 +06:00
|
|
|
if err != nil {
|
|
|
|
|
return xerrors.Errorf("parse error: %w", err)
|
|
|
|
|
} else if app == nil {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
2020-05-28 23:29:07 +03:00
|
|
|
|
2025-12-29 11:57:06 +06:00
|
|
|
// Fill licenses from package.json only if not present in lock file
|
|
|
|
|
for i, pkg := range app.Packages {
|
|
|
|
|
if len(pkg.Licenses) == 0 {
|
|
|
|
|
if ll, ok := licenses[pkg.ID]; ok {
|
|
|
|
|
app.Packages[i].Licenses = ll
|
|
|
|
|
}
|
2023-03-16 01:54:01 +06:00
|
|
|
}
|
|
|
|
|
}
|
2019-05-01 15:24:08 +09:00
|
|
|
|
2023-03-16 01:54:01 +06:00
|
|
|
apps = append(apps, *app)
|
|
|
|
|
return nil
|
|
|
|
|
})
|
2020-05-28 23:29:07 +03:00
|
|
|
if err != nil {
|
2023-03-16 01:54:01 +06:00
|
|
|
return nil, xerrors.Errorf("package-lock.json/package.json walk error: %w", err)
|
2019-05-01 15:24:08 +09:00
|
|
|
}
|
2023-03-16 01:54:01 +06:00
|
|
|
|
|
|
|
|
return &analyzer.AnalysisResult{
|
|
|
|
|
Applications: apps,
|
|
|
|
|
}, nil
|
2019-05-01 15:24:08 +09:00
|
|
|
}
|
|
|
|
|
|
2020-05-28 23:29:07 +03:00
|
|
|
func (a npmLibraryAnalyzer) Required(filePath string, _ os.FileInfo) bool {
|
|
|
|
|
fileName := filepath.Base(filePath)
|
2024-01-15 13:11:12 +06:00
|
|
|
// Don't save package-lock.json from the `node_modules` directory to avoid duplication and mistakes.
|
2023-08-06 11:59:18 +03:00
|
|
|
if fileName == types.NpmPkgLock && !xpath.Contains(filePath, "node_modules") {
|
2023-03-16 01:54:01 +06:00
|
|
|
return true
|
|
|
|
|
}
|
2024-01-15 13:11:12 +06:00
|
|
|
|
|
|
|
|
// Save package.json files only from the `node_modules` directory.
|
|
|
|
|
// Required to search for licenses.
|
|
|
|
|
if fileName == types.NpmPkg && xpath.Contains(filePath, "node_modules") {
|
2023-03-16 01:54:01 +06:00
|
|
|
return true
|
|
|
|
|
}
|
|
|
|
|
return false
|
2019-05-01 15:24:08 +09:00
|
|
|
}
|
2020-02-27 21:09:05 +02:00
|
|
|
|
2021-02-22 13:56:00 +02:00
|
|
|
func (a npmLibraryAnalyzer) Type() analyzer.Type {
|
2021-09-05 23:00:22 +05:30
|
|
|
return analyzer.TypeNpmPkgLock
|
2020-02-27 21:09:05 +02:00
|
|
|
}
|
2021-02-24 07:25:01 +02:00
|
|
|
|
|
|
|
|
func (a npmLibraryAnalyzer) Version() int {
|
|
|
|
|
return version
|
|
|
|
|
}
|
2023-03-16 01:54:01 +06:00
|
|
|
|
2025-10-14 11:13:48 +06:00
|
|
|
func (a npmLibraryAnalyzer) parseNpmPkgLock(ctx context.Context, fsys fs.FS, filePath string) (*types.Application, error) {
|
2023-10-02 11:33:21 +03:00
|
|
|
f, err := fsys.Open(filePath)
|
2023-03-16 01:54:01 +06:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, xerrors.Errorf("file open error: %w", err)
|
|
|
|
|
}
|
|
|
|
|
defer func() { _ = f.Close() }()
|
|
|
|
|
|
2024-02-26 09:55:15 +04:00
|
|
|
file, ok := f.(xio.ReadSeekCloserAt)
|
2023-03-16 01:54:01 +06:00
|
|
|
if !ok {
|
|
|
|
|
return nil, xerrors.Errorf("type assertion error: %w", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// parse package-lock.json file
|
2025-10-14 11:13:48 +06:00
|
|
|
return language.Parse(ctx, types.Npm, filePath, file, a.lockParser)
|
2023-03-16 01:54:01 +06:00
|
|
|
}
|
|
|
|
|
|
2024-05-07 16:25:52 +04:00
|
|
|
func (a npmLibraryAnalyzer) findLicenses(fsys fs.FS, lockPath string) (map[string][]string, error) {
|
2023-08-06 11:59:18 +03:00
|
|
|
dir := path.Dir(lockPath)
|
2023-03-16 01:54:01 +06:00
|
|
|
root := path.Join(dir, "node_modules")
|
|
|
|
|
if _, err := fs.Stat(fsys, root); errors.Is(err, fs.ErrNotExist) {
|
2024-04-11 22:59:09 +04:00
|
|
|
a.logger.Info(`To collect the license information of packages, "npm install" needs to be performed beforehand`,
|
|
|
|
|
log.String("dir", root))
|
2023-03-16 01:54:01 +06:00
|
|
|
return nil, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Parse package.json
|
|
|
|
|
required := func(path string, _ fs.DirEntry) bool {
|
|
|
|
|
return filepath.Base(path) == types.NpmPkg
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Traverse node_modules dir and find licenses
|
|
|
|
|
// Note that fs.FS is always slashed regardless of the platform,
|
|
|
|
|
// and path.Join should be used rather than filepath.Join.
|
2024-05-07 16:25:52 +04:00
|
|
|
licenses := make(map[string][]string)
|
2025-04-30 11:17:24 +02:00
|
|
|
err := fsutils.WalkDir(fsys, root, required, func(filePath string, _ fs.DirEntry, r io.Reader) error {
|
2023-03-21 23:13:02 +06:00
|
|
|
pkg, err := a.packageParser.Parse(r)
|
2023-03-16 01:54:01 +06:00
|
|
|
if err != nil {
|
|
|
|
|
return xerrors.Errorf("unable to parse %q: %w", filePath, err)
|
|
|
|
|
}
|
|
|
|
|
|
2024-05-07 16:25:52 +04:00
|
|
|
licenses[pkg.ID] = pkg.Licenses
|
2023-03-16 01:54:01 +06:00
|
|
|
return nil
|
|
|
|
|
})
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, xerrors.Errorf("walk error: %w", err)
|
|
|
|
|
}
|
|
|
|
|
return licenses, nil
|
|
|
|
|
}
|
