github.com/anchore/syft@v1.4.2-0.20240516191711-1bec1fc5d397/syft/pkg/cataloger/javascript/parse_pnpm_lock.go (about)

     1  package javascript
     2  
     3  import (
     4  	"context"
     5  	"fmt"
     6  	"io"
     7  	"regexp"
     8  	"strconv"
     9  	"strings"
    10  
    11  	"gopkg.in/yaml.v3"
    12  
    13  	"github.com/anchore/syft/internal/log"
    14  	"github.com/anchore/syft/syft/artifact"
    15  	"github.com/anchore/syft/syft/file"
    16  	"github.com/anchore/syft/syft/pkg"
    17  	"github.com/anchore/syft/syft/pkg/cataloger/generic"
    18  )
    19  
    20  // integrity check
    21  var _ generic.Parser = parsePnpmLock
    22  
    23  type pnpmLockYaml struct {
    24  	Version      string                 `json:"lockfileVersion" yaml:"lockfileVersion"`
    25  	Dependencies map[string]interface{} `json:"dependencies" yaml:"dependencies"`
    26  	Packages     map[string]interface{} `json:"packages" yaml:"packages"`
    27  }
    28  
    29  func parsePnpmLock(_ context.Context, resolver file.Resolver, _ *generic.Environment, reader file.LocationReadCloser) ([]pkg.Package, []artifact.Relationship, error) {
    30  	bytes, err := io.ReadAll(reader)
    31  	if err != nil {
    32  		return nil, nil, fmt.Errorf("failed to load pnpm-lock.yaml file: %w", err)
    33  	}
    34  
    35  	var pkgs []pkg.Package
    36  	var lockFile pnpmLockYaml
    37  
    38  	if err := yaml.Unmarshal(bytes, &lockFile); err != nil {
    39  		return nil, nil, fmt.Errorf("failed to parse pnpm-lock.yaml file: %w", err)
    40  	}
    41  
    42  	lockVersion, _ := strconv.ParseFloat(lockFile.Version, 64)
    43  
    44  	for name, info := range lockFile.Dependencies {
    45  		version := ""
    46  
    47  		switch info := info.(type) {
    48  		case string:
    49  			version = info
    50  		case map[string]interface{}:
    51  			v, ok := info["version"]
    52  			if !ok {
    53  				break
    54  			}
    55  			ver, ok := v.(string)
    56  			if ok {
    57  				version = parseVersion(ver)
    58  			}
    59  		default:
    60  			log.Tracef("unsupported pnpm dependency type: %+v", info)
    61  			continue
    62  		}
    63  
    64  		if hasPkg(pkgs, name, version) {
    65  			continue
    66  		}
    67  
    68  		pkgs = append(pkgs, newPnpmPackage(resolver, reader.Location, name, version))
    69  	}
    70  
    71  	packageNameRegex := regexp.MustCompile(`^/?([^(]*)(?:\(.*\))*$`)
    72  	splitChar := "/"
    73  	if lockVersion >= 6.0 {
    74  		splitChar = "@"
    75  	}
    76  
    77  	// parse packages from packages section of pnpm-lock.yaml
    78  	for nameVersion := range lockFile.Packages {
    79  		nameVersion = packageNameRegex.ReplaceAllString(nameVersion, "$1")
    80  		nameVersionSplit := strings.Split(strings.TrimPrefix(nameVersion, "/"), splitChar)
    81  
    82  		// last element in split array is version
    83  		version := nameVersionSplit[len(nameVersionSplit)-1]
    84  
    85  		// construct name from all array items other than last item (version)
    86  		name := strings.Join(nameVersionSplit[:len(nameVersionSplit)-1], splitChar)
    87  
    88  		if hasPkg(pkgs, name, version) {
    89  			continue
    90  		}
    91  
    92  		pkgs = append(pkgs, newPnpmPackage(resolver, reader.Location, name, version))
    93  	}
    94  
    95  	pkg.Sort(pkgs)
    96  
    97  	return pkgs, nil, nil
    98  }
    99  
   100  func hasPkg(pkgs []pkg.Package, name, version string) bool {
   101  	for _, p := range pkgs {
   102  		if p.Name == name && p.Version == version {
   103  			return true
   104  		}
   105  	}
   106  	return false
   107  }
   108  
   109  func parseVersion(version string) string {
   110  	return strings.SplitN(version, "(", 2)[0]
   111  }