github.com/lineaje-labs/syft@v0.98.1-0.20231227153149-9e393f60ff1b/syft/pkg/cataloger/javascript/parse_pnpm_lock.go

github.com/lineaje-labs/syft@v0.98.1-0.20231227153149-9e393f60ff1b/syft/pkg/cataloger/javascript/parse_pnpm_lock.go (about)

     1  package javascript
     2  
     3  import (
     4  	"fmt"
     5  	"io"
     6  	"regexp"
     7  	"strconv"
     8  	"strings"
     9  
    10  	"gopkg.in/yaml.v3"
    11  
    12  	"github.com/anchore/syft/syft/artifact"
    13  	"github.com/anchore/syft/syft/file"
    14  	"github.com/anchore/syft/syft/pkg"
    15  	"github.com/anchore/syft/syft/pkg/cataloger/generic"
    16  	"github.com/lineaje-labs/syft/internal/log"
    17  )
    18  
    19  // integrity check
    20  var _ generic.Parser = parsePnpmLock
    21  
    22  type pnpmLockYaml struct {
    23  	Version      string                 `json:"lockfileVersion" yaml:"lockfileVersion"`
    24  	Dependencies map[string]interface{} `json:"dependencies" yaml:"dependencies"`
    25  	Packages     map[string]interface{} `json:"packages" yaml:"packages"`
    26  }
    27  
    28  func parsePnpmLock(
    29  	resolver file.Resolver, _ *generic.Environment, reader file.LocationReadCloser,
    30  ) ([]pkg.Package, []artifact.Relationship, error) {
    31  	bytes, err := io.ReadAll(reader)
    32  	if err != nil {
    33  		return nil, nil, fmt.Errorf("failed to load pnpm-lock.yaml file: %w", err)
    34  	}
    35  
    36  	var pkgs []pkg.Package
    37  	var lockFile pnpmLockYaml
    38  
    39  	if err := yaml.Unmarshal(bytes, &lockFile); err != nil {
    40  		return nil, nil, fmt.Errorf("failed to parse pnpm-lock.yaml file: %w", err)
    41  	}
    42  
    43  	lockVersion, _ := strconv.ParseFloat(lockFile.Version, 64)
    44  
    45  	for name, info := range lockFile.Dependencies {
    46  		version := ""
    47  
    48  		switch info := info.(type) {
    49  		case string:
    50  			version = info
    51  		case map[string]interface{}:
    52  			v, ok := info["version"]
    53  			if !ok {
    54  				break
    55  			}
    56  			ver, ok := v.(string)
    57  			if ok {
    58  				version = parseVersion(ver)
    59  			}
    60  		default:
    61  			log.Tracef("unsupported pnpm dependency type: %+v", info)
    62  			continue
    63  		}
    64  
    65  		if hasPkg(pkgs, name, version) {
    66  			continue
    67  		}
    68  
    69  		pkgs = append(pkgs, newPnpmPackage(resolver, reader.Location, name, version))
    70  	}
    71  
    72  	packageNameRegex := regexp.MustCompile(`^/?([^(]*)(?:\(.*\))*$`)
    73  	splitChar := "/"
    74  	if lockVersion >= 6.0 {
    75  		splitChar = "@"
    76  	}
    77  
    78  	// parse packages from packages section of pnpm-lock.yaml
    79  	for nameVersion := range lockFile.Packages {
    80  		nameVersion = packageNameRegex.ReplaceAllString(nameVersion, "$1")
    81  		nameVersionSplit := strings.Split(strings.TrimPrefix(nameVersion, "/"), splitChar)
    82  
    83  		// last element in split array is version
    84  		version := nameVersionSplit[len(nameVersionSplit)-1]
    85  
    86  		// construct name from all array items other than last item (version)
    87  		name := strings.Join(nameVersionSplit[:len(nameVersionSplit)-1], splitChar)
    88  
    89  		if hasPkg(pkgs, name, version) {
    90  			continue
    91  		}
    92  
    93  		pkgs = append(pkgs, newPnpmPackage(resolver, reader.Location, name, version))
    94  	}
    95  
    96  	pkg.Sort(pkgs)
    97  
    98  	return pkgs, nil, nil
    99  }
   100  
   101  func hasPkg(pkgs []pkg.Package, name, version string) bool {
   102  	for _, p := range pkgs {
   103  		if p.Name == name && p.Version == version {
   104  			return true
   105  		}
   106  	}
   107  	return false
   108  }
   109  
   110  func parseVersion(version string) string {
   111  	return strings.SplitN(version, "(", 2)[0]
   112  }