github.com/nextlinux/gosbom@v0.81.1-0.20230627115839-1ff50c281391/gosbom/pkg/cataloger/javascript/parse_pnpm_lock.go

github.com/nextlinux/gosbom@v0.81.1-0.20230627115839-1ff50c281391/gosbom/pkg/cataloger/javascript/parse_pnpm_lock.go (about)

     1  package javascript
     2  
     3  import (
     4  	"fmt"
     5  	"io"
     6  	"regexp"
     7  	"strconv"
     8  	"strings"
     9  
    10  	"github.com/nextlinux/gosbom/gosbom/artifact"
    11  	"github.com/nextlinux/gosbom/gosbom/file"
    12  	"github.com/nextlinux/gosbom/gosbom/pkg"
    13  	"github.com/nextlinux/gosbom/gosbom/pkg/cataloger/generic"
    14  	"github.com/nextlinux/gosbom/internal/log"
    15  	"gopkg.in/yaml.v3"
    16  )
    17  
    18  // integrity check
    19  var _ generic.Parser = parsePnpmLock
    20  
    21  type pnpmLockYaml struct {
    22  	Version      string                 `json:"lockfileVersion" yaml:"lockfileVersion"`
    23  	Dependencies map[string]interface{} `json:"dependencies" yaml:"dependencies"`
    24  	Packages     map[string]interface{} `json:"packages" yaml:"packages"`
    25  }
    26  
    27  func parsePnpmLock(resolver file.Resolver, _ *generic.Environment, reader file.LocationReadCloser) ([]pkg.Package, []artifact.Relationship, error) {
    28  	bytes, err := io.ReadAll(reader)
    29  	if err != nil {
    30  		return nil, nil, fmt.Errorf("failed to load pnpm-lock.yaml file: %w", err)
    31  	}
    32  
    33  	var pkgs []pkg.Package
    34  	var lockFile pnpmLockYaml
    35  
    36  	if err := yaml.Unmarshal(bytes, &lockFile); err != nil {
    37  		return nil, nil, fmt.Errorf("failed to parse pnpm-lock.yaml file: %w", err)
    38  	}
    39  
    40  	lockVersion, _ := strconv.ParseFloat(lockFile.Version, 64)
    41  
    42  	for name, info := range lockFile.Dependencies {
    43  		version := ""
    44  
    45  		switch info := info.(type) {
    46  		case string:
    47  			version = info
    48  		case map[string]interface{}:
    49  			v, ok := info["version"]
    50  			if !ok {
    51  				break
    52  			}
    53  			ver, ok := v.(string)
    54  			if ok {
    55  				version = parseVersion(ver)
    56  			}
    57  		default:
    58  			log.Tracef("unsupported pnpm dependency type: %+v", info)
    59  			continue
    60  		}
    61  
    62  		if hasPkg(pkgs, name, version) {
    63  			continue
    64  		}
    65  
    66  		pkgs = append(pkgs, newPnpmPackage(resolver, reader.Location, name, version))
    67  	}
    68  
    69  	packageNameRegex := regexp.MustCompile(`^/?([^(]*)(?:\(.*\))*$`)
    70  	splitChar := "/"
    71  	if lockVersion >= 6.0 {
    72  		splitChar = "@"
    73  	}
    74  
    75  	// parse packages from packages section of pnpm-lock.yaml
    76  	for nameVersion := range lockFile.Packages {
    77  		nameVersion = packageNameRegex.ReplaceAllString(nameVersion, "$1")
    78  		nameVersionSplit := strings.Split(strings.TrimPrefix(nameVersion, "/"), splitChar)
    79  
    80  		// last element in split array is version
    81  		version := nameVersionSplit[len(nameVersionSplit)-1]
    82  
    83  		// construct name from all array items other than last item (version)
    84  		name := strings.Join(nameVersionSplit[:len(nameVersionSplit)-1], splitChar)
    85  
    86  		if hasPkg(pkgs, name, version) {
    87  			continue
    88  		}
    89  
    90  		pkgs = append(pkgs, newPnpmPackage(resolver, reader.Location, name, version))
    91  	}
    92  
    93  	pkg.Sort(pkgs)
    94  
    95  	return pkgs, nil, nil
    96  }
    97  
    98  func hasPkg(pkgs []pkg.Package, name, version string) bool {
    99  	for _, p := range pkgs {
   100  		if p.Name == name && p.Version == version {
   101  			return true
   102  		}
   103  	}
   104  	return false
   105  }
   106  
   107  func parseVersion(version string) string {
   108  	return strings.SplitN(version, "(", 2)[0]
   109  }