Projects STRLCPY syft Commits 396441e9
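--- a/syft/pkg/cataloger/javascript/package.go
+++ b/syft/pkg/cataloger/javascript/package.go
@@ -78,8 +78,8 @@
 func newPackageLockV2Package(resolver source.FileResolver, location source.Location, name string, u lockPackage) pkg.Package {
 	var licenses []string
 
-	if u.License != "" {
-		licenses = append(licenses, u.License)
+	if u.License != nil {
+		licenses = u.License
 	}
 
 	return finalizeLockPkg(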
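Review bot: `if u.License != nil` on the new side treats an explicit `"license": []` differently from the old string check: that value decodes to an empty but non-nil slice, so `licenses` becomes `[]string{}` where it used to stay nil, which is visible in any equality comparison or JSON output (`[]` versus `null`). `if len(u.License) > 0 {` keeps the previous "no license means nil" result for both the missing and the empty case. The assignment also aliases the backing array of `u.License` instead of copying it, which is only harmless as long as neither side is mutated afterwards; the rest of newPackageLockV2Package, including the finalizeLockPkg call, lies outside the hunk.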
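--- a/syft/pkg/cataloger/javascript/parse_package_lock.go
+++ b/syft/pkg/cataloger/javascript/parse_package_lock.go
@@ -7,6 +7,7 @@
 	"io"
 	"strings"
 
+	"github.com/anchore/syft/internal/log"
 	"github.com/anchore/syft/syft/artifact"
 	"github.com/anchore/syft/syft/pkg"
 	"github.com/anchore/syft/syft/pkg/cataloger/generic"
@@ -24,6 +25,39 @@
 	Packages map[string]lockPackage
 }
 
+// packageLockLicense
+type packageLockLicense []string
+
+func (licenses *packageLockLicense) UnmarshalJSON(data []byte) (err error) {
+	// The license field could be either a string or an array.
+
+	// 1. An array
+	var arr []string
+	if err := json.Unmarshal(data, &arr); err == nil {
+		*licenses = arr
+		return nil
+	}
+
+	// 2. A string
+	var str string
+	if err = json.Unmarshal(data, &str); err == nil {
+		*licenses = make([]string, 1)
+		(*licenses)[0] = str
+		return nil
+	}
+
+	// debug the content we did not expect
+	if len(data) > 0 {
+		log.WithFields("license", string(data)).Debug("Unable to parse the following `license` value in package-lock.json")
+	}
+
+	// 3. Unexpected
+	// In case we are unable to parse the license field,
+	// i.e if we have not covered the full specification,
+	// we do not want to throw an error, instead assign nil.
+	return nil
+}
+
 // lockDependency represents a single package dependency listed in the package.lock json file
 type lockDependency struct {
 	Version string `json:"version"`
@@ -32,11 +66,11 @@
 }
 
 type lockPackage struct {
-	Name string `json:"name"` // only present in the root package entry (named "")
-	Version string `json:"version"`
-	Resolved string `json:"resolved"`
-	Integrity string `json:"integrity"`
-	License string `json:"license"`
+	Name string `json:"name"` // only present in the root package entry (named "")
+	Version string `json:"version"`
+	Resolved string `json:"resolved"`
+	Integrity string `json:"integrity"`
+	License packageLockLicense `json:"license"`
 }
 
 // parsePackageLock parses a package-lock.json and returns the discovered JavaScript packages.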
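Review bot: The named result `err` on UnmarshalJSON is redundant and the two branches disagree on how to use it: the array branch shadows it with `:=`, the string branch assigns it with `=`, and every return path returns a literal nil, so the name carries nothing; drop it with `func (licenses *packageLockLicense) UnmarshalJSON(data []byte) error {` and `if err := json.Unmarshal(data, &str); err == nil {`. The doc comment `// packageLockLicense` above the type is empty; `// packageLockLicense is the license field of a package-lock.json entry, which npm writes either as a single string or as an array of strings; any other form decodes to nil without an error.` states the contract the method below implements. Because the fallback swallows every other shape (presumably including the deprecated object form npm once accepted in package.json), the debug line is the only trace that data was dropped, and it logs the raw, unbounded lockfile bytes; quoting and truncating `string(data)` before it reaches the log keeps an oversized or odd value from flooding the output.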
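--- a/syft/pkg/cataloger/javascript/parse_package_lock_test.go
+++ b/syft/pkg/cataloger/javascript/parse_package_lock_test.go
@@ -298,3 +298,44 @@
 	}
 }
 
+func TestParsePackageLockLicenseWithArray(t *testing.T) {
+	fixture := "test-fixtures/pkg-lock/array-license-package-lock.json"
+	var expectedRelationships []artifact.Relationship
+	expectedPkgs := []pkg.Package{
+		{
+			Name: "tmp",
+			Version: "1.0.0",
+			Licenses: []string{"ISC"},
+			Language: pkg.JavaScript,
+			Type: pkg.NpmPkg,
+			PURL: "pkg:npm/[email protected]",
+			MetadataType: "NpmPackageLockJsonMetadata",
+			Metadata: pkg.NpmPackageLockJSONMetadata{},
+		},
+		{
+			Name: "pause-stream",
+			Version: "0.0.11",
+			Licenses: []string{"MIT", "Apache2"},
+			Language: pkg.JavaScript,
+			Type: pkg.NpmPkg,
+			PURL: "pkg:npm/[email protected]",
+			MetadataType: "NpmPackageLockJsonMetadata",
+			Metadata: pkg.NpmPackageLockJSONMetadata{},
+		},
+		{
+			Name: "through",
+			Version: "2.3.8",
+			Licenses: []string{"MIT"},
+			Language: pkg.JavaScript,
+			Type: pkg.NpmPkg,
+			PURL: "pkg:npm/[email protected]",
+			MetadataType: "NpmPackageLockJsonMetadata",
+			Metadata: pkg.NpmPackageLockJSONMetadata{},
+		},
+	}
+	for i := range expectedPkgs {
+		expectedPkgs[i].Locations.Add(source.NewLocation(fixture))
+	}
+	pkgtest.TestFileParser(t, fixture, parsePackageLock, expectedPkgs, expectedRelationships)
+}
+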
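Review bot: TestParsePackageLockLicenseWithArray only exercises the string and array forms of `license`; nothing covers the fallback in packageLockLicense.UnmarshalJSON where the value is neither (the path that logs at debug level and returns nil), nor an explicit empty array, so a regression in either path would go unnoticed. A fixture entry carrying an unsupported value, such as a number, with an expected package whose `Licenses` is nil would pin the "unparseable means no license" behaviour the parser now promises. The three `PURL` literals are asserted verbatim, so they should be double-checked against the fixture's package names and versions.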
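--- /dev/null
+++ b/syft/pkg/cataloger/javascript/test-fixtures/pkg-lock/array-license-package-lock.json
@@ -0,0 +1,41 @@
+{
+  "name": "tmp",
+  "version": "1.0.0",
+  "lockfileVersion": 2,
+  "requires": true,
+  "packages": {
+    "": {
+      "name": "tmp",
+      "version": "1.0.0",
+      "license": "ISC",
+      "dependencies": {
+        "pause-stream": "0.0.11"
+      }
+    },
+    "node_modules/pause-stream": {
+      "version": "0.0.11",
+      "license": [
+        "MIT",
+        "Apache2"
+      ],
+      "dependencies": {
+        "through": "~2.3"
+      }
+    },
+    "node_modules/through": {
+      "version": "2.3.8",
+      "license": "MIT"
+    }
+  },
+  "dependencies": {
+    "pause-stream": {
+      "version": "0.0.11",
+      "requires": {
+        "through": "~2.3"
+      }
+    },
+    "through": {
+      "version": "2.3.8"
+    }
+  }
+}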