From a1da63ebd4f53443845a124983579b7be4fa0866 Mon Sep 17 00:00:00 2001
From: Philipp Dallig
Date: Tue, 31 Mar 2020 10:35:33 +0200
Subject: [PATCH] npm package inforamtion without version (#244)
---
 .../parser/element/Identifier.java | 2 ++
 .../reason/NPMDependencyReason.java | 25 +++++++++++++------
 .../parser/element/IdentifierTest.java | 10 ++++++++
 .../reason/NPMDependencyReasonTest.java | 20 +++++++++++++++
 4 files changed, 50 insertions(+), 7 deletions(-)
diff --git a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/parser/element/Identifier.java b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/parser/element/Identifier.java
index 6f0b134f..ffee3058 100644
--- a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/parser/element/Identifier.java
+++ b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/parser/element/Identifier.java
@@ -60,6 +60,7 @@ public static Optional getPackageType(@NonNull Identifier identifier) {
 // pkg:maven/struts/struts@1.2.8 -> maven
 // pkg:javascript/jquery@2.2.0 -> javascript
 // pkg:npm/arr-flatten@1.1.0 -> npm
+ // pkg:npm/mime -> npm
 return Optional.of(StringUtils.substringAfter(StringUtils.substringBefore(identifier.getId(), "/"), "pkg:"));
 }
 return Optional.empty();
@@ -69,6 +70,7 @@ public static Optional getPackageArtifact(@NonNull Identifier identifier
 // pkg:maven/struts/struts@1.2.8 -> struts/struts@1.2.8
 // pkg:javascript/jquery@2.2.0 -> jquery@2.2.0
 // pkg:npm/arr-flatten@1.1.0 -> arr-flatten@1.1.0
+ // pkg:npm/mime -> mime
 return Optional.of(StringUtils.substringAfter(identifier.getId(), "/"));
 }
 return Optional.empty();
diff --git a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/NPMDependencyReason.java b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/NPMDependencyReason.java
index 55769048..8ba0ef71 100644
--- a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/NPMDependencyReason.java
+++ b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/NPMDependencyReason.java
@@ -41,6 +41,7 @@
 import edu.umd.cs.findbugs.annotations.CheckForNull;
 import edu.umd.cs.findbugs.annotations.NonNull;
+import edu.umd.cs.findbugs.annotations.Nullable;
 public class NPMDependencyReason extends DependencyReason {
@@ -99,12 +100,22 @@ public TextRangeConfidence getBestTextRange(Dependency dependency) {
 }
 private void fillArtifactMatch(@NonNull Dependency dependency, Identifier npmIdentifier) {
- Optional packageArtifact = Identifier.getPackageArtifact(npmIdentifier);
- if (packageArtifact.isPresent()) {
- // packageArtifact has something like jquery@2.2.0
- String[] npmIdentifierSplit = packageArtifact.get().split("@");
- String name = npmIdentifierSplit[0];
- String version = npmIdentifierSplit[1];
+ String packageArtifact = Identifier.getPackageArtifact(npmIdentifier).orElse(null);
+ if (StringUtils.isNotBlank(packageArtifact)) {
+ String name;
+ String version;
+ if (packageArtifact.contains("@")) {
+ // packageArtifact is something like jquery@2.2.0
+ String[] npmIdentifierSplit = packageArtifact.split("@");
+ name = npmIdentifierSplit[0];
+ version = npmIdentifierSplit[1];
+ } else {
+ // It happens, that packageArtifact doesn't contain a version
+ // https://github.com/dependency-check/dependency-check-sonar-plugin/issues/242#issuecomment-605521827
+ name = packageArtifact;
+ version = null;
+ }
+ // Try to find in
 for (NPMDependency npmDependency : packageLockModel.getDependencies()) {
 checkNPMDependency(name, version , npmDependency)
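Review bot: The new `contains("@")` / `split("@")` branch still takes the first `@` as the name/version separator and reads `npmIdentifierSplit[1]` unconditionally, so an artifact whose name itself starts with `@` (a scoped npm package, should the producer not percent-encode it in the id) would yield an empty name with the scope taken as the version, and an artifact ending in `@` would throw ArrayIndexOutOfBoundsException because `split` drops trailing empty strings. Splitting at the last `@` and guarding both sides covers both cases while keeping the existing else branch for everything else: `int at = packageArtifact.lastIndexOf('@');` `if (at > 0 && at < packageArtifact.length() - 1) {` `name = packageArtifact.substring(0, at); version = packageArtifact.substring(at + 1);`. The hunk shows only part of fillArtifactMatch; its body continues past the last context line.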
@@ -113,7 +124,7 @@ private void fillArtifactMatch(@NonNull Dependency dependency, Identifier npmIde
 }
 }
- private Optional checkNPMDependency(String name, String version, NPMDependency dependency) {
+ private Optional checkNPMDependency(String name, @Nullable String version, NPMDependency dependency) {
 if (StringUtils.equals(name, dependency.getName()) && StringUtils.equals(version, dependency.getVersion())) {
 LOGGER.debug("Found a name and version match in {}", packageLock);
diff --git a/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/parser/element/IdentifierTest.java b/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/parser/element/IdentifierTest.java
index d4f06e14..976825cb 100644
--- a/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/parser/element/IdentifierTest.java
+++ b/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/parser/element/IdentifierTest.java
@@ -47,6 +47,16 @@ public void testNode() {
 assertEquals("npm", Identifier.getPackageType(a).get());
 }
+ @Test
+ public void testNodeWithOutVersion() {
+ Identifier a = new Identifier("pkg:npm/mime", Confidence.HIGHEST);
+ assertFalse(Identifier.isMavenPackage(a));
+ assertTrue(Identifier.isNPMPackage(a));
+ assertFalse(Identifier.isJavaScriptPackage(a));
+ assertEquals("mime", Identifier.getPackageArtifact(a).get());
+ assertEquals("npm", Identifier.getPackageType(a).get());
+ }
+
 @Test
 public void testJavaScript() {
 Identifier a = new Identifier("pkg:javascript/jquery@2.2.0", Confidence.HIGHEST);
diff --git a/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/reason/NPMDependencyReasonTest.java b/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/reason/NPMDependencyReasonTest.java
index 5bfaf606..67020382 100644
--- a/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/reason/NPMDependencyReasonTest.java
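Review bot: Now that `version` is `@Nullable`, `StringUtils.equals(version, dependency.getVersion())` evaluates to true when both sides are null, so an identifier without a version compared against a package-lock entry that also carries no version (if the model permits that) would be logged as a "name and version match" and presumably take the strongest confidence instead of falling through to the name-only path. Requiring a concrete version for that branch keeps the behaviour the commit intends: `if (StringUtils.equals(name, dependency.getName()) && version != null && StringUtils.equals(version, dependency.getVersion())) {`. A short Javadoc line on the method, stating that a null version means only the name is compared, would make the new contract explicit. checkNPMDependency's body continues outside the hunk.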
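Review bot: The new test name `testNodeWithOutVersion` splits "without" into two words, whereas the companion test added in NPMDependencyReasonTest in the same commit is `foundDependencyNPMWithoutVersion`; rename it to `testNodeWithoutVersion` for consistency. A one-line comment above the constructor call would also state what the test pins, e.g. `// id without a version part: the artifact is just the package name`.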
+++ b/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/reason/NPMDependencyReasonTest.java
@@ -126,6 +126,26 @@ public void foundDependencyNPMOnlyWithName() throws IOException {
 assertEquals(npm.getBestTextRange(dependency), npm.getBestTextRange(dependency));
 }
+ @Test
+ public void foundDependencyNPMWithoutVersion() throws IOException {
+ NPMDependencyReason npm = new NPMDependencyReason(inputFile("package-lock.json"));
+ // Create Dependency
+ Identifier identifier = new Identifier("pkg:npm/arr-flatten", Confidence.HIGHEST);
+ Collection identifiersCollected = new ArrayList<>();
+ identifiersCollected.add(identifier);
+ Dependency dependency = new Dependency(null, null, null, null, Collections.emptyMap(),Collections.emptyList(), identifiersCollected, Collections.emptyList(), null);
+ TextRangeConfidence textRangeConfidence = npm.getBestTextRange(dependency);
+ assertTrue(npm.isReasonable());
+ assertNotNull(textRangeConfidence);
+ assertEquals(7, textRangeConfidence.getTextrange().start().line());
+ assertEquals(0, textRangeConfidence.getTextrange().start().lineOffset());
+ assertEquals(11, textRangeConfidence.getTextrange().end().line());
+ assertEquals(6, textRangeConfidence.getTextrange().end().lineOffset());
+ assertEquals(Confidence.HIGH, textRangeConfidence.getConfidence());
+ // verify that same dependency points to the same TextRange, use of HashMap
+ assertEquals(npm.getBestTextRange(dependency), npm.getBestTextRange(dependency));
+ }
+
 @Test
 public void foundNoDependency() throws IOException {
 NPMDependencyReason npm = new NPMDependencyReason(inputFile("package-lock.json"));
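Review bot: The assertion `assertEquals(Confidence.HIGH, textRangeConfidence.getConfidence())` is what separates this test from the versioned case, but nothing in the method says why HIGH is the expected level for an identifier that carries no version; a comment above it would record the intent, e.g. `// the identifier has no version, so presumably only a name match against package-lock.json is possible`. The `// Create Dependency` comment merely restates the next line and could be dropped in favour of that one.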