npm: package-lock license decoding to accept string or array #1482

Merged: 1 commit, Jan 20, 2023

@Mikcl Mikcl commented Jan 19, 2023

Fixes #1479

Introduces new decoding behaviour for the license field in package-lock.json packages, to accept a string and array as the datatype.

Previously: only a string was an expected value. This would mean the decoding step would fail in the event of an array being present, and all the remaining dependencies in the package-lock.json would not be cataloged.

This PR:

  1. Accepts either a string or an array.
  2. If it's neither a string nor an array and the license field cannot be parsed, sets license to nil and does not error, to allow us to capture the remaining package dependencies (at the expense of perhaps an unexpected license field not being captured).
  • Have created the new packageLockLicense type with overridden UnmarshalJSON behaviour to create this change.
  • Added test cases from an example package-lock.json
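
The decoding behaviour described in this PR, as an added Go example (not the PR's or syft's own code): a string-only license field makes the whole decode return an error, while a string-or-array decoder keeps every package. The names `strictPkg`, `lockLicense`, `tolerantPkg` and `decodeLock`, the sample lock file, and the choice to skip non-string array entries are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample: string, array and object license values.
const sampleLock = `{"packages": {"node_modules/a": {"license": "MIT"},
  "node_modules/b": {"license": ["MIT", "Apache-2.0"]},
  "node_modules/c": {"license": {"type": "ISC"}}}}`

// strictPkg models the old behaviour (license must be a string); lockLicense is a
// hypothetical stand-in for the PR's packageLockLicense type.
type strictPkg struct{ License string }
type lockLicense []string
type tolerantPkg struct{ License lockLicense }

// UnmarshalJSON accepts a string or an array; any other shape gives nil, no error.
func (l *lockLicense) UnmarshalJSON(data []byte) error {
	var raw any
	_ = json.Unmarshal(data, &raw) // on failure raw stays nil
	*l = nil
	switch v := raw.(type) {
	case string:
		*l = lockLicense{v}
	case []any:
		for _, e := range v {
			if s, ok := e.(string); ok { // assumption: skip non-string entries
				*l = append(*l, s)
			}
		}
	}
	return nil
}

// decodeLock returns no packages when decoding errors, as an aborting caller would.
func decodeLock[T any](data []byte) (map[string]T, error) {
	var lf struct{ Packages map[string]T }
	if err := json.Unmarshal(data, &lf); err != nil {
		return nil, err
	}
	return lf.Packages, nil
}

func main() {
	_, err := decodeLock[strictPkg]([]byte(sampleLock))
	pkgs, _ := decodeLock[tolerantPkg]([]byte(sampleLock))
	fmt.Println("strict error:", err, "| tolerant packages:", len(pkgs))
}
```

For an SBOM tool the strict case is the dangerous one: a single unexpected metadata field leaves the inventory for that lock file empty, so the dependencies never reach vulnerability matching.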

@Mikcl Mikcl force-pushed the mikcl/npm-deprecated-license branch from 0ee3d6f to d42d517 Compare January 19, 2023 08:44

@kzantow kzantow left a comment

This looks great @Mikcl, just one suggestion

@Mikcl Mikcl force-pushed the mikcl/npm-deprecated-license branch 2 times, most recently from 360e774 to 38ce0f9 Compare January 19, 2023 22:17

Mikcl commented Jan 19, 2023

Thanks for the quick review @kzantow

Updated with the feedback :)

@Mikcl Mikcl force-pushed the mikcl/npm-deprecated-license branch from 38ce0f9 to 82a0c93 Compare January 19, 2023 22:27

Mikcl commented Jan 19, 2023

Note the "CLI tests" failing are not from changes in the PR but from upstream/main.

Update: Passes Now

@Mikcl Mikcl force-pushed the mikcl/npm-deprecated-license branch from 82a0c93 to 7730d14 Compare January 20, 2023 11:23
@kzantow kzantow merged commit 396441e into anchore:main Jan 20, 2023
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024

Successfully merging this pull request may close these issues.

ZERO npm dependencies discovered if any npm dependency has an array as a license