feat(nodejs): support package.json (#1225)

Co-authored-by: knqyf263 <[email protected]>
aquasecurity · Sep 15, 2021 · 8edcc62 · 8edcc62
1 parent 31c45ff
commit 8edcc62
Show file tree

Hide file tree

Showing 7 changed files with 17 additions and 7 deletions.
diff --git a/docs/vulnerability/detection/language.md b/docs/vulnerability/detection/language.md
@@ -6,14 +6,15 @@
 |---------|-------------------------|:---------:|:--------------:|:---------------:|-----------------|
 | Ruby     | Gemfile.lock             | -         | ✅              | ✅              | included         |
 |          | gemspec                  | ✅        | ✅              | -               | included         |
-| Python   | Pipfile.lock             | -         | ✅              | ✅              |excluded         |
+| Python   | Pipfile.lock             | -         | ✅              | ✅              | excluded         |
 |          | poetry.lock              | -         | ✅              | ✅              | included         |
 |          | requirements.txt         | -         | ✅              | ✅              | included         |
 |          | egg package[^1]          | ✅        | ✅              | -               | excluded         |
 |          | wheel package[^2]        | ✅        | ✅              | -               | excluded         |
 | PHP      | composer.lock            | ✅        | ✅              | ✅              | excluded         |
-| Node.js  | package-lock.json        | ✅        | ✅              | ✅              | excluded         |
-|          | yarn.lock                | ✅        | ✅              | ✅              | ncluded         |
+| Node.js  | package-lock.json        | -         | ✅              | ✅              | excluded         |
+|          | yarn.lock                | -         | ✅              | ✅              | included         |
+|          | package.json             | ✅        | ✅              | -               | excluded         |
 | .NET     | packages.lock.json       | ✅        | ✅              | ✅              | included         |
 | Java     | JAR/WAR/EAR[^3][^4]      | ✅        | ✅              | ✅              | included         |
 | Go       | Binaries built by Go[^5] | ✅        | ✅              | -               | excluded         |

diff --git a/go.mod b/go.mod
@@ -7,7 +7,7 @@ require (
 	github.com/Masterminds/sprig v2.22.0+incompatible
 	github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
-	github.com/aquasecurity/fanal v0.0.0-20210914172041-6ec4fbcfc2e3
+	github.com/aquasecurity/fanal v0.0.0-20210915104214-95382456f047
 	github.com/aquasecurity/go-dep-parser v0.0.0-20210905090655-b95c2c079bbb
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798

diff --git a/go.sum b/go.sum
@@ -201,8 +201,8 @@ github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6
 github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30xLN2sUZcMXl50hg+PJCIDdJgIvIbVcKqLJ/ZrtM=
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
-github.com/aquasecurity/fanal v0.0.0-20210914172041-6ec4fbcfc2e3 h1:ELXkeEQ6d+olRfCig23i3MJWBu/IFLj8StYH8Iqk9aQ=
-github.com/aquasecurity/fanal v0.0.0-20210914172041-6ec4fbcfc2e3/go.mod h1:pkPj0NkblwiXdg7Q5RnNlekcJ935StxImiLsU3tCvno=
+github.com/aquasecurity/fanal v0.0.0-20210915104214-95382456f047 h1:SmwcaPrdCxxQLlzhVwhZNOs7H4IIICpzEk/3oKwpGts=
+github.com/aquasecurity/fanal v0.0.0-20210915104214-95382456f047/go.mod h1:pkPj0NkblwiXdg7Q5RnNlekcJ935StxImiLsU3tCvno=
 github.com/aquasecurity/go-dep-parser v0.0.0-20210905090655-b95c2c079bbb h1:RYx2+0fUc/3nR4SywvLAs+Sm3dtLhpBw2IeBE8+w1Po=
 github.com/aquasecurity/go-dep-parser v0.0.0-20210905090655-b95c2c079bbb/go.mod h1:Zc7Eo6tFl9l4XcqsWeabD7jHnXRBK/LdgZuu9GTSVLU=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=

diff --git a/pkg/detector/library/driver.go b/pkg/detector/library/driver.go
@@ -31,7 +31,7 @@ func NewDriver(libType string) (Driver, error) {
 		driver = newCargoDriver()
 	case ftypes.Composer:
 		driver = newComposerDriver()
-	case ftypes.Npm, ftypes.Yarn:
+	case ftypes.Npm, ftypes.Yarn, ftypes.NodePkg:
 		driver = newNpmDriver()
 	case ftypes.Pipenv, ftypes.Poetry, ftypes.Pip, ftypes.PythonPkg:
 		driver = newPipDriver()

diff --git a/pkg/detector/ospkg/redhat/redhat_test.go b/pkg/detector/ospkg/redhat/redhat_test.go
@@ -1,6 +1,7 @@
 package redhat_test
 
 import (
+	"sort"
 	"testing"
 	"time"
 
@@ -205,6 +206,9 @@ func TestScanner_Detect(t *testing.T) {
 				assert.Contains(t, err.Error(), tt.wantErr)
 				return
 			}
+			sort.Slice(got, func(i, j int) bool {
+				return got[i].VulnerabilityID < got[j].VulnerabilityID
+			})
 			assert.NoError(t, err)
 			assert.Equal(t, tt.want, got)
 		})

diff --git a/pkg/detector/ospkg/ubuntu/ubuntu_test.go b/pkg/detector/ospkg/ubuntu/ubuntu_test.go
@@ -1,6 +1,7 @@
 package ubuntu_test
 
 import (
+	"sort"
 	"testing"
 	"time"
 
@@ -94,6 +95,9 @@ func TestScanner_Detect(t *testing.T) {
 				assert.Contains(t, err.Error(), tt.wantErr)
 				return
 			}
+			sort.Slice(got, func(i, j int) bool {
+				return got[i].VulnerabilityID < got[j].VulnerabilityID
+			})
 			assert.NoError(t, err)
 			assert.Equal(t, tt.want, got)
 		})

diff --git a/pkg/scanner/local/scan.go b/pkg/scanner/local/scan.go
@@ -30,6 +30,7 @@ var (
 	pkgTargets = map[string]string{
 		ftypes.PythonPkg: "Python",
 		ftypes.GemSpec:   "Ruby",
+		ftypes.NodePkg:   "Node.js",
 	}
 )