gitea-mirror/trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-23 07:29:00 -08:00
Code Issues Packages Projects Releases Wiki Activity
Files
467b159e68bbb114c22dee1e6181bfe89a629acd
trivy/pkg/dependency/parser/php/composer/parse.go

143 lines
4.2 KiB
Go
Raw Blame History

package composer
import (
"context"
"sort"
"strings"
"github.com/samber/lo"
"golang.org/x/xerrors"
"github.com/aquasecurity/trivy/pkg/dependency"
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/licensing"
"github.com/aquasecurity/trivy/pkg/log"
xio "github.com/aquasecurity/trivy/pkg/x/io"
xjson "github.com/aquasecurity/trivy/pkg/x/json"
)
type LockFile struct {
Packages []packageInfo `json:"packages"`
PackagesDev []packageInfo `json:"packages-dev"`
}
type packageInfo struct {
Name string `json:"name"`
Version string `json:"version"`
Require map[string]string `json:"require"`
License any `json:"license"`
xjson.Location
}
type Parser struct {
logger *log.Logger
}
func NewParser() *Parser {
return &Parser{
logger: log.WithPrefix("composer"),
}
}
func (p *Parser) Parse(_ context.Context, r xio.ReadSeekerAt) ([]ftypes.Package, []ftypes.Dependency, error) {
var lockFile LockFile
if err := xjson.UnmarshalRead(r, &lockFile); err != nil {
return nil, nil, xerrors.Errorf("decode error: %w", err)
}
pkgs := make(map[string]ftypes.Package)
foundDeps := make(map[string][]string)
// Production packages are parsed first to ensure they take precedence
// when the same package exists in both "packages" and "packages-dev".
p.parseProdPackages(lockFile, pkgs, foundDeps)
p.parseDevPackages(lockFile, pkgs, foundDeps)
// fill deps versions
var deps ftypes.Dependencies
for pkgID, depsOn := range foundDeps {
var dependsOn []string
for _, depName := range depsOn {
if pkg, ok := pkgs[depName]; ok {
dependsOn = append(dependsOn, pkg.ID)
continue
}
p.logger.Debug("Unable to find version", log.String("name", depName))
}
sort.Strings(dependsOn)
deps = append(deps, ftypes.Dependency{
ID: pkgID,
DependsOn: dependsOn,
})
}
pkgSlice := lo.Values(pkgs)
sort.Sort(ftypes.Packages(pkgSlice))
sort.Sort(deps)
return pkgSlice, deps, nil
}
// parseProdPackages parses packages from the "packages" field in composer.lock.
func (p *Parser) parseProdPackages(lockFile LockFile, pkgs map[string]ftypes.Package, foundDeps map[string][]string) {
p.parsePackages(lockFile.Packages, false, pkgs, foundDeps)
}
// parseDevPackages parses packages from the "packages-dev" field in composer.lock.
// Packages already present in pkgs (i.e., production packages) are skipped.
func (p *Parser) parseDevPackages(lockFile LockFile, pkgs map[string]ftypes.Package, foundDeps map[string][]string) {
p.parsePackages(lockFile.PackagesDev, true, pkgs, foundDeps)
}
func (p *Parser) parsePackages(lockPkgs []packageInfo, isDev bool, pkgs map[string]ftypes.Package, foundDeps map[string][]string) {
for _, lpkg := range lockPkgs {
// Skip if the package already exists (production packages take precedence over dev packages)
if _, ok := pkgs[lpkg.Name]; ok {
continue
}
pkg := ftypes.Package{
ID: dependency.ID(ftypes.Composer, lpkg.Name, lpkg.Version),
Name: lpkg.Name,
Version: lpkg.Version,
Relationship: ftypes.RelationshipUnknown, // composer.lock file doesn't have info about direct/indirect dependencies
Licenses: licenses(lpkg.License),
Locations: []ftypes.Location{ftypes.Location(lpkg.Location)},
Dev: isDev,
}
pkgs[pkg.Name] = pkg
var dependsOn []string
for depName := range lpkg.Require {
// Require field includes required php version, skip this
// Also skip PHP extensions
if depName == "php" || strings.HasPrefix(depName, "ext") {
continue
}
dependsOn = append(dependsOn, depName) // field uses range of versions, so later we will fill in the versions from the packages
}
if len(dependsOn) > 0 {
foundDeps[pkg.ID] = dependsOn
}
}
}
// licenses returns slice of licenses from string, string with separators (`or`, `and`, etc.) or string array
// cf. https://getcomposer.org/doc/04-schema.md#license
func licenses(val any) []string {
switch v := val.(type) {
case string:
if v != "" {
return licensing.SplitLicenses(v)
}
case []any:
var lics []string
for _, l := range v {
if lic, ok := l.(string); ok {
lics = append(lics, lic)
}
}
return lics
}
return nil
}
Reference in New Issue View Git Blame Copy Permalink