Fixed dependency removal (#240)

Anything other than object and array node is ignored now to handle unknown package.json configurations. Fixes: https://shiftleftinc.atlassian.net/browse/SEN-420 Updated deps.
ShiftLeftSecurity · Jan 25, 2023 · e02471c · e02471c
1 parent 12a64f2
commit e02471c
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 7 deletions.
diff --git a/build.sbt b/build.sbt
@@ -1,5 +1,5 @@
-val cpgVersion   = "1.3.585"
-val joernVersion = "1.1.1378"
+val cpgVersion   = "1.3.587"
+val joernVersion = "1.1.1403"
 
 val gitCommitString = SettingKey[String]("gitSha")
 

diff --git a/src/main/scala/io/shiftleft/js2cpg/parser/PackageJsonParser.scala b/src/main/scala/io/shiftleft/js2cpg/parser/PackageJsonParser.scala
@@ -44,6 +44,7 @@ object PackageJsonParser {
     "peerDependenciesMeta",
     "optionalDependencies",
     "resolutions",
+    "bundleDependencies",
     "bundledDependencies"
   )
 

diff --git a/src/main/scala/io/shiftleft/js2cpg/preprocessing/TranspilationRunner.scala b/src/main/scala/io/shiftleft/js2cpg/preprocessing/TranspilationRunner.scala
@@ -3,6 +3,7 @@ package io.shiftleft.js2cpg.preprocessing
 import better.files.File
 import better.files.File.LinkOptions
 import com.fasterxml.jackson.databind.ObjectMapper
+import com.fasterxml.jackson.databind.node.ArrayNode
 import com.fasterxml.jackson.databind.node.ObjectNode
 import io.shiftleft.js2cpg.core.Config
 import io.shiftleft.js2cpg.io.FileDefaults
@@ -130,14 +131,21 @@ class TranspilationRunner(projectPath: Path, tmpTranspileDir: Path, config: Conf
 
       // remove all project specific dependencies (only keep the ones required for transpiling)
       PackageJsonParser.PROJECT_DEPENDENCIES.foreach { dep =>
-        Option(jsonObject.get(dep).asInstanceOf[ObjectNode]).foreach { depNode =>
-          val fieldsToRemove =
-            depNode
+        Option(jsonObject.get(dep)) match {
+          case Some(depNode: ObjectNode) =>
+            val fieldsToRemove = depNode
               .fieldNames()
               .asScala
-              .toList
+              .toSet
               .filterNot(f => DEPS_TO_KEEP.exists(f.startsWith))
-          fieldsToRemove.foreach(depNode.remove)
+            fieldsToRemove.foreach(depNode.remove)
+          case Some(depNode: ArrayNode) =>
+            val allFields         = depNode.elements().asScala.toSet
+            val fieldsToRemove    = allFields.filterNot(f => DEPS_TO_KEEP.exists(f.asText().startsWith))
+            val remainingElements = allFields -- fieldsToRemove
+            depNode.removeAll()
+            remainingElements.foreach(depNode.add)
+          case _ => // this is fine; we ignore all other nodes intentionally
         }
       }
       // remove project specific engine restrictions and script hooks