From e02471c8f406837a56e3db1d40e3cb35cd4b8d2e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Max=20Leuth=C3=A4user?= <1417198+max-leuthaeuser@users.noreply.github.com>
Date: Wed, 25 Jan 2023 08:50:31 +0100
Subject: [PATCH] Fixed dependency removal (#240) Anything other than object and array node is ignored now to handle unknown package.json configurations. Fixes: https://shiftleftinc.atlassian.net/browse/SEN-420 Updated deps.
---
 build.sbt | 4 ++--
 .../js2cpg/parser/PackageJsonParser.scala | 1 +
 .../preprocessing/TranspilationRunner.scala | 18 +++++++++++++-----
 3 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/build.sbt b/build.sbt
index 05d3ff6ca..6b1cfc24c 100644
--- a/build.sbt
+++ b/build.sbt
@@ -1,5 +1,5 @@
-val cpgVersion = "1.3.585"
-val joernVersion = "1.1.1378"
+val cpgVersion = "1.3.587"
+val joernVersion = "1.1.1403"
 val gitCommitString = SettingKey[String]("gitSha")
diff --git a/src/main/scala/io/shiftleft/js2cpg/parser/PackageJsonParser.scala b/src/main/scala/io/shiftleft/js2cpg/parser/PackageJsonParser.scala
index e32889960..8f8c6f6ea 100644
--- a/src/main/scala/io/shiftleft/js2cpg/parser/PackageJsonParser.scala
+++ b/src/main/scala/io/shiftleft/js2cpg/parser/PackageJsonParser.scala
@@ -44,6 +44,7 @@ object PackageJsonParser {
 "peerDependenciesMeta",
 "optionalDependencies",
 "resolutions",
+ "bundleDependencies",
 "bundledDependencies"
 )
diff --git a/src/main/scala/io/shiftleft/js2cpg/preprocessing/TranspilationRunner.scala b/src/main/scala/io/shiftleft/js2cpg/preprocessing/TranspilationRunner.scala
index 96b2684e6..6bb448c30 100644
--- a/src/main/scala/io/shiftleft/js2cpg/preprocessing/TranspilationRunner.scala
+++ b/src/main/scala/io/shiftleft/js2cpg/preprocessing/TranspilationRunner.scala
@@ -3,6 +3,7 @@ package io.shiftleft.js2cpg.preprocessing
 import better.files.File
 import better.files.File.LinkOptions
 import com.fasterxml.jackson.databind.ObjectMapper
+import com.fasterxml.jackson.databind.node.ArrayNode
 import com.fasterxml.jackson.databind.node.ObjectNode
 import io.shiftleft.js2cpg.core.Config
 import io.shiftleft.js2cpg.io.FileDefaults
@@ -130,14 +131,21 @@ class TranspilationRunner(projectPath: Path, tmpTranspileDir: Path, config: Conf
 // remove all project specific dependencies (only keep the ones required for transpiling)
 PackageJsonParser.PROJECT_DEPENDENCIES.foreach { dep =>
- Option(jsonObject.get(dep).asInstanceOf[ObjectNode]).foreach { depNode =>
- val fieldsToRemove =
- depNode
+ Option(jsonObject.get(dep)) match {
+ case Some(depNode: ObjectNode) =>
+ val fieldsToRemove = depNode
 .fieldNames()
 .asScala
- .toList
+ .toSet
 .filterNot(f => DEPS_TO_KEEP.exists(f.startsWith))
- fieldsToRemove.foreach(depNode.remove)
+ fieldsToRemove.foreach(depNode.remove)
+ case Some(depNode: ArrayNode) =>
+ val allFields = depNode.elements().asScala.toSet
+ val fieldsToRemove = allFields.filterNot(f => DEPS_TO_KEEP.exists(f.asText().startsWith))
+ val remainingElements = allFields -- fieldsToRemove
+ depNode.removeAll()
+ remainingElements.foreach(depNode.add)
+ case _ => // this is fine; we ignore all other nodes intentionally
 }
 }
 // remove project specific engine restrictions and script hooks
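Review bot: The catch-all `case _ =>` in the rewritten `foreach` leaves a dependency entry of any other shape (for example a boolean or string value) untouched in the package.json, so the file handed on to transpilation can still carry project-specific data that the comment above says is removed. A stricter variant drops such an entry instead of keeping it: `case Some(_) => jsonObject.remove(dep)` followed by `case None =>`, assuming `jsonObject` is an `ObjectNode` (its declaration is outside the hunk). The new `ArrayNode` branch also repeats the `startsWith` prefix test, so any entry whose name merely begins with a `DEPS_TO_KEEP` prefix is retained; whether that is intended depends on the contents of `DEPS_TO_KEEP`, which are not shown here. Rebuilding the array from a `Set` additionally discards the original element order. The enclosing method starts and ends outside the hunk.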