From 757ba4194cbe90143d9fbdc9f61e3612f872b9fe Mon Sep 17 00:00:00 2001
From: DmitriyLewen
Date: Wed, 7 Feb 2024 14:23:53 +0600
Subject: [PATCH] feat(packagejson): move logic to find files from Trivy
---
 pkg/nodejs/packagejson/parse.go | 26 +++++++++-
 pkg/nodejs/packagejson/parse_test.go | 49 +++++++++++++++++--
 .../packagejson/testdata/license-ref.json | 5 ++
 .../packagejson/testdata/see-license.json | 5 ++
 4 files changed, 78 insertions(+), 7 deletions(-)
 create mode 100644 pkg/nodejs/packagejson/testdata/license-ref.json
 create mode 100644 pkg/nodejs/packagejson/testdata/see-license.json
diff --git a/pkg/nodejs/packagejson/parse.go b/pkg/nodejs/packagejson/parse.go
index 20aa43b9..9ef94d79 100644
--- a/pkg/nodejs/packagejson/parse.go
+++ b/pkg/nodejs/packagejson/parse.go
@@ -3,6 +3,7 @@ package packagejson
 import (
 "encoding/json"
 "io"
+ "strings"
 
 "github.com/aquasecurity/go-dep-parser/pkg/types"
 "github.com/aquasecurity/go-dep-parser/pkg/utils"
@@ -71,6 +72,27 @@ func parseLicense(val interface{}) types.Licenses {
 license = l.(string)
 }
 }
- // NPM uses SPDX licenses and expressions - https://docs.npmjs.com/cli/v10/configuring-npm/package-json#license
- return types.LicensesFromString(license, types.NameLicenseType)
+
+ // If the license is missing, it may be stored in the `LICENSE` file.
+ if license == "" {
+ return types.LicensesFromString("LICENSE", types.LicenseTypeFile)
+ }
+
+ // The license field can refer to a file:
+ // https://docs.npmjs.com/cli/v9/configuring-npm/package-json#license
+ var licenseFileName string
+ if strings.HasPrefix(license, "LicenseRef-") {
+ // LicenseRef-
+ licenseFileName = strings.Split(license, "-")[1]
+ } else if strings.HasPrefix(license, "SEE LICENSE IN ") {
+ // SEE LICENSE IN
+ parts := strings.Split(license, " ")
+ licenseFileName = parts[len(parts)-1]
+ }
+
+ if licenseFileName != "" {
+ return types.LicensesFromString(licenseFileName, types.LicenseTypeFile)
+ }
+
+ return types.LicensesFromString(license, types.LicenseTypeName)
 }
diff --git a/pkg/nodejs/packagejson/parse_test.go b/pkg/nodejs/packagejson/parse_test.go
index eb2b7f4f..6394f038 100644
--- a/pkg/nodejs/packagejson/parse_test.go
+++ b/pkg/nodejs/packagejson/parse_test.go
@@ -2,7 +2,6 @@ package packagejson_test
 
 import (
 "os"
- "path"
 "testing"
 
 "github.com/stretchr/testify/assert"
@@ -34,7 +33,7 @@ func TestParse(t *testing.T) {
 Version: "5.0.2",
 Licenses: types.Licenses{
 {
- Type: types.NameLicenseType,
+ Type: types.LicenseTypeName,
 Value: "MIT",
 },
 },
@@ -65,7 +64,7 @@ func TestParse(t *testing.T) {
 Version: "4.1.2",
 Licenses: types.Licenses{
 {
- Type: types.NameLicenseType,
+ Type: types.LicenseTypeName,
 Value: "ISC",
 },
 },
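Review bot: The file-name extraction in the two new parseLicense branches truncates legitimate values: `strings.Split(license, "-")[1]` keeps only the first hyphen-delimited piece after `LicenseRef-` (a hypothetical `LicenseRef-MY-LICENSE.txt` yields `MY`), and `parts[len(parts)-1]` keeps only the last space-separated token after `SEE LICENSE IN `, so a file name containing a space is cut. Both are fixed by stripping the known prefix instead: `licenseFileName = strings.TrimPrefix(license, "LicenseRef-")` and `licenseFileName = strings.TrimPrefix(license, "SEE LICENSE IN ")`. The LicenseTypeFile value is taken verbatim from an untrusted package.json and, per the commit title, is later used to locate a file outside this diff, so the consumer must treat it as a bare relative name and reject path separators and `..` before opening anything; a comment here stating that contract, e.g. `// licenseFileName is untrusted input; callers must validate it before resolving a path`, would make the boundary explicit. The function's signature and the start of its body are outside the hunk.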
@@ -84,6 +83,46 @@ func TestParse(t *testing.T) {
 Library: types.Library{
 ID: "",
 Name: "angular",
+ Licenses: types.Licenses{
+ {
+ Type: types.LicenseTypeFile,
+ Value: "LICENSE",
+ },
+ },
+ },
+ },
+ },
+ {
+ name: "happy path - licenseRef is used",
+ inputFile: "testdata/license-ref.json",
+ want: packagejson.Package{
+ Library: types.Library{
+ ID: "package-b@0.0.1",
+ Name: "package-b",
+ Version: "0.0.1",
+ Licenses: types.Licenses{
+ {
+ Type: types.LicenseTypeFile,
+ Value: "LICENSE.txt",
+ },
+ },
+ },
+ },
+ },
+ {
+ name: "happy path - 'SEE LICENSE IN` is used",
+ inputFile: "testdata/see-license.json",
+ want: packagejson.Package{
+ Library: types.Library{
+ ID: "package-c@0.0.1",
+ Name: "package-c",
+ Version: "0.0.1",
+ Licenses: types.Licenses{
+ {
+ Type: types.LicenseTypeFile,
+ Value: "LICENSE.md",
+ },
+ },
 },
 },
 },
@@ -104,7 +143,7 @@ func TestParse(t *testing.T) {
 Library: types.Library{
 Licenses: types.Licenses{
 {
- Type: types.NameLicenseType,
+ Type: types.LicenseTypeName,
 Value: "MIT",
 },
 },
@@ -114,7 +153,7 @@ func TestParse(t *testing.T) {
 }
 
 for _, v := range vectors {
- t.Run(path.Base(v.name), func(t *testing.T) {
+ t.Run(v.name, func(t *testing.T) {
 f, err := os.Open(v.inputFile)
 require.NoError(t, err)
 defer f.Close()
diff --git a/pkg/nodejs/packagejson/testdata/license-ref.json b/pkg/nodejs/packagejson/testdata/license-ref.json
new file mode 100644
index 00000000..20bb37bc
--- /dev/null
+++ b/pkg/nodejs/packagejson/testdata/license-ref.json
@@ -0,0 +1,5 @@
+{
+ "name": "package-b",
+ "version": "0.0.1",
+ "license": "LicenseRef-LICENSE.txt"
+}
\ No newline at end of file
diff --git a/pkg/nodejs/packagejson/testdata/see-license.json b/pkg/nodejs/packagejson/testdata/see-license.json
new file mode 100644
index 00000000..0e425322
--- /dev/null
+++ b/pkg/nodejs/packagejson/testdata/see-license.json
@@ -0,0 +1,5 @@
+{
+ "name": "package-c",
+ "version": "0.0.1",
+ "license": "SEE LICENSE IN LICENSE.md"
+}
\ No newline at end of file
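Review bot: The new case name `'SEE LICENSE IN`` mixes an apostrophe with a backtick, and since the later hunk in this file switches to `t.Run(v.name, ...)` the string is now used verbatim as the subtest id; `name: "happy path - 'SEE LICENSE IN' is used",` is the intended form. The two added fixtures exercise only single-token file names (`LICENSE.txt`, `LICENSE.md`), so nothing covers a `LicenseRef-` or `SEE LICENSE IN` value whose file name contains a hyphen or a space, which is exactly where the Split-based extraction in parse.go drops part of the name; one extra vector for each would pin the intended behavior. TestParse and the vectors table begin and end outside the hunk.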