
Parsing yarn.lock fails to identify the correct package and version combinations #925

Closed
AMoo-Miki opened this issue Mar 29, 2022 · 1 comment
Labels
bug Something isn't working


AMoo-Miki commented Mar 29, 2022

What happened:
Extracting packages from this yarn.lock file failed to identify the correct and complete packages.

The output contained:

 ✔ Indexed ../syft-and-yarn-workspaces
 ✔ Cataloged packages      [3 packages]
NAME                      VERSION  TYPE
async                     0.9.2    npm
resize-observer-polyfill  1.5.2    npm
should-type               1.3.0    npm

What you expected to happen:
I expected to see both versions of async and the correct resize-observer-polyfill package:

 ✔ Indexed ../syft-and-yarn-workspaces
 ✔ Cataloged packages      [4 packages]
NAME                             VERSION  TYPE
@4lolo/resize-observer-polyfill  1.5.2    npm
async                            0.9.2    npm
async                            3.2.3    npm
should-type                      1.3.0    npm

How to reproduce it (as minimally and precisely as possible):

mkdir /tmp/yarn-workspace && cd /tmp/yarn-workspace
git clone https://github.com/AMoo-Miki/syft-and-yarn-workspaces.git .
syft .

Anything else we need to know?:
There are 2 problems in the above example but I want to propose a common solution to solve them both.

Why do I have 2 async versions?
Working in a Yarn workspace, I can have different versions of the same package across my dependencies. yarn.lock would list both of them.

Why am I overriding the package?

One method of mitigating vulnerable nested dependencies or working around problems with abandoned nested dependencies is to replace them with a forked and fixed release. My sample code is extracted from a much larger code that has the abandoned resize-observer-polyfill deeply nested in its dependencies, which I was forced to replace with @4lolo/resize-observer-polyfill, a forked and fixed release.

What am I proposing?
Depend solely on "resolved" URLs for those entries that are pulled from registry.yarnpkg.com; as in ^\s+resolved\s+"https://registry.yarnpkg.com/(.+?)/-/(?:.+?)-(\d+\..+?)\.tgz.

Environment:

  • Output of syft version: 0.42.4
  • OS (e.g: cat /etc/os-release or similar):
    • Ubuntu 20.04.2 LTS
    • macOS 12.2.1
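To make the proposal concrete, here is a small Go parser (added here as an example; it is not syft's own code, nor code from the issue author) that applies the proposed regular expression to a constructed yarn.lock excerpt. The excerpt reproduces both cases from the issue: two versions of async, and resize-observer-polyfill aliased to the @4lolo fork via an `npm:` key. The integrity values, the `#placeholder` fragments and the example-org git dependency are constructed placeholders, not real lockfile data. The only change to the issue's pattern is escaping the dots in the registry hostname.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Package is one name/version pair recovered from a yarn.lock file.
type Package struct {
	Name    string
	Version string
}

// resolvedRe is the pattern proposed in the issue: group 1 is the package
// name including any @scope, group 2 is the version, both taken from the
// registry tarball URL rather than from the entry's heading key.
var resolvedRe = regexp.MustCompile(`^\s+resolved\s+"https://registry\.yarnpkg\.com/(.+?)/-/(?:.+?)-(\d+\..+?)\.tgz`)

// SampleLock is a constructed yarn.lock excerpt (not the file from the linked
// repository). Integrity strings and the git dependency are placeholders.
const SampleLock = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"resize-observer-polyfill@npm:@4lolo/resize-observer-polyfill@^1.5.2":
  version "1.5.2"
  resolved "https://registry.yarnpkg.com/@4lolo/resize-observer-polyfill/-/resize-observer-polyfill-1.5.2.tgz#placeholder"
  integrity sha512-PLACEHOLDER

async@^0.9.0:
  version "0.9.2"
  resolved "https://registry.yarnpkg.com/async/-/async-0.9.2.tgz#placeholder"
  integrity sha512-PLACEHOLDER

async@^3.2.0:
  version "3.2.3"
  resolved "https://registry.yarnpkg.com/async/-/async-3.2.3.tgz#placeholder"
  integrity sha512-PLACEHOLDER

should-type@^1.3.0:
  version "1.3.0"
  resolved "https://registry.yarnpkg.com/should-type/-/should-type-1.3.0.tgz#placeholder"
  integrity sha512-PLACEHOLDER

"example-git-dep@https://github.com/example-org/example-git-dep.git":
  version "0.0.1"
  resolved "https://github.com/example-org/example-git-dep.git#0000000000000000000000000000000000000000"
`

// ParseYarnLock scans a v1 yarn.lock and returns the distinct name/version
// pairs found on "resolved" lines, sorted by name and then version.
// Entries not resolved from registry.yarnpkg.com (git, file:, etc.) are
// skipped, which is the known limitation of the resolved-URL approach.
func ParseYarnLock(lock string) []Package {
	seen := map[Package]bool{}
	var out []Package
	for _, line := range strings.Split(lock, "\n") {
		m := resolvedRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		p := Package{Name: m[1], Version: m[2]}
		if seen[p] { // the same resolution can appear under several keys
			continue
		}
		seen[p] = true
		out = append(out, p)
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Name != out[j].Name {
			return out[i].Name < out[j].Name
		}
		return out[i].Version < out[j].Version
	})
	return out
}

func main() {
	fmt.Printf("%-32s %-8s %s\n", "NAME", "VERSION", "TYPE")
	for _, p := range ParseYarnLock(SampleLock) {
		fmt.Printf("%-32s %-8s npm\n", p.Name, p.Version)
	}
}
```

Run with `go run .`; the table it prints matches the four packages the issue expects, with the scoped @4lolo name recovered from the URL even though the heading key starts with "resize-observer-polyfill". The git dependency shows the trade-off of relying only on resolved URLs: anything not fetched from registry.yarnpkg.com needs a separate code path.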
spiffcs commented Aug 4, 2022

@AMoo-Miki It looks like this has been fixed with the latest version:

I pulled down git clone https://github.com/AMoo-Miki/syft-and-yarn-workspaces.git

Ran syft against it:
[screenshot of syft output omitted]

The expected packages are now showing up.

If there is anything incorrect about this output or a bug is still present please feel free to tag me and I'll reopen this.

@spiffcs spiffcs closed this as completed Aug 4, 2022
@spiffcs spiffcs moved this to Done in OSS Aug 4, 2022