chore(deps): merge go-dep-parser into Trivy (#6094)

Signed-off-by: Arunprasad Rajkumar <arajkuma@redhat.com> Signed-off-by: guoguangwu <guoguangwu@magic-shield.com> Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: knqyf263 <knqyf263@gmail.com> Co-authored-by: Masahiro <mur4m4s4.331@gmail.com> Co-authored-by: Tomoya Amachi <tomoya.amachi@gmail.com> Co-authored-by: Masahiro <lomycisw@gmail.com> Co-authored-by: Liz Rice <liz@lizrice.com> Co-authored-by: Johannes <johannes@jitesoft.com> Co-authored-by: aprp <doelaudi@gmail.com> Co-authored-by: rahul2393 <rahulyadavsep92@gmail.com> Co-authored-by: Arunprasad Rajkumar <ar.arunprasad@gmail.com> Co-authored-by: Emrecan BATI <emrecanbati@gmail.com> Co-authored-by: sherif84 <12298259+sherif84@users.noreply.github.com> Co-authored-by: Sherif Fathalla <sfathall@akamai.com> Co-authored-by: sherif <sherif.mailbox@gmail.com> Co-authored-by: Sam Lane <samuel.lane@hotmail.com> Co-authored-by: Ankush K <akhobragade@gmail.com> Co-authored-by: Ankush K <akhobragade42@gmail.com> Co-authored-by: Tauseef <tauseefmlk@gmail.com> Co-authored-by: Daniel <danfaizer@gmail.com> Co-authored-by: Matthieu MOREL <mmorel-35@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: afdesk <work@afdesk.com> Co-authored-by: AndreyLevchenko <levchenko.andrey@gmail.com> Co-authored-by: Kobus van Schoor <10784365+kobus-v-schoor@users.noreply.github.com> Co-authored-by: Jan-Otto Kröpke <github@jkroepke.de> Co-authored-by: jerbob92 <jerbob92@users.noreply.github.com> Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com> Co-authored-by: Shira Cohen <97398476+ShiraCohen33@users.noreply.github.com> Co-authored-by: astevenson-microsoft <78623826+astevenson-microsoft@users.noreply.github.com> Co-authored-by: Kyriakos Georgiou <kgeorgiou@users.noreply.github.com> Co-authored-by: mycodeself <mycodeself@users.noreply.github.com> Co-authored-by: DavidSalame <75929252+davidsalame1@users.noreply.github.com> Co-authored-by: Tom Fay <tom@teamfay.co.uk> Co-authored-by: Tom Fay <tomfay@microsoft.com> Co-authored-by: François Poirotte <fpoirotte@users.noreply.github.com> Co-authored-by: Guy Ben-Aharon <baguy3@gmail.com> Co-authored-by: Catminusminus <37803616+Catminusminus@users.noreply.github.com> Co-authored-by: Lior Vaisman Argon <97836016+VaismanLior@users.noreply.github.com> Co-authored-by: Matthieu Maitre <mmaitre@microsoft.com> Co-authored-by: Andrea Scarpino <andrea@scarpino.dev> Co-authored-by: MorAlon1 <101275199+MorAlon1@users.noreply.github.com> Co-authored-by: liorj-orca <96177663+liorj-orca@users.noreply.github.com> Co-authored-by: Nikita Pivkin <100182843+nikpivkin@users.noreply.github.com> Co-authored-by: guangwu <guoguangwu@magic-shield.com> Co-authored-by: Nikita Pivkin <nikita.pivkin@smartforce.io> Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io> Co-authored-by: yuriShafet <5830215+yuriShafet@users.noreply.github.com> Co-authored-by: Octogonapus <firey45@gmail.com>
aquasecurity · Feb 19, 2024 · 74dc5b6 · 74dc5b6
1 parent 32a02a9
commit 74dc5b6
Show file tree

Hide file tree

Showing 384 changed files with 63,319 additions and 79 deletions.
diff --git a/.golangci.yaml b/.golangci.yaml
@@ -19,6 +19,7 @@ linters-settings:
     locale: US
     ignore-words:
       - licence
+      - optimise
   gosec:
     excludes:
       - G101

diff --git a/go.mod b/go.mod
@@ -13,7 +13,6 @@ require (
 	github.com/NYTimes/gziphandler v1.1.1
 	github.com/alicebob/miniredis/v2 v2.31.1
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
-	github.com/aquasecurity/go-dep-parser v0.0.0-20240208080026-8cc7d408bce4
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
 	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
@@ -35,6 +34,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/ecr v1.24.6
 	github.com/aws/aws-sdk-go-v2/service/s3 v1.48.1
 	github.com/aws/aws-sdk-go-v2/service/sts v1.26.7
+	github.com/bitnami/go-version v0.0.0-20231130084017-bb00604d650c
 	github.com/bmatcuk/doublestar/v4 v4.6.1
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/cheggaaa/pb/v3 v3.1.4
@@ -55,6 +55,7 @@ require (
 	github.com/google/wire v0.5.0
 	github.com/hashicorp/go-getter v1.7.3
 	github.com/hashicorp/go-multierror v1.1.1
+	github.com/hashicorp/go-retryablehttp v0.7.5
 	github.com/hashicorp/golang-lru/v2 v2.0.6
 	github.com/in-toto/in-toto-golang v0.9.0
 	github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f
@@ -63,6 +64,7 @@ require (
 	github.com/knqyf263/go-rpmdb v0.0.0-20231008124120-ac49267ab4e1
 	github.com/knqyf263/nested v0.0.1
 	github.com/kylelemons/godebug v1.1.0
+	github.com/liamg/jfather v0.0.7
 	github.com/magefile/mage v1.15.0
 	github.com/mailru/easyjson v0.7.7
 	github.com/masahiro331/go-disk v0.0.0-20220919035250-c8da316f91ac
@@ -72,6 +74,7 @@ require (
 	github.com/masahiro331/go-vmdk-parser v0.0.0-20221225061455-612096e4bbbd
 	github.com/masahiro331/go-xfs-filesystem v0.0.0-20230608043311-a335f4599b70
 	github.com/mattn/go-shellwords v1.0.12
+	github.com/microsoft/go-rustaudit v0.0.0-20220808201409-204dfee52032
 	github.com/mitchellh/hashstructure/v2 v2.0.2
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/moby/buildkit v0.12.5
@@ -104,6 +107,7 @@ require (
 	go.uber.org/zap v1.26.0
 	golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa
 	golang.org/x/mod v0.14.0
+	golang.org/x/net v0.20.0
 	golang.org/x/sync v0.6.0
 	golang.org/x/term v0.16.0
 	golang.org/x/text v0.14.0
@@ -120,19 +124,16 @@ require (
 	github.com/antchfx/htmlquery v1.3.0
 	github.com/apparentlymart/go-cidr v1.1.0
 	github.com/aws/smithy-go v1.19.0
-	github.com/bitnami/go-version v0.0.0-20231130084017-bb00604d650c
-	github.com/hashicorp/go-uuid v1.0.3
+	github.com/hashicorp/go-uuid v1.0.1
 	github.com/hashicorp/hcl/v2 v2.19.1
 	github.com/liamg/iamgo v0.0.9
-	github.com/liamg/jfather v0.0.7
 	github.com/liamg/memoryfs v1.6.0
 	github.com/mitchellh/go-homedir v1.1.0
 	github.com/olekukonko/tablewriter v0.0.5
 	github.com/owenrumney/squealer v1.2.1
 	github.com/zclconf/go-cty v1.13.0
 	github.com/zclconf/go-cty-yaml v1.0.3
 	golang.org/x/crypto v0.18.0
-	golang.org/x/net v0.20.0
 	helm.sh/helm/v3 v3.14.1
 )
 
@@ -318,7 +319,6 @@ require (
 	github.com/mattn/go-isatty v0.0.19 // indirect
 	github.com/mattn/go-runewidth v0.0.14 // indirect
 	github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect
-	github.com/microsoft/go-rustaudit v0.0.0-20220808201409-204dfee52032 // indirect
 	github.com/miekg/dns v1.1.53 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-testing-interface v1.14.1 // indirect

diff --git a/go.sum b/go.sum
@@ -325,8 +325,6 @@ github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew
 github.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4=
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30xLN2sUZcMXl50hg+PJCIDdJgIvIbVcKqLJ/ZrtM=
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
-github.com/aquasecurity/go-dep-parser v0.0.0-20240208080026-8cc7d408bce4 h1:6qs80w4qPbPnF6GhbIifSANqfCrq90CKtSUBaw6p0z0=
-github.com/aquasecurity/go-dep-parser v0.0.0-20240208080026-8cc7d408bce4/go.mod h1:P0PmelcN1ABKJrDzRbPnn6hK7RvgI+xmjiV/9uPaNnY=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce/go.mod h1:HXgVzOPvXhVGLJs4ZKO817idqr/xhwsTcj17CLYY74s=
 github.com/aquasecurity/go-mock-aws v0.0.0-20240109054747-49e4b5da33cb h1:dNxUB2bSbiLGNYcXkbBKrrfuY96+dXhA9FahEFZ4THQ=
@@ -1084,6 +1082,9 @@ github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9n
 github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
 github.com/hashicorp/go-getter v1.7.3 h1:bN2+Fw9XPFvOCjB0UOevFIMICZ7G2XSQHzfvLUyOM5E=
 github.com/hashicorp/go-getter v1.7.3/go.mod h1:W7TalhMmbPmsSMdNjD0ZskARur/9GJ17cfHTRtXV744=
+github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
+github.com/hashicorp/go-hclog v1.5.0 h1:bI2ocEMgcVlz55Oj1xZNBsVi900c7II+fWDyV9o+13c=
+github.com/hashicorp/go-hclog v1.5.0/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
 github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
 github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM=
 github.com/hashicorp/go-multierror v0.0.0-20161216184304-ed905158d874/go.mod h1:JMRHfdO9jKNzS/+BTlxCjKNQHg/jZAft8U7LloJvN7I=
@@ -1098,9 +1099,8 @@ github.com/hashicorp/go-safetemp v1.0.0/go.mod h1:oaerMy3BhqiTbVye6QuFhFtIceqFoD
 github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU=
 github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4=
 github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
+github.com/hashicorp/go-uuid v1.0.1 h1:fv1ep09latC32wFoVwnqcnKJGnMSdBanPczbHAYm1BE=
 github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
-github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
-github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/go-version v1.6.0 h1:feTTfFNnjP967rlCxM/I9g701jU+RN74YKx2mOkIeek=
 github.com/hashicorp/go-version v1.6.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
 github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90=

diff --git a/pkg/dependency/parser/c/conan/parse.go b/pkg/dependency/parser/c/conan/parse.go
@@ -0,0 +1,133 @@
+package conan
+
+import (
+	"fmt"
+	"io"
+	"strings"
+
+	"github.com/liamg/jfather"
+	"golang.org/x/exp/slices"
+	"golang.org/x/xerrors"
+
+	dio "github.com/aquasecurity/trivy/pkg/dependency/parser/io"
+	"github.com/aquasecurity/trivy/pkg/dependency/parser/log"
+	"github.com/aquasecurity/trivy/pkg/dependency/parser/types"
+)
+
+type LockFile struct {
+	GraphLock GraphLock `json:"graph_lock"`
+}
+
+type GraphLock struct {
+	Nodes map[string]Node `json:"nodes"`
+}
+
+type Node struct {
+	Ref       string   `json:"ref"`
+	Requires  []string `json:"requires"`
+	StartLine int
+	EndLine   int
+}
+
+type Parser struct{}
+
+func NewParser() types.Parser {
+	return &Parser{}
+}
+
+func (p *Parser) Parse(r dio.ReadSeekerAt) ([]types.Library, []types.Dependency, error) {
+	var lock LockFile
+	input, err := io.ReadAll(r)
+	if err != nil {
+		return nil, nil, xerrors.Errorf("failed to read canon lock file: %w", err)
+	}
+	if err := jfather.Unmarshal(input, &lock); err != nil {
+		return nil, nil, xerrors.Errorf("failed to decode canon lock file: %w", err)
+	}
+
+	// Get a list of direct dependencies
+	var directDeps []string
+	if root, ok := lock.GraphLock.Nodes["0"]; ok {
+		directDeps = root.Requires
+	}
+
+	// Parse packages
+	parsed := make(map[string]types.Library)
+	for i, node := range lock.GraphLock.Nodes {
+		if node.Ref == "" {
+			continue
+		}
+		lib, err := parseRef(node)
+		if err != nil {
+			log.Logger.Debug(err)
+			continue
+		}
+
+		// Determine if the package is a direct dependency or not
+		direct := slices.Contains(directDeps, i)
+		lib.Indirect = !direct
+
+		parsed[i] = lib
+	}
+
+	// Parse dependency graph
+	var libs []types.Library
+	var deps []types.Dependency
+	for i, node := range lock.GraphLock.Nodes {
+		lib, ok := parsed[i]
+		if !ok {
+			continue
+		}
+
+		var childDeps []string
+		for _, req := range node.Requires {
+			if child, ok := parsed[req]; ok {
+				childDeps = append(childDeps, child.ID)
+			}
+		}
+		if len(childDeps) != 0 {
+			deps = append(deps, types.Dependency{
+				ID:        lib.ID,
+				DependsOn: childDeps,
+			})
+		}
+
+		libs = append(libs, lib)
+	}
+	return libs, deps, nil
+}
+
+func parseRef(node Node) (types.Library, error) {
+	// full ref format: package/version@user/channel#rrev:package_id#prev
+	// various examples:
+	// 'pkga/0.1@user/testing'
+	// 'pkgb/0.1.0'
+	// 'pkgc/system'
+	// 'pkgd/0.1.0#7dcb50c43a5a50d984c2e8fa5898bf18'
+	ss := strings.Split(strings.Split(strings.Split(node.Ref, "@")[0], "#")[0], "/")
+	if len(ss) != 2 {
+		return types.Library{}, xerrors.Errorf("Unable to determine conan dependency: %q", node.Ref)
+	}
+	return types.Library{
+		ID:      fmt.Sprintf("%s/%s", ss[0], ss[1]),
+		Name:    ss[0],
+		Version: ss[1],
+		Locations: []types.Location{
+			{
+				StartLine: node.StartLine,
+				EndLine:   node.EndLine,
+			},
+		},
+	}, nil
+}
+
+// UnmarshalJSONWithMetadata needed to detect start and end lines of deps
+func (n *Node) UnmarshalJSONWithMetadata(node jfather.Node) error {
+	if err := node.Decode(&n); err != nil {
+		return err
+	}
+	// Decode func will overwrite line numbers if we save them first
+	n.StartLine = node.Range().Start.Line
+	n.EndLine = node.Range().End.Line
+	return nil
+}
diff --git a/pkg/dependency/parser/c/conan/parse_test.go b/pkg/dependency/parser/c/conan/parse_test.go
@@ -0,0 +1,139 @@
+package conan_test
+
+import (
+	"os"
+	"sort"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/aquasecurity/trivy/pkg/dependency/parser/c/conan"
+	"github.com/aquasecurity/trivy/pkg/dependency/parser/types"
+)
+
+func TestParse(t *testing.T) {
+	tests := []struct {
+		name      string
+		inputFile string // Test input file
+		wantLibs  []types.Library
+		wantDeps  []types.Dependency
+	}{
+		{
+			name:      "happy path",
+			inputFile: "testdata/happy.lock",
+			wantLibs: []types.Library{
+				{
+					ID:      "pkga/0.0.1",
+					Name:    "pkga",
+					Version: "0.0.1",
+					Locations: []types.Location{
+						{
+							StartLine: 13,
+							EndLine:   22,
+						},
+					},
+				},
+				{
+					ID:       "pkgb/system",
+					Name:     "pkgb",
+					Version:  "system",
+					Indirect: true,
+					Locations: []types.Location{
+						{
+							StartLine: 23,
+							EndLine:   29,
+						},
+					},
+				},
+				{
+					ID:      "pkgc/0.1.1",
+					Name:    "pkgc",
+					Version: "0.1.1",
+					Locations: []types.Location{
+						{
+							StartLine: 30,
+							EndLine:   35,
+						},
+					},
+				},
+			},
+			wantDeps: []types.Dependency{
+				{
+					ID: "pkga/0.0.1",
+					DependsOn: []string{
+						"pkgb/system",
+					},
+				},
+			},
+		},
+		{
+			name:      "happy path. lock file with revisions support",
+			inputFile: "testdata/happy2.lock",
+			wantLibs: []types.Library{
+				{
+					ID:      "openssl/3.0.3",
+					Name:    "openssl",
+					Version: "3.0.3",
+					Locations: []types.Location{
+						{
+							StartLine: 12,
+							EndLine:   22,
+						},
+					},
+				},
+				{
+					ID:       "zlib/1.2.12",
+					Name:     "zlib",
+					Version:  "1.2.12",
+					Indirect: true,
+					Locations: []types.Location{
+						{
+							StartLine: 23,
+							EndLine:   30,
+						},
+					},
+				},
+			},
+			wantDeps: []types.Dependency{
+				{
+					ID: "openssl/3.0.3",
+					DependsOn: []string{
+						"zlib/1.2.12",
+					},
+				},
+			},
+		},
+		{
+			name:      "happy path. lock file without dependencies",
+			inputFile: "testdata/empty.lock",
+		},
+		{
+			name:      "sad path. wrong ref format",
+			inputFile: "testdata/sad.lock",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			f, err := os.Open(tt.inputFile)
+			require.NoError(t, err)
+			defer f.Close()
+
+			gotLibs, gotDeps, err := conan.NewParser().Parse(f)
+			require.NoError(t, err)
+
+			sort.Slice(gotLibs, func(i, j int) bool {
+				ret := strings.Compare(gotLibs[i].Name, gotLibs[j].Name)
+				if ret != 0 {
+					return ret < 0
+				}
+				return gotLibs[i].Version < gotLibs[j].Version
+			})
+
+			assert.Equal(t, tt.wantLibs, gotLibs)
+			assert.Equal(t, tt.wantDeps, gotDeps)
+		})
+	}
+}