Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(nodejs): fix infinite loop when package link from package-lock.json file is broken #6858

Merged
merged 4 commits into from
Jun 10, 2024
Merged

fix(nodejs): fix infinite loop when package link from package-lock.json file is broken #6858

merged 4 commits into from
Jun 10, 2024

Conversation

DmitriyLewen
Copy link
Contributor

Description

This PR fixes 2 cases:

  1. When Packages[x].resolved is empty for link - we don't need to resolve this link.
  2. Don't overwrite packages map when resolving links to avoid cases when we updated package is parsed.

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@DmitriyLewen DmitriyLewen self-assigned this Jun 5, 2024
@DmitriyLewen DmitriyLewen marked this pull request as ready for review June 5, 2024 06:32
@DmitriyLewen DmitriyLewen requested a review from knqyf263 as a code owner June 5, 2024 06:32
knqyf263
knqyf263 reviewed Jun 5, 2024
View reviewed changes
pkg/dependency/parser/nodejs/npm/parse.go Outdated
@@ -208,7 +216,8 @@ func (p *Parser) resolveLinks(packages map[string]Package) {
}

workspaces := rootPkg.Workspaces
for pkgPath, pkg := range packages {
// Clone packages to avoid cases when we check already updated packages
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you elaborate on that?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We update packages map inside of packages loop.

trivy/pkg/dependency/parser/nodejs/npm/parse.go

Lines 232 to 235 in a2d1871

packages[resolvedPath] = pkg
// Delete the target package
delete(packages, pkgPath)

this is bad practice.

When I tested broken link with empty resolved field - this loop would endlessly update packages, check them and we get out of memory error.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we change the comment to something like "Changing the map during the map iteration causes unexpected behavior" for clarity?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, it make sense.
Updated in b8e52c4

@DmitriyLewen DmitriyLewen mentioned this pull request Jun 5, 2024
Closed
2 tasks
@knqyf263 knqyf263 added this pull request to the merge queue Jun 10, 2024
Merged via the queue into aquasecurity:main with commit cf5aa33 Jun 10, 2024
12 checks passed
@aqua-bot aqua-bot mentioned this pull request Jun 10, 2024
Merged
@DmitriyLewen DmitriyLewen deleted the fix-npm/link-resolve branch June 10, 2024 07:21
@DmitriyLewen
Copy link
Contributor Author

@aqua-bot backport release/v0.52

github-actions bot pushed a commit that referenced this pull request Jun 10, 2024
@DmitriyLewen @actions-user
fix(nodejs): fix infinite loop when package link from `package-lock.j…
2413b1a 
…son` file is broken (#6858)
@aqua-bot aqua-bot mentioned this pull request Jun 10, 2024
Merged
@aqua-bot
Copy link
Contributor

Backport PR created: #6888

@namandf namandf mentioned this pull request Aug 19, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@knqyf263 knqyf263 knqyf263 approved these changes

Assignees

@DmitriyLewen DmitriyLewen

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

bug(npm): runtime: out of memory
3 participants
@DmitriyLewen @aqua-bot @knqyf263