Feat/lockfile parser lib #188
Conversation
|
|
miiila
force-pushed
the
feat/lockfile-parser-lib
branch
from
c651996 to
c16e64d
Compare
miiila
force-pushed
the
feat/lockfile-parser-lib
branch
from
c16e64d to
9d4035b
Compare
For now we only support --file=package-lock.json as an opt in for lockfile tests
miiila
force-pushed
the
feat/lockfile-parser-lib
branch
7 times, most recently
from
408390b to
f2fc748
Compare
miiila
force-pushed
the
feat/lockfile-parser-lib
branch
from
f2fc748 to
f275033
Compare
lib/snyk-test/npm/index.js
Outdated
| var shrinkwrapFullPath = path.resolve(root, 'npm-shrinkwrap.json'); | ||
|
|
||
| if (!fileSystem.existsSync(targetFileFullPath)) { | ||
| throw new Error('LockFile package.json not found at location: ' + |
There was a problem hiding this comment.
a typo - package.json is not a lock
lib/snyk-test/npm/index.js
Outdated
|
|
||
| function generateDependenciesFromLockfile(root, options) { | ||
| debug('Lockfile detected, generating dependency tree from lockfile'); | ||
| var targetFileFullPath = path.resolve(root, 'package.json'); |
There was a problem hiding this comment.
let's think about the case of monorepo and make sure it behaves as we expect, in example what about a case where user runs:
snyk test --file=node-subproject/package-lock.jsonin this case the pacakge.json should be picked from the same location of the lock, but maybe it's ok as the user can also run:
snyk test node-project --file=package-lock.json
There was a problem hiding this comment.
defo need to make sure that the correct lockfile is always used (according to NPM rules)
lib/snyk-test/npm/index.js
Outdated
| var targetFile = fileSystem.readFileSync(targetFileFullPath); | ||
| var lockFile = fileSystem.readFileSync(lockFileFullPath); | ||
|
|
||
| analytics.add('local', true); |
There was a problem hiding this comment.
if we'er at it, maybe also add analytics metadata for the fact a lockfile is used?
There was a problem hiding this comment.
Thank you - I had it in mind, but then I forgot :-)
lib/snyk-test/npm/index.js
Outdated
| analytics.add('local', true); | ||
|
|
||
| var resolveModuleSpinnerLabel = 'Analyzing npm dependencies for ' + | ||
| lockFileFullPath; |
There was a problem hiding this comment.
an indentation is needed here
lib/snyk-test/npm/index.js
Outdated
| var resolveModuleSpinnerLabel = 'Analyzing npm dependencies for ' + | ||
| lockFileFullPath; | ||
| debug(resolveModuleSpinnerLabel); | ||
| var payload = { |
There was a problem hiding this comment.
is it necessary to clone the payload creation (and this is not only the payload, but parameters for the http request) and policy collection into generateDependenciesFromLockfile() ? Would expect this function to just generate a tree and continue with the flow that already exists
There was a problem hiding this comment.
We agreed with @lili2311 that refactoring to better shape will happen later (will be planned properly) and with upcoming work around yarn.lock.
There was a problem hiding this comment.
I can try and help refactor this, don't think we should merge a PR with a code that is not in good shape - unless there's a really good reason for it to be
There was a problem hiding this comment.
@michael-go 👋 We had this chat already with Mila yesterday, please see https://snyk.slack.com/archives/CBXBQHN6A/p1534157719000072 We will be refactoring this but in the next few PRs
There was a problem hiding this comment.
We are happy with out decision to hold off the refactoring for this PR, this way we gain more knowledge over the next few PRs & features like supporting different use cases and yarn.lock to help us understand how we should restructure this file to make the best of it.
package.json
Outdated
| @@ -48,6 +48,7 @@ | |||
| "snyk-gradle-plugin": "1.3.0", | |||
| "snyk-module": "1.8.2", | |||
| "snyk-mvn-plugin": "1.2.0", | |||
| "snyk-nodejs-lockfile-parser": "^1.2.2", | |||
There was a problem hiding this comment.
note we always pin our own dependencies to an exact version - maybe we shouldn't, but easier to stick to what we already do 😅
There was a problem hiding this comment.
Hmm, I am not sure I am happy with this approach, however I can see the reasons... Will do it for now.
There was a problem hiding this comment.
@miiila It means that the version of the main CLI library tells us the exact state of the Snyk modules on a user's machine. Very useful for debugging and support.
There was a problem hiding this comment.
@gjvis And for those situations, when you break the flow by fixing the bug 😇
| var pkg = req.body; | ||
| t.equal(req.method, 'POST', 'makes POST request'); | ||
| t.match(req.url, '/vuln/npm', 'posts to correct url'); | ||
| t.ok(pkg.dependencies['to-array'], 'dependency'); |
There was a problem hiding this comment.
would check a transitive dependency too
There was a problem hiding this comment.
There's no transitive dependecny right now :-(
There was a problem hiding this comment.
so lets use a better fixture ...
| t.includes(e.message, '--file=npm-shrinkwrap.json', 'Contains enough info about error'); | ||
| }); | ||
| }); | ||
|
|
||
| test('`test` on a yarn package does work and displays appropriate text', |
There was a problem hiding this comment.
maybe also add a test that if lockfile exists but not given via --file it's not used?
lib/snyk-test/npm/index.js
Outdated
|
|
||
| if (options.file.endsWith('package-lock.json') && fileSystem.existsSync(shrinkwrapFullPath)) { | ||
| throw new Error('`npm-shrinkwrap.json` was found while using package-lock.json.\n' | ||
| + 'Please use `--file=npm-shrinkwrap.json` flag instead.'); |
There was a problem hiding this comment.
We don't and we will not => changing the message.
lib/snyk-test/npm/index.js
Outdated
| var shrinkwrapFullPath = path.resolve(root, 'npm-shrinkwrap.json'); | ||
|
|
||
| if (!fileSystem.existsSync(targetFileFullPath)) { | ||
| throw new Error('LockFile package.json not found at location: ' + |
lib/snyk-test/npm/index.js
Outdated
| return lockFileParser.buildDepTree(manifestFile, lockFile, options); | ||
| }) | ||
| .then(function (pkg) { | ||
| modules = pkg; |
There was a problem hiding this comment.
my comment here became outdated with some recent changes - but still, this needs refactoring. Why duplicate the http requests params creation & policy file collection code?
There was a problem hiding this comment.
and also the name getDependenciesFrom... is misleading as the functions also query for vulns.
miiila
force-pushed
the
feat/lockfile-parser-lib
branch
from
caa01df to
407f471
Compare
| @@ -11,20 +11,124 @@ var isCI = require('../../is-ci'); | |||
| var _ = require('lodash'); | |||
| var analytics = require('../../analytics'); | |||
| var common = require('../common'); | |||
| var fileSystem = require('fs'); | |||
There was a problem hiding this comment.
any reason you're not calling the var fs like we always do?
lib/snyk-test/npm/index.js
Outdated
| options.root = root; | ||
|
|
||
| // if the file exists, let's read the package file and post | ||
| // that up to the server. |
There was a problem hiding this comment.
the comment is misleading, as we'll upload the fully resolved dependency tree, not the package file
lib/snyk-test/npm/index.js
Outdated
| if (error) { | ||
| return reject(error); | ||
| } | ||
| return queryForVulns(p, modules, options); |
There was a problem hiding this comment.
maybe it will be nicer to do:
return p.then(function(payload) {
return queryForVulns(payload, modules, options);
})or even add it to he promise chain above,
instead of passing a promise as a parameter to queryVulns
There was a problem hiding this comment.
I agree (and will address), however, this exactly the thin ice, when you are refactoring and suddenly realise, you are changing behaviour :-D
lib/snyk-test/npm/index.js
Outdated
| }); | ||
| } | ||
|
|
||
| function queryForVulns(p, modules, options) { |
There was a problem hiding this comment.
note that in the lockfile case - modules is just the pkgTree, but in the node_modules case it's an object with methods and such .. and in this function .pluck() is called on it and .numDependencies is checked
lib/snyk-test/npm/index.js
Outdated
| }, | ||
| }; | ||
| options.hasDevDependencies = false; | ||
| options.root = root; |
There was a problem hiding this comment.
this doesn't look right - if we do this to pass data down to queryForVulns(), lets instead just use extra parameters for it, and not "abuse" the options object
There was a problem hiding this comment.
Well, not sure if I agree - what is the options object for then? I am not a big fan of methods like queryForVulns(data, modules, hasDevDependencies, root, options).
miiila
force-pushed
the
feat/lockfile-parser-lib
branch
from
a63bd8d to
f6f360a
Compare
miiila
force-pushed
the
feat/lockfile-parser-lib
branch
from
f6f360a to
5cf157c
Compare
|
🎉 This PR is included in version 1.91.0 🎉 The release is available on: Your semantic-release bot 📦🚀 |
Moved from https://github.com/snyk/snyk-internal/pull/417
What does this PR do?
opt-inlockfile testingAssuming the https://github.com/snyk/nodejs-lockfile-parser/pull/5/files returns a tree the way we expect, i hope this is enough code to be able to get back a tree in the same format and carry on the test in the same way as before.
Where should the reviewer start?
Look in
snyk-test/npm/index.jsHow should this be manually tested?
snyk-dev test -d=> will test using the old flow by looking at your node_modulessnyk-dev test -d --file=package-lock.jsonwill go down the new flow and use the new libAny background context you want to provide?
What are the relevant tickets?
SC-5873