fix: fail gracefully for npm .package-lock.json files (intel#3654)

terriko · inosmeet · commit b90df8462079 · 2024-02-06T09:39:06.000+05:30
* fixes intel#3559 npm has a .package-lock.json file with a similar name but slightly different format than the package-lock.json file we can parse with our javascript language parser. This changes the javascript parser so it fails more gracefully if the format of a package-lock.json file does not appear to be what we can parse. As in, it prints a warning that it was unable to parse the file and does not halt the scan. We should probably build a parser to handle these files correctly in the future, but for now this will skip them. Also, I added some docstrings to the files I changed so interrogate would be happy. Signed-off-by: Terri Oda <terri.oda@intel.com>
diff --git a/cve_bin_tool/parsers/javascript.py b/cve_bin_tool/parsers/javascript.py
@@ -7,6 +7,8 @@
 
 
 class JavascriptParser(Parser):
+    """Parser for javascript's package-lock.json files"""
+
     def __init__(self, cve_db, logger):
         super().__init__(cve_db, logger)
 
@@ -23,6 +25,17 @@ def run_checker(self, filename):
                 vendor = None
             if vendor is not None:
                 yield from vendor
+
+            # If there is no "dependencies" array then this file is likely not in a format we
+            # can parse.  Log warning and abort.
+            # npm generates a similarly named .package-lock.js file (note the starting `.`)
+            # that will trigger this
+            if "dependencies" not in data.keys():
+                self.logger.warning(
+                    f"Cannot parse {self.filename}: no dependencies array found."
+                )
+                return
+
             # Now process dependencies
             for i in data["dependencies"]:
                 # To handle @actions/<product>: lines, extract product name from line
diff --git a/test/language_data/.package-lock.json b/test/language_data/.package-lock.json
diff --git a/test/test_language_scanner.py b/test/test_language_scanner.py
@@ -13,6 +13,8 @@
 
 
 class TestLanguageScanner:
+    """Tests for various language scanners"""
+
     TEST_FILE_PATH = Path(__file__).parent.resolve() / "language_data"
 
     JAVASCRIPT_PRODUCTS = [
@@ -168,6 +170,7 @@ def setup_class(cls):
         (((str(TEST_FILE_PATH / "pom.xml")), ["jmeter", "hamcrest"]),),
     )
     def test_java_package(self, filename: str, product_list: set[str]) -> None:
+        """Test against a valid pom.xml file for Java packages"""
         scanner = VersionScanner()
         scanner.file_stack.append(filename)
         # check list of product_names
@@ -181,6 +184,7 @@ def test_java_package(self, filename: str, product_list: set[str]) -> None:
         "filename", ((str(TEST_FILE_PATH / "fail-package-lock.json")),)
     )
     def test_javascript_package_none_found(self, filename: str) -> None:
+        """Test an invalid package-lock.json file"""
         scanner = VersionScanner()
         scanner.file_stack.append(filename)
         product = None
@@ -189,6 +193,20 @@ def test_javascript_package_none_found(self, filename: str) -> None:
             pass
         assert product is not None
 
+    def test_invalid_npm_package(self) -> None:
+        """
+        A test for an npm .package-lock.json file.
+        Currently we can't parse those, so it should generate a warning,
+        return no output but not fail
+        """
+
+        scanner = VersionScanner()
+        scanner_output = scanner.scan_file(
+            str(self.TEST_FILE_PATH / ".package-lock.json")
+        )
+        for entry in scanner_output:
+            assert entry is None
+
     @pytest.mark.parametrize(
         "filename",
         [
@@ -197,6 +215,7 @@ def test_javascript_package_none_found(self, filename: str) -> None:
         ],
     )
     def test_language_package_none_found(self, filename: str) -> None:
+        """Test for cases where no products match a vendor in the database"""
         scanner = VersionScanner()
         scanner.file_stack.append(filename)
         product = None
@@ -220,6 +239,7 @@ def test_language_package_none_found(self, filename: str) -> None:
         ],
     )
     def test_language_package(self, filename: str, products: set[str]) -> None:
+        """Test valid language product list files"""
         scanner = VersionScanner()
         scanner.file_stack.append(filename)
         found_product = []
@@ -236,6 +256,7 @@ def test_language_package(self, filename: str, products: set[str]) -> None:
 
     @pytest.mark.parametrize("filename", ((str(TEST_FILE_PATH / "PKG-INFO")),))
     def test_python_package(self, filename: str) -> None:
+        """Test against python's PKG-INFO metadata file"""
         scanner = VersionScanner()
         scanner.file_stack.append(filename)
         for product in scanner.scan_file(filename):
