
Commit 002808b

Fix #4753: Prevent Git URLs from being misidentified as NPM aliases in package.json dependencies
1 parent 6c1b14d commit 002808b


4 files changed

+89
-4
lines changed


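--- a/src/packagedcode/npm.py
+++ b/src/packagedcode/npm.py
@@ -380,10 +380,10 @@ def update_dependencies_by_purl(
 if '_' in metadata:
 requirement, _extra = metadata.split('_')
 
-if ':' in requirement and '@' in requirement:
+if isinstance(requirement, str) and requirement.startswith('npm:') and '@' in requirement:
 # dependencies with requirements like this are aliases and should be reported
 aliased_package, _, constraint = requirement.rpartition('@')
-_, _, aliased_package_name = aliased_package.rpartition(':')
+_, _, aliased_package_name = aliased_package.partition('npm:')
 sdns, _ , sdname = aliased_package_name.rpartition('/')
 dep_purl = PackageURL(
 type=cls.default_package_type,
@@ -1848,10 +1848,10 @@ def deps_mapper(deps, package, field_name, is_direct=True):
 if not name:
 continue
 
-if ':' in requirement and '@' in requirement:
+if isinstance(requirement, str) and requirement.startswith('npm:') and '@' in requirement:
 # dependencies with requirements like this are aliases and should be reported
 aliased_package, _, requirement = requirement.rpartition('@')
-_, _, aliased_package_name = aliased_package.rpartition(':')
+_, _, aliased_package_name = aliased_package.partition('npm:')
 ns, _ , name = aliased_package_name.rpartition('/')
 
 purl = PackageURL(type='npm', namespace=ns, name=name).to_string()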
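Review bot: The alias branch in both hunks (update_dependencies_by_purl first, deps_mapper second) still splits a scoped alias at the wrong '@': for a manifest entry such as `npm:@scope/pkg` the new `'@' in requirement` test is satisfied by the scope prefix alone, `rpartition('@')` then yields `aliased_package == 'npm:'` and `constraint == 'scope/pkg'`, and `partition('npm:')` leaves an empty package name for the PackageURL call, so a valid package.json can still produce a bogus or failing purl. Stripping the `npm:` prefix first and treating only an '@' past the first character as the constraint separator avoids that; the deps_mapper hunk needs the same change with its `ns`/`name`/`requirement` names. This also routes a constraint-less alias like `npm:foo` into the alias branch with an empty constraint, which I believe matches npm's alias semantics but should be confirmed against the non-alias path, since the enclosing functions start and end outside both hunks and the default assignment of `constraint` is not visible here. The added fixture only exercises the unscoped form `npm:original-package@^1.2.3`, so a scoped alias case would be worth adding next to it.
```python
if isinstance(requirement, str) and requirement.startswith('npm:'):
    # dependencies with requirements like this are aliases and should be reported
    aliased_package_name = requirement[len('npm:'):]
    constraint = ''
    # a scoped name starts with '@', so only an '@' past the first character separates the constraint
    if '@' in aliased_package_name[1:]:
        aliased_package_name, _, constraint = aliased_package_name.rpartition('@')
    sdns, _, sdname = aliased_package_name.rpartition('/')
    # … unchanged: PackageURL construction …
```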
Lines changed: 10 additions & 0 deletions
@@ -0,0 +1,10 @@
1+
{
2+
"name": "example",
3+
"version": "1.0.0",
4+
"dependencies": {
5+
"private-lib": "git+ssh://[email protected]:org/repo.git#v1.0.0"
6+
},
7+
"devDependencies": {
8+
"my-alias": "npm:original-package@^1.2.3"
9+
}
10+
}
Lines changed: 69 additions & 0 deletions
@@ -0,0 +1,69 @@
1+
[
2+
{
3+
"type": "npm",
4+
"namespace": null,
5+
"name": "example",
6+
"version": "1.0.0",
7+
"qualifiers": {},
8+
"subpath": null,
9+
"primary_language": "JavaScript",
10+
"description": null,
11+
"release_date": null,
12+
"parties": [],
13+
"keywords": [],
14+
"homepage_url": null,
15+
"download_url": "https://registry.npmjs.org/example/-/example-1.0.0.tgz",
16+
"size": null,
17+
"sha1": null,
18+
"md5": null,
19+
"sha256": null,
20+
"sha512": null,
21+
"bug_tracking_url": null,
22+
"code_view_url": null,
23+
"vcs_url": null,
24+
"copyright": null,
25+
"holder": null,
26+
"declared_license_expression": null,
27+
"declared_license_expression_spdx": null,
28+
"license_detections": [],
29+
"other_license_expression": null,
30+
"other_license_expression_spdx": null,
31+
"other_license_detections": [],
32+
"extracted_license_statement": null,
33+
"notice_text": null,
34+
"source_packages": [],
35+
"file_references": [],
36+
"is_private": false,
37+
"is_virtual": false,
38+
"extra_data": {},
39+
"dependencies": [
40+
{
41+
"purl": "pkg:npm/private-lib",
42+
"extracted_requirement": "git+ssh://[email protected]:org/repo.git#v1.0.0",
43+
"scope": "dependencies",
44+
"is_runtime": true,
45+
"is_optional": false,
46+
"is_pinned": false,
47+
"is_direct": true,
48+
"resolved_package": {},
49+
"extra_data": {}
50+
},
51+
{
52+
"purl": "pkg:npm/original-package",
53+
"extracted_requirement": "^1.2.3",
54+
"scope": "devDependencies",
55+
"is_runtime": false,
56+
"is_optional": true,
57+
"is_pinned": false,
58+
"is_direct": true,
59+
"resolved_package": {},
60+
"extra_data": {}
61+
}
62+
],
63+
"repository_homepage_url": "https://www.npmjs.com/package/example",
64+
"repository_download_url": "https://registry.npmjs.org/example/-/example-1.0.0.tgz",
65+
"api_data_url": "https://registry.npmjs.org/example/1.0.0",
66+
"datasource_id": "npm_package_json",
67+
"purl": "pkg:npm/[email protected]"
68+
}
69+
]

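--- a/tests/packagedcode/test_npm.py
+++ b/tests/packagedcode/test_npm.py
@@ -108,6 +108,12 @@ def test_parse_bundleddeps(self):
 packages = npm.NpmPackageJsonHandler.parse(test_file)
 self.check_packages_data(packages, expected_loc, regen=REGEN_TEST_FIXTURES)
 
+def test_parse_git_urls(self):
+test_file = self.get_test_loc('npm/git_urls/package.json')
+expected_loc = self.get_test_loc('npm/git_urls/package.json.expected')
+packages = npm.NpmPackageJsonHandler.parse(test_file)
+self.check_packages_data(packages, expected_loc, regen=REGEN_TEST_FIXTURES)
+
 def test_parse_faulty_npm(self):
 test_file = self.get_test_loc('npm/casepath/package.json')
 expected_loc = self.get_test_loc('npm/casepath/package.json.expected')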
