
Apply allow-partial-results on Yarn V1 dependencies map construction #282

@eranturgeman eranturgeman commented Nov 7, 2024

  • All tests passed. If this feature is not already covered by the tests, I added new tests.
  • All static analysis checks passed.
  • This pull request is on the dev branch.
  • I used gofmt for formatting the code before submitting the pull request.

This PR introduces an improvement that applies the 'allow-partial-results' ability to Yarn V1 dependencies map construction, so if we have some missing dependencies, it will not fail the entire map construction.
In more detail:
Due to the output of 'yarn list', we manually build the dependencies map for Yarn V1 in 2 phases.
At the output's first level we get all dependencies (direct and indirect) with their locked versions.
At the output's second level (the children) we get all dependencies with a caret version specifier (^).
Therefore a manual mapping between the versions is required for the final construction of the map and later the tree.
Sometimes (for an unknown reason that will be investigated further later; extra debug logs were added) we encounter a child dependency that we do not have at the first level of the map, and this causes the entire process to fail.
The current change states that if 'allow-partial-results' is enabled and we encounter such a dependency, we just log the error and skip the matching for this problematic dependency.
This allows us to continue the process and to report the vulnerability, at the price that we might have some dependencies without impact paths (they will be reported in 'audit', just without stating their direct dependency) and they will not get fixed in Frogbot.
This applies ONLY if 'partial results' is enabled. In any other case the flow remains unchanged.

Related changes:
jfrog/jfrog-cli-security#229
jfrog/frogbot#784
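The two-phase construction and the 'allow-partial-results' skip described in the PR, as an added illustration that is not the project's own code from build/utils/yarn.go. It assumes the shape of `yarn list --json` output (a `data.trees` array whose depth-0 entries are named `pkg@lockedVersion` and whose children are named `pkg@range`), uses a deliberately simplified range check (exact match, or a caret range matched on major version only, instead of full semver), and feeds itself a constructed sample in which `left-pad` is referenced as a child but missing from the first level. All names, the sample and the function `BuildYarnV1DependencyMap` are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
	"strconv"
	"strings"
)

// Constructed `yarn list --json` excerpt (not real project output). "left-pad"
// is a child of "lodash" but has no depth-0 entry, i.e. the failure mode the
// PR describes.
const sampleYarnList = `{"type":"tree","data":{"type":"list","trees":[
  {"name":"lodash@4.17.21","children":[{"name":"left-pad@^1.3.0","children":[]}],"depth":0},
  {"name":"semver@7.6.0","children":[{"name":"lru-cache@^6.0.0","children":[]}],"depth":0},
  {"name":"lru-cache@6.0.0","children":[{"name":"yallist@^4.0.0","children":[]}],"depth":0},
  {"name":"yallist@4.0.0","children":[],"depth":0}
]}}`

// yarnNode is the assumed shape of one node in the yarn list tree.
type yarnNode struct {
	Name     string     `json:"name"`
	Children []yarnNode `json:"children"`
}

type yarnList struct {
	Data struct {
		Trees []yarnNode `json:"trees"`
	} `json:"data"`
}

// splitNameVersion splits "pkg@1.2.3" or "@scope/pkg@^1.0.0" at the last '@'.
func splitNameVersion(s string) (string, string) {
	i := strings.LastIndex(s, "@")
	if i <= 0 {
		return s, ""
	}
	return s[:i], s[i+1:]
}

// satisfies is a small stand-in for semver range matching (assumption of this
// example): an exact version matches itself and "^X.y.z" matches any locked
// version with major X. Any other range is treated as unresolved.
func satisfies(rng, locked string) bool {
	if rng == locked {
		return true
	}
	if !strings.HasPrefix(rng, "^") {
		return false
	}
	major := func(v string) (int, error) { return strconv.Atoi(strings.SplitN(v, ".", 2)[0]) }
	rm, err1 := major(rng[1:])
	lm, err2 := major(locked)
	return err1 == nil && err2 == nil && rm == lm
}

// BuildYarnV1DependencyMap maps "name@lockedVersion" to its children as
// "name@lockedVersion". Phase 1 collects the locked versions from depth 0;
// phase 2 resolves each child's range against them. A child with no locked
// version fails the whole build unless allowPartialResults is set, in which
// case it is logged, returned in the second result, and skipped.
func BuildYarnV1DependencyMap(raw []byte, allowPartialResults bool) (map[string][]string, []string, error) {
	var out yarnList
	if err := json.Unmarshal(raw, &out); err != nil {
		return nil, nil, fmt.Errorf("parsing yarn list output: %w", err)
	}
	// Phase 1: locked versions per package name (a name may have several).
	locked := map[string][]string{}
	for _, t := range out.Data.Trees {
		name, ver := splitNameVersion(t.Name)
		locked[name] = append(locked[name], ver)
	}
	// Phase 2: match every child's range to a locked version.
	deps := map[string][]string{}
	var unresolved []string
	for _, t := range out.Data.Trees {
		deps[t.Name] = []string{}
		for _, c := range t.Children {
			cname, crange := splitNameVersion(c.Name)
			resolved := ""
			for _, v := range locked[cname] {
				if satisfies(crange, v) {
					resolved = cname + "@" + v
					break
				}
			}
			if resolved == "" {
				if !allowPartialResults {
					return nil, nil, fmt.Errorf("dependency %s of %s has no locked version in yarn list output", c.Name, t.Name)
				}
				log.Printf("allow-partial-results: skipping %s (child of %s): no locked version found", c.Name, t.Name)
				unresolved = append(unresolved, c.Name)
				continue
			}
			deps[t.Name] = append(deps[t.Name], resolved)
		}
	}
	return deps, unresolved, nil
}

func main() {
	deps, unresolved, err := BuildYarnV1DependencyMap([]byte(sampleYarnList), true)
	if err != nil {
		log.Fatal(err)
	}
	for k, v := range deps {
		fmt.Printf("%s -> %v\n", k, v)
	}
	fmt.Printf("unresolved children: %v\n", unresolved)
}
```

With the flag set, the build completes and `left-pad@^1.3.0` is returned as unresolved, so a scan can still report `lodash@4.17.21` even though that one edge has no impact path; with the flag cleared, the same input returns an error and no map, which is the unchanged default flow.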

@eranturgeman eranturgeman added the ignore for release Automatically generated release notes label Nov 7, 2024

👍 Frogbot scanned this pull request and did not find any new security issues.


@eyalbe4 eyalbe4 added improvement Automatically generated release notes and removed ignore for release Automatically generated release notes labels Nov 10, 2024
@eyalbe4 eyalbe4 merged commit 36ed221 into jfrog:dev Nov 10, 2024
16 checks passed