Configuration format not sufficient to resolve packages aliases
dappelt opened this issue · comments
Description
Yarn and npm support specifying packages via aliases, see https://docs.npmjs.com/cli/v8/using-npm/package-spec#aliases. The config format of vuln-reach-cli
does not have enough information to resolve such packages (see example below).
Aliases are certainly not the most common method of referencing packages, but since all transitive dependencies must be specified in the vuln-reach config, it seems like it is enough if one dependency in a project is specified via an alias to make vuln-reach not applicable.
Here is an example:
// package.json
dependencies: {
"vue-loader-vue3": "npm:vue-loader@17",
}
Corresponding lockfile entry:
// yarn.lock
"vue-loader-vue3@npm:vue-loader@17":
version "17.0.1"
resolved "https://registry.yarnpkg.com/vue-loader/-/vue-loader-17.0.1.tgz#c0ee8875e0610a0c2d13ba9b4d50a9c8442e7a3a"
integrity sha512-/OOyugJnImKCkAKrAvdsWMuwoCqGxWT5USLsjohzWbMgOwpA5wQmzQiLMzZd7DjhIfunzAGIApTOgIylz/kwcg==
dependencies:
chalk "^4.1.0"
hash-sum "^2.0.0"
loader-utils "^2.0.0"
If we use phylum cli to parse the transitive packages, we get
$ phylum parse yarn.lock | jq '.[] | select(.name == "vue-loader-vue3")'
{
"name": "vue-loader-vue3",
"version": "17.0.1",
"type": "npm",
"lockfile": "yarn.lock"
}
from which we might create the following config
# vuln-reach-config.toml
packages = [
{name: "vue-loader-vue3", version: "17.0.1"},
...
]
When running vuln-reach-cli
with this config, it fails
$ vuln-reach-cli ./vuln-reach-config.toml
Downloading @vue/test-utils-vue3-2.2.0 to ./tarballs/@vue/test-utils-vue3-2.2.0.tgz...
Downloading vue-loader-vue3-17.0.1 to ./tarballs/vue-loader-vue3-17.0.1.tgz...
Error: error decoding response body: missing field `versions` at line 1 column 21
Caused by:
missing field `versions` at line 1 column 21
Expected Behavior
vuln-reach
can download packages that have been specified via an alias
Actual Behavior
vuln-reach
fails to download packages referenced by an alias