aboutcode-org / scancode-toolkit

:mag: ScanCode detects licenses, copyrights, dependencies by "scanning code" ... to discover and inventory open source and third-party packages used in your code. Sponsored by NLnet project https://nlnet.nl/project/vulnerabilitydatabase, the Google Summer of Code, Azure credits, nexB and others generous sponsors!
https://github.com/aboutcode-org/scancode-toolkit/releases/

Incorrect dependencies purl #2015

Open pombredanne opened 4 years ago

pombredanne commented 4 years ago

Description

I have this (simplified) package-lock.json file: package-lock.json.txt

{
  "name": "bqplot", 
  "version": "0.5.6", 
  "lockfileVersion": 1, 
  "requires": true, 
  "dependencies": {
    "ws": {
      "version": "3.3.3", 
      "resolved": "https://registry.npmjs.org/ws/-/ws-3.3.3.tgz", 
      "integrity": "sha512-nnWLa/NwZSt4KQJu51MYlCcSQ5g7INpOrOMt4XV8j4dqTXdmlUmSHQ8/oLC069ckre0fRsgfvsKwbTdtKLCDkA==", 
      "dev": true, 
      "requires": {
        "async-limiter": "~1.0.0", 
        "safe-buffer": "~5.1.0", 
        "ultron": "~1.1.0"
      }
    }
  }
}

I scan this with develop and scancode -p --json-pp p.txt package-lock.json: p.txt and I get this dependencies section:

          "dependencies": [
            {
              "purl": "pkg:npm/async-limiter@%7E1.0.0",
              "requirement": "~1.0.0",
              "scope": "requires-dev",
              "is_runtime": false,
              "is_optional": true,
              "is_resolved": true
            },
            {
              "purl": "pkg:npm/safe-buffer@%7E5.1.0",
              "requirement": "~5.1.0",
              "scope": "requires-dev",
              "is_runtime": false,
              "is_optional": true,
              "is_resolved": true
            },
            {
              "purl": "pkg:npm/ultron@%7E1.1.0",
              "requirement": "~1.1.0",
              "scope": "requires-dev",
              "is_runtime": false,
              "is_optional": true,
              "is_resolved": true
            }
          ],

These are NOT resolved and we should instead have this:

          "dependencies": [
            {
              "purl": "pkg:npm/async-limiter",
              "requirement": "~1.0.0",
              "scope": "requires-dev",
              "is_runtime": false,
              "is_optional": true,
              "is_resolved": false
            },
            {
              "purl": "pkg:npm/safe-buffer",
              "requirement": "~5.1.0",
              "scope": "requires-dev",
              "is_runtime": false,
              "is_optional": true,
              "is_resolved": false
            },
            {
              "purl": "pkg:npm/ultron",
              "requirement": "~1.1.0",
              "scope": "requires-dev",
              "is_runtime": false,
              "is_optional": true,
              "is_resolved": false
            }
          ],

Furthermore, the value returned with Python 3.8 is "purl": "pkg:npm/safe-buffer@~5.1.0" instead of "purl": "pkg:npm/safe-buffer@%7E5.1.0". The tilde is not escaped and should be per the Package URL spec. This is likely either a 3.8 bug OR a Package URL library bug.

System configuration

Linux, latest develop branch, Python 2

pombredanne commented 3 years ago

Revisiting this, the npms in a package-lock.json are resolved by construction and by definition.

With the caveat that the lockfile listed here uses tilde ranges https://github.com/npm/node-semver#tilde-ranges-123-12-1, which is problematic as this means not resolved. So IMHO the right way is to mark as resolved IFF the version in an npm is NOT a semver range at all. Consider using the univers library for this.
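An added example, not ScanCode's own code, of the rule proposed above applied to the lock file from the description: a dependency taken from a `requires` map gets a versioned purl and `is_resolved: true` only when its requirement is an exact semver version, while tilde and other ranges keep a version-less purl and stay unresolved. The `"@types/node"` entry, the `is_optional`/`scope` mapping and the exact-version regex are assumptions; the explicit `%7E` replacement accounts for `urllib.parse.quote` leaving `~` unencoded since Python 3.7, which is the behaviour the description saw on 3.8.

```python
import re
from urllib.parse import quote

# Constructed sample: the "ws" entry from the issue's simplified package-lock.json,
# plus a hypothetical scoped package pinned to an exact version.
LOCK_ENTRY = {
    "version": "3.3.3",
    "dev": True,
    "requires": {
        "async-limiter": "~1.0.0",
        "safe-buffer": "~5.1.0",
        "ultron": "~1.1.0",
        "@types/node": "14.0.1",
    },
}

# A pinned semver version: MAJOR.MINOR.PATCH with optional prerelease/build metadata.
# Anything else (~1.0.0, ^2.1.0, >=1 <2, 1.x, *, a || b) is a range, hence unresolved.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")


def is_exact_version(requirement):
    return bool(EXACT_VERSION.match(requirement.strip()))


def _encode(segment):
    # quote() treats "~" as unreserved on Python 3.7+, so encode it explicitly
    # to get the same purl on every interpreter version.
    return quote(segment, safe="").replace("~", "%7E")


def npm_purl(name, version=None):
    """Build an npm Package URL; scoped "@types/node" becomes "pkg:npm/%40types/node"."""
    purl = "pkg:npm/" + "/".join(_encode(part) for part in name.split("/"))
    if version is not None:
        purl += "@" + _encode(version)
    return purl


def dependencies_from_requires(entry):
    """Turn a lock entry's "requires" map into dependency dicts shaped like the issue's output."""
    is_dev = bool(entry.get("dev"))
    deps = []
    for name, requirement in entry.get("requires", {}).items():
        resolved = is_exact_version(requirement)
        deps.append({
            "purl": npm_purl(name, requirement if resolved else None),
            "requirement": requirement,
            "scope": "requires-dev" if is_dev else "requires",
            "is_runtime": not is_dev,
            "is_optional": is_dev,
            "is_resolved": resolved,
        })
    return deps
```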