Description
Yarn and npm support specifying packages via aliases, see https://docs.npmjs.com/cli/v8/using-npm/package-spec#aliases. The config format of vuln-reach-cli does not have enough information to resolve such packages (see example below).
Aliases are certainly not the most common method of referencing packages, but since all transitive dependencies must be specified in the vuln-reach config, it seems like it is enough if one dependency in a project is specified via an alias to make vuln-reach not applicable.
Here is an example:
// package.json
dependencies: {
"vue-loader-vue3": "npm:vue-loader@17",
}Corresponding lockfile entry:
// yarn.lock
"vue-loader-vue3@npm:vue-loader@17":
version "17.0.1"
resolved "https://registry.yarnpkg.com/vue-loader/-/vue-loader-17.0.1.tgz#c0ee8875e0610a0c2d13ba9b4d50a9c8442e7a3a"
integrity sha512-/OOyugJnImKCkAKrAvdsWMuwoCqGxWT5USLsjohzWbMgOwpA5wQmzQiLMzZd7DjhIfunzAGIApTOgIylz/kwcg==
dependencies:
chalk "^4.1.0"
hash-sum "^2.0.0"
loader-utils "^2.0.0"
If we use phylum cli to parse the transitive packages, we get
$ phylum parse yarn.lock | jq '.[] | select(.name == "vue-loader-vue3")'
{
"name": "vue-loader-vue3",
"version": "17.0.1",
"type": "npm",
"lockfile": "yarn.lock"
}
from which we might create the following config
# vuln-reach-config.toml
packages = [
{name: "vue-loader-vue3", version: "17.0.1"},
...
]
When running vuln-reach-cli with this config, it fails
$ vuln-reach-cli ./vuln-reach-config.toml
Downloading @vue/test-utils-vue3-2.2.0 to ./tarballs/@vue/test-utils-vue3-2.2.0.tgz...
Downloading vue-loader-vue3-17.0.1 to ./tarballs/vue-loader-vue3-17.0.1.tgz...
Error: error decoding response body: missing field `versions` at line 1 column 21
Caused by:
missing field `versions` at line 1 column 21
Expected Behavior
vuln-reach can download packages that have been specified via an alias
Actual Behavior
vuln-reach fails to download packages referenced by an alias
Description
Yarn and npm support specifying packages via aliases, see https://docs.npmjs.com/cli/v8/using-npm/package-spec#aliases. The config format of
vuln-reach-clidoes not have enough information to resolve such packages (see example below).Aliases are certainly not the most common method of referencing packages, but since all transitive dependencies must be specified in the vuln-reach config, it seems like it is enough if one dependency in a project is specified via an alias to make vuln-reach not applicable.
Here is an example:
Corresponding lockfile entry:
If we use phylum cli to parse the transitive packages, we get
from which we might create the following config
When running
vuln-reach-cliwith this config, it failsExpected Behavior
vuln-reachcan download packages that have been specified via an aliasActual Behavior
vuln-reachfails to download packages referenced by an alias