npm: support aliases in yarn lock v1

schischi · schischi · commit 2638a71089f5 · 2023-10-20T01:53:50.000+02:00
When parsing a `yarn.lock v1` file, ScanCode does not handle aliases properly. Aliases have the form: `<alias-package>@npm:<package>` More info about aliases: https://classic.yarnpkg.com/lang/en/docs/cli/add/#toc-yarn-add-alias The current code incorrecly parse aliases and end up throwing an exception, resulting in empty results. A single alias in a yarn.lock file is gonna make the parser return 0 packages. This patch adds the logic to handle them by simply dropping the alias part, and just keeping the package part. Test plan: updated the unit tests. Signed-off-by: Adrien Schildknecht <adrs@fb.com>
diff --git a/src/packagedcode/npm.py b/src/packagedcode/npm.py
@@ -632,6 +632,10 @@ def parse(cls, location):
                         ns_name, _, constraint = req.rpartition('@')
                         ns, _ , name = ns_name.rpartition('/')
                         constraint = constraint.strip("\"'")
+                        # If we have an alias, just keep the package part:
+                        # <alias-package>@npm:<package>
+                        if "@npm:" in ns:
+                            ns = ns.split(':')[1]
                         top_requirements.append((ns, name, constraint,))
 
                 else:
diff --git a/tests/packagedcode/data/npm/yarn-lock/v1-complex/yarn.lock b/tests/packagedcode/data/npm/yarn-lock/v1-complex/yarn.lock
@@ -25,3 +25,12 @@
   integrity sha512-3UYcJUj9kvSLbLbUIfQTqzcy5VX7GRZ/CCDrnOaZorFFM01aXp1+GJwuFGV4NDDoAS+mOUyHcO6UD/RfqOks3Q==
   dependencies:
     "@babel/types" "^7.0.0"
+
+"@react-spring/web@9.7.3", "react-spring@npm:@react-spring/web@9.7.3":
+  version "9.7.3"
+  resolved "https://registry.yarnpkg.com/@react-spring/web/-/web-9.7.3.tgz#da977382f91d9af4c400e4aa7dc37d3db07b87e0"
+  integrity sha512-rEvipblmihiz8+Eo01zDp5dqWn6XfYk8q2rlN9c18YIOL4o6nuY/VplDoocUMHYfH4liurpO4o1QudKOO1nAiQ==
+  dependencies:
+    "@react-spring/animated" "9.7.3"
+    "@react-spring/core" "9.7.3"
+    "@react-spring/shared" "9.7.3"
diff --git a/tests/packagedcode/data/npm/yarn-lock/v1-complex/yarn.lock-expected b/tests/packagedcode/data/npm/yarn-lock/v1-complex/yarn.lock-expected
@@ -250,6 +250,89 @@
           "purl": "pkg:npm/%40babel/helper-annotate-as-pure@7.0.0"
         },
         "extra_data": {}
+      },
+      {
+        "purl": "pkg:npm/%40react-spring/web@9.7.3",
+        "extracted_requirement": "9.7.3 9.7.3",
+        "scope": "dependencies",
+        "is_runtime": true,
+        "is_optional": false,
+        "is_resolved": true,
+        "resolved_package": {
+          "type": "npm",
+          "namespace": "@react-spring",
+          "name": "web",
+          "version": "9.7.3",
+          "qualifiers": {},
+          "subpath": null,
+          "primary_language": "JavaScript",
+          "description": null,
+          "release_date": null,
+          "parties": [],
+          "keywords": [],
+          "homepage_url": null,
+          "download_url": "https://registry.yarnpkg.com/@react-spring/web/-/web-9.7.3.tgz",
+          "size": null,
+          "sha1": "da977382f91d9af4c400e4aa7dc37d3db07b87e0",
+          "md5": null,
+          "sha256": null,
+          "sha512":
+          "ac4be2a5b9668a18b3f3e128d35cc3a7976a5a7e977d893cab6ae537d735f1820e2f8a3a9ee63f569943a2871430761f1f8962baba4ee28d50b9d28e3b59c089",
+          "bug_tracking_url": null,
+          "code_view_url": null,
+          "vcs_url": null,
+          "copyright": null,
+          "holder": null,
+          "declared_license_expression": null,
+          "declared_license_expression_spdx": null,
+          "license_detections": [],
+          "other_license_expression": null,
+          "other_license_expression_spdx": null,
+          "other_license_detections": [],
+          "extracted_license_statement": null,
+          "notice_text": null,
+          "source_packages": [],
+          "file_references": [],
+          "extra_data": {},
+          "dependencies": [
+            {
+              "purl": "pkg:npm/%22%40react-spring/animated%22",
+              "extracted_requirement": "9.7.3",
+              "scope": "dependencies",
+              "is_runtime": true,
+              "is_optional": false,
+              "is_resolved": false,
+              "resolved_package": {},
+              "extra_data": {}
+            },
+            {
+              "purl": "pkg:npm/%22%40react-spring/core%22",
+              "extracted_requirement": "9.7.3",
+              "scope": "dependencies",
+              "is_runtime": true,
+              "is_optional": false,
+              "is_resolved": false,
+              "resolved_package": {},
+              "extra_data": {}
+            },
+            {
+              "purl": "pkg:npm/%22%40react-spring/shared%22",
+              "extracted_requirement": "9.7.3",
+              "scope": "dependencies",
+              "is_runtime": true,
+              "is_optional": false,
+              "is_resolved": false,
+              "resolved_package": {},
+              "extra_data": {}
+            }
+          ],
+          "repository_homepage_url": "https://www.npmjs.com/package/@react-spring/web",
+          "repository_download_url": "https://registry.npmjs.org/@react-spring/web/-/web-9.7.3.tgz",
+          "api_data_url": "https://registry.npmjs.org/@react-spring%2fweb/9.7.3",
+          "datasource_id": "yarn_lock_v1",
+          "purl": "pkg:npm/%40react-spring/web@9.7.3"
+        },
+        "extra_data": {}
       }
     ],
     "repository_homepage_url": null,
@@ -258,4 +341,4 @@
     "datasource_id": "yarn_lock_v1",
     "purl": null
   }
-]
+]
