feat(libarary) add include dev dependencies (#2394)

sadayuki-matsuno · web-flow · commit e5999be626bc · 2026-01-19T17:52:28.000+09:00
* feat(libarary) add include dev dependencies

* fix(test) mv Test_convertLibWithScanner to library_test.go
diff --git a/scanner/base.go b/scanner/base.go
@@ -737,7 +737,7 @@ func (l *base) scanLibraries() (err error) {
 			continue
 		}
 
-		libraryScanners, err := AnalyzeLibrary(context.Background(), abspath, contents, filemode, l.ServerInfo.Mode.IsOffline())
+		libraryScanners, err := AnalyzeLibrary(context.Background(), abspath, contents, filemode, l.ServerInfo.Mode.IsOffline(), false)
 		if err != nil {
 			return xerrors.Errorf("Failed to analyze library. err: %w, filepath: %s", err, abspath)
 		}
@@ -747,7 +747,7 @@ func (l *base) scanLibraries() (err error) {
 }
 
 // AnalyzeLibrary : detects library defined in artifact such as lockfile or jar
-func AnalyzeLibrary(ctx context.Context, path string, contents []byte, filemode os.FileMode, isOffline bool) (libraryScanners []models.LibraryScanner, err error) {
+func AnalyzeLibrary(ctx context.Context, path string, contents []byte, filemode os.FileMode, isOffline, includeDevDependencies bool) (libraryScanners []models.LibraryScanner, err error) {
 	ag, err := fanal.NewAnalyzerGroup(fanal.AnalyzerOptions{
 		Group:             fanal.GroupBuiltin,
 		DisabledAnalyzers: disabledAnalyzers,
@@ -806,7 +806,7 @@ func AnalyzeLibrary(ctx context.Context, path string, contents []byte, filemode
 		}
 	}
 
-	libscan, err := convertLibWithScanner(result.Applications)
+	libscan, err := convertLibWithScanner(result.Applications, includeDevDependencies)
 	if err != nil {
 		return nil, xerrors.Errorf("Failed to convert libs. err: %w", err)
 	}
diff --git a/scanner/library.go b/scanner/library.go
@@ -10,11 +10,13 @@ import (
 	"github.com/future-architect/vuls/models"
 )
 
-func convertLibWithScanner(apps []ftypes.Application) ([]models.LibraryScanner, error) {
-	for i := range apps {
-		apps[i].Packages = lo.Filter(apps[i].Packages, func(lib ftypes.Package, _ int) bool {
-			return !lib.Dev
-		})
+func convertLibWithScanner(apps []ftypes.Application, includeDevDependencies bool) ([]models.LibraryScanner, error) {
+	if !includeDevDependencies {
+		for i := range apps {
+			apps[i].Packages = lo.Filter(apps[i].Packages, func(lib ftypes.Package, _ int) bool {
+				return !lib.Dev
+			})
+		}
 	}
 
 	scanners := make([]models.LibraryScanner, 0, len(apps))
diff --git a/scanner/library_test.go b/scanner/library_test.go
@@ -0,0 +1,120 @@
+package scanner
+
+import (
+	"reflect"
+	"testing"
+
+	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
+	"github.com/future-architect/vuls/models"
+)
+
+func Test_convertLibWithScanner(t *testing.T) {
+	type args struct {
+		apps                   []ftypes.Application
+		includeDevDependencies bool
+	}
+	tests := []struct {
+		name string
+		args args
+		want []models.LibraryScanner
+	}{
+		{
+			name: "exclude dev dependencies",
+			args: args{
+				apps: []ftypes.Application{
+					{
+						Type:     ftypes.Npm,
+						FilePath: "package-lock.json",
+						Packages: []ftypes.Package{
+							{Name: "lodash", Version: "4.17.21", Dev: false},
+							{Name: "jest", Version: "29.0.0", Dev: true},
+							{Name: "express", Version: "4.18.0", Dev: false},
+						},
+					},
+				},
+				includeDevDependencies: false,
+			},
+			want: []models.LibraryScanner{
+				{
+					Type:         ftypes.Npm,
+					LockfilePath: "package-lock.json",
+					Libs: []models.Library{
+						{Name: "lodash", Version: "4.17.21", PURL: "pkg:npm/lodash@4.17.21"},
+						{Name: "express", Version: "4.18.0", PURL: "pkg:npm/express@4.18.0"},
+					},
+				},
+			},
+		},
+		{
+			name: "include dev dependencies",
+			args: args{
+				apps: []ftypes.Application{
+					{
+						Type:     ftypes.Npm,
+						FilePath: "package-lock.json",
+						Packages: []ftypes.Package{
+							{Name: "lodash", Version: "4.17.21", Dev: false},
+							{Name: "jest", Version: "29.0.0", Dev: true},
+							{Name: "express", Version: "4.18.0", Dev: false},
+						},
+					},
+				},
+				includeDevDependencies: true,
+			},
+			want: []models.LibraryScanner{
+				{
+					Type:         ftypes.Npm,
+					LockfilePath: "package-lock.json",
+					Libs: []models.Library{
+						{Name: "lodash", Version: "4.17.21", PURL: "pkg:npm/lodash@4.17.21"},
+						{Name: "jest", Version: "29.0.0", PURL: "pkg:npm/jest@29.0.0"},
+						{Name: "express", Version: "4.18.0", PURL: "pkg:npm/express@4.18.0"},
+					},
+				},
+			},
+		},
+		{
+			name: "all dev dependencies excluded",
+			args: args{
+				apps: []ftypes.Application{
+					{
+						Type:     ftypes.Npm,
+						FilePath: "package-lock.json",
+						Packages: []ftypes.Package{
+							{Name: "jest", Version: "29.0.0", Dev: true},
+							{Name: "mocha", Version: "10.0.0", Dev: true},
+						},
+					},
+				},
+				includeDevDependencies: false,
+			},
+			want: []models.LibraryScanner{
+				{
+					Type:         ftypes.Npm,
+					LockfilePath: "package-lock.json",
+					Libs:         []models.Library{},
+				},
+			},
+		},
+		{
+			name: "empty apps",
+			args: args{
+				apps:                   []ftypes.Application{},
+				includeDevDependencies: false,
+			},
+			want: []models.LibraryScanner{},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := convertLibWithScanner(tt.args.apps, tt.args.includeDevDependencies)
+			if err != nil {
+				t.Errorf("convertLibWithScanner() error = %v", err)
+				return
+			}
+			if !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("convertLibWithScanner() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
diff --git a/scanner/pseudo.go b/scanner/pseudo.go
@@ -131,7 +131,7 @@ func (o *pseudo) scanLibraries() (err error) {
 		}
 
 		trivypath := o.cleanPath(abspath)
-		libraryScanners, err := AnalyzeLibrary(context.Background(), trivypath, contents, filemode, o.getServerInfo().Mode.IsOffline())
+		libraryScanners, err := AnalyzeLibrary(context.Background(), trivypath, contents, filemode, o.getServerInfo().Mode.IsOffline(), false)
 		if err != nil {
 			return xerrors.Errorf("Failed to analyze library. err: %w, filepath: %s", err, trivypath)
 		}
diff --git a/scanner/windows.go b/scanner/windows.go
@@ -5376,7 +5376,7 @@ func (w *windows) scanLibraries() (err error) {
 		}
 
 		trivypath := w.cleanPath(abspath)
-		libraryScanners, err := AnalyzeLibrary(context.Background(), trivypath, contents, filemode, w.ServerInfo.Mode.IsOffline())
+		libraryScanners, err := AnalyzeLibrary(context.Background(), trivypath, contents, filemode, w.ServerInfo.Mode.IsOffline(), false)
 		if err != nil {
 			return xerrors.Errorf("Failed to analyze library. err: %w, filepath: %s", err, trivypath)
 		}

Original file line number	Diff line number	Diff line change
`@@ -737,7 +737,7 @@ func (l *base) scanLibraries() (err error) {`
`737`	`737`	`continue`
`738`	`738`	`}`
`739`	`739`
`740`		`- libraryScanners, err := AnalyzeLibrary(context.Background(), abspath, contents, filemode, l.ServerInfo.Mode.IsOffline())`
	`740`	`+ libraryScanners, err := AnalyzeLibrary(context.Background(), abspath, contents, filemode, l.ServerInfo.Mode.IsOffline(), false)`
`741`	`741`	`if err != nil {`
`742`	`742`	`return xerrors.Errorf("Failed to analyze library. err: %w, filepath: %s", err, abspath)`
`743`	`743`	`}`
`@@ -747,7 +747,7 @@ func (l *base) scanLibraries() (err error) {`
`747`	`747`	`}`
`748`	`748`
`749`	`749`	`// AnalyzeLibrary : detects library defined in artifact such as lockfile or jar`
`750`		`-func AnalyzeLibrary(ctx context.Context, path string, contents []byte, filemode os.FileMode, isOffline bool) (libraryScanners []models.LibraryScanner, err error) {`
	`750`	`+func AnalyzeLibrary(ctx context.Context, path string, contents []byte, filemode os.FileMode, isOffline, includeDevDependencies bool) (libraryScanners []models.LibraryScanner, err error) {`
`751`	`751`	`ag, err := fanal.NewAnalyzerGroup(fanal.AnalyzerOptions{`
`752`	`752`	`Group: fanal.GroupBuiltin,`
`753`	`753`	`DisabledAnalyzers: disabledAnalyzers,`
`@@ -806,7 +806,7 @@ func AnalyzeLibrary(ctx context.Context, path string, contents []byte, filemode`
`806`	`806`	`}`
`807`	`807`	`}`
`808`	`808`
`809`		`- libscan, err := convertLibWithScanner(result.Applications)`
	`809`	`+ libscan, err := convertLibWithScanner(result.Applications, includeDevDependencies)`
`810`	`810`	`if err != nil {`
`811`	`811`	`return nil, xerrors.Errorf("Failed to convert libs. err: %w", err)`
`812`	`812`	`}`
Original file line number	Diff line number	Diff line change
`@@ -131,7 +131,7 @@ func (o *pseudo) scanLibraries() (err error) {`
`131`	`131`	`}`
`132`	`132`
`133`	`133`	`trivypath := o.cleanPath(abspath)`
`134`		`- libraryScanners, err := AnalyzeLibrary(context.Background(), trivypath, contents, filemode, o.getServerInfo().Mode.IsOffline())`
	`134`	`+ libraryScanners, err := AnalyzeLibrary(context.Background(), trivypath, contents, filemode, o.getServerInfo().Mode.IsOffline(), false)`
`135`	`135`	`if err != nil {`
`136`	`136`	`return xerrors.Errorf("Failed to analyze library. err: %w, filepath: %s", err, trivypath)`
`137`	`137`	`}`
Original file line number	Diff line number	Diff line change
`@@ -5376,7 +5376,7 @@ func (w *windows) scanLibraries() (err error) {`
`5376`	`5376`	`}`
`5377`	`5377`
`5378`	`5378`	`trivypath := w.cleanPath(abspath)`
`5379`		`- libraryScanners, err := AnalyzeLibrary(context.Background(), trivypath, contents, filemode, w.ServerInfo.Mode.IsOffline())`
	`5379`	`+ libraryScanners, err := AnalyzeLibrary(context.Background(), trivypath, contents, filemode, w.ServerInfo.Mode.IsOffline(), false)`
`5380`	`5380`	`if err != nil {`
`5381`	`5381`	`return xerrors.Errorf("Failed to analyze library. err: %w, filepath: %s", err, trivypath)`
`5382`	`5382`	`}`