Refactor NPM package updater #1024
Conversation
… location extraction for a given VulnerabilityDetails
eranturgeman
added
safe to test
github-actions
bot
removed
the
safe to test
…r-npm-package-updater
|
please provide a link to a fix pr |
eyalk007
left a comment
eyalk007
left a comment
There was a problem hiding this comment.
reviewed most of files
please tell me you are done so i can rereveiw
| regexpCompleteFormat := fmt.Sprintf(strings.ToLower(dependencyLineFormat), regexpFitImpactedName, regexpFitImpactedVersion) | ||
| return regexp.MustCompile(regexpCompleteFormat) | ||
| } | ||
|
|
||
| // Extracts unique file paths from the vulnerability's component locations. |
| // Matches: "package-name": "version" with optional ^ or ~ prefix | ||
| npmDependencyRegexpPattern = `\s*"%s"\s*:\s*"[~^]?%s"` | ||
| // Regex pattern for replacement - captures the groups for reconstruction | ||
| npmDependencyReplacePattern = `(\s*"%s"\s*:\s*")[~^]?[^"]+(")` |
There was a problem hiding this comment.
regex patterns are self explanatory
no need for comments
| func (npm *NpmPackageHandler) getDescriptorsToFixFromVulnerability(vulnDetails *utils.VulnerabilityDetails) ([]string, error) { | ||
| lockFilePaths := GetVulnerabilityLocations(vulnDetails) |
There was a problem hiding this comment.
I would rename it to getDescriptorsPaths
Also we said its a bug, so that's why we need to do this
so basically we need to delete this function once they fix the bug?
if so add a todo of deleting the function
also delete comment after rename as it will be self explanatory
So something like:
// TODO: This is a workaround. Engine provides lock file paths but we need descriptor paths.
// Delete this function once engine provides descriptor paths directly.
There was a problem hiding this comment.
Yes this would be changed once the bug will be fixed. I coded it before we knew its a but and I maintained it since we dont know when the bug will be fixed. Ill add the comment
| // Change to the descriptor directory for the regeneration of the lock file | ||
| descriptorDir := filepath.Dir(descriptorPath) | ||
| if err = os.Chdir(descriptorDir); err != nil { | ||
| return fmt.Errorf("failed to change directory to '%s': %w", descriptorDir, err) | ||
| } | ||
| defer func() { | ||
| if chErr := os.Chdir(originalWd); chErr != nil { | ||
| err = errors.Join(err, fmt.Errorf("failed to return to original directory: %w", chErr)) | ||
| } | ||
| }() | ||
|
|
||
| if err = npm.regenerateLockFileWithRetry(); err != nil { | ||
| log.Warn(fmt.Sprintf("Failed to regenerate lock file after updating '%s' to version '%s': %s. Rolling back...", vulnDetails.ImpactedDependencyName, vulnDetails.SuggestedFixedVersion, err.Error())) | ||
| if rollbackErr := os.WriteFile(descriptorPath, backupContent, 0644); rollbackErr != nil { | ||
| return fmt.Errorf("failed to rollback descriptor after lock file regeneration failure: %w (original error: %v)", rollbackErr, err) | ||
| } | ||
| return err | ||
| } | ||
|
|
||
| log.Debug(fmt.Sprintf("Successfully updated '%s' from version '%s' to '%s'", vulnDetails.ImpactedDependencyName, vulnDetails.ImpactedDependencyVersion, vulnDetails.SuggestedFixedVersion)) | ||
| return nil |
There was a problem hiding this comment.
separation of concerns
the goal of this func is to update the descriptor
this func is both updating the descriptor and tidying up the lockfile
I would separate to 2 function calls in the loop
and would check with product regarding backup
There was a problem hiding this comment.
not really. the function that is updating the descriptor is called updateVersionInDescriptor. this is why I called this function fixVulnerabilityInDescriptor as it fixes vulnerability and performing all the steps around it.
we can change it to 'fixVulnerability' if you still think it is not clear enough
| descriptorDir := filepath.Dir(descriptorPath) | ||
| if err = os.Chdir(descriptorDir); err != nil { | ||
| return fmt.Errorf("failed to change directory to '%s': %w", descriptorDir, err) | ||
| } | ||
| defer func() { | ||
| if chErr := os.Chdir(originalWd); chErr != nil { | ||
| err = errors.Join(err, fmt.Errorf("failed to return to original directory: %w", chErr)) | ||
| } | ||
| }() | ||
|
|
||
| if err = npm.regenerateLockFileWithRetry(); err != nil { | ||
| log.Warn(fmt.Sprintf("Failed to regenerate lock file after updating '%s' to version '%s': %s. Rolling back...", vulnDetails.ImpactedDependencyName, vulnDetails.SuggestedFixedVersion, err.Error())) | ||
| if rollbackErr := os.WriteFile(descriptorPath, backupContent, 0644); rollbackErr != nil { | ||
| return fmt.Errorf("failed to rollback descriptor after lock file regeneration failure: %w (original error: %v)", rollbackErr, err) | ||
| } | ||
| return err | ||
| } | ||
|
|
||
| log.Debug(fmt.Sprintf("Successfully updated '%s' from version '%s' to '%s'", vulnDetails.ImpactedDependencyName, vulnDetails.ImpactedDependencyVersion, vulnDetails.SuggestedFixedVersion)) | ||
| return nil |
There was a problem hiding this comment.
what if user doesnt have lockfile in git, are we taking this into consideration?
@orto17
There was a problem hiding this comment.
I agree - we talked about it before and as far as I remember this is what we decided.
In V2 we have a logic of 'cleaning' whatever that is not in the remote (like node_modules for example).
we can apply same logic here
| @@ -0,0 +1,297 @@ | |||
| package packagehandlers | |||
There was a problem hiding this comment.
missing test cases:
-
Version Range Mismatch - meaning lockfile resolves to diff version
-
Multiple Occurrences - multiple occurrence of the same version once as lets say a dep and once as a dev dep
-
Diff types of deps - we have peer deps, deps, dev deps, peerDeps, optionalDeps
plus we have overrides -
Maybe a test for the rollback functionality if we keep it
2 participants
This PR changes the NPM package handler to test-based fixes instead of cli command fixes.
As past of the change we ease the installation after a fix is performed to only regenerate the lock file, hence reducing the strict build process we used to have and make the process less error prone