Skip to content

Refactor NPM package updater #1024

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
eranturgeman wants to merge 9 commits into
base: v3_er
Choose a base branch
from
Open

Refactor NPM package updater #1024

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
aa9c313
refactoring npm package handler to use text based fixes and lock file…
eranturgeman Jan 7, 2026
1b56a43
improving GetVulnerabilityRegexCompiler and adding extractor for file…
eranturgeman Jan 7, 2026
23f38c8
renamed file to better adjust new package refactoring and naming
eranturgeman Jan 7, 2026
5c3e233
adding tests for new functions
eranturgeman Jan 7, 2026
0d44549
fix UpdateDependency test for NPM
eranturgeman Jan 7, 2026
5e027cc
remove comments
eranturgeman Jan 7, 2026
42ba784
Merge branch 'v3_er' of https://github.com/jfrog/frogbot into refacto…
eranturgeman Jan 7, 2026
28504c1
improve tests
eranturgeman Jan 8, 2026
888f5a9
/
eranturgeman Jan 8, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 15 additions & 6 deletions packagehandlers/commonpackagehandler.go → packagehandlers/commonpackageupdater.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,11 +8,11 @@ import (
"regexp"
"strings"

"github.com/jfrog/frogbot/v2/utils"
"github.com/jfrog/gofrog/datastructures"
"github.com/jfrog/jfrog-cli-core/v2/utils/config"
"github.com/jfrog/jfrog-cli-security/utils/techutils"
"github.com/jfrog/jfrog-client-go/utils/log"

"github.com/jfrog/frogbot/v2/utils"
)

// PackageHandler interface to hold operations on packages
Expand Down Expand Up @@ -136,10 +136,19 @@ func (cph *CommonPackageHandler) GetAllDescriptorFilesFullPaths(descriptorFilesS
// Note: This function may not support all package manager dependency formats. It is designed for package managers where the dependency's name consists of a single component.
// For example, in Gradle descriptors, a dependency line may consist of two components for the dependency's name (e.g., implementation group: 'junit', name: 'junit', version: '4.7'), therefore this func cannot be utilized in this case.
func GetVulnerabilityRegexCompiler(impactedName, impactedVersion, dependencyLineFormat string) *regexp.Regexp {
// We replace '.' with '\\.' since '.' is a special character in regexp patterns, and we want to capture the character '.' itself
// To avoid dealing with case sensitivity we lower all characters in the package's name and in the file we check
regexpFitImpactedName := strings.ToLower(strings.ReplaceAll(impactedName, ".", "\\."))
regexpFitImpactedVersion := strings.ToLower(strings.ReplaceAll(impactedVersion, ".", "\\."))
regexpFitImpactedName := strings.ToLower(regexp.QuoteMeta(impactedName))
regexpFitImpactedVersion := strings.ToLower(regexp.QuoteMeta(impactedVersion))
regexpCompleteFormat := fmt.Sprintf(strings.ToLower(dependencyLineFormat), regexpFitImpactedName, regexpFitImpactedVersion)
return regexp.MustCompile(regexpCompleteFormat)
}

// Extracts unique file paths from the vulnerability's component locations.
Copy link
Collaborator

@eyalk007 eyalk007 Jan 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

remove comment

func GetVulnerabilityLocations(vulnDetails *utils.VulnerabilityDetails) []string {
pathsSet := datastructures.MakeSet[string]()
for _, component := range vulnDetails.Components {
if component.Location != nil && component.Location.File != "" {
pathsSet.Add(component.Location.File)
}
}
return pathsSet.ToSlice()
}
Loading