bug(nodejs): package.json parser fails on object notation for workspaces #6129

Closed
nikpivkin opened this issue Feb 14, 2024 Discussed in #6114 · 3 comments · Fixed by #6231
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

nikpivkin commented Feb 14, 2024

Ref:

Discussed in #6114

Originally posted by pjungermann February 13, 2024

Description

Currently, the workspaces field in package.json files is only allowed to be an array of strings. However, it also has an object version.

https://classic.yarnpkg.com/blog/2018/02/15/nohoist/

Example

  "workspaces": {
    "packages": [
      "packages/*",
      "plugins/*"
    ]
  },

Ref to an active open-source project using this notation:
https://github.com/backstage/backstage/blob/master/package.json#L52

Impact e.g. on Trivy scans:

WARN  Unable to parse "package.json" to remove dev dependencies: unable to parse .: parse error: JSON decode error: json: cannot unmarshal object into Go struct field packageJSON.workspaces of type []string

Relates-to: aquasecurity/go-dep-parser#295

Desired Behavior

Parsing package.json files does not fail when workspaces object notation is used.

Actual Behavior

Parser fails and warning gets emitted:

WARN  Unable to parse "package.json" to remove dev dependencies: unable to parse .: parse error: JSON decode error: json: cannot unmarshal object into Go struct field packageJSON.workspaces of type []string

Reproduction Steps

1. Clone or create a project with workspaces object notation (e.g., https://github.com/backstage/backstage/blob/master/package.json#L52)
2. Run `trivy fs .`

Target

Filesystem

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

-

Operating System

macOS Ventura 13.6

Version

2024-02-13T10:23:25.765+0100    INFO    Loaded trivy.yaml
Version: 0.47.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-02-13 06:11:52.656032521 +0000 UTC
  NextUpdate: 2024-02-13 12:11:52.656032281 +0000 UTC
  DownloadedAt: 2024-02-13 08:38:29.761065 +0000 UTC
Policy Bundle:
  Digest: sha256:1df8ade71efc830877ca3b1130f83e0c6368e3a45b0d4c0f0418955501644054
  DownloadedAt: 2023-11-24 02:43:02.401033 +0000 UTC

Checklist

@nikpivkin nikpivkin added the kind/bug Categorizes issue or PR as related to a bug. label Feb 14, 2024
@DmitriyLewen DmitriyLewen self-assigned this Feb 29, 2024
@gobardhan

I got the same issue while parsing package-lock.json .

Description :
Currently, the workspaces field in package-lock.json files is only allowed to be an array of strings. However, it also has an object version.

Example:

  "workspaces": {
    "nohoist": [
      "**"
    ]
  }

Desired Behavior
Parsing package-lock.json files does not fail when workspaces object notation is used.

Actual Behavior
DEBUG Walk error file_path="package-lock.json" err="parse error: failed to parse package-lock.json: decode error: cannot set object value to target of type slice"

Command Using:
trivy fs . -d

Trivy Version:

INFO Loaded file_path=trivy.yaml

Version: 0.51.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-05-12 12:11:25.443676796 +0000 UTC
  NextUpdate: 2024-05-12 18:11:25.443676515 +0000 UTC
  DownloadedAt: 2024-05-12 16:46:18.464060983 +0000 UTC
Check Bundle:
  Digest: sha256:6d0771effa53c6cf8130861fc3ac28f5515c35a028edb4bb1e67261b9218c80e
  DownloadedAt: 2024-05-12 16:46:20.143160963 +0000 UTC

Operating System:
Ubuntu 22.04.4 LTS
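
A lenient decoder for the field, added here as an example for both the package.json report above and this package-lock.json comment; it is not Trivy's or go-dep-parser's code and not the change from #6231. A custom UnmarshalJSON on a Workspaces type looks at the first byte of the raw value and accepts either the array of globs or the object form with "packages" and "nohoist", so the same type can sit in a package.json model and in the root entry of an npm lockfile. It assumes that lockfileVersion 2 and 3 keep the root package's own metadata (including its copied workspaces field) under packages[""]. The names Workspaces, PackageJSON, ParsePackageJSON, StrictWorkspaces and RootWorkspaces are hypothetical, and the JSON inputs are constructed for this example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// Workspaces accepts both notations of the "workspaces" field:
//   "workspaces": ["packages/*", "plugins/*"]
//   "workspaces": {"packages": ["packages/*"], "nohoist": ["**"]}
// Packages carries the workspace globs in both cases; NoHoist is only
// populated by the object form (a Yarn v1 extension).
type Workspaces struct {
	Packages []string
	NoHoist  []string
}

// UnmarshalJSON looks at the first byte of the raw value to pick the shape,
// instead of letting encoding/json reject an object for a []string field.
func (w *Workspaces) UnmarshalJSON(raw []byte) error {
	raw = bytes.TrimSpace(raw)
	if len(raw) == 0 || bytes.Equal(raw, []byte("null")) {
		*w = Workspaces{}
		return nil
	}
	switch raw[0] {
	case '[':
		return json.Unmarshal(raw, &w.Packages)
	case '{':
		var obj struct {
			Packages []string `json:"packages"`
			NoHoist  []string `json:"nohoist"`
		}
		if err := json.Unmarshal(raw, &obj); err != nil {
			return err
		}
		w.Packages, w.NoHoist = obj.Packages, obj.NoHoist
		return nil
	default:
		return fmt.Errorf("workspaces: expected array or object, got %s", raw)
	}
}

// PackageJSON is a hypothetical cut-down model of what a scanner reads from
// package.json; it is not Trivy's own struct.
type PackageJSON struct {
	Name            string            `json:"name"`
	Version         string            `json:"version"`
	Dependencies    map[string]string `json:"dependencies"`
	DevDependencies map[string]string `json:"devDependencies"`
	Workspaces      Workspaces        `json:"workspaces"`
}

// ParsePackageJSON decodes package.json using the lenient Workspaces type.
func ParsePackageJSON(data []byte) (PackageJSON, error) {
	var p PackageJSON
	if err := json.Unmarshal(data, &p); err != nil {
		return PackageJSON{}, fmt.Errorf("parse package.json: %w", err)
	}
	return p, nil
}

// StrictWorkspaces reproduces the pre-fix behaviour (field typed []string)
// so the decode error quoted in the report can be triggered offline.
func StrictWorkspaces(data []byte) error {
	var p struct {
		Workspaces []string `json:"workspaces"`
	}
	return json.Unmarshal(data, &p)
}

// RootWorkspaces reads the root package's workspaces from an npm lockfile
// (assumed lockfileVersion 2 or 3, root metadata under packages[""]).
func RootWorkspaces(lockData []byte) (Workspaces, error) {
	var lock struct {
		Packages map[string]struct {
			Workspaces Workspaces `json:"workspaces"`
		} `json:"packages"`
	}
	if err := json.Unmarshal(lockData, &lock); err != nil {
		return Workspaces{}, fmt.Errorf("parse package-lock.json: %w", err)
	}
	return lock.Packages[""].Workspaces, nil
}

// Constructed sample inputs for this example; not taken from any real project.
var (
	objectForm = []byte(`{"name": "monorepo", "version": "1.0.0",
  "workspaces": {"packages": ["packages/*", "plugins/*"], "nohoist": ["**"]},
  "devDependencies": {"typescript": "^5.0.0"}}`)
	arrayForm = []byte(`{"name": "flat", "version": "0.1.0", "workspaces": ["packages/*"]}`)
	lockForm  = []byte(`{"name": "monorepo", "lockfileVersion": 3,
  "packages": {"": {"name": "monorepo", "workspaces": {"nohoist": ["**"]}}}}`)
)

func main() {
	fmt.Println("strict decode of object form:", StrictWorkspaces(objectForm))
	for _, in := range [][]byte{objectForm, arrayForm} {
		p, err := ParsePackageJSON(in)
		fmt.Printf("%s: packages=%v nohoist=%v err=%v\n",
			p.Name, p.Workspaces.Packages, p.Workspaces.NoHoist, err)
	}
	ws, err := RootWorkspaces(lockForm)
	fmt.Printf("lock root: nohoist=%v err=%v\n", ws.NoHoist, err)
}
```

The strict decoder fails on the object form with the same "cannot unmarshal object into Go struct field ... of type []string" error as the report, while the lenient one returns the globs for both notations and rejects anything that is neither an array nor an object (for example a bare string), so a malformed file still surfaces as a parse error rather than being silently accepted.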

@DmitriyLewen

Hello @gobardhan
Thanks for your report!

IIRC only yarn uses nohoist. Also, the npm docs don't contain info that workspaces can be an object.
Can you reproduce the steps for npm to get package-lock.json file with workspace as map?

Regards, Dmitriy

@gobardhan

Thanks @DmitriyLewen for highlighting that only yarn uses nohoist.
So we have removed the legacy code regarding nohoist, and now we have workspaces as a JSON array and the Trivy scan succeeds.
