Merge pull request #103 from advanced-security/juxtin/handle-cycles
Add cycle safety for transitive dependencies
@@ -116,6 +116,25 @@ describe('depgraph', () => {
|
||||
});
|
||||
});
|
||||
|
||||
describe('cycle-tree', () => {
|
||||
let depGraph;
|
||||
beforeAll(() => {
|
||||
depGraph = parseDependencyJson(getTestDataFile("cycle-tree"));
|
||||
});
|
||||
|
||||
it('should parse out the top level dependencies', () => {
|
||||
const mavenDependencies = new MavenDependencyGraph(depGraph);
|
||||
expect(mavenDependencies.getPackageCount()).to.equal(3);
|
||||
});
|
||||
|
||||
it('should be able to generate a manifest despite having a cycle', () => {
|
||||
const mavenDependencies = new MavenDependencyGraph(depGraph);
|
||||
const manifest = mavenDependencies.createManifest();
|
||||
|
||||
expect(manifest.name).to.equal('hadoop-main');
|
||||
expect(manifest.countDependencies()).to.equal(2);
|
||||
})
|
||||
});
|
||||
|
||||
describe('bs-parent-dep-tree', () => {
|
||||
|
||||
|
||||
+9
-3
@@ -85,13 +85,19 @@ export class MavenDependencyGraph {
|
||||
let scope = getDependencyScopeForMavenScope(artifact.scopes);
|
||||
manifest.addDirectDependency(depPackage, scope);
|
||||
|
||||
function addTransitiveDeps(dependencies) {
|
||||
function addTransitiveDeps(dependencies, seen: Set<string> = new Set()) {
|
||||
if (dependencies) {
|
||||
dependencies.forEach(transitiveDep => {
|
||||
const transitiveDepArtifact = packageUrlToArtifact[transitiveDep.packageURL.toString()];
|
||||
let purl = transitiveDep.packageURL.toString();
|
||||
if (seen.has(purl)) {
|
||||
// we're in a cycle! skip this one.
|
||||
return;
|
||||
}
|
||||
const transitiveDepArtifact = packageUrlToArtifact[purl];
|
||||
const transitiveDepScope = getDependencyScopeForMavenScope(transitiveDepArtifact.scopes);
|
||||
manifest.addIndirectDependency(transitiveDep, transitiveDepScope);
|
||||
addTransitiveDeps(transitiveDep.dependencies);
|
||||
seen.add(purl);
|
||||
addTransitiveDeps(transitiveDep.dependencies, seen);
|
||||
});
|
||||
}
|
||||
}
|
||||
|
||||
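Review bot: `seen.add(purl)` on the new side is never removed on the way back up, so `seen` records every node visited anywhere in the traversal rather than the current path; the early `return` therefore also fires for a dependency reached a second time through a different parent (a diamond), not only for a true cycle, and the comment `// we're in a cycle! skip this one.` overstates what the check detects. That is probably the intended de-duplication for a manifest and it is what bounds the recursion on a malformed or crafted graph, but the comment should say so: `// already visited via another path (cycle or shared dependency): skip, so traversal terminates and nothing is added twice`. Separately, the direct dependency whose subtree is being walked is not in the initial set, so a cycle leading back to it passes the check once and registers it again through `manifest.addIndirectDependency` before stopping one level deeper. If the call site (outside this hunk) passes no set and `depPackage` exposes `packageURL` like the transitive entries do, seeding the set would close that gap: `addTransitiveDeps(dep.dependencies, new Set([depPackage.packageURL.toString()]))`. `addTransitiveDeps` is nested inside a method whose start and end lie outside the hunk.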
@@ -58,12 +58,12 @@ export async function generateSnapshot(directory: string, mvnConfig?: MavenConfi
|
||||
? snapshotConfig.correlator
|
||||
: snapshot.job?.correlator;
|
||||
|
||||
const specifiedRef = getNonEmtptyValue(snapshotConfig?.ref);
|
||||
const specifiedRef = getNonEmptyValue(snapshotConfig?.ref);
|
||||
if (specifiedRef) {
|
||||
snapshot.ref = specifiedRef;
|
||||
}
|
||||
|
||||
const specifiedSha = getNonEmtptyValue(snapshot?.sha);
|
||||
const specifiedSha = getNonEmptyValue(snapshot?.sha);
|
||||
if (specifiedSha) {
|
||||
snapshot.sha = specifiedSha;
|
||||
}
|
||||
@@ -173,7 +173,7 @@ function getRepositoryRelativePath(file) {
|
||||
return result;
|
||||
}
|
||||
|
||||
function getNonEmtptyValue(str?: string) {
|
||||
function getNonEmptyValue(str?: string) {
|
||||
if (str) {
|
||||
const trimmed = str.trim();
|
||||
if (trimmed.length > 0) {
|
||||
|
||||
@@ -0,0 +1,57 @@
|
||||
{
|
||||
"graphName" : "hadoop-main",
|
||||
"artifacts" : [ {
|
||||
"id" : "org.apache.hadoop:hadoop-annotations:jar:compile",
|
||||
"numericId" : 1,
|
||||
"groupId" : "org.apache.hadoop",
|
||||
"artifactId" : "hadoop-annotations",
|
||||
"version" : "3.5.0-SNAPSHOT",
|
||||
"optional" : false,
|
||||
"scopes" : [ "compile" ],
|
||||
"types" : [ "jar" ]
|
||||
}, {
|
||||
"id" : "jdiff:jdiff:jar:provided",
|
||||
"numericId" : 2,
|
||||
"groupId" : "jdiff",
|
||||
"artifactId" : "jdiff",
|
||||
"version" : "1.0.9",
|
||||
"optional" : false,
|
||||
"scopes" : [ "provided" ],
|
||||
"types" : [ "jar" ]
|
||||
}, {
|
||||
"id" : "org.apache.hadoop:hadoop-project-dist:pom:compile",
|
||||
"numericId" : 3,
|
||||
"groupId" : "org.apache.hadoop",
|
||||
"artifactId" : "hadoop-project-dist",
|
||||
"version" : "3.5.0-SNAPSHOT",
|
||||
"optional" : false,
|
||||
"scopes" : [ "compile" ],
|
||||
"types" : [ "pom" ]
|
||||
} ],
|
||||
"dependencies" : [ {
|
||||
"from" : "org.apache.hadoop:hadoop-annotations:jar:compile",
|
||||
"to" : "jdiff:jdiff:jar:provided",
|
||||
"numericFrom" : 1,
|
||||
"numericTo" : 2,
|
||||
"resolution" : "INCLUDED"
|
||||
}, {
|
||||
"from" : "org.apache.hadoop:hadoop-annotations:jar:compile",
|
||||
"to" : "jdiff:jdiff:jar:provided",
|
||||
"numericFrom" : 1,
|
||||
"numericTo" : 3,
|
||||
"resolution" : "INCLUDED"
|
||||
}, {
|
||||
"from" : "jdiff:jdiff:jar:provided",
|
||||
"to" : "org.apache.hadoop:hadoop-project-dist:pom:compile",
|
||||
"numericFrom" : 2,
|
||||
"numericTo" : 3,
|
||||
"resolution" : "INCLUDED"
|
||||
}, {
|
||||
"from" : "org.apache.hadoop:hadoop-project-dist:pom:compile",
|
||||
"to" : "jdiff:jdiff:jar:provided",
|
||||
"numericFrom" : 3,
|
||||
"numericTo" : 2,
|
||||
"resolution" : "INCLUDED"
|
||||
}
|
||||
]
|
||||
}
|
||||
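Review bot: The second entry in `dependencies` is internally inconsistent: its `"to"` is `jdiff:jdiff:jar:provided` while its `"numericTo"` is 3, which the `artifacts` list maps to `hadoop-project-dist`, and the first entry already encodes 1 → jdiff with `numericTo` 2. Whichever field the parser honours, the fixture either repeats the 1→2 edge or records 1→3 under the wrong id, so the `countDependencies()` expectation of 2 in the cycle-tree test may hold for the wrong reason. If 1→3 is intended, the line should read `"to" : "org.apache.hadoop:hadoop-project-dist:pom:compile",`. The 2↔3 pair that actually exercises the cycle guard is consistent.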