Merge pull request #103 from advanced-security/juxtin/handle-cycles

Add cycle safety for transitive dependencies
This commit is contained in:
Justin Holguín
2025-04-03 11:29:17 -07:00
committed by GitHub
4 changed files with 88 additions and 6 deletions
+19
View File
@@ -116,6 +116,25 @@ describe('depgraph', () => {
});
});
describe('cycle-tree', () => {
let depGraph;
beforeAll(() => {
depGraph = parseDependencyJson(getTestDataFile("cycle-tree"));
});
it('should parse out the top level dependencies', () => {
const mavenDependencies = new MavenDependencyGraph(depGraph);
expect(mavenDependencies.getPackageCount()).to.equal(3);
});
it('should be able to generate a manifest despite having a cycle', () => {
const mavenDependencies = new MavenDependencyGraph(depGraph);
const manifest = mavenDependencies.createManifest();
expect(manifest.name).to.equal('hadoop-main');
expect(manifest.countDependencies()).to.equal(2);
})
});
describe('bs-parent-dep-tree', () => {
+9 -3
View File
@@ -85,13 +85,19 @@ export class MavenDependencyGraph {
let scope = getDependencyScopeForMavenScope(artifact.scopes);
manifest.addDirectDependency(depPackage, scope);
function addTransitiveDeps(dependencies) {
function addTransitiveDeps(dependencies, seen: Set<string> = new Set()) {
if (dependencies) {
dependencies.forEach(transitiveDep => {
const transitiveDepArtifact = packageUrlToArtifact[transitiveDep.packageURL.toString()];
let purl = transitiveDep.packageURL.toString();
if (seen.has(purl)) {
// we're in a cycle! skip this one.
return;
}
const transitiveDepArtifact = packageUrlToArtifact[purl];
const transitiveDepScope = getDependencyScopeForMavenScope(transitiveDepArtifact.scopes);
manifest.addIndirectDependency(transitiveDep, transitiveDepScope);
addTransitiveDeps(transitiveDep.dependencies);
seen.add(purl);
addTransitiveDeps(transitiveDep.dependencies, seen);
});
}
}
+3 -3
View File
@@ -58,12 +58,12 @@ export async function generateSnapshot(directory: string, mvnConfig?: MavenConfi
? snapshotConfig.correlator
: snapshot.job?.correlator;
const specifiedRef = getNonEmtptyValue(snapshotConfig?.ref);
const specifiedRef = getNonEmptyValue(snapshotConfig?.ref);
if (specifiedRef) {
snapshot.ref = specifiedRef;
}
const specifiedSha = getNonEmtptyValue(snapshot?.sha);
const specifiedSha = getNonEmptyValue(snapshot?.sha);
if (specifiedSha) {
snapshot.sha = specifiedSha;
}
@@ -173,7 +173,7 @@ function getRepositoryRelativePath(file) {
return result;
}
function getNonEmtptyValue(str?: string) {
function getNonEmptyValue(str?: string) {
if (str) {
const trimmed = str.trim();
if (trimmed.length > 0) {
@@ -0,0 +1,57 @@
{
"graphName" : "hadoop-main",
"artifacts" : [ {
"id" : "org.apache.hadoop:hadoop-annotations:jar:compile",
"numericId" : 1,
"groupId" : "org.apache.hadoop",
"artifactId" : "hadoop-annotations",
"version" : "3.5.0-SNAPSHOT",
"optional" : false,
"scopes" : [ "compile" ],
"types" : [ "jar" ]
}, {
"id" : "jdiff:jdiff:jar:provided",
"numericId" : 2,
"groupId" : "jdiff",
"artifactId" : "jdiff",
"version" : "1.0.9",
"optional" : false,
"scopes" : [ "provided" ],
"types" : [ "jar" ]
}, {
"id" : "org.apache.hadoop:hadoop-project-dist:pom:compile",
"numericId" : 3,
"groupId" : "org.apache.hadoop",
"artifactId" : "hadoop-project-dist",
"version" : "3.5.0-SNAPSHOT",
"optional" : false,
"scopes" : [ "compile" ],
"types" : [ "pom" ]
} ],
"dependencies" : [ {
"from" : "org.apache.hadoop:hadoop-annotations:jar:compile",
"to" : "jdiff:jdiff:jar:provided",
"numericFrom" : 1,
"numericTo" : 2,
"resolution" : "INCLUDED"
}, {
"from" : "org.apache.hadoop:hadoop-annotations:jar:compile",
"to" : "jdiff:jdiff:jar:provided",
"numericFrom" : 1,
"numericTo" : 3,
"resolution" : "INCLUDED"
}, {
"from" : "jdiff:jdiff:jar:provided",
"to" : "org.apache.hadoop:hadoop-project-dist:pom:compile",
"numericFrom" : 2,
"numericTo" : 3,
"resolution" : "INCLUDED"
}, {
"from" : "org.apache.hadoop:hadoop-project-dist:pom:compile",
"to" : "jdiff:jdiff:jar:provided",
"numericFrom" : 3,
"numericTo" : 2,
"resolution" : "INCLUDED"
}
]
}