Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(pnpm): add support of Lockfile v9 #6509

Closed
DmitriyLewen opened this issue Apr 17, 2024 Discussed in #6503 · 6 comments · Fixed by #6617
Closed

feat(pnpm): add support of Lockfile v9 #6509

DmitriyLewen opened this issue Apr 17, 2024 Discussed in #6503 · 6 comments · Fixed by #6617
Assignees
@DmitriyLewen
Labels
kind/feature Categorizes issue or PR as related to a new feature.
Milestone
v0.52.0

Comments

@DmitriyLewen
Copy link
Contributor

DmitriyLewen commented Apr 17, 2024
edited
Loading

Description

pnpm released lockfile v9 (see pnpm/pnpm#7666, pnpm/pnpm#7861).
We need to add support for this.

Discussed in #6503
@DmitriyLewen DmitriyLewen added the kind/feature Categorizes issue or PR as related to a new feature. label Apr 17, 2024
@DmitriyLewen
Copy link
Contributor Author

I created pnpm/spec#6 about specification for lockfile v9.

@bcurtin144
Copy link

One issue I've noticed is that Trivy is treating all @types/[package] entries as if they are the package.

For example, with lockfileVersion: '6.0' the YAML for nodemailer and @types/nodemailer are:

packages:
  /@types/nodemailer@6.4.14:
    resolution: {integrity: sha512-fUWthHO9k9DSdPCSPRqcu6TWhYyxTBg382vlNIttSe9M7XfsT06y0f24KHXtbnijPGGRIcVvdKHTNikOI6qiHA==}
    dependencies:
      '@types/node': 20.12.4
    dev: true

  /nodemailer@6.9.13:
    resolution: {integrity: sha512-7o38Yogx6krdoBf3jCAqnIN4oSQFx+fMa0I7dK1D+me9kBxx12D+/33wSb+fhOCtIxvYJ+4x4IMEhmhCKfAiOA==}
    engines: {node: '>=6.0.0'}
    dev: false

Trivy does not detect any problems with these packages. But with lockfileVersion: '9.0', the YAML has become

packages:
  '@types/nodemailer@6.4.14':
    resolution: {integrity: sha512-fUWthHO9k9DSdPCSPRqcu6TWhYyxTBg382vlNIttSe9M7XfsT06y0f24KHXtbnijPGGRIcVvdKHTNikOI6qiHA==}

  nodemailer@6.9.13:
    resolution: {integrity: sha512-7o38Yogx6krdoBf3jCAqnIN4oSQFx+fMa0I7dK1D+me9kBxx12D+/33wSb+fhOCtIxvYJ+4x4IMEhmhCKfAiOA==}
    engines: {node: '>=6.0.0'}

snapshots:
  '@types/nodemailer@6.4.14':
    dependencies:
      '@types/node': 20.12.7

  nodemailer@6.9.13: {}

When Trivy runs on this file, the output includes

├────────────┼─────────────────────┼──────────┤        ├───────────────────┼──────────────────────┼──────────────────────────────────────────────────────────────┤
│ nodemailer │ CVE-2020-7769       │ CRITICAL │        │ 6.4.14            │ 6.4.16               │ This affects the package nodemailer before 6.4.16. Use of    │
│            │                     │          │        │                   │                      │ crafted reci ......                                          │
│            │                     │          │        │                   │                      │ https://avd.aquasec.com/nvd/cve-2020-7769                    │
│            ├─────────────────────┼──────────┤        │                   ├──────────────────────┼──────────────────────────────────────────────────────────────┤
│            │ CVE-2021-23400      │ MEDIUM   │        │                   │ 6.6.1                │ The package nodemailer before 6.6.1 are vulnerable to HTTP   │
│            │                     │          │        │                   │                      │ Header Inje ......                                           │
│            │                     │          │        │                   │                      │ https://avd.aquasec.com/nvd/cve-2021-23400                   │
│            ├─────────────────────┤          │        │                   ├──────────────────────┼──────────────────────────────────────────────────────────────┤
│            │ GHSA-9h6g-pr28-7cqp │          │        │                   │ 6.9.9                │ nodemailer ReDoS when trying to send a specially crafted     │
│            │                     │          │        │                   │                      │ email                                                        │
│            │                     │          │        │                   │                      │ https://github.com/advisories/GHSA-9h6g-pr28-7cqp            │
└────────────┴─────────────────────┴──────────┴────────┴───────────────────┴──────────────────────┴──────────────────────────────────────────────────────────────┘

@anbraten
Copy link

Am I right that there should be a check added for the version arround:

trivy/pkg/dependency/parser/nodejs/pnpm/parse.go

Line 56 in a5d485c

lockVer := p.parseLockfileVersion(lockFile)

@DmitriyLewen DmitriyLewen mentioned this issue May 3, 2024
Merged
6 tasks
@knqyf263 knqyf263 added this to the v0.52.0 milestone May 7, 2024
@svrnwnsch
Copy link

Very nice to see that the next version will support the new pnpm lock format. Is there already some estimation when this might be released?

@DmitriyLewen
Copy link
Contributor Author

Hello @svrnwnsch
https://github.com/aquasecurity/trivy/milestone/34

@jobnbackpack
Copy link

waiting for this as well. as it is fixed it would be nice to ship this instead of waiting for other features ;)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@DmitriyLewen DmitriyLewen

Labels
kind/feature Categorizes issue or PR as related to a new feature.
Projects
Trivy Roadmap
Archived in project
Milestone
v0.52.0
Development

Successfully merging a pull request may close this issue.

feat(nodejs): add v9 pnpm lock file support DmitriyLewen/trivy
6 participants
@svrnwnsch @knqyf263 @anbraten @bcurtin144 @jobnbackpack @DmitriyLewen