bug: yarn 2 lock file parsing issues snyk#56

regevbr · Apr 14, 2020 · 0d1275c · 0d1275c
1 parent 988b46a
commit 0d1275c
Show file tree

Hide file tree

Showing 17 changed files with 1,043 additions and 13 deletions.
diff --git a/lib/parsers/yarn2-lock-parse.ts b/lib/parsers/yarn2-lock-parse.ts
@@ -61,9 +61,23 @@ export class Yarn2LockParser implements LockfileParser {
       _.forEach(rawYarnLock, (versionData: Yarn2LockDep, masterKey) => {
         masterKey.split(',')
             .map((key) => {
-              return this.yarnLockfileParser.parseResolution(key.replace(/#.*$/, '').trim()).descriptor;
-            })
-            .map((resolution) => {
+              const normalizedKey = key
+                  .replace(/#.*$/, '')
+                  .replace(/::.*$/, '')
+                  .trim();
+              const fileProtocol = normalizedKey.match(/^(.+)@(file:.+)$/);
+              if (fileProtocol) {
+                return `${fileProtocol[1]}@${fileProtocol[2]}`;
+              }
+              const gitProtocol = normalizedKey.match(/^(.+)@(git\+ssh:.+)$/);
+              if (gitProtocol) {
+                return key;
+              }
+              const httpsProtocol = normalizedKey.match(/^(.+)@(https?:.+)$/);
+              if (httpsProtocol) {
+                return key;
+              }
+              const resolution = this.yarnLockfileParser.parseResolution(normalizedKey).descriptor;
               const name = resolution.fullName;
               const fullVersion = resolution.description;
               const parts = fullVersion.split(':');

diff --git a/test/lib/fixtures/external-tarball/yarn2/.yarnrc.yml b/test/lib/fixtures/external-tarball/yarn2/.yarnrc.yml
@@ -0,0 +1 @@
+yarnPath: .yarn/releases/yarn-rc.js
diff --git a/test/lib/fixtures/external-tarball/yarn2/yarn.lock b/test/lib/fixtures/external-tarball/yarn2/yarn.lock
@@ -0,0 +1,116 @@
+# This file is generated by running "yarn install" inside your project.
+# Manual changes might be lost - proceed with caution!
+
+__metadata:
+  version: 4
+
+"body-parser@https://github.com/expressjs/body-parser/archive/1.9.0.tar.gz":
+  version: 1.9.0
+  resolution: "body-parser@https://github.com/expressjs/body-parser/archive/1.9.0.tar.gz"
+  dependencies:
+    bytes: 1.0.0
+    depd: ~1.0.0
+    iconv-lite: 0.4.4
+    media-typer: 0.3.0
+    on-finished: 2.1.0
+    qs: 2.2.4
+    raw-body: 1.3.0
+    type-is: ~1.5.1
+  checksum: 2/1380bebaedb3cf8fe402f5f54b0cb9058e770ac3a7916c908277d922e8de61abc7c14401c4e922ab144796179a7abbb495070f25a7885392a6bdedd9ffc43c27
+  languageName: node
+  linkType: hard
+
+"bytes@npm:1, bytes@npm:1.0.0":
+  version: 1.0.0
+  resolution: "bytes@npm:1.0.0"
+  checksum: 2/ece30287a729bcd942822049ac83ea716c1f59eb3ad27af66fb22ca8c1ff62fd4547b574091e7f784e91f892df896ec978413133c85505a732da1998886d4258
+  languageName: node
+  linkType: hard
+
+"depd@npm:~1.0.0":
+  version: 1.0.1
+  resolution: "depd@npm:1.0.1"
+  checksum: 2/de68884c3ed486659c3515cca8b97f9e40b97f899f5f7c054e6f5ff78549800266be1367fd475a0cc9248b3161dc55572c1a559632ad8f0d0849cfe890c33a40
+  languageName: node
+  linkType: hard
+
+"ee-first@npm:1.0.5":
+  version: 1.0.5
+  resolution: "ee-first@npm:1.0.5"
+  checksum: 2/1e984f485887e3488adf796bdaf173b71cd9c0bc31cf3f2c1f6e6077d50c77637af0b452a2c0ed16f03c498c63b8418e4a2b2cbf9497266a82fdbf686cca47a6
+  languageName: node
+  linkType: hard
+
+"external-tarball@workspace:.":
+  version: 0.0.0-use.local
+  resolution: "external-tarball@workspace:."
+  dependencies:
+    body-parser: "https://github.com/expressjs/body-parser/archive/1.9.0.tar.gz"
+  languageName: unknown
+  linkType: soft
+
+"iconv-lite@npm:0.4.4":
+  version: 0.4.4
+  resolution: "iconv-lite@npm:0.4.4"
+  checksum: 2/20b017106bcc9a425b93e7c921db0dff9ace206a0c95bcab7f9ad4667e71e57f60d6ae5188df9ac5113256014bcaf0003f3a159337d4086437cbedd1728e86e4
+  languageName: node
+  linkType: hard
+
+"media-typer@npm:0.3.0":
+  version: 0.3.0
+  resolution: "media-typer@npm:0.3.0"
+  checksum: 2/be1c825782df7f38eebd451d778f6407bb15a59c8807a69e7f2ad74a25440e474536441c6bf583fdf2803ea23b866e91ff68f565cda297211dd89147758c8df3
+  languageName: node
+  linkType: hard
+
+"mime-db@npm:~1.12.0":
+  version: 1.12.0
+  resolution: "mime-db@npm:1.12.0"
+  checksum: 2/e55b1b044dba864869a01f26c58922690e07404b281cf6d5a7d59d115013d8c42b5007a4699fce8976fd86a6d48ad61b27461540449733b79c4bfc940a2d0568
+  languageName: node
+  linkType: hard
+
+"mime-types@npm:~2.0.9":
+  version: 2.0.14
+  resolution: "mime-types@npm:2.0.14"
+  dependencies:
+    mime-db: ~1.12.0
+  checksum: 2/36e3a0fcfe68d15d00d86c5951d6c1ff5156848c245c176f8e0b22425568a2db6a26d3e27cf0154535202531ad19430e93e1b60950220617d8bf4dff06e6b752
+  languageName: node
+  linkType: hard
+
+"on-finished@npm:2.1.0":
+  version: 2.1.0
+  resolution: "on-finished@npm:2.1.0"
+  dependencies:
+    ee-first: 1.0.5
+  checksum: 2/2abfc77ff9bcaf28d1b59d67afb7b6a95a61d43a823b26b7ad106400570ebf09a4c0b3f9d303c51af3162568b0d368a147c0ef14c0a220c717a1789d07cdf739
+  languageName: node
+  linkType: hard
+
+"qs@npm:2.2.4":
+  version: 2.2.4
+  resolution: "qs@npm:2.2.4"
+  checksum: 2/5e59b29c6108f9d8f9cc778b83267d60189255bd346bc63250790fb10fc66dda82f599a9d944dd8b1beb0356338b979eef1ce0d875a377bba4aee8aae410e088
+  languageName: node
+  linkType: hard
+
+"raw-body@npm:1.3.0":
+  version: 1.3.0
+  resolution: "raw-body@npm:1.3.0"
+  dependencies:
+    bytes: 1
+    iconv-lite: 0.4.4
+  checksum: 2/f0f5acddf484dbe6d25303f74be635fbfae70372815abb800150ced4af5d71dccb5c993bea1bb355e12a9ecce99f008dee455aa14839a5e2aac008472db82e74
+  languageName: node
+  linkType: hard
+
+"type-is@npm:~1.5.1":
+  version: 1.5.7
+  resolution: "type-is@npm:1.5.7"
+  dependencies:
+    media-typer: 0.3.0
+    mime-types: ~2.0.9
+  checksum: 2/abbac8488069060159f1ec5ff66188a022bd83e49d29a0f722a00846e559d5775d91fc41d17bf2188ddaf98494313d8b5f0336b4866345b0d2bb16b22c98ae67
+  languageName: node
+  linkType: hard
diff --git a/test/lib/fixtures/file-as-version/yarn2/.yarnrc.yml b/test/lib/fixtures/file-as-version/yarn2/.yarnrc.yml
@@ -0,0 +1 @@
+yarnPath: .yarn/releases/yarn-rc.js
diff --git a/test/lib/fixtures/file-as-version/yarn2/yarn.lock b/test/lib/fixtures/file-as-version/yarn2/yarn.lock
@@ -0,0 +1,39 @@
+# This file is generated by running "yarn install" inside your project.
+# Manual changes might be lost - proceed with caution!
+
+__metadata:
+  version: 4
+
+"debug@npm:^2.2.0":
+  version: 2.6.9
+  resolution: "debug@npm:2.6.9"
+  dependencies:
+    ms: 2.0.0
+  checksum: 2/559f44f98cf25e2ee489022aec173afbff746564cb108c4493becb95bc3c017a67bdaa25a0ff64801fd32c35051d00af0e56cc7f762ae2c3bc089496e5a1c31b
+  languageName: node
+  linkType: hard
+
+"ms@npm:2.0.0":
+  version: 2.0.0
+  resolution: "ms@npm:2.0.0"
+  checksum: 2/1a230340cc7f322fbe916783d8c8d60455407c6b7fb7f901d6ee34eb272402302c5c7f070a97b8531245cbb4ca6a0a623f6a128d7e5a5440cefa2c669c0b35bb
+  languageName: node
+  linkType: hard
+
+"shared@file:./some-file::locator=pkg-dev-deps-only%40workspace%3A.":
+  version: 0.0.1
+  resolution: "shared@file:./some-file::locator=pkg-dev-deps-only%40workspace%3A."
+  dependencies:
+    debug: ^2.2.0
+  checksum: 2/544f1f4dae9d705c413d45f337b205dff70c0b701d7af857c6f2c1394682fd31c1df2fc386fa2cacf0c46776d1244166d1718bc4a9387967a83ea0b17169b232
+  languageName: node
+  linkType: hard
+
+"pkg-dev-deps-only@workspace:.":
+  version: 0.0.0-use.local
+  resolution: "pkg-dev-deps-only@workspace:."
+  dependencies:
+    debug: ^2.2.0
+    pkg-dev-deps-only-nested: "file:../test2"
+  languageName: unknown
+  linkType: soft
diff --git a/test/lib/fixtures/git-ssh-url-deps/yarn2/.yarnrc.yml b/test/lib/fixtures/git-ssh-url-deps/yarn2/.yarnrc.yml
@@ -0,0 +1 @@
+yarnPath: .yarn/releases/yarn-rc.js
diff --git a/test/lib/fixtures/git-ssh-url-deps/yarn2/yarn.lock b/test/lib/fixtures/git-ssh-url-deps/yarn2/yarn.lock
@@ -0,0 +1,116 @@
+# This file is generated by running "yarn install" inside your project.
+# Manual changes might be lost - proceed with caution!
+
+__metadata:
+  version: 4
+
+"body-parser@git+ssh://[email protected]/expressjs/body-parser.git#1.9.0":
+  version: 1.9.0
+  resolution: "body-parser@git+ssh://[email protected]/expressjs/body-parser.git#commit:263f602e6ae34add6332c1eb4caa808893b0b711"
+  dependencies:
+    bytes: 1.0.0
+    depd: ~1.0.0
+    iconv-lite: 0.4.4
+    media-typer: 0.3.0
+    on-finished: 2.1.0
+    qs: 2.2.4
+    raw-body: 1.3.0
+    type-is: ~1.5.1
+  checksum: 2/6c007bcec8f162cd5b3d945e6332e8890f483c9e758ea8a2acf00ad7b7f7d174d0e76f171c1469f51a50fa3dddaac75f1afb0d1c266325f96f648a60d1751fdc
+  languageName: node
+  linkType: hard
+
+"bytes@npm:1, bytes@npm:1.0.0":
+  version: 1.0.0
+  resolution: "bytes@npm:1.0.0"
+  checksum: 2/ece30287a729bcd942822049ac83ea716c1f59eb3ad27af66fb22ca8c1ff62fd4547b574091e7f784e91f892df896ec978413133c85505a732da1998886d4258
+  languageName: node
+  linkType: hard
+
+"depd@npm:~1.0.0":
+  version: 1.0.1
+  resolution: "depd@npm:1.0.1"
+  checksum: 2/de68884c3ed486659c3515cca8b97f9e40b97f899f5f7c054e6f5ff78549800266be1367fd475a0cc9248b3161dc55572c1a559632ad8f0d0849cfe890c33a40
+  languageName: node
+  linkType: hard
+
+"ee-first@npm:1.0.5":
+  version: 1.0.5
+  resolution: "ee-first@npm:1.0.5"
+  checksum: 2/1e984f485887e3488adf796bdaf173b71cd9c0bc31cf3f2c1f6e6077d50c77637af0b452a2c0ed16f03c498c63b8418e4a2b2cbf9497266a82fdbf686cca47a6
+  languageName: node
+  linkType: hard
+
+"git-ssh-url-deps@workspace:.":
+  version: 0.0.0-use.local
+  resolution: "git-ssh-url-deps@workspace:."
+  dependencies:
+    body-parser: "git+ssh://[email protected]/expressjs/body-parser.git#1.9.0"
+  languageName: unknown
+  linkType: soft
+
+"iconv-lite@npm:0.4.4":
+  version: 0.4.4
+  resolution: "iconv-lite@npm:0.4.4"
+  checksum: 2/20b017106bcc9a425b93e7c921db0dff9ace206a0c95bcab7f9ad4667e71e57f60d6ae5188df9ac5113256014bcaf0003f3a159337d4086437cbedd1728e86e4
+  languageName: node
+  linkType: hard
+
+"media-typer@npm:0.3.0":
+  version: 0.3.0
+  resolution: "media-typer@npm:0.3.0"
+  checksum: 2/be1c825782df7f38eebd451d778f6407bb15a59c8807a69e7f2ad74a25440e474536441c6bf583fdf2803ea23b866e91ff68f565cda297211dd89147758c8df3
+  languageName: node
+  linkType: hard
+
+"mime-db@npm:~1.12.0":
+  version: 1.12.0
+  resolution: "mime-db@npm:1.12.0"
+  checksum: 2/e55b1b044dba864869a01f26c58922690e07404b281cf6d5a7d59d115013d8c42b5007a4699fce8976fd86a6d48ad61b27461540449733b79c4bfc940a2d0568
+  languageName: node
+  linkType: hard
+
+"mime-types@npm:~2.0.9":
+  version: 2.0.14
+  resolution: "mime-types@npm:2.0.14"
+  dependencies:
+    mime-db: ~1.12.0
+  checksum: 2/36e3a0fcfe68d15d00d86c5951d6c1ff5156848c245c176f8e0b22425568a2db6a26d3e27cf0154535202531ad19430e93e1b60950220617d8bf4dff06e6b752
+  languageName: node
+  linkType: hard
+
+"on-finished@npm:2.1.0":
+  version: 2.1.0
+  resolution: "on-finished@npm:2.1.0"
+  dependencies:
+    ee-first: 1.0.5
+  checksum: 2/2abfc77ff9bcaf28d1b59d67afb7b6a95a61d43a823b26b7ad106400570ebf09a4c0b3f9d303c51af3162568b0d368a147c0ef14c0a220c717a1789d07cdf739
+  languageName: node
+  linkType: hard
+
+"qs@npm:2.2.4":
+  version: 2.2.4
+  resolution: "qs@npm:2.2.4"
+  checksum: 2/5e59b29c6108f9d8f9cc778b83267d60189255bd346bc63250790fb10fc66dda82f599a9d944dd8b1beb0356338b979eef1ce0d875a377bba4aee8aae410e088
+  languageName: node
+  linkType: hard
+
+"raw-body@npm:1.3.0":
+  version: 1.3.0
+  resolution: "raw-body@npm:1.3.0"
+  dependencies:
+    bytes: 1
+    iconv-lite: 0.4.4
+  checksum: 2/f0f5acddf484dbe6d25303f74be635fbfae70372815abb800150ced4af5d71dccb5c993bea1bb355e12a9ecce99f008dee455aa14839a5e2aac008472db82e74
+  languageName: node
+  linkType: hard
+
+"type-is@npm:~1.5.1":
+  version: 1.5.7
+  resolution: "type-is@npm:1.5.7"
+  dependencies:
+    media-typer: 0.3.0
+    mime-types: ~2.0.9
+  checksum: 2/abbac8488069060159f1ec5ff66188a022bd83e49d29a0f722a00846e559d5775d91fc41d17bf2188ddaf98494313d8b5f0336b4866345b0d2bb16b22c98ae67
+  languageName: node
+  linkType: hard