Merge pull request #5135 from jeremylong/npm-fixes
fix: resolve reported issues with npm
jeremylong committed Dec 13, 2022
2 parents 119c472 + 38f6a52 commit df4477c
Showing 7 changed files with 52 additions and 18 deletions.
2 changes: 1 addition & 1 deletion core/pom.xml
Expand Up @@ -189,7 +189,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<artifactId>cpe-parser</artifactId>
</dependency>
<dependency>
<groupId>com.vdurmont</groupId>
<groupId>org.semver4j</groupId>
<artifactId>semver4j</artifactId>
</dependency>
<dependency>
Expand Up @@ -21,9 +21,8 @@
import com.github.packageurl.PackageURL;
import com.github.packageurl.PackageURL.StandardTypes;
import com.github.packageurl.PackageURLBuilder;
import com.vdurmont.semver4j.Semver;
import com.vdurmont.semver4j.Semver.SemverType;
import com.vdurmont.semver4j.SemverException;
import org.semver4j.Semver;
import org.semver4j.SemverException;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.data.nodeaudit.Advisory;
import org.owasp.dependencycheck.data.nodeaudit.NodeAuditSearch;
Expand Down Expand Up @@ -530,7 +529,7 @@ public static String determineVersionFromMap(String versionRange, Collection<Str
}
for (String v : availableVersions) {
try {
final Semver version = new Semver(v, SemverType.NPM);
final Semver version = new Semver(v);
if (version.satisfies(versionRange)) {
return v;
}
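Review bot: The replaced line `final Semver version = new Semver(v);` appears to use org.semver4j's strict SemVer 2.0 constructor, so any candidate string the old `SemverType.NPM` mode tolerated (a leading `v`, a missing patch component) now throws SemverException inside this `try` and that candidate is dropped from the search rather than compared against `versionRange`; the catch that handles it, and the rest of determineVersionFromMap, lie outside the hunk. For a vulnerability scanner that is a silent regression if the catch only traces, as the equivalent catch in npmVersionsMatch does: a version that used to resolve simply stops resolving. If 4.0.0 exposes `Semver.coerce(String)` (its port of node-semver's coerce), a tolerant form is `final Semver version = Semver.coerce(v); if (version != null && version.satisfies(versionRange)) { return v; }`; otherwise the catch should log the rejected string at a level someone will see. It is also worth confirming that `satisfies(String)` still applies npm range semantics by default now that the explicit NPM type is gone.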
Expand Up @@ -18,9 +18,8 @@
package org.owasp.dependencycheck.analyzer;

import com.github.packageurl.MalformedPackageURLException;
import com.vdurmont.semver4j.Semver;
import com.vdurmont.semver4j.Semver.SemverType;
import com.vdurmont.semver4j.SemverException;
import org.semver4j.Semver;
import org.semver4j.SemverException;
import java.io.File;
import java.util.Set;
import java.util.regex.Matcher;
Expand Down Expand Up @@ -625,7 +624,7 @@ public static boolean npmVersionsMatch(String current, String next) {
}
}
try {
final Semver v = new Semver(right, SemverType.NPM);
final Semver v = new Semver(right);
return v.satisfies(left);
} catch (SemverException ex) {
LOGGER.trace("ignore", ex);
Expand All @@ -638,15 +637,15 @@ public static boolean npmVersionsMatch(String current, String next) {
}
}
try {
Semver v = new Semver(left, SemverType.NPM);
Semver v = new Semver(left);
if (!right.isEmpty() && v.satisfies(right)) {
return true;
}
if (!right.contains(" ")) {
left = current;
right = stripLeadingNonNumeric(right);
if (right != null) {
v = new Semver(right, SemverType.NPM);
v = new Semver(right);
return v.satisfies(left);
}
}
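Review bot: The `stripLeadingNonNumeric(right)` path at the end of this hunk was written for the loose NPM parsing mode, and with `v = new Semver(right)` now being the strict constructor a stripped value such as `1.2` or `1.x` will presumably throw SemverException rather than parse; the catch for this `try`, and the end of npmVersionsMatch, are outside the hunk, but the earlier catch in this method only traces, so the outcome would be a quiet "no match" that can split one npm package into two dependencies or hide an audit match. Consider tolerating coercible strings here, e.g. `v = Semver.coerce(right); return v != null && v.satisfies(left);`, if `Semver.coerce` is available in 4.0.0, and at minimum record the rejected string at debug in the catch. Since the old code also relied on NPM mode for `left` at `Semver v = new Semver(left);`, the same caveat applies to the first constructor call in this hunk.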
Expand Up @@ -347,7 +347,7 @@ private void processDependencies(JsonObject json, File baseDir, File rootFile,
String parentPackage, Engine engine) throws AnalysisException {
final boolean skipDev = getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_PACKAGE_SKIPDEV, false);
final JsonObject deps;

final File modulesRoot = new File(rootFile.getParentFile(), "node_modules");
final int lockJsonVersion = json.containsKey("lockfileVersion") ? json.getInt("lockfileVersion") : 1;
if (lockJsonVersion >= 2) {
deps = json.getJsonObject("packages");
Expand All @@ -370,8 +370,9 @@ private void processDependencies(JsonObject json, File baseDir, File rootFile,
} else {
base = Paths.get(baseDir.getPath(), "node_modules", name).toFile();
if (!base.isFile()) {
if ("node_modules".equals(baseDir.getParentFile().getName())) {
base = Paths.get(baseDir.getParent(), name).toFile();
final File test = new File(modulesRoot, name);
if (test.isDirectory()) {
base = test;
}
}
}
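Review bot: The new fallback is guarded by the context line `if (!base.isFile())` but accepts its candidate with `test.isDirectory()`, and `base` is built as `node_modules/<name>`, which is normally a directory; if that is what `base` denotes, the guard is always true and the root `modulesRoot/<name>` wins over an existing nested `node_modules/<name>` whenever both exist, which would attribute the root package's version to a nested (possibly different) copy — what `base` is later used for is outside the hunk, so this needs confirming. `name` comes from the lock file, so a crafted entry containing `..` would also make `new File(modulesRoot, name)` resolve outside the tree; scoped names legitimately contain `/`, so reject by containment rather than by separator. A guard along the lines of `if (!base.isDirectory()) {` on the context line and `if (test.isDirectory() && test.toPath().normalize().startsWith(modulesRoot.toPath().normalize())) {` on the new check covers both. processDependencies continues outside the hunk.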
Expand Up @@ -17,7 +17,7 @@
*/
package org.owasp.dependencycheck.data.nvdcve;

import com.vdurmont.semver4j.Semver;
import org.semver4j.Semver;
import org.owasp.dependencycheck.BaseDBTestCase;
import java.util.Properties;
import org.junit.After;
Expand Down Expand Up @@ -99,7 +99,7 @@ public void testGetProperty_String() throws DatabaseException {
DatabaseProperties instance = cveDb.getDatabaseProperties();
String result = instance.getProperty(key);

Semver ver = new Semver(result, Semver.SemverType.LOOSE);
Semver ver = new Semver(result);
assertTrue(ver.getMajor() >= 5);
}

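--- /dev/null
+++ b/core/src/test/java/org/owasp/dependencycheck/utils/SemverTest.java
@@ -0,0 +1,35 @@
+/*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package org.owasp.dependencycheck.utils;
+
+import static org.junit.Assert.assertTrue;
+
+import org.junit.Test;
+import org.semver4j.Semver;
+
+/**
+*
+* @author Jeremy Long
+*/
+public class SemverTest {
+
+/**
+* Test of semver4j. See https://github.com/jeremylong/DependencyCheck/issues/5128#issuecomment-1343080426
+*/
+@Test
+public void testSemver() {
+Semver semver = new Semver("3.1.4");
+assertTrue(semver.satisfies("^3.0.0-0"));
+}
+}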
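Review bot: The Javadoc on `testSemver` only says "Test of semver4j" and points at an issue comment, so a reader has to leave the repository to learn what behaviour is being pinned; state it in the comment itself, e.g. `Regression test for the case reported in issue #5128: a caret range whose lower bound carries a prerelease tag (^3.0.0-0) must match a plain release version such as 3.1.4.` The test also asserts only the positive case; a companion `assertFalse(new Semver("4.0.0").satisfies("^3.0.0-0"));` would catch a library that simply matches everything, which is the failure mode a single `assertTrue` cannot distinguish from correct range handling.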
4 changes: 2 additions & 2 deletions pom.xml
Expand Up @@ -1068,9 +1068,9 @@ Copyright (c) 2012 - Jeremy Long
<version>0.0.2.1</version>
</dependency>
<dependency>
<groupId>com.vdurmont</groupId>
<groupId>org.semver4j</groupId>
<artifactId>semver4j</artifactId>
<version>3.1.0</version>
<version>4.0.0</version>
</dependency>
<dependency>
<groupId>org.jetbrains</groupId>
