Merge pull request #221 from snyk/feat/add-yarn-lock-support

Add yarn lock support

package.json

@@ -62,7 +62,7 @@
     "snyk-gradle-plugin": "1.3.1",
     "snyk-module": "1.8.2",
     "snyk-mvn-plugin": "1.2.2",
-    "snyk-nodejs-lockfile-parser": "1.4.1",
+    "snyk-nodejs-lockfile-parser": "1.5.1",
     "snyk-nuget-plugin": "1.6.5",
     "snyk-php-plugin": "1.5.1",
     "snyk-policy": "1.12.0",

src/lib/protect/get-vuln-source.js

@@ -32,6 +32,11 @@ function getVulnSource(vuln, cwd, live) {
     try {
       source = resolve.sync(from.slice(-1).pop(), viaPath);
     } catch (e) {
+      if (e.code === 'NO_PACKAGE_FOUND') {
+        e = 'Error: `' +e.message + '`\nWe can\'t patch without ' +
+          'dependencies installed. Please run `npm ' +
+          'install` or  `yarn install` first.';
+      }
       if (live) {
         throw e;
       }

src/lib/snyk-test/npm/index.js

@@ -54,7 +54,8 @@ function test(root, options) {
       options.file = options.file || 'package.json';
       return Promise.resolve()
         .then(() => {
-          if (options.file.endsWith('package-lock.json')) {
+          if (options.file.endsWith('package-lock.json')
+            || options.file.endsWith('yarn.lock')) {
             return generateDependenciesFromLockfile(root, options);
           }
           return getDependenciesFromNodeModules(root, options)
@@ -104,9 +105,10 @@ function test(root, options) {
 
 function generateDependenciesFromLockfile(root, options) {
   debug('Lockfile detected, generating dependency tree from lockfile');
-  var lockFileFullPath = path.resolve(root, options.file);
+  const fileName = options.file;
+  var lockFileFullPath = path.resolve(root, fileName);
   if (!fileSystem.existsSync(lockFileFullPath)) {
-    throw new Error('LockFile package-lock.json not found at location: ' +
+    throw new Error('Lockfile ' + fileName + ' not found at location: ' +
     lockFileFullPath);
   }
 
@@ -124,22 +126,25 @@ function generateDependenciesFromLockfile(root, options) {
     + lockFileFullPath + '\n However the package.json is missing!');
   }
 
-  if (options.file.endsWith('package-lock.json') && fileSystem.existsSync(shrinkwrapFullPath)) {
-    throw new Error('`npm-shrinkwrap.json` was found while using package-lock.json.\n'
-    + 'Please run your command again without `--file=package-lock.json` flag.');
+  if (fileSystem.existsSync(shrinkwrapFullPath)) {
+    throw new Error('`npm-shrinkwrap.json` was found while using lockfile.\n'
+    + 'Please run your command again without `--file=' + fileName + '` flag.');
   }
 
   var manifestFile = fileSystem.readFileSync(manifestFileFullPath);
-  var lockFile = fileSystem.readFileSync(lockFileFullPath);
+  var lockFile = fileSystem.readFileSync(lockFileFullPath, 'utf-8');
 
   analytics.add('local', true);
-  analytics.add('using package-lock.json to get dependency tree', true);
+  analytics.add('using lockfile (' + fileName + ') package-lock.json to get dependency tree', true);
+
+  const lockFileType = fileName.endsWith('yarn.lock') ?
+    lockFileParser.LockfileType.yarn : lockFileParser.LockfileType.npm;
 
   var resolveModuleSpinnerLabel = `Analyzing npm dependencies for ${lockFileFullPath}`;
   debug(resolveModuleSpinnerLabel);
   return spinner(resolveModuleSpinnerLabel)
     .then(function () {
-      return lockFileParser.buildDepTree(manifestFile, lockFile, options.dev);
+      return lockFileParser.buildDepTree(manifestFile, lockFile, options.dev, lockFileType);
     })
     // clear spinner in case of success or failure
     .then(spinner.clear(resolveModuleSpinnerLabel))

test/acceptance/cli.acceptance.test.js

@@ -582,6 +582,95 @@ test('`test npm-package-missing-dep ` in package-lock works', function (t) {
     });
 });
 
+// Unfortunately, lockfile parser for yarn doesn't work on node < 6
+// https://github.com/snyk/nodejs-lockfile-parser/blob/master/lib/parsers/yarn-lock-parse.ts#L32
+if (parseInt(process.version.slice(1).split('.')[0], 10) < 6) {
+  test('Testing yarn.lock on node 4', async (t) => {
+    return cli.test('npm-package-missing-dep', {file: 'yarn.lock'})
+      .catch((e) => {
+        t.includes(e.message,
+          'less than 6. Please upgrade your Node.js',
+          'Information about non-supported environment is shown');
+      });
+  });
+} else {
+  test('`test npm-package --file=yarn.lock ` sends pkg info', function (t) {
+    chdirWorkspaces();
+    return cli.test('npm-package', {file: 'yarn.lock'})
+      .then(function () {
+        var req = server.popRequest();
+        var pkg = req.body;
+        t.equal(req.method, 'POST', 'makes POST request');
+        t.match(req.url, '/vuln/npm', 'posts to correct url');
+        t.ok(pkg.dependencies['debug'], 'dependency');
+        t.ok(pkg.dependencies['debug'].dependencies['ms'], 'transitive dependency');
+        t.notOk(pkg.dependencies['object-assign'],
+          'no dev dependency');
+        t.notOk(pkg.from, 'no "from" array on root');
+        t.notOk(pkg.dependencies['debug'].from,
+          'no "from" array on dep');
+      });
+  });
+
+  test('`test npm-package --file=yarn.lock --dev` sends pkg info', function (t) {
+    chdirWorkspaces();
+    return cli.test('npm-package', {file: 'yarn.lock', dev: true})
+      .then(function () {
+        var req = server.popRequest();
+        var pkg = req.body;
+        t.equal(req.method, 'POST', 'makes POST request');
+        t.match(req.url, '/vuln/npm', 'posts to correct url');
+        t.ok(pkg.dependencies['debug'], 'dependency');
+        t.ok(pkg.dependencies['debug'].dependencies['ms'], 'transitive dependency');
+        t.ok(pkg.dependencies['object-assign'],
+          'dev dependency included');
+        t.notOk(pkg.from, 'no "from" array on root');
+        t.notOk(pkg.dependencies['debug'].from,
+          'no "from" array on dep');
+      });
+  });
+
+  test('`test npm-package-shrinkwrap --file=yarn.lock ` with npm-shrinkwrap errors', function (t) {
+    t.plan(1);
+    chdirWorkspaces();
+    return cli.test('npm-package-shrinkwrap', {file: 'yarn.lock'})
+      .catch((e) => {
+        t.includes(e.message, '--file=yarn.lock', 'Contains enough info about error');
+      });
+  });
+
+  test('`test npm-package-with-subfolder --file=yarn.lock ` picks top-level files', function (t) {
+    chdirWorkspaces();
+    return cli.test('npm-package-with-subfolder', {file: 'yarn.lock'})
+      .then(function () {
+        var req = server.popRequest();
+        var pkg = req.body;
+        t.equal(pkg.name, 'npm-package-top-level', 'correct package is taken');
+        t.ok(pkg.dependencies['to-array'], 'dependency');
+      });
+  });
+
+  test('`test npm-package-with-subfolder --file=subfolder/yarn.lock ` picks subfolder files', function (t) {
+    chdirWorkspaces();
+    return cli.test('npm-package-with-subfolder', {file: 'subfolder/yarn.lock'})
+      .then(function () {
+        var req = server.popRequest();
+        var pkg = req.body;
+        t.equal(pkg.name, 'npm-package-subfolder', 'correct package is taken');
+        t.ok(pkg.dependencies['to-array'], 'dependency');
+      });
+  });
+
+  test('`test npm-package-missing-dep --file=yarn.lock ` with missing dep errors', function (t) {
+    t.plan(1);
+    chdirWorkspaces();
+    return cli.test('npm-package-missing-dep', {file: 'yarn.lock'})
+      .catch((e) => {
+        t.includes(e.message, 'out of sync', 'Contains enough info about error');
+      });
+  });
+}
+
 test('`test` on a yarn package does work and displays appropriate text',
 function (t) {
   chdirWorkspaces('yarn-app');

test/acceptance/workspaces/npm-package-missing-dep/yarn.lock

@@ -0,0 +1,13 @@
+# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+# yarn lockfile v1
+
+
+debug@2.2.0:
+  version "2.2.0"
+  resolved "http://registry.npmjs.org/debug/-/debug-2.2.0.tgz#f87057e995b1a1f6ae6a4960664137bc56f039da"
+  dependencies:
+    ms "0.7.1"
+
+object-assign@4.1.1:
+  version "4.1.1"
+  resolved "https://registry.yarnpkg.com/object-assign/-/object-assign-4.1.1.tgz#2109adc7965887cfc05cbbd442cac8bfbb360863"