(fix) Exclude dev dependencies from npm's package-lock.json and Fix J…

…ava DB download endpoint (#1893) * (fix) Exclude dev dependencies from npm's package-lock.json * chore(integration) update * choir(integration) add lib scan names to makefile * fix(javadb) add schema version only once
future-architect · Apr 17, 2024 · 8f40251 · 8f40251
1 parent cfbe47b
commit 8f40251
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 6 deletions.
diff --git a/GNUmakefile b/GNUmakefile
@@ -90,7 +90,7 @@ NOW=$(shell date '+%Y-%m-%dT%H-%M-%S%z')
 NOW_JSON_DIR := '${BASE_DIR}/$(NOW)'
 ONE_SEC_AFTER=$(shell date -d '+1 second' '+%Y-%m-%dT%H-%M-%S%z')
 ONE_SEC_AFTER_JSON_DIR := '${BASE_DIR}/$(ONE_SEC_AFTER)'
-LIBS := 'bundler' 'dart' 'elixir' 'pip' 'pipenv' 'poetry' 'composer' 'npm' 'yarn' 'pnpm' 'cargo' 'gomod' 'gosum' 'gobinary' 'jar' 'jar-wrong-name-log4j-core' 'war' 'pom' 'gradle' 'nuget-lock' 'nuget-config' 'dotnet-deps' 'dotnet-package-props' 'conan' 'swift-cocoapods' 'swift-swift' 'rust-binary'
+LIBS := 'bundler' 'dart' 'elixir' 'pip' 'pipenv' 'poetry' 'composer' 'npm-v1' 'npm-v2' 'npm-v3' 'yarn' 'pnpm' 'cargo' 'gomod' 'gosum' 'gobinary' 'jar' 'jar-wrong-name-log4j-core' 'war' 'pom' 'gradle' 'nuget-lock' 'nuget-config' 'dotnet-deps' 'dotnet-package-props' 'conan' 'swift-cocoapods' 'swift-swift' 'rust-binary'
 
 diff:
 	# git clone git@github.com:vulsio/vulsctl.git

diff --git a/detector/javadb/javadb.go b/detector/javadb/javadb.go
@@ -7,7 +7,6 @@ package javadb
 import (
 	"context"
 	"errors"
-	"fmt"
 	"os"
 	"path/filepath"
 	"time"
@@ -40,12 +39,11 @@ func UpdateJavaDB(trivyOpts config.TrivyOpts, noProgress bool) error {
 
 	if (meta.Version != db.SchemaVersion || meta.NextUpdate.Before(time.Now().UTC())) && !trivyOpts.TrivySkipJavaDBUpdate {
 		// Download DB
-		repo := fmt.Sprintf("%s:%d", trivyOpts.TrivyJavaDBRepository, db.SchemaVersion)
-		logging.Log.Infof("Trivy Java DB Repository: %s", repo)
+		logging.Log.Infof("Trivy Java DB Repository: %s", trivyOpts.TrivyJavaDBRepository)
 		logging.Log.Info("Downloading Trivy Java DB...")
 
 		var a *oci.Artifact
-		if a, err = oci.NewArtifact(repo, noProgress, types.RegistryOptions{}); err != nil {
+		if a, err = oci.NewArtifact(trivyOpts.TrivyJavaDBRepository, noProgress, types.RegistryOptions{}); err != nil {
 			return xerrors.Errorf("Failed to new oci artifact. err: %w", err)
 		}
 		if err = a.Download(context.Background(), dbDir, oci.DownloadOption{MediaType: "application/vnd.aquasec.trivy.javadb.layer.v1.tar+gzip"}); err != nil {

diff --git a/integration b/integration
diff --git a/scanner/library.go b/scanner/library.go
@@ -4,12 +4,19 @@ import (
 	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/purl"
 	"github.com/aquasecurity/trivy/pkg/types"
+	"github.com/samber/lo"
 
 	"github.com/future-architect/vuls/logging"
 	"github.com/future-architect/vuls/models"
 )
 
 func convertLibWithScanner(apps []ftypes.Application) ([]models.LibraryScanner, error) {
+	for i := range apps {
+		apps[i].Libraries = lo.Filter(apps[i].Libraries, func(lib ftypes.Package, index int) bool {
+			return !lib.Dev
+		})
+	}
+
 	scanners := make([]models.LibraryScanner, 0, len(apps))
 	for _, app := range apps {
 		libs := make([]models.Library, 0, len(app.Libraries))
+2,069 −0		data/lockfile/npm-v1/package-lock.json
+6,472 −0		data/lockfile/npm-v2/package-lock.json
+16,569 −0		data/lockfile/npm-v3/package-lock.json
+0 −2,440		data/lockfile/package-lock.json
+10 −2		int-config.toml
+10 −2		int-redis-config.toml