
Unmarshalling package-lock.json can cause errors #1631

Closed
eleftherias opened this issue Nov 13, 2023 · 0 comments · Fixed by #1666
Labels: bug (Something isn't working), dependencies (Pull requests that update a dependency file), priority: high (High priority), size/m

@eleftherias (Contributor):

Describe the issue

With certain changes to the package-lock.json file, Minder isn't able to unmarshal the JSON correctly and check for vulnerabilities.

Example PR that reproduces the issue: https://github.com/eleftheria-test/public-repo/pull/21/files#diff-053150b640a7ce75eff69d1a22cae7f0f94ad64ce9a855db544dda0929316519

Error message:

{"level":"debug","profile":"stacklok-remediate-profile","ruleType":"pr_vulnerability_check","eval_status":"error","projectId":"6918633e-8b9f-493b-8147-b30c888db98a","repositoryId":"f596c281-8943-41fc-b4bb-f80c499f8f81","exception.message":"error ingesting data: error ingesting file package-lock.json: error parsing file package-lock.json: failed to unmarshal npm package: invalid character '}' after top-level value","Timestamp":1699877410335589000,"message":"result - evaluation"}

To Reproduce

  • Register an empty repository
  • Create a profile with PR vulnerability scanning turned on
  • Create an npm project in that repo, for example npm init
  • Add a dependency to the npm project, for example npm i --save lodash
  • Create a PR in the registered repo with the newly created package.json and package-lock.json
  • Notice that Minder does not comment on the PR and the Minder server has an error

(note: creating a brand new package-lock.json is only one scenario where the unmarshalling fails. There are other scenarios as well. See the example PR listed above.)

What version are you using?

No response

@eleftherias eleftherias added bug Something isn't working dependencies Pull requests that update a dependency file javascript priority: high High priority size/m labels Nov 13, 2023
@eleftherias eleftherias self-assigned this Nov 14, 2023
eleftherias added a commit to eleftherias/minder that referenced this issue Nov 15, 2023
- Start by finding any version changes
- Then find the package name whose version was changed

Fix mindersec#1631
eleftherias added a commit to eleftherias/minder that referenced this issue Nov 16, 2023
- Start by finding any version changes
- Then find the package name whose version was changed

Fix mindersec#1631
eleftherias added a commit that referenced this issue Nov 16, 2023
- Start by finding any version changes
- Then find the package name whose version was changed

Fix #1631
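As an added example (not Minder's code and not taken from the fix PR), a Go sketch of the approach the fix commits outline: scan the diff lines for version changes and walk back to the package key, instead of unmarshalling the hunk fragment as JSON. The sample hunk, the regexes and the VersionChange type are constructed assumptions, and it assumes the lockfile v2/v3 "packages" layout, where keys are "" (the root project) or "node_modules/<name>".

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed package-lock.json hunk (lockfile v2/v3 "packages" layout); not from the linked PR.
const samplePatch = `@@ -10,3 +10,6 @@
     "": {
-      "version": "1.0.0"
+      "version": "1.0.1"
     },
+    "node_modules/lodash": {
+      "version": "4.17.21"
+    }`

type VersionChange struct{ Name, Version string } // Name "" is the root project entry

var (
	versionRe = regexp.MustCompile(`^\+\s*"version":\s*"([^"]+)"`)
	// "packages" keys are "" (root) or "node_modules/<name>"; any other key is not a package.
	packageKeyRe = regexp.MustCompile(`^[ +-]\s*"(|node_modules/[^"]+)":\s*\{`)
)

// findVersionChanges scans the diff text instead of unmarshalling it (a hunk is a
// fragment, hence the "after top-level value" error). Per the fix commit's outline:
// find every added "version" line, then walk upward to the nearest package key.
func findVersionChanges(patch string) []VersionChange {
	lines := strings.Split(patch, "\n")
	var out []VersionChange
	for i, l := range lines {
		m := versionRe.FindStringSubmatch(l)
		if m == nil {
			continue
		}
		name := "(unknown)" // no enclosing package key within the hunk's context
		for j := i - 1; j >= 0; j-- {
			if k := packageKeyRe.FindStringSubmatch(lines[j]); k != nil {
				name = strings.TrimPrefix(k[1], "node_modules/")
				break
			}
		}
		out = append(out, VersionChange{name, m[1]})
	}
	return out
}

func main() { fmt.Println(findVersionChanges(samplePatch)) }
```

Removed ("-") version lines are deliberately ignored, so a dependency that is dropped from the lockfile produces no entry; only the new versions are reported.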