Improves name identification for yarn v1 lock files with self aliases (#1668)

Signed-off-by: Prabhu Subramanian <[email protected]>

Author: prabhu

lib/cli/index.js

@@ -6095,6 +6095,9 @@ export async function createCsharpBom(path, options) {
       );
       // Create the slices file if it doesn't exist
       if (!safeExistsSync(slicesFile)) {
+        thoughtLog(
+          "Alright, the next step is to invoke the dosai command to identify evidence of occurrences for various components.",
+        );
         const sliceResult = getDotnetSlices(resolve(path), resolve(slicesFile));
         if (!sliceResult && DEBUG_MODE) {
           console.log(

lib/helpers/logger.js

@@ -31,6 +31,7 @@ export function thoughtLog(s, args) {
   if (!s?.endsWith(".") && !s?.endsWith("?") && !s?.endsWith("!")) {
     s = `${s}.`;
   }
+  s = s.replaceAll("'.'", "'<project dir>'");
   if (args) {
     tlogger.log(colorizeText(`${s}`), args);
   } else {

lib/helpers/utils.js

@@ -1638,7 +1638,7 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
 }
 
 /**
- * Given a lock file this method would return an Object with the identiy as the key and parsed name and value
+ * Given a lock file this method would return an Object with the identity as the key and parsed name and value
  * eg: "@actions/core@^1.2.6", "@actions/core@^1.6.0":
  *        version "1.6.0"
  * would result in two entries
@@ -1650,7 +1650,7 @@ export function yarnLockToIdentMap(lockData) {
   let currentIdents = [];
   lockData.split("\n").forEach((l) => {
     l = l.replace("\r", "");
-    if (l === "\n" || l.startsWith("#")) {
+    if (l === "\n" || !l.length || l.startsWith("#")) {
       return;
     }
     // "@actions/core@^1.2.6", "@actions/core@^1.6.0":
@@ -1707,14 +1707,22 @@ export function yarnLockToIdentMap(lockData) {
 function _parseYarnLine(l) {
   let name = "";
   let group = "";
-  const prefixAtSymbol = l.startsWith("@");
+  let prefixAtSymbol = l.startsWith("@");
   const tmpA = l.split("@");
   // ignore possible leading empty strings
   if (tmpA[0] === "") {
     tmpA.shift();
   }
+  let fullName;
   if (tmpA.length >= 2) {
-    const fullName = tmpA[0];
+    if (tmpA.length === 4) {
+      if (tmpA[1] === "npm:") {
+        prefixAtSymbol = true;
+      }
+      fullName = tmpA[2];
+    } else {
+      fullName = tmpA[0];
+    }
     if (fullName.indexOf("/") > -1) {
       const parts = fullName.split("/");
       group = (prefixAtSymbol ? "@" : "") + parts[0];
@@ -1891,16 +1899,26 @@ export async function parseYarnLock(yarnLockFile) {
           if (dgroupname.endsWith(":")) {
             dgroupname = dgroupname.substring(0, dgroupname.length - 1);
           }
-          let range = tmpA[1].replace(/["']/g, "");
+          let dgroupnameToUse = dgroupname;
+          const range = tmpA[1].replace(/["']/g, "");
+          let versionRange = range;
           // Deal with range with npm: prefix such as npm:string-width@^4.2.0, npm:@types/ioredis@^4.28.10
           if (range.startsWith("npm:")) {
-            range = range.split("@").splice(-1)[0];
+            versionRange = range.split("@").splice(-1)[0];
+            dgroupnameToUse = range
+              .replace("npm:", "")
+              .replace(`@${versionRange}`, "");
           }
-          const resolvedVersion = identMap[`${dgroupname}|${range}`];
+          const resolvedVersion =
+            identMap[`${dgroupname}|${versionRange}`] ||
+            identMap[`${dgroupnameToUse}|${versionRange}`];
+          // Handle case where the dependency name is really an alias.
+          // Eg: legacy-swc-helpers "npm:@swc/helpers@=0.4.14". Here the dgroupname=@swc/helpers
+
           const depPurlString = new PackageURL(
             "npm",
             null,
-            dgroupname,
+            dgroupnameToUse,
             resolvedVersion,
             null,
             null,
@@ -14183,6 +14201,9 @@ export function addEvidenceForDotnet(pkgList, slicesFile) {
   }
   const slicesData = JSON.parse(readFileSync(slicesFile, "utf-8"));
   if (slicesData && Object.keys(slicesData)) {
+    thoughtLog(
+      "Let's thoroughly inspect the dependency slice to identify where and how the components are used.",
+    );
     if (slicesData.Dependencies) {
       for (const adep of slicesData.Dependencies) {
         // Case 1: Dependencies slice has the .dll file
@@ -14274,6 +14295,10 @@ export function addEvidenceForDotnet(pkgList, slicesFile) {
         });
       }
     }
+  } else if (slicesData?.Dependencies || slicesData?.MethodCalls) {
+    thoughtLog(
+      "I didn't find any occurrence evidence or detailed imported modules, even though there is good dependency slice data from dosai. This is surprising.",
+    );
   }
   return pkgList;
 }

types/lib/helpers/utils.d.ts

@@ -139,7 +139,7 @@ export function parsePkgLock(pkgLockFile: string, options?: object): Promise<{
     dependenciesList: any;
 }>;
 /**
- * Given a lock file this method would return an Object with the identiy as the key and parsed name and value
+ * Given a lock file this method would return an Object with the identity as the key and parsed name and value
  * eg: "@actions/core@^1.2.6", "@actions/core@^1.6.0":
  *        version "1.6.0"
  * would result in two entries