chore: lint

Author: d3vco

lib/go-parser/go-binary.ts

@@ -223,6 +223,25 @@ export function parseGoVersion(rawVersion: string): string {
   return ver.includes(".", ver.indexOf(".") + 1) ? ver : ver + ".0";
 }
 
+/**
+ * Strips the "go" prefix from a Go version string and validates the format.
+ * Returns the cleaned version (e.g., "1.21.0") or empty string if invalid.
+ * Rejects RC/beta/devel versions since we cannot accurately match vulnerabilities
+ * against pre-release builds.
+ */
+export function parseGoVersion(rawVersion: string): string {
+  // Only match release versions (e.g., "go1.21" or "go1.21.5").
+  // Reject RC/beta (go1.21rc1, go1.22beta2) and devel builds.
+  const match = rawVersion.match(/^go(\d+\.\d+(?:\.\d+)?)$/);
+  if (!match) {
+    return "";
+  }
+  const ver = match[1];
+  // Ensure three-segment semver (e.g., "1.19" → "1.19.0") because
+  // @snyk/vuln uses node's semver library which requires three segments.
+  return ver.includes(".", ver.indexOf(".") + 1) ? ver : ver + ".0";
+}
+
 export function extractModuleInformation(
   binary: Elf,
 ): [name: string, deps: GoModule[], goVersion: string] {

lib/response-builder.ts

@@ -12,12 +12,7 @@ import * as types from "./types";
 import { truncateAdditionalFacts } from "./utils";
 import { PLUGIN_VERSION } from "./version";
 
-export {
-  buildResponse,
-  expandDockerfilePackages,
-  excludeBaseImageDeps,
-  annotateWithLayerIds,
-};
+export { buildResponse };
 
 async function buildResponse(
   depsAnalysis: StaticAnalysis & {
@@ -31,39 +26,14 @@ async function buildResponse(
   options?: Partial<types.PluginOptions>,
 ): Promise<types.PluginResponse> {
   const deps = depsAnalysis.depTree.dependencies;
-
-  // Expand both the Dockerfile packages and the auto-detected user instructions packages,
-  // storing the results back to the original objects.
-  if (dockerfileAnalysis?.dockerfilePackages) {
-    dockerfileAnalysis.dockerfilePackages = expandDockerfilePackages(
-      dockerfileAnalysis.dockerfilePackages,
-      deps,
-    );
-  }
-
-  if (depsAnalysis.autoDetectedUserInstructions?.dockerfilePackages) {
-    depsAnalysis.autoDetectedUserInstructions.dockerfilePackages =
-      expandDockerfilePackages(
-        depsAnalysis.autoDetectedUserInstructions.dockerfilePackages,
-        deps,
-      );
-  }
-
-  // Select a dockerfilePackages object to use for the annotation and exclusion of base image dependencies.
-  // Prioritize the Dockerfile packages over the auto-detected user instructions packages.
-  const dockerfilePkgs =
-    dockerfileAnalysis?.dockerfilePackages ||
-    depsAnalysis.autoDetectedUserInstructions?.dockerfilePackages;
-
+  const dockerfilePkgs = collectDockerfilePkgs(dockerfileAnalysis, deps);
   const finalDeps = excludeBaseImageDeps(
     deps,
     dockerfilePkgs,
     excludeBaseImageVulns,
   );
-  annotateWithLayerIds(finalDeps, dockerfilePkgs);
-
-  // Apply the filtered dependencies back to the depTree
-  depsAnalysis.depTree.dependencies = finalDeps;
+  /** WARNING! Mutates the depTree.dependencies! */
+  annotateLayerIds(finalDeps, dockerfilePkgs);
 
   /** This must be called after all final changes to the DependencyTree. */
   const depGraph = await legacy.depTreeToGraph(
@@ -227,12 +197,17 @@ async function buildResponse(
     autoDetectedLayers &&
     Object.keys(autoDetectedLayers).length > 0
   ) {
+    const autoDetectedPackagesWithChildren = getUserInstructionDeps(
+      autoDetectedPackages,
+      deps,
+    );
+
     const autoDetectedUserInstructionsFact: facts.AutoDetectedUserInstructionsFact =
       {
         type: "autoDetectedUserInstructions",
         data: {
           dockerfileLayers: autoDetectedLayers,
-          dockerfilePackages: autoDetectedPackages!,
+          dockerfilePackages: autoDetectedPackagesWithChildren!,
         },
       };
     additionalFacts.push(autoDetectedUserInstructionsFact);
@@ -364,68 +339,59 @@ async function buildResponse(
   };
 }
 
-/**
- * Returns the package source name from a full dependency name.
- *
- * A package source refers to the top-level package name, such as "bzip2" in "bzip2/libbz2-dev".
- *
- * @param depName - The full dependency name.
- * @returns The package source name.
- */
-function packageSource(depName: string): string {
-  return depName.split("/")[0];
+function collectDockerfilePkgs(
+  dockerAnalysis: DockerFileAnalysis | undefined,
+  deps: {
+    [depName: string]: types.DepTreeDep;
+  },
+) {
+  if (!dockerAnalysis) {
+    return;
+  }
+
+  return getUserInstructionDeps(dockerAnalysis.dockerfilePackages, deps);
 }
 
-/**
- * Expands the list of packages explicitly requested in the Dockerfile to include all transitive dependencies.
- *
- * The returned package map is keyed by the full dependency names. Package names extracted from the Dockerfile
- * (typically in the form of source segments) are copied from the input map into the returned map to maintain
- * compatibility with the CLI dockerfile-attribution logic.
- *
- * @param dockerfilePackages - The packages explicitly requested in a Dockerfile.
- * @param deps - The dependencies of the image.
- * @returns A map of packages attributed to the Dockerfile.
- */
-function expandDockerfilePackages(
+// Iterate over the dependencies list; if one is introduced by the dockerfile,
+// flatten its dependencies and append them to the list of dockerfile
+// packages. This gives us a reference of all transitive deps installed via
+// the dockerfile, and the instruction that installed it.
+function getUserInstructionDeps(
   dockerfilePackages: DockerFilePackages,
-  deps: { [depName: string]: types.DepTreeDep },
+  dependencies: {
+    [depName: string]: types.DepTreeDep;
+  },
 ): DockerFilePackages {
-  const expandedPkgs = { ...dockerfilePackages };
-
-  function collectChildPackages(node: types.DepTreeDep, parentEntry: any) {
-    if (!node.dependencies) {
-      return;
-    }
-    for (const childKey of Object.keys(node.dependencies)) {
-      if (!expandedPkgs[childKey]) {
-        expandedPkgs[childKey] = parentEntry;
-        collectChildPackages(node.dependencies[childKey], parentEntry);
+  for (const dependencyName in dependencies) {
+    if (dependencies.hasOwnProperty(dependencyName)) {
+      const sourceOrName = dependencyName.split("/")[0];
+      const dockerfilePackage = dockerfilePackages[sourceOrName];
+
+      if (dockerfilePackage) {
+        for (const dep of collectDeps(dependencies[dependencyName])) {
+          dockerfilePackages[dep.split("/")[0]] = { ...dockerfilePackage };
+        }
       }
     }
   }
 
-  for (const rootKey of Object.keys(deps)) {
-    const source = packageSource(rootKey);
-    const dockerfileEntry = expandedPkgs[rootKey] || expandedPkgs[source];
-    if (dockerfileEntry) {
-      // Ensure the full dependency name is in the expanded packages.
-      expandedPkgs[rootKey] = dockerfileEntry;
-      collectChildPackages(deps[rootKey], dockerfileEntry);
-    }
-  }
+  return dockerfilePackages;
+}
 
-  return expandedPkgs;
+function collectDeps(pkg) {
+  // ES5 doesn't have Object.values, so replace with Object.keys() and map()
+  return pkg.dependencies
+    ? Object.keys(pkg.dependencies)
+        .map((name) => pkg.dependencies[name])
+        .reduce((allDeps, pkg) => {
+          return [...allDeps, ...collectDeps(pkg)];
+        }, Object.keys(pkg.dependencies))
+    : [];
 }
 
-/**
- * Excludes base image dependencies from the dependency tree if excludeBaseImageVulns is true.
- *
- * @param deps - The dependencies of the image.
- * @param dockerfilePkgs - The expanded packages attributed to the Dockerfile.
- * @param excludeBaseImageVulns - Whether to exclude base image dependencies.
- * @returns The dependencies of the image.
- */
+// Skip processing if option disabled or dockerfilePkgs is undefined. We
+// can't exclude anything in that case, because we can't tell which deps are
+// from dockerfile and which from base image.
 function excludeBaseImageDeps(
   deps: {
     [depName: string]: types.DepTreeDep;
@@ -437,48 +403,39 @@ function excludeBaseImageDeps(
     return deps;
   }
 
-  return Object.keys(deps)
+  return extractDockerfileDeps(deps, dockerfilePkgs);
+}
+
+function extractDockerfileDeps(
+  allDeps: {
+    [depName: string]: types.DepTreeDep;
+  },
+  dockerfilePkgs: DockerFilePackages,
+) {
+  return Object.keys(allDeps)
     .filter((depName) => dockerfilePkgs[depName])
     .reduce((extractedDeps, depName) => {
-      extractedDeps[depName] = deps[depName];
+      extractedDeps[depName] = allDeps[depName];
       return extractedDeps;
     }, {});
 }
 
-/**
- * Annotates the dependency tree with layer IDs. Mutates the recieved dependency tree.
- *
- * @param deps - The dependencies of the image.
- * @param dockerfilePkgs - The expanded packages attributed to the Dockerfile.
- */
-function annotateWithLayerIds(
-  deps: { [depName: string]: types.DepTreeDep },
-  dockerfilePkgs: DockerFilePackages | undefined,
-): void {
+function annotateLayerIds(deps, dockerfilePkgs) {
   if (!dockerfilePkgs) {
     return;
   }
 
-  function annotateRecursive(currentDeps: {
-    [depName: string]: types.DepTreeDep;
-  }) {
-    for (const depKey of Object.keys(currentDeps)) {
-      const node = currentDeps[depKey];
-      const dockerfileEntry = dockerfilePkgs![depKey];
-
-      if (dockerfileEntry) {
-        node.labels = {
-          ...(node.labels || {}),
-          dockerLayerId: instructionDigest(dockerfileEntry.instruction),
-        };
-
-        // Only progress down the dependency tree if the current node is a dockerfile package.
-        if (node.dependencies) {
-          annotateRecursive(node.dependencies);
-        }
-      }
+  for (const dep of Object.keys(deps)) {
+    const pkg = deps[dep];
+    const dockerfilePkg = dockerfilePkgs[dep];
+    if (dockerfilePkg) {
+      pkg.labels = {
+        ...(pkg.labels || {}),
+        dockerLayerId: instructionDigest(dockerfilePkg.instruction),
+      };
+    }
+    if (pkg.dependencies) {
+      annotateLayerIds(pkg.dependencies, dockerfilePkgs);
     }
   }
-
-  annotateRecursive(deps);
 }