feat: accept local package-lock.json as target

KirilldogU · KirilldogU · commit 69fb0cb12a98 · 2025-04-09T16:54:36.000-04:00
Signed-off-by: Kirill Usubyan &lt;kusubyan@mitre.org&gt;
diff --git a/hipcheck/src/cli.rs b/hipcheck/src/cli.rs
@@ -13,9 +13,9 @@ use crate::{
 	shell::{color_choice::ColorChoice, verbosity::Verbosity},
 	source,
 	target::{
-		pm, LocalGitRepo, MavenPackage, Package, PackageHost, Sbom, SbomStandard, SingleTargetSeed,
-		SingleTargetSeedKind, TargetSeed, TargetSeedKind, TargetType, ToTargetSeed,
-		ToTargetSeedKind, VcsUrl,
+		pm, LocalGitRepo, MavenPackage, MultiTargetSeed, MultiTargetSeedKind, Package, PackageHost,
+		Sbom, SbomStandard, SingleTargetSeed, SingleTargetSeedKind, TargetSeed, TargetSeedKind,
+		TargetType, ToTargetSeed, ToTargetSeedKind, VcsUrl,
 	},
 };
 use clap::{Parser as _, ValueEnum};
@@ -651,7 +651,13 @@ impl ToTargetSeed for CheckArgs {
 
 				Ok(TargetSeed::Single(seed))
 			}
-			TargetSeedKind::Multi(_multi_target_seed_kind) => todo!(),
+			TargetSeedKind::Multi(multi_target_seed_kind) => {
+				let seed = MultiTargetSeed {
+					kind: multi_target_seed_kind,
+					specifier: command.get_specifier().to_string(),
+				};
+				Ok(TargetSeed::Multi(seed))
+			}
 		}
 	}
 }
@@ -673,6 +679,9 @@ pub enum CheckCommand {
 	/// Analyze packages specified in an SBOM document
 	#[command(hide = true)]
 	Sbom(CheckSbomArgs),
+	/// Analyze npm dependencies specified in an package-lock.json document
+	#[command(hide = true)]
+	PackageLockJson(CheckPackageLockJsonArgs),
 }
 
 impl CheckCommand {
@@ -684,6 +693,7 @@ impl CheckCommand {
 			Pypi(args) => &args.package,
 			Repo(args) => &args.source,
 			Sbom(args) => &args.path,
+			PackageLockJson(args) => &args.path,
 		}
 	}
 }
@@ -696,6 +706,7 @@ impl ToTargetSeedKind for CheckCommand {
 			CheckCommand::Pypi(args) => args.to_target_seed_kind(),
 			CheckCommand::Repo(args) => args.to_target_seed_kind(),
 			CheckCommand::Sbom(args) => args.to_target_seed_kind(),
+			CheckCommand::PackageLockJson(args) => args.to_target_seed_kind(),
 		}
 	}
 }
@@ -887,6 +898,24 @@ impl ToTargetSeedKind for CheckSbomArgs {
 	}
 }
 
+#[derive(Debug, Clone, clap::Args)]
+pub struct CheckPackageLockJsonArgs {
+	/// package-lock.json to analyze
+	pub path: String,
+}
+
+impl ToTargetSeedKind for CheckPackageLockJsonArgs {
+	fn to_target_seed_kind(&self) -> Result<TargetSeedKind> {
+		let path = PathBuf::from(&self.path);
+		if path.exists() && self.path.ends_with("package-lock.json") {
+			return Ok(TargetSeedKind::Multi(MultiTargetSeedKind::PackageLockJson(
+				path,
+			)));
+		}
+		Err(hc_error!("The provided package-lock.json does not exist"))
+	}
+}
+
 #[derive(Debug, Clone, clap::Args)]
 pub struct SchemaArgs {
 	#[clap(subcommand)]
@@ -1616,6 +1645,7 @@ mod tests {
 			CheckCommand::Pypi(args) => args.package,
 			CheckCommand::Repo(args) => args.source,
 			CheckCommand::Sbom(args) => args.path,
+			CheckCommand::PackageLockJson(args) => args.path,
 		}
 	}
 
diff --git a/hipcheck/src/target/mod.rs b/hipcheck/src/target/mod.rs
@@ -60,6 +60,8 @@ pub enum TargetType {
 	Repo,
 	Request,
 	Sbom,
+	#[serde(rename = "package-lock-json")]
+	PackageLockJson,
 }
 
 impl TargetType {
@@ -96,6 +98,9 @@ impl TargetType {
 			|| tgt.ends_with(".cdx.xml")
 		{
 			Some((Sbom, tgt.to_string()))
+		// Otherwise check if it is a package-lock.json for a local npm project
+		} else if tgt.ends_with("package-lock.json") {
+			Some((PackageLockJson, tgt.to_string()))
 		// If is path to a file/dir that exists, treat as a local Repo
 		} else if PathBuf::from(tgt).exists() {
 			Some((Repo, tgt.to_string()))
diff --git a/hipcheck/src/target/types.rs b/hipcheck/src/target/types.rs
@@ -237,11 +237,25 @@ impl Display for SingleTargetSeedKind {
 	}
 }
 
+impl Display for MultiTargetSeedKind {
+	fn fmt(&self, f: &mut Formatter) -> fmt::Result {
+		use MultiTargetSeedKind::*;
+		match self {
+			GoMod(path) => {
+				write!(f, "go.mod file at {}", path.display())
+			}
+			PackageLockJson(path) => {
+				write!(f, "package-lock.json file at {}", path.display())
+			}
+		}
+	}
+}
+
 impl Display for TargetSeed {
 	fn fmt(&self, f: &mut Formatter) -> fmt::Result {
 		match self {
 			TargetSeed::Single(x) => x.kind.fmt(f),
-			TargetSeed::Multi(_x) => unimplemented!(),
+			TargetSeed::Multi(x) => x.kind.fmt(f),
 		}
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -13,9 +13,9 @@ use crate::{`
`13`	`13`	`shell::{color_choice::ColorChoice, verbosity::Verbosity},`
`14`	`14`	`source,`
`15`	`15`	`target::{`
`16`		`- pm, LocalGitRepo, MavenPackage, Package, PackageHost, Sbom, SbomStandard, SingleTargetSeed,`
`17`		`- SingleTargetSeedKind, TargetSeed, TargetSeedKind, TargetType, ToTargetSeed,`
`18`		`- ToTargetSeedKind, VcsUrl,`
	`16`	`+ pm, LocalGitRepo, MavenPackage, MultiTargetSeed, MultiTargetSeedKind, Package, PackageHost,`
	`17`	`+ Sbom, SbomStandard, SingleTargetSeed, SingleTargetSeedKind, TargetSeed, TargetSeedKind,`
	`18`	`+ TargetType, ToTargetSeed, ToTargetSeedKind, VcsUrl,`
`19`	`19`	`},`
`20`	`20`	`};`
`21`	`21`	`use clap::{Parser as _, ValueEnum};`
`@@ -651,7 +651,13 @@ impl ToTargetSeed for CheckArgs {`
`651`	`651`
`652`	`652`	`Ok(TargetSeed::Single(seed))`
`653`	`653`	`}`
`654`		`- TargetSeedKind::Multi(_multi_target_seed_kind) => todo!(),`
	`654`	`+ TargetSeedKind::Multi(multi_target_seed_kind) => {`
	`655`	`+ let seed = MultiTargetSeed {`
	`656`	`+ kind: multi_target_seed_kind,`
	`657`	`+ specifier: command.get_specifier().to_string(),`
	`658`	`+ };`
	`659`	`+ Ok(TargetSeed::Multi(seed))`
	`660`	`+ }`
`655`	`661`	`}`
`656`	`662`	`}`
`657`	`663`	`}`
`@@ -673,6 +679,9 @@ pub enum CheckCommand {`
`673`	`679`	`/// Analyze packages specified in an SBOM document`
`674`	`680`	`#[command(hide = true)]`
`675`	`681`	`Sbom(CheckSbomArgs),`
	`682`	`+ /// Analyze npm dependencies specified in an package-lock.json document`
	`683`	`+ #[command(hide = true)]`
	`684`	`+ PackageLockJson(CheckPackageLockJsonArgs),`
`676`	`685`	`}`
`677`	`686`
`678`	`687`	`impl CheckCommand {`
`@@ -684,6 +693,7 @@ impl CheckCommand {`
`684`	`693`	`Pypi(args) => &args.package,`
`685`	`694`	`Repo(args) => &args.source,`
`686`	`695`	`Sbom(args) => &args.path,`
	`696`	`+ PackageLockJson(args) => &args.path,`
`687`	`697`	`}`
`688`	`698`	`}`
`689`	`699`	`}`
`@@ -696,6 +706,7 @@ impl ToTargetSeedKind for CheckCommand {`
`696`	`706`	`CheckCommand::Pypi(args) => args.to_target_seed_kind(),`
`697`	`707`	`CheckCommand::Repo(args) => args.to_target_seed_kind(),`
`698`	`708`	`CheckCommand::Sbom(args) => args.to_target_seed_kind(),`
	`709`	`+ CheckCommand::PackageLockJson(args) => args.to_target_seed_kind(),`
`699`	`710`	`}`
`700`	`711`	`}`
`701`	`712`	`}`
`@@ -887,6 +898,24 @@ impl ToTargetSeedKind for CheckSbomArgs {`
`887`	`898`	`}`
`888`	`899`	`}`
`889`	`900`
	`901`	`+#[derive(Debug, Clone, clap::Args)]`
	`902`	`+pub struct CheckPackageLockJsonArgs {`
	`903`	`+ /// package-lock.json to analyze`
	`904`	`+ pub path: String,`
	`905`	`+}`
	`906`	`+`
	`907`	`+impl ToTargetSeedKind for CheckPackageLockJsonArgs {`
	`908`	`+ fn to_target_seed_kind(&self) -> Result<TargetSeedKind> {`
	`909`	`+ let path = PathBuf::from(&self.path);`
	`910`	`+ if path.exists() && self.path.ends_with("package-lock.json") {`
	`911`	`+ return Ok(TargetSeedKind::Multi(MultiTargetSeedKind::PackageLockJson(`
	`912`	`+ path,`
	`913`	`+ )));`
	`914`	`+ }`
	`915`	`+ Err(hc_error!("The provided package-lock.json does not exist"))`
	`916`	`+ }`
	`917`	`+}`
	`918`	`+`
`890`	`919`	`#[derive(Debug, Clone, clap::Args)]`
`891`	`920`	`pub struct SchemaArgs {`
`892`	`921`	`#[clap(subcommand)]`
`@@ -1616,6 +1645,7 @@ mod tests {`
`1616`	`1645`	`CheckCommand::Pypi(args) => args.package,`
`1617`	`1646`	`CheckCommand::Repo(args) => args.source,`
`1618`	`1647`	`CheckCommand::Sbom(args) => args.path,`
	`1648`	`+ CheckCommand::PackageLockJson(args) => args.path,`
`1619`	`1649`	`}`
`1620`	`1650`	`}`
`1621`	`1651`
Original file line number	Diff line number	Diff line change
`@@ -237,11 +237,25 @@ impl Display for SingleTargetSeedKind {`
`237`	`237`	`}`
`238`	`238`	`}`
`239`	`239`
	`240`	`+impl Display for MultiTargetSeedKind {`
	`241`	`+ fn fmt(&self, f: &mut Formatter) -> fmt::Result {`
	`242`	`+ use MultiTargetSeedKind::*;`
	`243`	`+ match self {`
	`244`	`+ GoMod(path) => {`
	`245`	`+ write!(f, "go.mod file at {}", path.display())`
	`246`	`+ }`
	`247`	`+ PackageLockJson(path) => {`
	`248`	`+ write!(f, "package-lock.json file at {}", path.display())`
	`249`	`+ }`
	`250`	`+ }`
	`251`	`+ }`
	`252`	`+}`
	`253`	`+`
`240`	`254`	`impl Display for TargetSeed {`
`241`	`255`	`fn fmt(&self, f: &mut Formatter) -> fmt::Result {`
`242`	`256`	`match self {`
`243`	`257`	`TargetSeed::Single(x) => x.kind.fmt(f),`
`244`		`- TargetSeed::Multi(_x) => unimplemented!(),`
	`258`	`+ TargetSeed::Multi(x) => x.kind.fmt(f),`
`245`	`259`	`}`
`246`	`260`	`}`
`247`	`261`	`}`