|
| 1 | +import * as debugModule from 'debug'; |
| 2 | + |
| 3 | +const debug = debugModule('snyk-nodejs-lockfile-parser:component-metadata'); |
| 4 | + |
| 5 | +// Maps a Subresource Integrity (SRI) algorithm token to its dep-graph label key. |
| 6 | +// Labels use the `hash:<algorithm>` convention with hyphenated algorithm names |
| 7 | +// (`hash:sha-512`, `hash:sha-256`, ...) and lowercase-hex values. Hex matches the CycloneDX |
| 8 | +// hash `content` format, so downstream SBOM generation can populate CycloneDX component |
| 9 | +// hashes / SPDX package checksums directly. SRI base64 values are decoded to lowercase hex |
| 10 | +// below. |
| 11 | +const SRI_ALG_TO_LABEL: Record<string, string> = { |
| 12 | + md5: 'hash:md5', |
| 13 | + sha1: 'hash:sha-1', |
| 14 | + sha256: 'hash:sha-256', |
| 15 | + sha384: 'hash:sha-384', |
| 16 | + sha512: 'hash:sha-512', |
| 17 | +}; |
| 18 | + |
| 19 | +// Expected raw digest length (bytes) per algorithm. `Buffer.from(x, 'base64')` is lenient and |
| 20 | +// will not throw on a corrupt/truncated value, so we reject anything whose decoded length does |
| 21 | +// not match — otherwise we would emit a hex string that violates the CycloneDX `content` regex. |
| 22 | +const SRI_ALG_BYTES: Record<string, number> = { |
| 23 | + md5: 16, |
| 24 | + sha1: 20, |
| 25 | + sha256: 32, |
| 26 | + sha384: 48, |
| 27 | + sha512: 64, |
| 28 | +}; |
| 29 | + |
| 30 | +/** |
| 31 | + * Convert a lockfile `integrity` (SRI) string into `hash:<algorithm>` labels with |
| 32 | + * lowercase-hex values. Returns an empty object (and debug-logs) when the value is absent |
| 33 | + * or unparseable — never throws. |
| 34 | + */ |
| 35 | +export function hashLabelsFromIntegrity( |
| 36 | + integrity: string | undefined, |
| 37 | + nodeId: string, |
| 38 | +): Record<string, string> { |
| 39 | + if (!integrity) { |
| 40 | + debug(`No integrity for ${nodeId}; skipping hash labels`); |
| 41 | + return {}; |
| 42 | + } |
| 43 | + |
| 44 | + const labels: Record<string, string> = {}; |
| 45 | + // SRI may contain multiple whitespace-separated hashes, each "<alg>-<base64>[?opts]". |
| 46 | + for (const token of integrity.trim().split(/\s+/)) { |
| 47 | + const dashIdx = token.indexOf('-'); |
| 48 | + if (dashIdx === -1) { |
| 49 | + debug(`Unrecognised integrity "${token}" for ${nodeId}; skipping`); |
| 50 | + continue; |
| 51 | + } |
| 52 | + const alg = token.slice(0, dashIdx).toLowerCase(); |
| 53 | + const base64 = token.slice(dashIdx + 1).split('?')[0]; // strip optional ?opts |
| 54 | + const key = SRI_ALG_TO_LABEL[alg]; |
| 55 | + if (!key || !base64) { |
| 56 | + debug(`Unrecognised integrity "${token}" for ${nodeId}; skipping`); |
| 57 | + continue; |
| 58 | + } |
| 59 | + const digest = Buffer.from(base64, 'base64'); |
| 60 | + if (digest.length !== SRI_ALG_BYTES[alg]) { |
| 61 | + debug( |
| 62 | + `Integrity "${token}" for ${nodeId} decoded to ${digest.length} bytes, ` + |
| 63 | + `expected ${SRI_ALG_BYTES[alg]} for ${alg}; skipping`, |
| 64 | + ); |
| 65 | + continue; |
| 66 | + } |
| 67 | + labels[key] = digest.toString('hex'); |
| 68 | + } |
| 69 | + |
| 70 | + return labels; |
| 71 | +} |
| 72 | + |
| 73 | +/** |
| 74 | + * Produce a `distribution:url` label from a lockfile `resolved` value when it is an |
| 75 | + * http(s) tarball URL. `resolved` can also be a `file:`/workspace path for local deps; |
| 76 | + * those are debug-logged and skipped. |
| 77 | + */ |
| 78 | +export function distributionUrlLabel( |
| 79 | + resolved: string | undefined, |
| 80 | + nodeId: string, |
| 81 | +): Record<string, string> { |
| 82 | + if (!resolved) { |
| 83 | + debug(`No resolved URL for ${nodeId}; skipping distribution:url label`); |
| 84 | + return {}; |
| 85 | + } |
| 86 | + |
| 87 | + let url: URL; |
| 88 | + try { |
| 89 | + url = new URL(resolved); |
| 90 | + } catch { |
| 91 | + debug( |
| 92 | + `resolved "${resolved}" for ${nodeId} is not a parseable URL; skipping distribution:url label`, |
| 93 | + ); |
| 94 | + return {}; |
| 95 | + } |
| 96 | + |
| 97 | + // URL normalises the scheme to lowercase, so this also accepts HTTPS://, Http://, etc. |
| 98 | + if (url.protocol !== 'http:' && url.protocol !== 'https:') { |
| 99 | + debug( |
| 100 | + `resolved "${resolved}" for ${nodeId} is not an http(s) URL; skipping distribution:url label`, |
| 101 | + ); |
| 102 | + return {}; |
| 103 | + } |
| 104 | + |
| 105 | + // Strip any embedded basic-auth userinfo (scheme://user:pass@host) so private-registry |
| 106 | + // credentials never leak into the emitted label or downstream SBOM externalReferences. |
| 107 | + if (url.username || url.password) { |
| 108 | + url.password = ''; |
| 109 | + url.username = ''; |
| 110 | + debug(`Stripped credentials from resolved URL for ${nodeId}`); |
| 111 | + } |
| 112 | + |
| 113 | + return { 'distribution:url': url.toString() }; |
| 114 | +} |
| 115 | + |
| 116 | +/** |
| 117 | + * Build the full set of component-metadata labels (package hashes + distribution URL) for a |
| 118 | + * node, sourced from its lockfile `integrity` / `resolved` values. |
| 119 | + */ |
| 120 | +export function getComponentMetadataLabels(node: { |
| 121 | + id: string; |
| 122 | + integrity?: string; |
| 123 | + resolved?: string; |
| 124 | +}): Record<string, string> { |
| 125 | + return { |
| 126 | + ...hashLabelsFromIntegrity(node.integrity, node.id), |
| 127 | + ...distributionUrlLabel(node.resolved, node.id), |
| 128 | + }; |
| 129 | +} |
0 commit comments