Add lockfile path (#1153)

* Submit packages with lockfile paths

* Update phylum types

* Use to_owned for lockfile path

Co-authored-by: Kyle Willmon <[email protected]>

* changes for updated phylum-types

* additional format changes

* update: changelog

* refactor: add IntoIter for ParsedLockfile

* Update changelog

* Update extensions

* Make lockfile_path optional

* Update description

* fmt fixes

* Remove trailing comma

Co-authored-by: Kyle Willmon <[email protected]>

* docs: update changelog

* refactor: reflect changes from updated phylum types

* docs: modify lockfile description

---------

Co-authored-by: Kyle Willmon <[email protected]>

CHANGELOG.md

@@ -8,6 +8,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## [Unreleased]
 
+### Changed
+- Include lockfile paths when analyzing projects
+
 ## [5.5.0] - 2023-07-18
 
 ### Added

cli/src/api/mod.rs

@@ -10,7 +10,9 @@ use phylum_types::types::group::{
 use phylum_types::types::job::{
     AllJobsStatusResponse, SubmitPackageRequest, SubmitPackageResponse,
 };
-use phylum_types::types::package::{PackageDescriptor, PackageSpecifier, PackageSubmitResponse};
+use phylum_types::types::package::{
+    PackageDescriptor, PackageDescriptorAndLockfile, PackageSpecifier, PackageSubmitResponse,
+};
 use phylum_types::types::project::{
     CreateProjectRequest, CreateProjectResponse, ProjectSummaryResponse,
 };
@@ -277,7 +279,7 @@ impl PhylumApi {
     /// Submit a new request to the system
     pub async fn submit_request(
         &self,
-        package_list: &[PackageDescriptor],
+        package_list: &[PackageDescriptorAndLockfile],
         project: ProjectId,
         label: Option<String>,
         group_name: Option<String>,
@@ -500,11 +502,17 @@ mod tests {
 
         let client = build_phylum_api(&mock_server).await?;
 
-        let pkg = PackageDescriptor {
+        let package_descriptor = PackageDescriptor {
             name: "react".to_string(),
             version: "16.13.1".to_string(),
             package_type: PackageType::Npm,
         };
+
+        let pkg = PackageDescriptorAndLockfile {
+            package_descriptor,
+            lockfile: Some("package-lock.json".to_owned()),
+        };
+
         let project_id = ProjectId::new_v4();
         let label = Some("mylabel".to_string());
         client.submit_request(&[pkg], project_id, label, None).await?;
@@ -530,11 +538,17 @@ mod tests {
 
         let client = build_phylum_api(&mock_server).await?;
 
-        let pkg = PackageDescriptor {
+        let package_descriptor = PackageDescriptor {
             name: "react".to_string(),
             version: "16.13.1".to_string(),
             package_type: PackageType::Npm,
         };
+
+        let pkg = PackageDescriptorAndLockfile {
+            package_descriptor,
+            lockfile: Some("package-lock.json".to_owned()),
+        };
+
         let project_id = ProjectId::new_v4();
         let label = Some("mylabel".to_string());
         client.submit_request(&[pkg], project_id, label, None).await?;

cli/src/commands/extensions/api.rs

@@ -22,7 +22,8 @@ use phylum_types::types::auth::{AccessToken, RefreshToken};
 use phylum_types::types::common::{JobId, ProjectId};
 use phylum_types::types::group::ListUserGroupsResponse;
 use phylum_types::types::package::{
-    Package, PackageDescriptor, PackageSpecifier as PTPackageSpecifier, PackageSubmitResponse,
+    Package, PackageDescriptor, PackageDescriptorAndLockfile,
+    PackageSpecifier as PTPackageSpecifier, PackageSubmitResponse,
 };
 use phylum_types::types::project::ProjectSummaryResponse;
 use reqwest::StatusCode;
@@ -137,7 +138,7 @@ struct ProcessOutput {
 #[op]
 async fn analyze(
     op_state: Rc<RefCell<OpState>>,
-    packages: Vec<PackageDescriptor>,
+    packages: Vec<PackageDescriptorAndLockfile>,
     project: Option<String>,
     group: Option<String>,
     label: Option<String>,

cli/src/commands/jobs.rs

@@ -116,7 +116,7 @@ pub async fn handle_submission(api: &mut PhylumApi, matches: &clap::ArgMatches)
                 );
             }
 
-            packages.extend(res.packages.into_iter());
+            packages.extend(res.into_iter());
         }
 
         if let Some(base) = matches.get_one::<String>("base") {
@@ -159,11 +159,14 @@ pub async fn handle_submission(api: &mut PhylumApi, matches: &clap::ArgMatches)
                     let pkg_version = pkg_info.pop().unwrap();
                     let pkg_name = pkg_info.join(":");
 
-                    packages.push(PackageDescriptor {
-                        name: pkg_name.to_owned(),
-                        version: pkg_version.to_owned(),
-                        package_type: request_type.to_owned(),
-                    });
+                    packages.push(
+                        PackageDescriptor {
+                            name: pkg_name.to_owned(),
+                            version: pkg_version.to_owned(),
+                            package_type: request_type.to_owned(),
+                        }
+                        .into(),
+                    );
                     line.clear();
                 },
                 Err(err) => {
@@ -198,6 +201,8 @@ pub async fn handle_submission(api: &mut PhylumApi, matches: &clap::ArgMatches)
 
     if synch {
         if pretty_print {
+            #[cfg(feature = "vulnreach")]
+            let packages: Vec<_> = packages.into_iter().map(|pkg| pkg.package_descriptor).collect();
             #[cfg(feature = "vulnreach")]
             if let Err(err) = vulnreach(api, matches, packages, job_id.to_string()).await {
                 print_user_failure!("Reachability analysis failed: {err:?}");

cli/src/commands/parse.rs

@@ -1,11 +1,12 @@
 //! `phylum parse` command for lockfile parsing
 
 use std::path::{Path, PathBuf};
+use std::vec::IntoIter;
 use std::{fs, io};
 
 use anyhow::{anyhow, Context, Result};
 use phylum_lockfile::{LockfileFormat, Package, PackageVersion, Parse, ThirdPartyVersion};
-use phylum_types::types::package::PackageDescriptor;
+use phylum_types::types::package::{PackageDescriptor, PackageDescriptorAndLockfile};
 use walkdir::WalkDir;
 
 use crate::commands::{CommandResult, ExitCode};
@@ -17,6 +18,31 @@ pub struct ParsedLockfile {
     pub packages: Vec<PackageDescriptor>,
 }
 
+pub struct ParsedLockfileIterator {
+    path: PathBuf,
+    packages: IntoIter<PackageDescriptor>,
+}
+
+impl Iterator for ParsedLockfileIterator {
+    type Item = PackageDescriptorAndLockfile;
+
+    fn next(&mut self) -> Option<Self::Item> {
+        self.packages.next().map(|package_descriptor| PackageDescriptorAndLockfile {
+            package_descriptor,
+            lockfile: Some(self.path.to_string_lossy().into_owned()),
+        })
+    }
+}
+
+impl IntoIterator for ParsedLockfile {
+    type IntoIter = ParsedLockfileIterator;
+    type Item = PackageDescriptorAndLockfile;
+
+    fn into_iter(self) -> Self::IntoIter {
+        ParsedLockfileIterator { path: self.path, packages: self.packages.into_iter() }
+    }
+}
+
 pub fn lockfile_types(add_auto: bool) -> Vec<&'static str> {
     let mut lockfile_types = LockfileFormat::iter().map(|format| format.name()).collect::<Vec<_>>();
 
@@ -31,10 +57,11 @@ pub fn lockfile_types(add_auto: bool) -> Vec<&'static str> {
 pub fn handle_parse(matches: &clap::ArgMatches) -> CommandResult {
     let lockfiles = config::lockfiles(matches, phylum_project::get_current_project().as_ref())?;
 
-    let mut pkgs: Vec<PackageDescriptor> = Vec::new();
+    let mut pkgs: Vec<PackageDescriptorAndLockfile> = Vec::new();
 
     for lockfile in lockfiles {
-        pkgs.extend(parse_lockfile(lockfile.path, Some(&lockfile.lockfile_type))?.packages);
+        let parsed_lockfile = parse_lockfile(lockfile.path, Some(&lockfile.lockfile_type))?;
+        pkgs.extend(parsed_lockfile.into_iter());
     }
 
     serde_json::to_writer_pretty(&mut io::stdout(), &pkgs)?;

cli/tests/end_to_end/extension.rs

@@ -152,7 +152,8 @@ pub async fn get_job_status() {
     let project = create_project().await;
     let analyze = format!(
         "
-        const pkg = {{ name: 'typescript', version: '4.7.4', type: 'npm' }};
+        const pkg = {{ name: 'typescript', version: '4.7.4', type: 'npm', lockfile: \
+         'package-lock.json' }};
         const jobId = await PhylumApi.analyze([pkg], {project:?});
         console.log(await PhylumApi.getJobStatus(jobId));"
     );

extensions/CHANGELOG.md

@@ -8,7 +8,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
 
+### Added
+
 - Added `getJobStatusRaw` and `checkPackagesRaw` APIs for detailed analysis results
+- Allow `lockfile` in packages passed to `PhylumApi.analyze()`
 
 ## 5.5.0 - 2023-07-18