Support returning the full dependency tree for packages #5

Open
aron opened this issue Sep 22, 2021 · 0 comments

aron commented Sep 22, 2021

The problem

Build a dependencies web service to provide a full list of all transitive dependencies for a given package, the same way npm builds a dependency tree when a user does npm install.

Background

Developers working with NodeJS use packages in their code. A package is a functional NodeJS module that includes versioning, documentation, dependencies (in the form of other packages), and more. NodeJS has a managed packages environment called npm, which regularly gets updated with new packages and new versions of existing packages.

Snyk scans NodeJS packages to identify and assist developers in remediating vulnerabilities prior to merging their code back with its project.

In order for Snyk to identify these vulnerabilities in certain packages, this is what happens:

  1. The user provides the name of the package for analysis.
  2. We fetch the overall set of dependencies from the relevant package manager, for the given package.
  3. We compare the set of dependencies that we retrieve with our database of vulnerable packages in order to identify whether any of the dependencies are vulnerable.
  4. For any package that we identify as vulnerable, we then list all available remediation paths (upgrades and/or patches for vulnerable packages) for the user.
  5. The user chooses their preferred remediation actions from the list, and we apply them by creating a PR for the relevant repository.

Details

The web-server should return the full package dependency tree based on a given package name and version (user input), which we could then later use for stage 3 above.

Considerations

  • There are currently over 3M packages on npmjs.com, and the number is growing all the time.
  • The packages update from time to time, just as their dependencies do.
  • There are many different packages, with different edge cases. Some packages to look out for are:
    • express
    • npm
    • trucolor
    • @snyk/snyk-docker-plugin
  • A user may provide invalid input (e.g. a non-existing package), causing the web-server to crash if there is no error handling in place.
  • Vulnerabilities may exist in older versions of some package but be fixed in newer versions.

Design and Implementation Details

  1. Extend the working web-server that, given an HTTP request containing the name of a published npm package and version, returns the entire set of dependencies for the package.
  2. Present the dependencies in a tree view (e.g. JSON).
  3. Account for asynchronous fetching of dependencies as you see fit.
  4. Consider caching relevant data so that repeated requests resolve with minimum latency.
  5. Code should be reasonably easy to read and understand.
  6. Ensure there are tests of any kind (integration, unit etc.) that cover core functionality and ensure requirements are implemented correctly.
  7. Consider how to handle errors.
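An added example, not code from the issue or from the Snyk project, of the resolver the design section asks for: an in-memory stand-in for the registry, a promise cache so repeated or concurrent lookups fetch each package once, cycle detection so the recursion terminates, and typed errors for bad input so the HTTP handler can answer 404/400 instead of crashing. The registry contents, the package names and the exact-or-caret range matcher are assumptions made for the example.

```javascript
// Constructed in-memory stand-in for npm registry packuments (name -> versions -> manifest).
// Package names and versions here are made up for the example; "cyc" introduces a cycle.
const REGISTRY = {
  app: { versions: { '1.0.0': { dependencies: { web: '^2.0.0', log: '^1.0.0' } } } },
  web: { versions: { '2.0.0': { dependencies: { log: '^1.0.0' } },
                     '2.1.0': { dependencies: { log: '^1.2.0', cyc: '^1.0.0' } } } },
  log: { versions: { '1.0.0': { dependencies: {} }, '1.2.0': { dependencies: {} } } },
  cyc: { versions: { '1.0.0': { dependencies: { web: '^2.0.0' } } } },
};

// Typed errors let the HTTP layer map bad input to 404 / 400 instead of crashing.
class PackageNotFoundError extends Error {}
class NoMatchingVersionError extends Error {}

// Simulated async registry lookup (an HTTP GET to the registry in the real service).
async function fetchPackument(name) {
  const doc = REGISTRY[name];
  if (!doc) throw new PackageNotFoundError(`package not found: ${name}`);
  return doc;
}

// Minimal range matcher: exact "x.y.z" or caret "^x.y.z" (same major, not older).
// A real service would use the semver package; this keeps the example dependency-free.
function pickVersion(name, range, available) {
  const caret = range.startsWith('^');
  const want = (caret ? range.slice(1) : range).split('.').map(Number);
  const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];
  const ok = available.map(v => v.split('.').map(Number))
    .filter(v => caret ? v[0] === want[0] && cmp(v, want) >= 0 : cmp(v, want) === 0)
    .sort(cmp);
  if (ok.length === 0) throw new NoMatchingVersionError(`${name}: no version matches ${range}`);
  return ok[ok.length - 1].join('.');
}

// Resolve the full transitive tree. `cache` stores the in-flight promise per package so
// concurrent and repeated lookups fetch once; `path` holds name@version of the ancestors
// so a cycle is reported as { circular: true } and the recursion terminates.
async function resolveTree(name, range, fetch = fetchPackument, cache = new Map(), path = new Set()) {
  if (!cache.has(name)) cache.set(name, fetch(name));
  const packument = await cache.get(name);
  const version = pickVersion(name, range, Object.keys(packument.versions));
  const key = `${name}@${version}`;
  if (path.has(key)) return { name, version, circular: true };
  const deps = packument.versions[version].dependencies || {};
  const next = new Set(path).add(key);   // copy: siblings must not see each other as ancestors
  const children = await Promise.all(
    Object.entries(deps).map(([dep, r]) => resolveTree(dep, r, fetch, cache, next)));
  return { name, version, dependencies: children };
}
```

A rejected lookup stays in the cache as a rejected promise; a production cache would evict failures and expire entries, since packages publish new versions over time.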

@snyk snyk locked and limited conversation to collaborators Sep 22, 2021