feat: throw NotSupportedEcosystem for NX Build Project (#265)

Author: snyk-tim

.gitignore

@@ -3,6 +3,7 @@
 dist
 node_modules
 package-lock.json
+!test/fixtures/**/package-lock.json
 
 # Diagnostic reports (https://nodejs.org/api/report.html)
 report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json

lib/errors/index.ts

@@ -4,3 +4,4 @@ export { FileNotFoundError } from './file-not-found-error';
 export { FileNotProcessableError } from './file-not-processable-error';
 export { InvalidManifestError } from './invalid-manifest-error';
 export { InvalidTargetFile } from './invalid-target-file';
+export { NotSupportedEcosystem } from './not-supported-ecosystem-error';

lib/errors/not-supported-ecosystem-error.ts

@@ -0,0 +1,9 @@
+export class NotSupportedEcosystem extends Error {
+  public code = 422;
+  public name = 'NotSupportedEcosystem';
+
+  public constructor(...args) {
+    super(...args);
+    Error.captureStackTrace(this, NotSupportedEcosystem);
+  }
+}

lib/nuget-parser/index.ts

@@ -13,6 +13,7 @@ import {
   CliCommandError,
   FileNotProcessableError,
   InvalidManifestError,
+  NotSupportedEcosystem,
 } from '../errors';
 import {
   AssemblyVersions,
@@ -539,6 +540,27 @@ export async function buildDepTreeFromFiles(
     projectRootFolder,
   );
 
+  if (manifestType === ManifestType.PROJECT_JSON) {
+    let json: any;
+    try {
+      json = JSON.parse(fileContent);
+    } catch (err) {
+      throw new FileNotProcessableError(`Failed to parse project.json: ${err}`);
+    }
+
+    const hasAnyRequiredProp = [
+      'dependencies',
+      'frameworks',
+      'runtimes',
+      'supports',
+    ].some((prop) => prop in json);
+    if (!hasAnyRequiredProp) {
+      throw new NotSupportedEcosystem(
+        'project.json file is not a valid project.json file',
+      );
+    }
+  }
+
   const tree = {
     dependencies: {},
     meta: {},

test/fixtures/npm-nx-build-platform/nx.json

@@ -0,0 +1,3 @@
+{
+  "$schema": "./node_modules/nx/schemas/nx-schema.json"
+}

test/fixtures/npm-nx-build-platform/package-lock.json

@@ -0,0 +1,14 @@
+{
+  "name": "with-vulnerable-lodash-dep",
+  "version": "1.2.3",
+  "description": "",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "keywords": [],
+  "license": "ISC",
+  "dependencies": {
+    "lodash": "4.17.15"
+  }
+}

test/fixtures/npm-nx-build-platform/package.json

@@ -0,0 +1,31 @@
+{
+  "name": "with-vulnerable-lodash-dep",
+  "$schema": "./node_modules/nx/schemas/project-schema.json",
+  "sourceRoot": "src",
+  "projectType": "application",
+  "targets": {
+    "build": {
+      "executor": "nx:run-commands",
+      "options": {
+        "command": "npm run build"
+      },
+      "inputs": ["default"],
+      "outputs": ["{projectRoot}/dist"]
+    },
+    "test": {
+      "executor": "nx:run-commands",
+      "options": {
+        "command": "npm test"
+      },
+      "inputs": ["default"]
+    },
+    "lint": {
+      "executor": "nx:run-commands",
+      "options": {
+        "command": "npm run lint"
+      },
+      "inputs": ["default"]
+    }
+  },
+  "tags": []
+}

test/fixtures/npm-nx-build-platform/project.json

@@ -6,6 +6,7 @@ import * as dotnet from '../lib/nuget-parser/cli/dotnet';
 import * as depGraphLib from '@snyk/dep-graph';
 import * as depGraphLegacyLib from '@snyk/dep-graph/dist/legacy';
 import { legacyPlugin as pluginApi } from '@snyk/cli-interface';
+import { NotSupportedEcosystem } from '../lib/errors';
 
 const INSPECT_OPTIONS = {
   useFixForImprovedDotnetFalsePositives: true,
@@ -67,6 +68,15 @@ describe('when calling plugin.inspect with various configs', () => {
     ).rejects.toThrow('Could not find a <packages> tag');
   });
 
+  it('fails gracefully on NX build platform project', async () => {
+    const filePath = './test/fixtures/npm-nx-build-platform/';
+    const manifestFile = 'project.json';
+
+    await expect(
+      async () => await plugin.inspect(filePath, manifestFile, INSPECT_OPTIONS),
+    ).rejects.toThrow(NotSupportedEcosystem);
+  });
+
   it('should parse dotnet-cli project with packages.config only', async () => {
     const packagesConfigOnlyPath =
       './test/fixtures/packages-config/config-only/';