fix(pnpm): workaround for yaml.v3 question-mark in inline object

murphysecurity · Apr 11, 2024 · cc94465 · cc94465
1 parent fe4091c
commit cc94465
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 5 deletions.
diff --git a/module/pnpm/shared/yaml.go b/module/pnpm/shared/yaml.go
@@ -0,0 +1,10 @@
+package shared
+
+import (
+	"bytes"
+	"gopkg.in/yaml.v3"
+)
+
+func ParseYaml(data []byte, target any) error {
+	return yaml.Unmarshal(bytes.ReplaceAll(data, []byte{'?'}, []byte("(QuestionMark)")), target)
+}
diff --git a/module/pnpm/v5/v5.go b/module/pnpm/v5/v5.go
@@ -1,10 +1,8 @@
 package v5
 
 import (
-	"bytes"
 	"github.com/murphysecurity/murphysec/model"
 	"github.com/murphysecurity/murphysec/module/pnpm/shared"
-	"gopkg.in/yaml.v3"
 	"strings"
 )
 
@@ -151,7 +149,7 @@ func (c *circleDetector) With(name, version string) *circleDetector {
 func ParseLockfile(data []byte) (*Lockfile, error) {
 	var lockfile Lockfile
 	// workaround for unquoted question-mark in inline object
-	if e := yaml.Unmarshal(bytes.ReplaceAll(data, []byte{'?'}, []byte("(QuestionMark)")), &lockfile); e != nil {
+	if e := shared.ParseYaml(data, &lockfile); e != nil {
 		return nil, e
 	}
 	lockfile.buildIndexes()

diff --git a/module/pnpm/version_indicator.go b/module/pnpm/version_indicator.go
@@ -2,7 +2,7 @@ package pnpm
 
 import (
 	"fmt"
-	"gopkg.in/yaml.v3"
+	"github.com/murphysecurity/murphysec/module/pnpm/shared"
 	"regexp"
 )
 
@@ -12,7 +12,7 @@ type lockfileVersionIndicator struct {
 
 func parseLockfileVersion(data []byte) (string, error) {
 	var indicator lockfileVersionIndicator
-	if e := yaml.Unmarshal(data, &indicator); e != nil {
+	if e := shared.ParseYaml(data, &indicator); e != nil {
 		return "", fmt.Errorf("parseLockfileVersion: %w", e)
 	}
 	return indicator.LockfileVersion, nil