Add npm package.json support

[RTann]

Background

ACS's scanner supports scanning npm package.json files for vulnerabilities. ACS is looking to add this ability to ClairCore.

ClairCore now has the ability to obtain language-specific vulnerability data from OSV. OSV's database includes npm data, so ClairCore has a datasource for npm packages.

Proposal

ACS's package.json scanning support is pretty straightforward. Simply look for a regular file called package.json. ACS attempts to ensure this file is meant for NodeJS instead of some random file which happens to be called package.json by checking if node_modules or nodejs are in the file path, as well. Once we are sure this is a file in which we are interested, we can decode the file to look for the required fields.

This may look like the following:

type packageJSON struct {
	Name    `json:"name"`
	Version `json:"version"`
}

...

var pkg packageJSON
err := json.NewDecoder(reader).Decode(&pkg)
...

We may determine the related vulnerabilities by matching the package name, version, and repository ("https://www.npmjs.com/").

[hdonnay]

I haven't used node really at all, so this is the package metadata as "installed" on disk, right? As in, it's not a requirements range, but one specific version?

[RTann]

Correct, this is the exact installed version. Requirements range would be in the dependencies section. version is the version of the package in node-semver.

[RTann]

Created https://issues.redhat.com/browse/PROJQUAY-5099 to track this request.

[RTann]

I started a draft PR to see what the implementation may look like: #834