Question

I've encountered a problem with Trivy's Node.js package.json parser regarding package names that include a slash /, such as rxjs/ajax or rxjs/operators.

Example

// rxjs/ajax/package.json
{
  "name": "rxjs/ajax",
  "typings": "./index.d.ts",
  "main": "./index.js"
}

Currently, Trivy fails to parse these packages with the following error: Name can only contain URL-friendly characters

Cause

Looking at the code in parse.go, the regex used in IsValidName is:

var nameRegexp = regexp.MustCompile(`^(@[A-Za-z0-9-._]+/)?[A-Za-z0-9-._]+$`)

This only allows for a single optional scope and then the package name, but prohibits package names containing a slash.
This seems to be intended since in parse_test.go the function TestIsValidName features several tests regarding this case.

While NPM's official documentation prohibits "non-URL-safe characters" in published packages (see RFC 3986, Section 2.3), such names do exist in real-world Node.js projects, particularly in RxJS v6 (maybe even v7) distribution within node_modules/.

Steps to reproduce

• Scan a Node.js project containing rxjs/ajax/package.json such that it features "name": "rxjs/ajax"
• Observe that Trivy raises a Name can only contain URL-friendly characters error

Expected Behavior

Trivy should gracefully handle package names with slashes when parsing package.json files, even if they don't conform to NPM registry standards. These are valid distribution artifacts found in real-world legacy projects.

References

• npm package.json name documentation
• RxJS v6 ajax package.json
• RxJS v6 operators package.json

Target

Filesystem

Scanner

Vulnerability

Output Format

JSON

Mode

Standalone

Operating System

Windows Server

Version

Should be either 0.70 or 0.69