fix(nodejs): fix infinite loop when package link from package-lock.json file is broken

[DmitriyLewen]

Description

This PR fixes 2 cases:

1. When Packages[x].resolved is empty for link - we don't need to resolve this link.
2. Don't overwrite packages map when resolving links to avoid cases when we updated package is parsed.

Related issues

• Close bug(npm): runtime: out of memory #6854

Checklist

• I've read the guidelines for contributing to this repository.
• I've followed the conventions in the PR title.
• I've added tests that prove my fix is effective or that my feature works.
• I've updated the documentation with the relevant information (if needed).
• I've added usage information (if the PR introduces new options)
• I've included a "before" and "after" example to the description (if the PR is a user interface change).

[knqyf263]

Could you elaborate on that?

[DmitriyLewen]

We update packages map inside of packages loop.

trivy/pkg/dependency/parser/nodejs/npm/parse.go

Lines 232 to 235 in a2d1871

	packages[resolvedPath] = pkg
	// Delete the target package
	delete(packages, pkgPath)

this is bad practice.

When I tested broken link with empty resolved field - this loop would endlessly update packages, check them and we get out of memory error.

[knqyf263]

Can we change the comment to something like "Changing the map during the map iteration causes unexpected behavior" for clarity?

[DmitriyLewen]

Yeah, it make sense.
Updated in b8e52c4

[DmitriyLewen]

@aqua-bot backport release/v0.52

[aqua-bot]

Backport PR created: #6888