Comments (4)
atl-mk
commented on June 14, 2024
1
For reference, this is what the package-lock.json file looks like
{
"name": "test",
"lockfileVersion": 3,
"requires": true,
"packages": {
"": {
"name": "test",
"dependencies": {
"example": "file:./packages/example"
}
},
"node_modules/example": {
"resolved": "packages/example",
"link": true
},
"packages/example": {
"version": "8.8.8",
"license": "Apache-2.0"
}
}
}
So clearly Syft has some level of resolving linked dependencies from the package-lock.json, I don't see any reason to report the dependency alias.
Here's a related use-case that I'm not personally worried about, but could be of interest to you: https://gist.github.com/nandorojo/1b969a0d88cf81ca8a2a334a5bd2ee4a
from syft.
spiffcs
commented on June 14, 2024
1
@anchore/tools I've added this one to Ready.
Based on our team sync we have agreed on removing node_modules/example from the final SBOM.
Here is the documentation for package-lock.json:
https://docs.npmjs.com/cli/v9/configuring-npm/package-lock-json#packages
There does not seem to be extra information in the "link" package so taking one over the other (not merging) should be the action here.
No relationships need to be updated for this ticket.
from syft.
spiffcs
commented on June 14, 2024
@atl-mk I definitely see your point that the "link" package in the package-lock.json is does not seem to be handled correctly here.
I'm unsure on which package do you think should be dropped here.
Is exclude working on the way you expect it ?
Do you think that we should be dropping the package that is under the path that was excluded?
Or
Do you think we should be dropping the link packages and not reporting on those as part of the SBOM?
How do you think these "link" packages should be reported as so that the SBOM doesn't lose this information and can express the resolved nature of what was declared in the package.json vs what was cataloged by syft?
from syft.
atl-mk
commented on June 14, 2024
@spiffcs Exclude has no effect here, because Syft is only creating the SBOM from the package-lock.json file. It doesn't matter if the exclude argument is used. I only included it in the reproduction steps to show that's not the issue.
The top and middle one should be merged, like so:
{
"bom-ref": "pkg:npm/example?package-id=4790f192e386e4d1",
"type": "library",
"name": "example",
"version": "8.8.8",
"licenses": [
{
"license": {
"id": "Apache-2.0"
}
}
],
"cpe": "cpe:2.3:a:packages\\/example:packages\\/example:8.8.8:*:*:*:*:*:*:*",
"purl": "pkg:npm/packages/[email protected]",
"properties": [
{
"name": "syft:package:foundBy",
"value": "javascript-lock-cataloger"
},
{
"name": "syft:package:language",
"value": "javascript"
},
{
"name": "syft:package:type",
"value": "npm"
},
{
"name": "syft:package:metadataType",
"value": "javascript-npm-package-lock-entry"
},
{
"name": "syft:location:0:path",
"value": "/package-lock.json"
}
]
},
The name should reflect what is declared normally (just example), and CPE+PackageURL should map to the local files on disk.
from syft.
Related Issues (20)
- syft attest command missing --key flag HOT 1
- Overwrite existing does not work for Targz (or any other Tar implementation of unarchiver)
- Invalid PURLs when cataloging instrumentation classes/jars HOT 3
- Add syft config command
- Using custom templates to parse output does not work anymore HOT 1
- Unable to extract licenses for some NPM packages HOT 4
- Fundamental Windows incompatibility when accessing the file system HOT 4
- timestamp in JSON Syft files HOT 2
- Conversion from CycloneDx-xml to CycloneDx-json metadata.component is missing HOT 3
- publish go-mod/vendor as release artifact HOT 2
- Identifying Go executables embedded inside other Go executables HOT 2
- Fails to detect python wheel license (MIT) HOT 4
- unable to index filesystem for amazonlinux images
- v0.104.0 interface conversion error when creating bom from singularity image HOT 1
- SPDX originator is not always populated
- Wrong CPE for dnsmasq HOT 2
- Enable dotnet-deps-cataloger by default for images and show relationship to dotnet-portable-executable-cataloger artifacts
- Go binary cataloging fails between v0.103.1 and v0.105.0 HOT 4
- Allow for stubbing unknown versions over dropping packages
- Syft TUI can hang when using license fetching from go modules
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from syft.