@jc911, could you triage this a bit more and let me know what the correct list of direct dependencies for a yarn project should be? Maybe there is a yarn command whose output we can mimic (e.g. something equivalent to `yarn list --depth=0`)?
Thanks for your response!
For example:
https://github.com/yarnpkg/website
I think the direct dependencies should be exactly the entries listed under `devDependencies` and `dependencies` in package.json, i.e. the packages the project declares itself, not the packages those packages pull in:
"devDependencies": {
"algolia-sitemap": "^2.1.1",
"babel-core": "^6.26.3",
"babel-loader": "^7.1.4",
"babel-plugin-transform-react-constant-elements": "^6.23.0",
"babel-plugin-transform-react-inline-elements": "^6.22.0",
"babel-preset-env": "1.7.0",
"babel-preset-react": "^6.24.1",
"babel-preset-stage-2": "^6.24.1",
"happypack": "^4.0.1",
"lint-staged": "9.0.0",
"pre-commit": "^1.2.2",
"prettier": "^1.13.4",
"webpack": "^3.5.5",
"webpack-bundle-analyzer": "^3.3.2",
"webpack-manifest-plugin": "^1.3.1"
},
"dependencies": {
"@haroenv/react-sparklines": "^1.7.1",
"algoliasearch": "^3.27.1",
"bootstrap": "^4.0.0-alpha.5",
"bytes": "^3.0.0",
"date-fns": "^2.0.0-alpha.7",
"docsearch.js": "^2.5.2",
"jquery": "^3.4.0",
"marked": "^0.4.0",
"popper.js": "^1.14.3",
"prop-types": "^15.6.1",
"qs": "^6.5.2",
"react": "^16.4.0",
"react-dom": "^16.4.2",
"react-instantsearch-dom": "^5.2.0-beta.2",
"react-transition-group": "^1.2.1",
"unescape-html": "^1.0.0",
"unfetch": "^3.0.0",
"xss": "^1.0.3"
},
But in the generated bom.json, the `dependsOn` list of the root component (`pkg:npm/website@1.0.0`) contains far more entries than the 32 declared above — transitive packages such as `abbrev`, `accepts` and `acorn` are reported as if they were direct dependencies of the project:
{
"ref": "pkg:npm/website@1.0.0",
"dependsOn": [
"pkg:npm/@haroenv/react-sparklines@1.7.1",
"pkg:npm/@samverschueren/stream-to-observable@0.3.0",
"pkg:npm/@types/events@3.0.0",
"pkg:npm/@types/glob@7.1.1",
"pkg:npm/@types/minimatch@3.0.3",
"pkg:npm/@types/node@12.0.10",
"pkg:npm/abbrev@1.1.1",
"pkg:npm/accepts@1.3.7",
"pkg:npm/acorn-dynamic-import@2.0.2",
"pkg:npm/acorn-walk@6.1.1",
"pkg:npm/acorn@4.0.13",
"pkg:npm/acorn@5.6.2",
"pkg:npm/acorn@6.1.1",
"pkg:npm/agentkeepalive@2.2.0",
"pkg:npm/ajv-keywords@3.2.0",
"pkg:npm/ajv@6.5.1",
"pkg:npm/algolia-sitemap@2.1.1",
"pkg:npm/algoliasearch-helper@2.26.1",
"pkg:npm/algoliasearch@3.27.1",
"pkg:npm/align-text@0.1.4",
"pkg:npm/ansi-escapes@3.2.0",
"pkg:npm/ansi-regex@2.1.1",
"pkg:npm/ansi-regex@3.0.0",
"pkg:npm/ansi-styles@2.2.1",
"pkg:npm/ansi-styles@3.2.1",
"pkg:npm/any-observable@0.3.0",
"pkg:npm/anymatch@2.0.0",
"pkg:npm/aproba@1.2.0",
"pkg:npm/are-we-there-yet@1.1.5",
"pkg:npm/argparse@1.0.10",
"pkg:npm/arr-diff@4.0.0",
"pkg:npm/arr-flatten@1.1.0",
"pkg:npm/arr-union@3.1.0",
"pkg:npm/array-flatten@1.1.1",
"pkg:npm/array-union@1.0.2",
"pkg:npm/array-uniq@1.0.3",
"pkg:npm/array-unique@0.3.2",
"pkg:npm/asap@2.0.6",
"pkg:npm/asn1.js@4.10.1",
"pkg:npm/assert@1.4.1",
"pkg:npm/assign-symbols@1.0.0",
"pkg:npm/async-each@1.0.1",
"pkg:npm/async-limiter@1.0.0",
"pkg:npm/async@1.5.0",
"pkg:npm/async@2.6.1",
"pkg:npm/atob@2.1.1",
"pkg:npm/autocomplete.js@0.29.0",
"pkg:npm/babel-code-frame@6.26.0",
"pkg:npm/babel-core@6.26.0",
......
......
"pkg:npm/xtend@4.0.1",
"pkg:npm/y18n@3.2.1",
"pkg:npm/yallist@2.1.2",
"pkg:npm/yallist@3.0.2",
"pkg:npm/yargs-parser@7.0.0",
"pkg:npm/yargs@3.10.0",
"pkg:npm/yargs@8.0.2"
]
},
@jc911 Thank you. Below is the line that needs to be improved to match this behaviour. It currently parses the output of the `yarn list` command, which (without `--depth=0`) flattens transitive packages into the same listing. Would you be interested in contributing a PR?
https://github.com/CycloneDX/cdxgen/blob/e5d205426d36d419225baceab70a6ae3c34c938c/index.js#L2374
I tested cdxgen against the output of `yarn list --depth=0` and found the results to match, so cdxgen is reproducing what yarn itself reports. Closing this bug, since it is not a cdxgen defect (although I agree that yarn over-reports the first-level dependencies in this mode). Note that this only affects the `dependencies` graph in the SBOM, not the component inventory: every package is still listed, but consumers that rely on the graph to tell direct from transitive dependencies (for example when prioritising vulnerability findings) will see an inflated set of direct edges. You can always use `--required-only` and the other filters to limit the components included in the SBOM.
The direct dependencies are right when I use `npm install` (package-lock.json). There are many more direct dependencies in bom.json when I use `yarn install` (yarn.lock). This may be the same question as the issue "Dependency Tree failing for yarn.lock files".