CycloneDX / cdxgen

Creates CycloneDX Bill of Materials (BOM) for your projects from source and container images. Supports many languages and package managers. Integrate in your CI/CD pipeline with automatic submission to Dependency Track server. Slack: https://cyclonedx.slack.com/archives/C04NFFE1962
https://cyclonedx.github.io/cdxgen/
Apache License 2.0

Direct dependencies not recognized when yarn.lock #1085

Closed jc911 closed 3 weeks ago

jc911 commented 4 weeks ago

The direct dependencies are right when I use npm install (package-lock.json). There are many more direct dependencies in bom.json when I use yarn install (yarn.lock).

Maybe the same question as this issue Dependency Tree failing for yarn.lock files

prabhu commented 3 weeks ago

@jc911, could you triage a bit more and let me know the correct list of direct dependencies for yarn? Maybe there is some yarn command that we can try and mimic?

jc911 commented 3 weeks ago

Thanks for your response! For example: https://github.com/yarnpkg/website. The direct dependencies, I think, should be the devDependencies and dependencies in the package.json:

"devDependencies": {
    "algolia-sitemap": "^2.1.1",
    "babel-core": "^6.26.3",
    "babel-loader": "^7.1.4",
    "babel-plugin-transform-react-constant-elements": "^6.23.0",
    "babel-plugin-transform-react-inline-elements": "^6.22.0",
    "babel-preset-env": "1.7.0",
    "babel-preset-react": "^6.24.1",
    "babel-preset-stage-2": "^6.24.1",
    "happypack": "^4.0.1",
    "lint-staged": "9.0.0",
    "pre-commit": "^1.2.2",
    "prettier": "^1.13.4",
    "webpack": "^3.5.5",
    "webpack-bundle-analyzer": "^3.3.2",
    "webpack-manifest-plugin": "^1.3.1"
  },
"dependencies": {
    "@haroenv/react-sparklines": "^1.7.1",
    "algoliasearch": "^3.27.1",
    "bootstrap": "^4.0.0-alpha.5",
    "bytes": "^3.0.0",
    "date-fns": "^2.0.0-alpha.7",
    "docsearch.js": "^2.5.2",
    "jquery": "^3.4.0",
    "marked": "^0.4.0",
    "popper.js": "^1.14.3",
    "prop-types": "^15.6.1",
    "qs": "^6.5.2",
    "react": "^16.4.0",
    "react-dom": "^16.4.2",
    "react-instantsearch-dom": "^5.2.0-beta.2",
    "react-transition-group": "^1.2.1",
    "unescape-html": "^1.0.0",
    "unfetch": "^3.0.0",
    "xss": "^1.0.3"
  },

But in the bom.json there are a lot

{
      "ref": "pkg:npm/website@1.0.0",
      "dependsOn": [
        "pkg:npm/@haroenv/react-sparklines@1.7.1",
        "pkg:npm/@samverschueren/stream-to-observable@0.3.0",
        "pkg:npm/@types/events@3.0.0",
        "pkg:npm/@types/glob@7.1.1",
        "pkg:npm/@types/minimatch@3.0.3",
        "pkg:npm/@types/node@12.0.10",
        "pkg:npm/abbrev@1.1.1",
        "pkg:npm/accepts@1.3.7",
        "pkg:npm/acorn-dynamic-import@2.0.2",
        "pkg:npm/acorn-walk@6.1.1",
        "pkg:npm/acorn@4.0.13",
        "pkg:npm/acorn@5.6.2",
        "pkg:npm/acorn@6.1.1",
        "pkg:npm/agentkeepalive@2.2.0",
        "pkg:npm/ajv-keywords@3.2.0",
        "pkg:npm/ajv@6.5.1",
        "pkg:npm/algolia-sitemap@2.1.1",
        "pkg:npm/algoliasearch-helper@2.26.1",
        "pkg:npm/algoliasearch@3.27.1",
        "pkg:npm/align-text@0.1.4",
        "pkg:npm/ansi-escapes@3.2.0",
        "pkg:npm/ansi-regex@2.1.1",
        "pkg:npm/ansi-regex@3.0.0",
        "pkg:npm/ansi-styles@2.2.1",
        "pkg:npm/ansi-styles@3.2.1",
        "pkg:npm/any-observable@0.3.0",
        "pkg:npm/anymatch@2.0.0",
        "pkg:npm/aproba@1.2.0",
        "pkg:npm/are-we-there-yet@1.1.5",
        "pkg:npm/argparse@1.0.10",
        "pkg:npm/arr-diff@4.0.0",
        "pkg:npm/arr-flatten@1.1.0",
        "pkg:npm/arr-union@3.1.0",
        "pkg:npm/array-flatten@1.1.1",
        "pkg:npm/array-union@1.0.2",
        "pkg:npm/array-uniq@1.0.3",
        "pkg:npm/array-unique@0.3.2",
        "pkg:npm/asap@2.0.6",
        "pkg:npm/asn1.js@4.10.1",
        "pkg:npm/assert@1.4.1",
        "pkg:npm/assign-symbols@1.0.0",
        "pkg:npm/async-each@1.0.1",
        "pkg:npm/async-limiter@1.0.0",
        "pkg:npm/async@1.5.0",
        "pkg:npm/async@2.6.1",
        "pkg:npm/atob@2.1.1",
        "pkg:npm/autocomplete.js@0.29.0",
        "pkg:npm/babel-code-frame@6.26.0",
        "pkg:npm/babel-core@6.26.0",
        ......
        ......
        "pkg:npm/xtend@4.0.1",
        "pkg:npm/y18n@3.2.1",
        "pkg:npm/yallist@2.1.2",
        "pkg:npm/yallist@3.0.2",
        "pkg:npm/yargs-parser@7.0.0",
        "pkg:npm/yargs@3.10.0",
        "pkg:npm/yargs@8.0.2"
      ]
    },

prabhu commented 3 weeks ago

@jc911 Thank you. Below is the line that needs to be improved to match this behaviour. It is currently matching yarn list command. Would you be interested in contributing a PR?

https://github.com/CycloneDX/cdxgen/blob/e5d205426d36d419225baceab70a6ae3c34c938c/index.js#L2374

prabhu commented 3 weeks ago

I tested cdxgen with the output of yarn list --depth=0 and found the results to be matching. Closing this bug, since this is not an issue (although I agree that yarn is over-reporting the first level dependencies). You can always feel free to use --required-only and other filters to limit the components in the SBOM.
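The disagreement in this thread comes down to which set counts as "direct": what package.json declares, or what yarn list --depth=0 prints. The script below is an added example, not cdxgen's code and not part of this issue; it reads a package.json and a CycloneDX bom.json, takes the root component's dependsOn edges, and reports every edge that package.json does not declare in dependencies or devDependencies (the over-reporting described above), plus any declared dependency the BOM omits. The package.json and bom.json objects are constructed samples loosely modelled on the excerpts in the thread; the purl parsing assumes the pkg:npm/<name>@<version> form shown in the bom.json above, with an optional percent-encoded scope.

```javascript
// Added example (not cdxgen's own code): compare a CycloneDX BOM's root
// "direct dependency" edges against what package.json actually declares.

// Constructed sample package.json (subset of the one quoted in the issue).
const SAMPLE_PACKAGE_JSON = {
  name: "website",
  version: "1.0.0",
  dependencies: {
    "@haroenv/react-sparklines": "^1.7.1",
    "algoliasearch": "^3.27.1",
    "react": "^16.4.0",
  },
  devDependencies: {
    "algolia-sitemap": "^2.1.1",
    "webpack": "^3.5.5",
  },
};

// Constructed sample bom.json: the root component lists two transitive
// packages (acorn, ansi-regex) as if they were direct, mirroring the report.
const SAMPLE_BOM = {
  bomFormat: "CycloneDX",
  specVersion: "1.5",
  metadata: {
    component: { "bom-ref": "pkg:npm/website@1.0.0", name: "website", version: "1.0.0" },
  },
  dependencies: [
    {
      ref: "pkg:npm/website@1.0.0",
      dependsOn: [
        "pkg:npm/%40haroenv/react-sparklines@1.7.1",
        "pkg:npm/algoliasearch@3.27.1",
        "pkg:npm/react@16.4.0",
        "pkg:npm/algolia-sitemap@2.1.1",
        "pkg:npm/webpack@3.5.5",
        "pkg:npm/acorn@5.6.2",      // transitive, should not be a direct edge
        "pkg:npm/ansi-regex@3.0.0", // transitive, should not be a direct edge
      ],
    },
  ],
};

// Extract the npm package name from a pkg:npm purl: strip qualifiers and
// subpath, decode a percent-encoded scope, drop the trailing @version.
function purlToNpmName(purl) {
  if (!purl.startsWith("pkg:npm/")) return null;
  let rest = purl.slice("pkg:npm/".length).split("?")[0].split("#")[0];
  rest = decodeURIComponent(rest);
  // The version follows the last "@"; a leading "@" belongs to the scope.
  const at = rest.lastIndexOf("@");
  return at > 0 ? rest.slice(0, at) : rest;
}

// package.json's own notion of direct dependencies: dependencies + devDependencies.
function declaredDirectDeps(pkg) {
  return new Set([
    ...Object.keys(pkg.dependencies || {}),
    ...Object.keys(pkg.devDependencies || {}),
  ]);
}

// The BOM's notion: dependsOn of the entry whose ref is the metadata component.
function rootDependsOn(bom) {
  const rootRef = bom.metadata && bom.metadata.component
    ? bom.metadata.component["bom-ref"]
    : undefined;
  const entry = (bom.dependencies || []).find((d) => d.ref === rootRef);
  return entry ? entry.dependsOn || [] : [];
}

// Returns { overReported, missing }: purls the BOM calls direct but package.json
// does not declare, and declared names the BOM's root edges never mention.
function compareDirectDeps(pkg, bom) {
  const declared = declaredDirectDeps(pkg);
  const seen = new Set();
  const overReported = [];
  for (const purl of rootDependsOn(bom)) {
    const name = purlToNpmName(purl);
    if (name === null) continue; // not an npm purl, ignore
    if (declared.has(name)) seen.add(name);
    else overReported.push(purl);
  }
  const missing = [...declared].filter((n) => !seen.has(n)).sort();
  return { overReported: overReported.sort(), missing };
}

// Usage: on real files, replace the samples with JSON.parse(fs.readFileSync(...)).
const report = compareDirectDeps(SAMPLE_PACKAGE_JSON, SAMPLE_BOM);
console.log(JSON.stringify(report, null, 2));
```

A non-empty overReported list is the symptom described in this issue; a non-empty missing list would mean the BOM dropped a declared dependency, which is the more dangerous direction for anyone consuming the SBOM for vulnerability matching. Running a check like this in CI against the generated bom.json gives a concrete, reviewable diff instead of an eyeballed dependsOn array.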