CycloneDX / cdxgen

Creates CycloneDX Bill of Materials (BOM) for your projects from source and container images. Supports many languages and package managers. Integrate in your CI/CD pipeline with automatic submission to Dependency Track server. GPT: https://chatgpt.com/g/g-673bfeb4037481919be8a2cd1bf868d2-cdxgen
https://cyclonedx.github.io/cdxgen/
Apache License 2.0

[npm] Support for install strategy #486

Open prabhu opened 1 year ago

prabhu commented 1 year ago

While testing with juice-shop, I noticed a few packages were duplicated inside the node_modules directory structure with a different version. We need to verify the version of such non-hoisted packages and set a property to indicate that multiple versions of such packages might be reported.

https://docs.npmjs.com/cli/v9/commands/npm-install?v=true#install-strategy

evinse currently duplicates the result since it cannot determine the exact purl that might get loaded at runtime.

prabhu commented 1 year ago

@noqcks, any thoughts on whether our new implementation with arborist already supports hoisted and duplicate packages?

noqcks commented 1 year ago

Can you link me to juice-shop?

prabhu commented 1 year ago

https://github.com/juice-shop/juice-shop

They disable lock file generation - https://github.com/juice-shop/juice-shop/blob/master/.npmrc#L1

noqcks commented 1 year ago

The way we have arborist set up now, no, I don't believe it supports it. We're using arborist's loadVirtual function to generate deps, which only looks at a lock file. In order to look at the node_modules folder, we can use the loadActual function.

I think ideally what happens is we check for the existence of a node_modules folder with loadActual and then fall back to loadVirtual when one doesn't exist.

Docs from loadVirtual: note that loading this way should only be done if there's no node_modules folder.

https://www.npmjs.com/package/@npmcli/arborist

prabhu commented 1 year ago

Thank you! It will be nice to look at node_modules first and fall back to lock files. We then set the metadata.lifecycles to build (node_modules / lock files) and pre-build (just package.json) accordingly. wdyt?

https://cyclonedx.org/docs/1.5/json/#metadata_lifecycles_items_oneOf_i0_phase

noqcks commented 1 year ago

I had no idea this setting even existed! CycloneDX always surprises me in good ways with how well designed it is.

I'm not clear on why node_modules would be post-build and lock files build though, since they're usually generated at the same time? Feels like they should both be one or the other.

prabhu commented 1 year ago

@noqcks, you're correct. Both belong to build. The core cdx group meets weekly and discusses a range of things. Then, there are industry working groups and specialist groups such as ML-BoM, OBoM, etc.