CycloneDX / cdxgen

Creates CycloneDX Bill of Materials (BOM) for your projects from source and container images. Supports many languages and package managers. Integrate in your CI/CD pipeline with automatic submission to Dependency Track server. Slack: https://cyclonedx.slack.com/archives/C04NFFE1962
https://cyclonedx.github.io/cdxgen/
Apache License 2.0

JavaScript analyzer does not output evidence if a transitive of direct is called #674

Closed avgkoster closed 8 months ago

avgkoster commented 8 months ago

ver 9.9

1) Do I understand correctly that now the --required-only function defines packages as required only because these packages are used directly and are in evidence occurrences?

2) We found that the import of direct dependencies is incorrect if submodules were also declared in the code.

For example: In the package.json "dependencies": { "@angular-architects/module-federation": "^12.5.3"

The code declares a transitive dependency on this:

const qf = require("@angular-architects/module-federation/webpack");

At the same time, this dependency does not end up in the SBOM as required. I think this is incorrect behavior.

prabhu commented 8 months ago

@avgkoster, could you share a full example with code to replicate this?

avgkoster commented 8 months ago

First example (webpack.js, not webpack.config.js, named specifically to bypass the filter regexp):

const ModuleFederationPlugin = require("webpack/lib/container/ModuleFederationPlugin");
const qf = require("@angular-architects/module-federation/webpack");

const share = qf.share; // share() comes from the module-federation/webpack helper required above
const ShellPlugin = require('webpack-shell-plugin-next');

module.exports = {
  output: {
    uniqueName: "123",
    publicPath: "auto"
  },
  optimization: {
    runtimeChunk: false
  },
  plugins: [
    new ModuleFederationPlugin({
      name: "v_pvx",
      filename: "remoteEntry.js",
      exposes: {
        './Module': './dats/dats.module.ts',
      },
      shared: share({
        "@angular/core": { singleton: true, strictVersion: true, requiredVersion: 'auto' },
        "@angular/common": { singleton: true, strictVersion: true, requiredVersion: 'auto' },
        "@angular/common/http": { singleton: true, strictVersion: true, requiredVersion: 'auto' },
        "@angular/forms": { singleton: true, strictVersion: true, requiredVersion: 'auto' },
        "@angular/platform-browser": { singleton: true, strictVersion: true, requiredVersion: 'auto' },
        "@angular/router": { singleton: true, strictVersion: true, requiredVersion: 'auto' },
      })
    }),
    new ShellPlugin({
      onBuildExit: {
        scripts: ["node ./tls/fax-as-path.js"],
        blocking: true,
      }
    })
  ],
};

Second example (elements imported with import {} also do not end up in the SBOM):

"dependencies": { "@angular/cdk": "^16.2.4",

import { ScrollingModule } from '@angular/cdk/scrolling';
import { CommonModule } from '@angular/common';
import { NgModule } from '@angular/core';

@NgModule({
  imports: [
    CommonModule,
    ScrollingModule,
  ],
  declarations: [
    CommonModule,
  ],
  exports: [
    CommonModule,
  ],
})
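
The two examples above and the original report come down to one mapping: a specifier such as "@angular-architects/module-federation/webpack" or "@angular/cdk/scrolling" must be attributed to the package name that appears in package.json ("@angular-architects/module-federation", "@angular/cdk") before the analyzer can mark that direct dependency as required and record the import as evidence. The block below is an added, stand-alone illustration of that resolution step written for this issue; it is not cdxgen's own analyzer code. The function names, the regular expression, the trimmed webpack.js and module.ts snippets and the package.json contents (including the constructed versions for @angular/common, @angular/core and webpack) are all assumptions made for the example.

```javascript
// Added example, not cdxgen's own code: attribute require()/import specifiers
// (including subpath imports) to the package declared in package.json.

// Constructed package.json for the example. The module-federation and cdk
// versions are the ones quoted in the issue; the rest are made up.
const PACKAGE_JSON = {
  dependencies: {
    "@angular-architects/module-federation": "^12.5.3",
    "@angular/cdk": "^16.2.4",
    "@angular/common": "^16.2.0",
    "@angular/core": "^16.2.0",
  },
  devDependencies: { webpack: "^5.88.0" },
};

// Constructed sources, trimmed from the two snippets in the issue.
const WEBPACK_JS = `
const ModuleFederationPlugin = require("webpack/lib/container/ModuleFederationPlugin");
const qf = require("@angular-architects/module-federation/webpack");
const ShellPlugin = require('webpack-shell-plugin-next');
`;

const MODULE_TS = `
import { ScrollingModule } from '@angular/cdk/scrolling';
import { CommonModule } from '@angular/common';
import { NgModule } from '@angular/core';
import './polyfills';
`;

// Matches require("x"), import ... from 'x' and bare import 'x'. A real
// analyzer would walk the AST; a regexp is enough to show the mapping.
const SPECIFIER_RE = /(?:\brequire\(\s*|\bfrom\s+|\bimport\s+)(["'])([^"']+)\1/g;

function extractSpecifiers(source) {
  return [...source.matchAll(SPECIFIER_RE)].map((m) => m[2]);
}

// Reduce a specifier to the package name used in package.json:
//   "@scope/name/sub/path" -> "@scope/name"
//   "name/sub/path"        -> "name"
//   "./relative", "/abs", "node:fs" -> null (not a third-party package)
function packageNameFromSpecifier(spec) {
  if (spec.startsWith(".") || spec.startsWith("/") || spec.startsWith("node:")) {
    return null;
  }
  const parts = spec.split("/");
  if (spec.startsWith("@")) {
    return parts.length >= 2 ? `${parts[0]}/${parts[1]}` : null;
  }
  return parts[0];
}

// Classify every specifier in a source file against the declared dependencies.
// "required" maps a declared package to the specifiers that are its evidence;
// "undeclared" lists packages imported without any package.json entry, which
// is worth flagging because they would be missing from the BOM entirely.
function analyzeSource(source, pkgJson) {
  const declared = new Set([
    ...Object.keys(pkgJson.dependencies || {}),
    ...Object.keys(pkgJson.devDependencies || {}),
  ]);
  const required = new Map();
  const undeclared = new Set();
  for (const spec of extractSpecifiers(source)) {
    const name = packageNameFromSpecifier(spec);
    if (!name) continue;
    if (declared.has(name)) {
      if (!required.has(name)) required.set(name, []);
      required.get(name).push(spec);
    } else {
      undeclared.add(name);
    }
  }
  return {
    required: Object.fromEntries(required),
    undeclared: [...undeclared].sort(),
  };
}

console.log(JSON.stringify(analyzeSource(WEBPACK_JS, PACKAGE_JSON), null, 2));
console.log(JSON.stringify(analyzeSource(MODULE_TS, PACKAGE_JSON), null, 2));
```

With this mapping, the webpack.js snippet marks "@angular-architects/module-federation" as required with "@angular-architects/module-federation/webpack" as its evidence, the module.ts snippet does the same for "@angular/cdk" via "@angular/cdk/scrolling", and "webpack-shell-plugin-next" is reported as imported but undeclared.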

prabhu commented 8 months ago

@avgkoster, we have an ignore list, so perhaps these are getting filtered out?

https://github.com/CycloneDX/cdxgen/blob/master/analyzer.js#L34

Can you set the environment variables

ASTGEN_IGNORE_DIRS=""
ASTGEN_IGNORE_FILE_PATTERN=""

and see if it makes any difference?

avgkoster commented 8 months ago

I also thought at first that it was the filters. I checked with this case, and I also tried to include these imports in files where cdxgen fixed the correct imports, too; the effect is negative.

prabhu commented 8 months ago

@avgkoster, could you kindly investigate a bit more and see what is going on? We are short of people.

avgkoster commented 8 months ago

Well, let's try : )

prabhu commented 8 months ago

Also, try running evinse, which would take this initial list and create more comprehensive evidence.

https://cyclonedx.github.io/cdxgen/#/ADVANCED?id=evinse-mode-saasbom

avgkoster commented 8 months ago

Added a PR for this problem: https://github.com/CycloneDX/cdxgen/pull/681. Please take a look, @prabhu.