Empty component in bom file

[jkobti]

I have a problem creating a bom file for a Vue.js project.

The bom file includes an empty component like this:

<component type="library">
            <name>
            </name>
            <version>
            </version>
            <description>
                <![CDATA[]]>
            </description>
            <licenses>
                <license>
                </license>
            </licenses>
            <purl>pkg:npm/@</purl>
            <modified>false</modified>
</component>

otherwise the bom file can be imported to dependency track only after deleting the empty component.

Any idea how to debug this!

[stevespringett]

In npm's infinite wisdom, they allow anonymous packages to be created if those packages are not distributed on npm. It's a terrible idea and introduces a lot of risk, but there's a possibility that a Vue.js project you're scanning likely has anonymous packages.

I'd recommend using a combination of policy and governance to prevent anonymous packages in your organization. npm command line tools may have something to identify them, not sure. If not, then perhaps just grepping package.json or package-lock.json for empty names and versions will likely tell you the offending packages.

[sanjogpandasp]

I get the same issue on a project JuicyShop which is a vulnerable node project. Here is the package.json file which it had :

{ "name": "juice-shop", "version": "4.2.1", "description": "A Javascript Web Application", "homepage": "https://www.owasp.org/index.php/OWASP_Juice_Shop_Project", "author": "Björn Kimminich <bjoern.kimminich@owasp.org> (https://www.owasp.org/index.php/User:Bjoern_Kimminich)", "contributors": [ "Björn Kimminich", "Aaron Edwards", "Alec Brooks", "Dinis Cruz", "Timo Pagel", "Gorka Vicente", "Alvaro Viebrantz", "Johanna A", "Stephen OBrien", "Joe Butler", "Abhishek bundela", "ninoseki", "Jannik Hollenbach", "Viktor Lindström", "Achim Grimm" ], "private": true, "keywords": [ "web security", "web application security", "webappsec", "owasp", "pentest", "pentesting", "security", "vulnerable", "vulnerability", "broken", "bodgeit" ], "dependencies": { "body-parser": "~1.17", "bower": "~1.8", "colors": "~1.1", "config": "~1.26", "cookie-parser": "~1.4", "cors": "~2.8", "dottie": "~2.0", "errorhandler": "~1.5", "express": "~4.15", "express-jwt": "~5.3", "fs-extra": "^3.0.0", "glob": "~5.0", "grunt": "~1.0", "grunt-angular-templates": "~1.1", "grunt-cli": "~1.2", "grunt-contrib-clean": "~1.1", "grunt-contrib-compress": "~1.4", "grunt-contrib-concat": "~1.0", "grunt-contrib-uglify": "~3.0", "grunt-text-replace": "~0.4", "hashids": "~1.1", "helmet": "~3.6", "html-entities": "~1.2", "js-yaml": "~3.8.2", "jsonwebtoken": "~7.4", "jssha": "~2.3", "morgan": "~1.8", "multer": "~1.3", "pdfkit": "~0.8", "replace": "~0.3", "request": "~2.81.0", "sanitize-html": "1.4.2", "sequelize": "~1.7", "sequelize-restful": "~0.4", "serve-favicon": "~2.4", "serve-index": "~1.9", "socket.io": "~2.0", "sqlite3": "3.1", "z85": "~0.0" }, "devDependencies": { "chai": "~4", "codeclimate-test-reporter": "~0.5", "cross-spawn": "~5.1", "form-data": "~1.0", "frisby": "~0.8", "http-server": "~0.10", "istanbul": "~0.4", "jasmine-node": "~1.14", "jasmine-reporters": "~2.2", "karma": "~1.7", "karma-chrome-launcher": "~2.1", "karma-cli": "~1.0", "karma-coverage": "~1.1", "karma-firefox-launcher": "~1.0", "karma-jasmine": "~1.1", "karma-junit-reporter": "~1.2", "karma-phantomjs-launcher": "~1.0", "karma-safari-launcher": "~1.0", "lcov-result-merger": "~1.2", "mocha": "~3", "nyc": "~11", "phantomjs-prebuilt": "~2.1", "protractor": "~4", "shelljs": "~0.7", "sinon": "~2.3", "sinon-chai": "~2.11", "socket.io-client": "~2.0", "standard": "~10", "stryker": "~0", "stryker-api": "~0", "stryker-html-reporter": "~0", "stryker-jasmine": "~0", "stryker-karma-runner": "~0", "stryker-mocha-runner": "~0" }, "peerDependencies": { "phantomjs-prebuilt": "~2.1" }, "repository": { "type": "git", "url": "git@source.golabs.io:bootcamp/juice-shop.git" }, "bugs": { "url": "https://github.com/bkimminich/juice-shop/issues" }, "license": "MIT", "scripts": { "postinstall": "bower install && grunt minify && grunt docker", "start": "node app", "test": "standard && karma start karma.conf.js && nyc mocha test/server", "frisby": "istanbul cover ./test/apiTests.js", "preupdate-webdriver": "npm install", "update-webdriver": "webdriver-manager update", "preprotractor": "npm run update-webdriver", "protractor": "node test/e2eTests.js", "stryker": "stryker run stryker.client-conf.js", "vagrant": "cd vagrant && vagrant up" }, "engines": { "node": ">=4 <9" }, "standard": { "ignore": [ "/app/private/**", "/vagrant/**" ], "env": { "jasmine": true, "node": true, "browser": true, "mocha": true, "protractor": true }, "globals": [ "angular", "inject" ] }, "nyc": { "include": [ "lib/*.js", "routes/*.js" ], "all": true, "reporter": [ "lcov", "text-summary" ], "report-dir": "./build/reports/coverage/server-tests" } }

and below is the bom.xml file which got generated after running the below command inside the project directory

cyclonedx-bom -o bom.xml

`<?xml version="1.0" encoding="UTF-8"?>

juice-shop 4.2.1 MIT pkg:npm/juice-shop@4.2.1 false `

[stevespringett]

@sanjogpandasp The issue you're reporting has nothing to do with this ticket. However, that output is expected on a clean checkout since node_modules hasn't been populated yet.

You need to run npm install before running CycloneDX which will populate node_modules and create package-lock.json.

[sanjogpandasp]

@sanjogpandasp The issue you're reporting has nothing to do with this ticket. However, that output is expected on a clean checkout since node_modules hasn't been populated yet.

You need to run npm install before running CycloneDX which will populate node_modules and create package-lock.json.

I see, my bad. I was in an impression that cyclondx will pick up dependencies from the package.json file directly.

[lock[bot]]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.