CycloneDX / cyclonedx-node-module

creates CycloneDX Software-Bill-of-Materials (SBOM) from node-based projects
https://cyclonedx.org/
Apache License 2.0

How to exclude devDependencies #9

Closed ruimda closed 5 years ago

ruimda commented 5 years ago

Is there a way to create the bom.xml with only the "dependencies", excluding the "devDependencies"? I'm sending this bom.xml to Dependency-Track, and I don't want to register dev dependencies like protractor test libs or angular-devkit.

stevespringett commented 5 years ago

The node module should not be including devDependencies.

It relies on the read-installed module which excludes devDependencies by default. https://github.com/CycloneDX/cyclonedx-node-module/blob/70eab8ee09255bc95cd96f206599257ba1c1292b/index.js#L155 https://www.npmjs.com/package/read-installed

When obtaining package info, the module will only obtain modules in the dependencies section. https://github.com/CycloneDX/cyclonedx-node-module/blob/70eab8ee09255bc95cd96f206599257ba1c1292b/index.js#L67

If you're seeing devDependencies being included, please supply a package.json which can reproduce the problem.

ruimda commented 5 years ago

So, first I did a "npm install --only=prod", and then generated the bom. This included only dependencies.

Then I did a "npm install", and generated the bom again. This one includes dev dependencies like karma and protractor.

Here is the package.json file:

```json
{
  "name": "myproject",
  "version": "0.1.0",
  "scripts": {
    "bom": "cyclonedx-bom -o bom.xml"
  },
  "private": true,
  "dependencies": {
    "@agm/core": "^1.0.0-beta.5",
    "@angular/animations": "^6.0.3",
    "@angular/common": "^6.0.3",
    "@angular/compiler": "^6.0.3",
    "@angular/core": "^6.0.3",
    "@angular/forms": "^6.0.3",
    "@angular/http": "^6.0.3",
    "@angular/platform-browser": "^6.0.3",
    "@angular/platform-browser-dynamic": "^6.0.3",
    "@angular/router": "^6.0.3",
    "@google/maps": "^0.5.5",
    "@test/account": "dev-latest",
    "@test/animations": "dev-latest",
    "@test/http-interceptors": "dev-latest",
    "@test/notifications": "dev-latest",
    "@test/static-assets": "dev-latest",
    "@progress/kendo-angular-buttons": "^4.0.0",
    "@progress/kendo-angular-dateinputs": "2 - 3",
    "@progress/kendo-angular-dialog": "^3.7.0",
    "@progress/kendo-angular-dropdowns": "^3.4.2",
    "@progress/kendo-angular-excel-export": "1 - 2",
    "@progress/kendo-angular-grid": "^3.6.0",
    "@progress/kendo-angular-inputs": "2 - 3",
    "@progress/kendo-angular-intl": "^1.0.0",
    "@progress/kendo-angular-l10n": "^1.3.0",
    "@progress/kendo-angular-layout": "^3.1.0",
    "@progress/kendo-angular-popup": "^2.0.0",
    "@progress/kendo-angular-tooltip": "^1.1.2",
    "@progress/kendo-data-query": "^1.0.0",
    "@progress/kendo-drawing": "^1.0.0",
    "@progress/kendo-theme-default": "latest",
    "agm-direction": "^0.6.0",
    "bootstrap": "^4.1.1",
    "core-js": "^2.5.4",
    "install": "^0.11.0",
    "moment": "^2.22.2",
    "npm": "^6.1.0",
    "open-iconic": "^1.1.1",
    "popper.js": "^1.14.3",
    "rxjs": "^6.0.0",
    "rxjs-compat": "^6.3.3",
    "zone.js": "^0.8.26"
  },
  "devDependencies": {
    "@angular-devkit/build-angular": "~0.6.0",
    "@angular-devkit/build-ng-packagr": "~0.6.5",
    "@angular/cli": "~6.0.0",
    "@angular/compiler-cli": "^6.0.0",
    "@angular/language-service": "^6.0.0",
    "@types/googlemaps": "^3.30.11",
    "@types/jasmine": "~2.8.6",
    "@types/jasminewd2": "~2.0.3",
    "@types/node": "~8.9.4",
    "codelyzer": "~4.2.1",
    "jasmine-core": "~2.99.1",
    "jasmine-spec-reporter": "~4.2.1",
    "karma": "~1.7.1",
    "karma-chrome-launcher": "~2.2.0",
    "karma-coverage-istanbul-reporter": "~1.4.2",
    "karma-jasmine": "~1.1.1",
    "karma-jasmine-html-reporter": "^0.2.2",
    "ng-packagr": "^3.0.0-rc.2",
    "protractor": "~5.3.0",
    "ts-node": "~5.0.1",
    "tsickle": ">=0.25.5",
    "tslib": "^1.7.1",
    "tslint": "~5.9.1",
    "typescript": "~2.7.2",
    "sonarqube-scanner": "^2.1.0"
  }
}
```

@test are some internal modules

ruimda commented 5 years ago

Could you reproduce the case? Thanks

anush-cr commented 5 years ago

@ruimda For what it's worth, I ran into this issue and tried to diagnose it. So, read-installed traverses the node_modules folder to build the dependency tree and marks any devDependencies that exist in that folder as extraneous when using the dev: false option, which is the default.

I've created PR https://github.com/CycloneDX/cyclonedx-node-module/pull/13 to exclude extraneous packages which should resolve the issue.

ruimda commented 5 years ago

Thanks a lot. I will follow this closely

stevespringett commented 5 years ago

0.2.5 was pushed which should solve this issue. Also included is an updated SPDX license list (v3.5). Please reopen if anyone experiences this problem going forward.

lock[bot] commented 5 years ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.