CycloneDX / cyclonedx-node-npm

Create CycloneDX Software Bill of Materials (SBOM) from Node.js NPM projects.
https://cyclonedx.org/
Apache License 2.0

Missing license information on the components #1188

Closed iamrahul127 closed 5 months ago

iamrahul127 commented 5 months ago

Describe the bug

SBOM generated doesn't have license information included for multiple components.

To Reproduce

angularbom.json package.json package-lock.json

  1. Create angular project using ng new bomissue.
  2. Run npm install if no packages are installed.
  3. Run following command to generate SBOM cyclonedx-npm --short-PURLs --package-lock-only --flatten-components --ignore-npm-errors --output-file angularbom.json
  4. Check the generated bom.json. One or more components don't have license information even though the package.json for the same component has it.
  5. Example: Following snippet is from generated bom and it doesn't have license information.
    {
      "type": "library",
      "name": "build-angular",
      "group": "@angular-devkit",
      "version": "16.2.14",
      "bom-ref": "@angular-devkit/build-angular@16.2.14",
      "purl": "pkg:npm/%40angular-devkit/build-angular@16.2.14",
      "externalReferences": [
        {
          "url": "https://registry.npmjs.org/@angular-devkit/build-angular/-/build-angular-16.2.14.tgz",
          "type": "distribution",
          "hashes": [
            {
              "alg": "SHA-512",
              "content": "6d743a8bb40f8709981ee87e0d23640618d3207405d02e9fa99120d80a490373669f313df28427989f409c69c091d7f53239f7c62da0c686563c30f118420d33"
            }
          ],
          "comment": "as detected from npm-ls property \"resolved\" and property \"integrity\""
        }
      ],
      "properties": [
        {
          "name": "cdx:npm:package:path",
          "value": "node_modules/@angular-devkit\\build-angular"
        },
        {
          "name": "cdx:npm:package:development",
          "value": "true"
        }
      ]
    }
  6. Check the package.config located in node_modules -> \bomissue\node_modules\@angular-devkit\build-angular\package.json. It has license information. Screenshot as below.

Expected behavior

I expect the generated bom to include the following for the @angular-devkit/build-angular@16.2.14 component:

"licenses": [
  {
    "license": {
      "id": "MIT"
    }
  }
],

Environment

iamrahul127 commented 5 months ago

@jkowalleck You asked for detailed steps in issue #1164, which is marked closed now. Here are the steps. I am also facing the exact same issue. Let me know if you need any more information.

Apologies to tag you directly.

jkowalleck commented 5 months ago

thank you for the report.

will try to reproduce on windows and investigate.

jkowalleck commented 5 months ago

The --package-lock-only flag you used causes the tool to not read any package manifest files, but to use the lock file only.

 --package-lock-only       Whether to only use the lock file, ignoring "node_modules".
                           This means the output will be based only on the few details in and the tree described by the "npm-shrinkwrap.json" or "package-lock.json", rather than the contents of "node_modules" directory.
                           (default: false)

Unfortunately, your provided lock file does not hold any license information.

technical background: npm's lockfileVersion=2 holds license information for packages; the current lockfileVersion=3 does not. You provided a lock file version 3.