CycloneDX / cyclonedx-node-npm

Create CycloneDX Software Bill of Materials (SBOM) from Node.js NPM projects.
https://cyclonedx.org/
Apache License 2.0

"--omit dev" created a lot of "DummyComponent.InterferedDependency..." entries in the BOM #254

Closed AndreVirtimo closed 2 years ago

AndreVirtimo commented 2 years ago

When I use the "--omit dev" parameter, I get a lot of entries with the prefix "DummyComponent.InterferedDependency.".

I'm using "@cyclonedx/cyclonedx-npm" version 1.2.0 as a dev dependency. And it seems this is also in the BOM, which I didn't expect.

    {
      "ref": "DummyComponent.InterferedDependency.@cyclonedx/cyclonedx-npm",
      "dependsOn": [
        "DummyComponent.InterferedDependency.@cyclonedx/cyclonedx-library",
        "DummyComponent.InterferedDependency.@cyclonedx/cyclonedx-npm|DummyComponent.InterferedDependency.commander",
        "DummyComponent.InterferedDependency.xmlbuilder2"
      ]
    },
    {
      "ref": "DummyComponent.InterferedDependency.@cyclonedx/cyclonedx-npm|DummyComponent.InterferedDependency.commander"
    },
    {
      "ref": "DummyComponent.InterferedDependency.@cyclonedx/cyclonedx-library",
      "dependsOn": [
        "DummyComponent.InterferedDependency.packageurl-js",
        "DummyComponent.InterferedDependency.xmlbuilder2"
      ]
    },
...

To Reproduce

Snippet from my package.json with two internal dependencies removed.

    {
      "devDependencies": {
        "@cyclonedx/cyclonedx-npm": "^1.2.0",
        "css-loader": "^6.7.1",
        "cypress": "^10.10.0",
        "cypress-intellij-reporter": "^0.0.7",
        "eslint": "8.26.0",
        "eslint-plugin-cypress": "^2.12.1",
        "eslint-plugin-mocha": "^10.1.0",
        "eslint-plugin-node": "^11.1.0",
        "eslint-plugin-no-only-tests": "^3.1.0",
        "file-loader": "^6.2.0",
        "style-loader": "^3.3.1",
        "webpack": "^5.74.0",
        "webpack-cli": "^4.10.0",
        "webpack-merge": "^5.8.0"
      },
      "dependencies": {
        "@amcharts/amcharts4": "^4.10.29",
        "ace-builds": "^1.12.3",
        "ace-diff": "^3.0.3",
        "ajv": "^8.11.0",
        "ajv-formats": "^2.1.1",
        "dompurify": "^2.4.0",
        "froala-editor": "^4.0.15",
        "json-source-map": "^0.6.1",
        "vkbeautify": "^0.99.3"
      }
    }

Expected behavior

No dummy entries and no dev dependencies.

Environment

npm - 8.5.1
node - v17.6.0

macOS 12.6
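As an added illustration (not code from this issue or from cyclonedx-npm), a small sanity check over the "dependencies" graph of a CycloneDX JSON BOM for the symptoms reported above: refs carrying the "DummyComponent.InterferedDependency." placeholder prefix, dependsOn targets with no entry of their own, and packages from devDependencies that should have been omitted. The purl-style refs and the sample BOM are constructed assumptions, not output of the tool.

```javascript
// Added example, not part of the issue or of cyclonedx-npm.
const DUMMY_PREFIX = 'DummyComponent.InterferedDependency.';

// Constructed sample, shaped like the BOM fragment quoted in the report.
const sampleBom = {
  dependencies: [
    { ref: 'pkg:npm/ajv@8.11.0', dependsOn: ['pkg:npm/fast-deep-equal@3.1.3'] },
    { ref: 'pkg:npm/fast-deep-equal@3.1.3' },
    {
      ref: DUMMY_PREFIX + '@cyclonedx/cyclonedx-npm',
      dependsOn: [DUMMY_PREFIX + '@cyclonedx/cyclonedx-library', DUMMY_PREFIX + 'xmlbuilder2'],
    },
    { ref: DUMMY_PREFIX + '@cyclonedx/cyclonedx-library' },
  ],
};
// Constructed devDependencies map, as read from package.json.
const sampleDevDeps = { '@cyclonedx/cyclonedx-npm': '^1.2.0', webpack: '^5.74.0' };

// Package name behind a bom-ref: a dummy placeholder ref or a purl (assumed ref style).
function packageNameFromRef(ref) {
  if (ref.startsWith(DUMMY_PREFIX)) {
    // nested dummy refs are joined with "|"; the last segment names the package
    const last = ref.split('|').pop();
    return last.startsWith(DUMMY_PREFIX) ? last.slice(DUMMY_PREFIX.length) : last;
  }
  const m = /^pkg:npm\/(.+?)(?:@[^@/]+)?(?:[?#].*)?$/.exec(ref);
  return m ? decodeURIComponent(m[1]) : null; // "%40scope/name" -> "@scope/name"
}

// Walk the graph once; every dependsOn target must also appear as a ref.
function checkBom(bom, devDependencies) {
  const deps = bom.dependencies || [];
  const known = new Set(deps.map((d) => d.ref));
  const findings = { dummyRefs: [], danglingRefs: [], devPackages: [] };
  for (const d of deps) {
    if (d.ref.startsWith(DUMMY_PREFIX)) findings.dummyRefs.push(d.ref);
    for (const target of d.dependsOn || []) {
      if (!known.has(target)) findings.danglingRefs.push(`${d.ref} -> ${target}`);
    }
    const name = packageNameFromRef(d.ref);
    if (name && Object.prototype.hasOwnProperty.call(devDependencies, name)) findings.devPackages.push(name);
  }
  findings.ok = findings.dummyRefs.length + findings.danglingRefs.length + findings.devPackages.length === 0;
  return findings;
}

console.log(JSON.stringify(checkBom(sampleBom, sampleDevDeps), null, 2));
```

Run it against a real BOM by replacing sampleBom with the parsed sbom.json and sampleDevDeps with package.json's devDependencies; a non-empty finding is the signal to compare against npm ls output before trusting the SBOM.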

AndreVirtimo commented 2 years ago

I have tried this on another project without "prod" dependencies and only dev dependencies. It seems that all dev dependencies are added to the BOM as DummyComponent.

jkowalleck commented 2 years ago

Thank you for the report, @AndreVirtimo. I will check into this. Could you do the broken call again and paste me the logs? They might look like the following:

DEBUG | options: {"ignoreNpmErrors":false,"packageLockOnly":false,"omit":[],"flattenComponents":false,"shortPURLs":false,"specVersion":"1.4","outputFormat":"JSON","outputFile":"-","mcType":"application"}
DEBUG | packageFile: /.../some/path/package.json
DEBUG | projectDir: /.../some/path
DEBUG | detected a package lock file
DEBUG | makeNpmRunner caused execSync "npm" undefined
INFO  | gather dependency tree ...
DEBUG | npm-ls: run npm with ["ls","--json","--all","--long"] in "/.../some/path"
INFO  | build BOM ...
INFO  | writing BOM to -

PS: I tried to reproduce with all the information you gave and the exact dependencies from your report, and was not able to reproduce. The exact opposite was the case: when called with --omit dev, @cyclonedx/cyclonedx-npm was not in the resulting SBOM. When called without any --omit, @cyclonedx/cyclonedx-npm was part of the SBOM. In both cases no DummyComponent was part of the SBOM.

Could you create a GitHub repo with a setup that isolates your issue and makes it reproducible? I would imagine a repo that contains a package.json, a package-lock.json, and the sbom.json you produced. Could you additionally include the output of npm ls --omit dev in a file, so that it can be compared against the other files? It could be the case that npm has some troubles.

jkowalleck commented 2 years ago

Previously I tried with some arbitrary npm@^8. Since you reported using npm@8.5.1, I tried again to reproduce with that exact version, and finally was able to see the same thing you described.

I found the issue was gone when I used npm@^8.7 - see https://github.com/npm/cli/pull/4744. Seems like npm had an issue back then - see https://github.com/npm/cli/issues/4739

I am sorry, you might need to upgrade your NPM to a version >= 8.7.0 to fix this issue.

Will change internal implementations of this tool to circumvent the issue. See #259

AndreVirtimo commented 2 years ago

@jkowalleck thank you for checking this issue.

I can confirm that this issue was gone after updating npm to version 8.19.2.

jkowalleck commented 2 years ago

This issue was fixed in v1.3.0 of cyclonedx-npm.