Open jkowalleck opened 4 months ago
I'd argue it's okay to refuse to generate an SBOM if any version number not confirming to semver is encountered. This is because https://docs.npmjs.com/cli/v10/configuring-npm/package-json#version explicitly says "version must be parseable by node-semver"
What it should not do is trying to fix version numbers in any way. In my opinion it's better to not receive an SBOM than to receive one that you cannot trust. What do you think about catching the error and aborting with a message explaining to the user which package had the invalid version number?
If you look in clean.js
within https://www.npmjs.com/package/semver?activeTab=code which is used internally by cyclonedx-node-yarn, you see it strips whitespace, =
characters and the character v
from the version number. Hopefully, repositories such as NPM work the same way when ensuring package versions are unique.
Describe the bug
When attempting to generate the SBOM and a package.json contains for example
"version": "1.0-dev"
it now crashes in a function calledObject.fixVersionField
. This concerns me as I would not expect the SBOM generation to adjust version numbers and instead just take them verbatim.To Reproduce
package.json
Expected behavior
no crashes
Screenshots or output-paste
Environment
v1.0.0-rc.7+git.33febfe
Additional context
as i've learned, is an invalid version identifier according to npm/yarn standards (which appears to adhere to semver), and causes crashes everywhere. So this is somehow expected.
But still, an option could be: in case a crash because of version happens, remove
version
and try again, and add back the version afterwards ... Or find a way to ignore the version when running manifest normalization ...