CycloneDX / cyclonedx-webpack-plugin

Generate CycloneDX Software Bill of Materials (SBOM) from webpack bundles at compile time.
https://cyclonedx.org/
Apache License 2.0

[BUG] Generated bom fails to include package `luxon` #1237

Closed tomsontom closed 1 month ago

tomsontom commented 1 year ago

Describe the bug

If luxon is used in the application, the plugin fails to include it in the output.

To Reproduce

Setup

git clone https://github.com/CycloneDX/cyclonedx-webpack-plugin.git
cd cyclonedx-webpack-plugin
npm install
cd tests/integration/webpack5-angular13
npm install --save luxon
npm install --save-dev @types/luxon

Use luxon

Change app.component.ts to look like this:

import { Component } from '@angular/core';
import { DateTime } from 'luxon'; 

console.log(DateTime.now());

@Component({
  selector: 'app-root',
  templateUrl: './app.component.html',
  styleUrls: ['./app.component.css']
})
export class AppComponent {
  title = '@cyclonedx-weboack-plugin-tests/example-webpack5-angular13';
}

Run build

npm run build

Expected behavior

I would expect that dist/.bom/bom.json to contain luxon

Screenshots or output-paste

luxon not contained

Environment

Additional context

The reason luxon is not contained in the output is that "node_modules/luxon/src" contains a file named "package.json" with the following content:

{
  "type": "module",
  "version": "3.4.4"
}

See https://github.com/moment/luxon/blob/3125686af82d9a25c7267a1cf1eb838a3d41144f/src/package.json#L1 and so cyclone is unable to find a name and skips luxon in the output.

A possible fix would be to make https://github.com/CycloneDX/cyclonedx-webpack-plugin/blob/ac87cd733ddb620fdc68dbe4b257e8aabdb02311/src/_helpers.ts#L28 smarter and check if there's a name and version and search on if none is in the loaded package.json

jkowalleck commented 12 months ago

see

jkowalleck commented 12 months ago

A possible fix would be to make [getPackageDescription] smarter and check if there's a name and version and search on if none is in the loaded package.json

nope. not intended for now. see https://github.com/CycloneDX/cyclonedx-webpack-plugin/issues/778#issuecomment-1494201468

A fix would be, if "luxon" added a (proper) name to the package they defined in luxon/src/package.json

jkowalleck commented 12 months ago

:tipping_hand_person: the example from the provided To Reproduce section caused the following SBOM files: bom.from-example.zip

jkowalleck commented 12 months ago

possible solution: if component has no name, then add it anyway with a name like component at [relative path to package.json].
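The three lookup behaviours discussed in this thread side by side, as an added example (it is not the plugin's code and not from anyone in this issue): the nearest-package.json lookup that drops luxon because luxon/src/package.json has no "name", the walk-up variant proposed in the report, and the fallback naming ("component at [relative path to package.json]") suggested above. The in-memory file tree, the `/app` root and all function names are assumptions made for the example.

```typescript
type PackageJson = { name?: string; version?: string; [key: string]: unknown }
type Component = { name: string; version?: string; path: string }

// Constructed in-memory tree standing in for node_modules (example data, not a real filesystem).
// luxon/src/package.json mirrors the real file: "type" and "version", but no "name".
const FILES: Record<string, string> = {
  '/app/node_modules/luxon/package.json': JSON.stringify({ name: 'luxon', version: '3.4.4' }),
  '/app/node_modules/luxon/src/package.json': JSON.stringify({ type: 'module', version: '3.4.4' }),
  '/app/node_modules/luxon/src/luxon.js': '',
  '/app/node_modules/tslib/package.json': JSON.stringify({ name: 'tslib', version: '2.6.2' }),
  '/app/node_modules/tslib/tslib.js': '',
}

// Minimal POSIX dirname so the example needs no Node imports.
function dirname(p: string): string {
  const i = p.lastIndexOf('/')
  return i <= 0 ? '/' : p.slice(0, i)
}

function readPackageJson(dir: string): PackageJson | undefined {
  const raw = FILES[`${dir}/package.json`]
  if (raw === undefined) return undefined
  try {
    return JSON.parse(raw) as PackageJson
  } catch {
    return undefined // malformed package.json is treated like a missing one
  }
}

// Climb from a bundled module file towards the root until a package.json is found.
// With requireName=true, package.json files that lack a "name" are skipped and the
// climb continues (the fix proposed in the report); with false the first one wins.
function findPackageDescription(
  modulePath: string,
  requireName: boolean,
): { dir: string; pkg: PackageJson } | undefined {
  let dir = dirname(modulePath)
  for (;;) {
    const pkg = readPackageJson(dir)
    if (pkg !== undefined && (!requireName || typeof pkg.name === 'string')) return { dir, pkg }
    if (dir === '/') return undefined
    dir = dirname(dir)
  }
}

// Behaviour described in the report: nearest package.json wins, and a nameless one
// means the component is silently left out of the BOM.
export function describeOrSkip(modulePath: string): Component | undefined {
  const found = findPackageDescription(modulePath, false)
  if (found === undefined || typeof found.pkg.name !== 'string') return undefined
  return { name: found.pkg.name, version: found.pkg.version, path: found.dir }
}

// Reporter's proposal: keep climbing past nameless package.json files.
export function describeWalkingUp(modulePath: string): Component | undefined {
  const found = findPackageDescription(modulePath, true)
  if (found === undefined || typeof found.pkg.name !== 'string') return undefined
  return { name: found.pkg.name, version: found.pkg.version, path: found.dir }
}

// Maintainer's alternative: keep the nameless component and name it by its relative path.
export function describeWithFallbackName(modulePath: string, rootDir: string): Component | undefined {
  const found = findPackageDescription(modulePath, false)
  if (found === undefined) return undefined
  const relative = found.dir.startsWith(rootDir + '/') ? found.dir.slice(rootDir.length + 1) : found.dir
  const name = typeof found.pkg.name === 'string' ? found.pkg.name : `component at ${relative}/package.json`
  return { name, version: found.pkg.version, path: found.dir }
}

// Completeness check a BOM consumer would want: which bundled modules map to no component at all.
export function missingFromBom(
  modulePaths: string[],
  describe: (modulePath: string) => Component | undefined,
): string[] {
  return modulePaths.filter((p) => describe(p) === undefined)
}
```

Running `missingFromBom` over the two module paths in the tree with `describeOrSkip` reports the luxon file as unaccounted for, which is the gap a reviewer of the generated bom.json would otherwise have to spot by hand. The two remedies differ in what they record: walking up attributes the file to the enclosing `luxon` package, while the fallback name keeps `node_modules/luxon/src` visible as a component of its own, carrying the version the nested package.json does provide.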

jkowalleck commented 12 months ago

@tomsontom could you pullrequest/help shape a setup for regression tests? something similar to https://github.com/CycloneDX/cyclonedx-webpack-plugin/tree/master/tests/integration/regression-issue745

tomsontom commented 12 months ago

I'll take a look next week

jkowalleck commented 6 months ago

should be fixed by #1284

jkowalleck commented 1 month ago

closed, as this is expected to be fixed as shown in multiple integration tests.

if you think this is still open, please open a new issue.