CycloneDX / cyclonedx-webpack-plugin

Generate CycloneDX Software Bill of Materials (SBOM) from webpack bundles at compile time.
https://cyclonedx.org/
Apache License 2.0

[BUG] Generated bom fails to include package `luxon` #1237

Closed tomsontom closed 1 month ago

tomsontom commented 11 months ago

Describe the bug

If luxon is used in the application, the plugin fails to include it in the output.

To Reproduce

Setup

git clone https://github.com/CycloneDX/cyclonedx-webpack-plugin.git
cd cyclonedx-webpack-plugin
npm install
cd tests/integration/webpack5-angular13
npm install --save luxon
npm install --save-dev @types/luxon

Use luxon

Change app.component.ts to look like this:

import { Component } from '@angular/core';
import { DateTime } from 'luxon'; 

console.log(DateTime.now());

@Component({
  selector: 'app-root',
  templateUrl: './app.component.html',
  styleUrls: ['./app.component.css']
})
export class AppComponent {
  title = '@cyclonedx-weboack-plugin-tests/example-webpack5-angular13';
}

Run build

npm run build

Expected behavior

I would expect dist/.bom/bom.json to contain luxon.

Screenshots or output-paste

luxon not contained

Environment

Additional context

The reason luxon is not contained in the output is that "node_modules/luxon/src" contains a file named "package.json" with the following content:

{
  "type": "module",
  "version": "3.4.4"
}

See https://github.com/moment/luxon/blob/3125686af82d9a25c7267a1cf1eb838a3d41144f/src/package.json#L1 and so cyclone is unable to find a name and skips luxon in the output.

A possible fix would be to make https://github.com/CycloneDX/cyclonedx-webpack-plugin/blob/ac87cd733ddb620fdc68dbe4b257e8aabdb02311/src/_helpers.ts#L28 smarter and check if there's a name and version and search on if none is in the loaded package.json
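Added example (not the plugin's own code, and not from the issue author): an in-memory model of the lookup described above, showing why a nested package.json without a "name" drops luxon, next to the walk-up variant proposed here, plus a consumer-side check that lists declared dependencies missing from a bom.json. The file tree, the tslib entry and the sample SBOM are constructed; only the luxon/src/package.json content comes from the issue.

```javascript
// Constructed in-memory stand-in for node_modules (paths are POSIX, relative).
// luxon/src/package.json mirrors the real file quoted in the issue: no "name".
const FILES = {
  'node_modules/luxon/package.json': { name: 'luxon', version: '3.4.4' },
  'node_modules/luxon/src/package.json': { type: 'module', version: '3.4.4' },
  'node_modules/tslib/package.json': { name: 'tslib', version: '2.6.2' }, // constructed
};

// Parent directory of a relative POSIX path; '' once the root is reached.
function parentDir(p) {
  const i = p.lastIndexOf('/');
  return i < 0 ? '' : p.slice(0, i);
}

// Behaviour the issue describes: take the *nearest* package.json, whatever it
// contains. For luxon/src/luxon.js that is the nameless one, so the caller
// has no component name and silently skips the package.
function nearestPackageDescription(modulePath) {
  for (let dir = parentDir(modulePath); dir; dir = parentDir(dir)) {
    const pkg = FILES[`${dir}/package.json`];
    if (pkg) return pkg;
  }
  return undefined;
}

// The "smarter" lookup proposed in the issue: ignore package.json files that
// lack a name or version and keep walking up until a complete one is found.
function nearestNamedPackageDescription(modulePath) {
  for (let dir = parentDir(modulePath); dir; dir = parentDir(dir)) {
    const pkg = FILES[`${dir}/package.json`];
    if (pkg && pkg.name && pkg.version) return pkg;
  }
  return undefined;
}

// Consumer-side completeness check: declared dependencies that the generated
// SBOM does not list as components. A dropped component means a dependency
// that vulnerability scanners fed with this SBOM will never see.
function missingComponents(bomJson, dependencies) {
  const listed = new Set((bomJson.components || []).map((c) => c.name));
  return Object.keys(dependencies).filter((name) => !listed.has(name));
}

// Constructed bom.json as produced for the reproduction: luxon is absent.
const SAMPLE_BOM = {
  bomFormat: 'CycloneDX',
  specVersion: '1.4',
  components: [{ type: 'library', name: 'tslib', version: '2.6.2' }],
};
const SAMPLE_DEPS = { luxon: '^3.4.4', tslib: '^2.6.2' }; // constructed package.json deps

console.log(nearestPackageDescription('node_modules/luxon/src/luxon.js'));
console.log(nearestNamedPackageDescription('node_modules/luxon/src/luxon.js'));
console.log('missing from SBOM:', missingComponents(SAMPLE_BOM, SAMPLE_DEPS));
```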

jkowalleck commented 11 months ago

see

jkowalleck commented 11 months ago

A possible fix would be to make [getPackageDescription] smarter and check if there's a name and version and search on if none is in the loaded package.json

nope. not intended for now. see https://github.com/CycloneDX/cyclonedx-webpack-plugin/issues/778#issuecomment-1494201468

A fix would be, if "luxon" added a (proper) name to the package they defined in luxon/src/package.json

jkowalleck commented 11 months ago

:tipping_hand_person: the example from the provided To Reproduce section caused the following SBOM files: bom.from-example.zip

jkowalleck commented 11 months ago

possible solution: if component has no name, then add it anyway with a name like component at [relative path to package.json].

jkowalleck commented 11 months ago

@tomsontom could you pullrequest/help shape a setup for regression tests? something similar to https://github.com/CycloneDX/cyclonedx-webpack-plugin/tree/master/tests/integration/regression-issue745

tomsontom commented 11 months ago

I'll take a look next week

jkowalleck commented 5 months ago

should be fixed by #1284

jkowalleck commented 1 month ago

closed, as this is expected to be fixed as shown in multiple integration tests.

if you think this is still open, please open a new issue.