anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems
Apache License 2.0

Syft outputs devDependencies for package-lock.json files #2348

Open amascia opened 9 months ago

amascia commented 9 months ago

What happened: When scanning a directory with the following files: package.json

{
  "name": "first_app",
  "version": "1.0.0",
  "description": "a first app",
  "main": "index.js",
  "scripts": {
    "test": "testing"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {},
  "devDependencies": {
    "async": "^3.2.4"
  }
}

package-lock.json

{
  "name": "first_app",
  "version": "1.0.0",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "first_app",
      "version": "1.0.0",
      "license": "ISC",
      "devDependencies": {
        "async": "^3.2.4"
      }
    },
    "node_modules/async": {
      "version": "3.2.4",
      "resolved": "https://registry.npmjs.org/async/-/async-3.2.4.tgz",
      "integrity": "sha512-iAB+JbDEGXhyIUavoDl9WP/Jj106Kz9DEn1DPgYw5ruDn0e3Wgi3sKFm55sASdGBNOQB8F59d9qQ7deqrHA8wQ==",
      "dev": true
    }
  }
}

It outputs

 ✔ Indexed file system        tests/data/js_dependencies
 ✔ Cataloged packages         [2 packages]
[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
NAME       VERSION  TYPE
async      3.2.4    npm
first_app  1.0.0    npm

with the async devDependency.

What you expected to happen:

Syft does not output dev-dependencies, as is done when scanning a Pipfile.lock.

Steps to reproduce the issue:

Run syft on a directory containing the above file.

Anything else we need to know?:

Environment:

$ syft version
Application: syft
Version:    0.97.1
BuildDate:  2023-11-17T20:53:01Z
GitCommit:  Homebrew
GitDescription: [not provided]
Platform:   darwin/arm64
GoVersion:  go1.21.4
Compiler:   gc
$ sw_vers
ProductName:        macOS
ProductVersion:     14.1.1
BuildVersion:       23B81

tgerla commented 9 months ago

Hey @amascia, we are taking a look and we believe you are probably right that we need to filter out the dev dependencies from these kinds of scans. Thanks for the detailed report and reproduction steps--much appreciated!

atl-mk commented 7 months ago

Hey, I am able to provide Syft both the package.json and the lock file (whether it be package-lock.json or yarn.lock) so Syft has all the information it needs to be able to determine whether or not something is a development only dependency. I'm looking forward to this feature being implemented.
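The original report shows the lockfileVersion 3 `"dev": true` flag on the `node_modules/async` entry, and the comment above points out that the lock file already carries the information needed to tell a development-only dependency apart. As an added example (not syft's own code, and not how syft's cataloger is implemented), the Go program below reads a v2/v3 package-lock.json, derives package names from the `node_modules/...` keys, and optionally drops entries flagged `dev`. The sample lock file embedded in it is constructed: it reuses the `async` entry from the report and adds a runtime `lodash` entry and a scoped dev entry to show the contrast.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// lockPackage holds the fields of a lockfileVersion 2/3 "packages" entry
// that matter for scope filtering. Per npm's lockfile documentation, "dev"
// is set when the package is strictly in the devDependencies tree;
// "devOptional" means it is reachable both as a dev and as an optional
// dependency, so it is not dev-only and is kept when dev entries are dropped.
type lockPackage struct {
	Version     string `json:"version"`
	Resolved    string `json:"resolved"`
	Dev         bool   `json:"dev"`
	Optional    bool   `json:"optional"`
	DevOptional bool   `json:"devOptional"`
}

type packageLock struct {
	Name            string                 `json:"name"`
	Version         string                 `json:"version"`
	LockfileVersion int                    `json:"lockfileVersion"`
	Packages        map[string]lockPackage `json:"packages"`
}

// Component is the minimal SBOM record this example produces.
type Component struct {
	Name    string
	Version string
	Dev     bool
}

// nameFromPath turns a "packages" key such as
// "node_modules/a/node_modules/@scope/b" into "@scope/b": the innermost
// node_modules segment is the installed package, and scoped names keep
// their "@scope/" prefix.
func nameFromPath(p string) string {
	const marker = "node_modules/"
	idx := strings.LastIndex(p, marker)
	if idx < 0 {
		return p
	}
	return p[idx+len(marker):]
}

// ParseLock parses a v2/v3 lock file. The "" key is the root project and is
// skipped. When includeDev is false, entries with "dev": true are omitted,
// which is the behaviour the issue asks for.
func ParseLock(data []byte, includeDev bool) ([]Component, error) {
	var lock packageLock
	if err := json.Unmarshal(data, &lock); err != nil {
		return nil, fmt.Errorf("parse package-lock.json: %w", err)
	}
	if lock.LockfileVersion < 2 {
		// v1 lock files carry the same "dev" flag but under a nested
		// "dependencies" tree, which this example does not handle.
		return nil, fmt.Errorf("lockfileVersion %d has no \"packages\" map", lock.LockfileVersion)
	}
	var out []Component
	for path, pkg := range lock.Packages {
		if path == "" {
			continue
		}
		if pkg.Dev && !includeDev {
			continue
		}
		out = append(out, Component{Name: nameFromPath(path), Version: pkg.Version, Dev: pkg.Dev})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Name < out[j].Name })
	return out, nil
}

// sampleLock is a constructed lock file: the async entry comes from the
// report; lodash (runtime) and @types/node (dev) are added for contrast.
const sampleLock = `{
  "name": "first_app",
  "version": "1.0.0",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": { "name": "first_app", "version": "1.0.0", "devDependencies": { "async": "^3.2.4" } },
    "node_modules/async": { "version": "3.2.4", "dev": true },
    "node_modules/lodash": { "version": "4.17.21" },
    "node_modules/@types/node": { "version": "20.8.0", "dev": true }
  }
}`

func main() {
	for _, includeDev := range []bool{true, false} {
		comps, err := ParseLock([]byte(sampleLock), includeDev)
		if err != nil {
			fmt.Println("error:", err)
			return
		}
		fmt.Printf("includeDev=%v -> %d package(s)\n", includeDev, len(comps))
		for _, c := range comps {
			fmt.Printf("  %-12s %-8s dev=%v\n", c.Name, c.Version, c.Dev)
		}
	}
}
```

With `includeDev=false` the constructed lock file yields only `lodash`; with it set to `true` all three installed packages are listed together with their dev flag, which is the scope information the last comment in this thread asks to have in the output.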

harippriyas commented 1 month ago

+1. Would be a really useful feature. Thanks!

arkajnag23 commented 4 weeks ago

@tgerla Very useful feature; desperately asking for support for this, as when delivering regulatory governance data, development dependencies shouldn't be shared. Even if the JSON output contains some information about scope, the team can then run some alternative code to filter off the devDependencies.