anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems
Apache License 2.0

Syft Extract dependencies from Package.json in JavaScript Package Cataloger #3108

Open murarishetti opened 2 months ago

murarishetti commented 2 months ago

What would you like to be added: Today, the JavaScript package cataloger parses only the parent name and version, but it does not extract the dependencies listed in package.json.

Why is this needed: It is a gap in the parser, and we are missing dependencies listed in the package manager file.

Additional context: In the package.json file below, Syft today extracts only the name and version but not the dependencies listed.

Source/Input: "Directory"

{
    "name": "test-3p",
    "version": "0.0.1",
    "description": "Test",
    "lockfileVersion": 1,
    "engines": {
      "node": ">=16.17.1"
    },
    "dependencies": {
      "loadash": "4.17.15",
      "epxress": "4.17.1"
    }
}
wagoodman commented 1 week ago

For whoever picks this up: we should clarify whether this is a directory scan or an image scan. We've coupled this to #572, which is about adding edges... but this issue is about adding nodes to the SBOM based. We should look at our existing catalogers carefully here: if we start picking up dependencies from the package.json, how will this affect both dir scans (where there might not be a node_modules dir but there tends to be a package-lock.json) vs. image scans (where there is no source repo, but there tends to be a populated node_modules dir)?

murarishetti commented 1 week ago

Input is a directory but node_modules and package-lock.json are not available.
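As an added illustration (not Syft's code, and not from the reporter or maintainer) of the node extraction requested in the issue and of why the directory-vs-image question above matters: a small Go parser that emits the parent package plus each dependency declared in package.json, keeping the specifier exactly as written and flagging which ones are pinned versus ranges that only a package-lock.json or a populated node_modules can resolve. The struct field names follow the npm manifest format, IsExactSpec is an assumed simple heuristic, and the extra "debug" entry in the sample is constructed.

```go
package main

import (
	"encoding/json"
	"sort"
	"strings"
)

// Subset of the npm manifest format needed here (assumed field names).
type packageJSON struct {
	Name         string            `json:"name"`
	Version      string            `json:"version"`
	Dependencies map[string]string `json:"dependencies"`
}

// Dep is one dependency node declared by package.json; Spec is the version
// specifier as written, which may be a range rather than an installed version.
type Dep struct{ Name, Spec string }

// IsExactSpec is a deliberately simple heuristic: a spec starting with a digit and
// free of range operators counts as pinned; anything else (^, ~, >=, *, x-ranges,
// tags, git/url specs) needs package-lock.json or node_modules to resolve.
func IsExactSpec(spec string) bool {
	spec = strings.TrimSpace(spec)
	if spec == "" || spec[0] < '0' || spec[0] > '9' {
		return false
	}
	return !strings.ContainsAny(spec, "^~<>=*|xX ")
}

// ParsePackageJSON returns the parent (name, version) and its declared
// dependencies sorted by name, so the emitted SBOM nodes are deterministic.
func ParsePackageJSON(data []byte) (name, version string, deps []Dep, err error) {
	var pj packageJSON
	if err = json.Unmarshal(data, &pj); err != nil {
		return "", "", nil, err
	}
	for n, s := range pj.Dependencies {
		deps = append(deps, Dep{Name: n, Spec: s})
	}
	sort.Slice(deps, func(i, j int) bool { return deps[i].Name < deps[j].Name })
	return pj.Name, pj.Version, deps, nil
}

// Sample is the issue's package.json (constructed input), with one constructed
// extra entry ("debug") that carries a caret range instead of a pinned version.
const Sample = `{"name":"test-3p","version":"0.0.1","dependencies":{"loadash":"4.17.15","epxress":"4.17.1","debug":"^4.3.4"}}`
```

In a directory scan with neither node_modules nor package-lock.json (the reporter's case), the range entries are exactly the nodes whose versions cannot be stated precisely, which is the trade-off the maintainer's comment raises.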