Open murarishetti opened 2 months ago
For whoever picks this up: we should clarify whether this is a directory scan or an image scan. We've coupled this to #572, which is about adding edges... but this issue is about adding nodes to the SBOM. We should look at our existing catalogers carefully here: if we start picking up dependencies from the package.json, how will this affect both dir scans (where there might not be a node_modules dir but there tends to be a package-lock.json) vs. an image scan (where there is no source repo, but there tends to be a populated node_modules dir)?
Input is a directory but node_modules and package-lock.json are not available.
What would you like to be added: Today, the JavaScript package cataloger parses only the parent name and version, but it does not extract the dependencies listed in package.json.
Why is this needed: It is a gap in the parser, and we are missing the dependencies listed in the package manager file.
Additional context: In the below package.json file, Syft today extracts only name and version but not dependencies listed.
Source/Input: "Directory"
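As an added illustration of the gap described in this issue (this is example code, not Syft's cataloger, and the package.json below is a constructed sample rather than the file the reporter refers to): a small Go parser that pulls the package's own name and version and, additionally, every entry of `dependencies` and `devDependencies`. The `ParsePackageJSON` function and `Dependency` type are hypothetical names chosen for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// packageJSON mirrors only the package.json fields this example needs.
type packageJSON struct {
	Name            string            `json:"name"`
	Version         string            `json:"version"`
	Dependencies    map[string]string `json:"dependencies"`
	DevDependencies map[string]string `json:"devDependencies"`
}

// Dependency is one declared dependency. Constraint is the declared version
// range (e.g. "^4.18.2"), not a resolved version: package.json alone cannot
// tell you which version is actually installed.
type Dependency struct {
	Name       string
	Constraint string
	Dev        bool
}

// ParsePackageJSON returns the manifest's own name and version plus every
// declared dependency, sorted by name so the output is deterministic.
func ParsePackageJSON(data []byte) (name, version string, deps []Dependency, err error) {
	var pj packageJSON
	if err = json.Unmarshal(data, &pj); err != nil {
		return "", "", nil, fmt.Errorf("parse package.json: %w", err)
	}
	for n, c := range pj.Dependencies {
		deps = append(deps, Dependency{Name: n, Constraint: c})
	}
	for n, c := range pj.DevDependencies {
		deps = append(deps, Dependency{Name: n, Constraint: c, Dev: true})
	}
	sort.Slice(deps, func(i, j int) bool { return deps[i].Name < deps[j].Name })
	return pj.Name, pj.Version, deps, nil
}

// sampleManifest is a constructed package.json for demonstration only.
const sampleManifest = `{
  "name": "example-app",
  "version": "1.2.3",
  "dependencies": {
    "express": "^4.18.2",
    "lodash": "~4.17.21"
  },
  "devDependencies": {
    "jest": "29.7.0"
  }
}`

func main() {
	name, version, deps, err := ParsePackageJSON([]byte(sampleManifest))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s@%s\n", name, version)
	for _, d := range deps {
		fmt.Printf("  %s %s (dev=%v)\n", d.Name, d.Constraint, d.Dev)
	}
}
```

The point the comment above raises shows up directly in the output: from a bare directory with no package-lock.json and no node_modules, the only dependency information available is the declared constraint, so an SBOM node built from it carries a version range, not a pinned version. An image scan with a populated node_modules (or a directory scan with a lock file) can supply the resolved versions, which is why the two cases need to be handled separately rather than treated as the same cataloger input.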