evanw / esbuild

An extremely fast bundler for the web
https://esbuild.github.io/
MIT License

Provide support for AWS Inspector compatibility #3871

Open JamesSmith04 opened 1 month ago

JamesSmith04 commented 1 month ago

Issue

When using esbuild (with --bundle and --minify options) to package projects for use in a Lambda function, the function cannot be scanned by Amazon Inspector's SBOM generator tool.

Ideal Behaviour

It would be nice to be able to pass an option that could retain a 'skeleton' node_modules directory that just contains a package.json for each dependency, like so:

This would allow the SBOM generator tool to find the required dependency metadata to successfully scan for vulnerabilities.

Steps to reproduce:

esbuild src/index.js --bundle --minify --platform=node --target=node18 --outfile=build/index.js

Other possible fixes

It's possible to add a postbuild step which achieves the same thing. For a single project this is an easy fix but for a large organisation with many teams/AWS accounts it is not a great solution and a native esbuild option would be preferable.

hyrious commented 1 month ago

I'm not sure what esbuild needs to do here. Does any other bundler do something similar? If you want to gather bundled dependencies' names, you can enable metafile.

JamesSmith04 commented 1 month ago

Hi and thanks for getting back to me on this :)

AWS Inspector uses a tool called 'SBOM generator'. In the case of Lambda functions this creates a .json file for each function containing a list of all dependencies and a list of known vulnerabilities that are connected with those dependencies.

What we see with projects that are bundled is that the dependency list is always empty because the directory structure that the SBOM generator tool is expecting to find doesn't exist anymore. The tool is attempting to look through the node_modules directory and checks the name and version in the package.json per dependency.

What we'd like is to be able to re-create the node_modules directory with only package.json files per dependency, and only for those dependencies that have been bundled. In an example build directory this would look like this (where node_modules is in the above structure and index.js is the bundled project):

This will allow the SBOM generator tool to scan the project for vulnerabilities while also keeping the build size as small as possible.

Here's a bash command that uses the output of the metafile to do this. It would be great to be able to pass an option that could achieve the same thing.

jq -r '.inputs | keys[] | select(startswith("node_modules/")) | split("/")[1]' build/meta.json | xargs -I{} find node_modules/{}/package.json | cpio -pd ./build

Thanks again for the response :)

James

JamesSmith04 commented 1 month ago

As far as I'm aware, I don't see this in any of the other main bundlers.