janbiasi / rollup-plugin-sbom

Create SBOMs in CycloneDX format for your Vite or Rollup projects with ease
MIT License

Dependencies missing #86

Open markusmuellerusi opened 4 months ago

markusmuellerusi commented 4 months ago

Describe the bug
Dependencies are important to display the dependency graph, i.e. in Dependency-Track. I attached two SBOM files: rollup-plugin-sbom.json is created using the plugin, cyclonedx-npm.json is created from the CLI with npx @cyclonedx/cyclonedx-npm.

The plugin doesn't generate any dependencies, all dependsOn nodes are missing:

```json
    "dependencies": [
        {
            "ref": "pkg:npm/myProject@0.0.1"
        },
        {
            "ref": "pkg:npm/%40sveltejs/kit@2.5.5?vcs_url=git%2Bhttps%3A//github.com/sveltejs/kit.git#packages/kit"
        }, .....
```

To Reproduce
Steps to reproduce the behavior: create the two SBOMs with the plugin and the CLI, then compare the BOMs.

Expected behavior
Please see cyclonedx-npm.json. The dependencies are generated.

```json
  "dependencies": [
    {
      "ref": "myProject@0.0.1",
      "dependsOn": [
        "@apollo/client@3.9.11",
        "@cyclonedx/cyclonedx-npm@1.19.0",
        "@graphql-codegen/cli@5.0.2",
        "@graphql-codegen/typescript@4.0.6",
        "@helaba-cm/helaba-design-system@0.6.0",
        "@sveltejs/adapter-auto@3.2.0",
        "@sveltejs/adapter-static@3.0.1",
        "@sveltejs/kit@2.5.5",
        "@sveltejs/vite-plugin-svelte@3.0.2",
        "@sveltestrap/sveltestrap@6.2.7",
        "@types/eslint@8.56.7",
        "@types/jquery@3.5.29",
        "@typescript-eslint/eslint-plugin@7.5.0",
        "@typescript-eslint/parser@7.5.0",
        "eslint-config-prettier@9.1.0",
        "eslint-plugin-svelte@2.35.1",
        "eslint@8.57.0",
        "keycloak-js@24.0.3",
        "prettier-plugin-svelte@3.2.2",
        "prettier@3.2.5",
        "rollup-plugin-sbom@1.1.1",
        "svelte-check@3.6.9",
        "svelte-highlight@7.6.0",
        "svelte-table@0.6.3",
        "svelte@4.2.12",
        "tslib@2.6.2",
        "typescript@5.4.3",
        "vite@5.2.8",
        "vitest@1.4.0"
      ]
    },
    {
      "ref": "@apollo/client@3.9.11",
      "dependsOn": [
        "@graphql-typed-document-node/core@3.2.0",
        "@wry/caches@1.0.1",
        "@wry/equality@0.5.7",
        "@wry/trie@0.5.0",
        "graphql-tag@2.12.6",
        "graphql-ws@5.16.0",
        "graphql@16.8.1",
        "hoist-non-react-statics@3.3.2",
        "optimism@0.18.0",
        "prop-types@15.8.1",
        "rehackt@0.0.6",
        "response-iterator@0.2.6",
        "symbol-observable@4.0.0",
        "ts-invariant@0.10.3",
        "tslib@2.6.2",
        "zen-observable-ts@1.2.5"
      ]
    },....
```

Additional context

package.json:

```json
    "devDependencies": {
        "rollup-plugin-sbom": "^1.1.1",
```

vite.config.js:

```js
import { defineConfig } from 'vitest/config';
import { sveltekit } from '@sveltejs/kit/vite';
import sbom from "rollup-plugin-sbom";

export default defineConfig({
    plugins: [
        sveltekit(),
        sbom({
            specVersion: "1.5",
            outFormats: ['json'],
            outDir: "src"
        })
    ],
    server: {
        port: 3000,
        fs: {
            allow: ['static']
        },
    },
    test: {
        include: ['src/**/*.{test,spec}.{js,ts}']
    }
});
```

janbiasi commented 4 months ago

Thanks a lot for providing issue details, this is indeed something we missed in the initial implementation.

jkowalleck commented 4 months ago

> Expected behavior Please see cyclonedx-npm.json. The dependencies are generated. [...]

In the SBOM result, I would expect to not see the same dependency graph like it is generated by cyclonedx-npm, instead I would expect the SBOM result to only include the things that are actually bundled by rollup - after tree-shaking. And this should also affect the dependency graph.

Just saying. :-)


@janbiasi i would consider this as a feature request, not a bug ;-)
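The two points raised in this thread, a `dependencies` array whose nodes carry no `dependsOn` edges (so a consumer such as Dependency-Track sees a flat graph), and the suggestion that a bundler-produced SBOM should contain only the components that actually end up in the bundle, can both be checked mechanically on a CycloneDX JSON document. The following is an added example, not code from rollup-plugin-sbom or from any commenter: `auditDependencyGraph` reports whether the graph is flat and whether every `ref` and `dependsOn` target resolves to a declared `bom-ref`, and `pruneToReachable` keeps only the components reachable from the root through a caller-supplied set of bundled refs (an assumed input; in a real plugin that set would come from the bundler's module graph). The sample BOM is constructed for the example and deliberately contains one dangling `dependsOn` target.

```javascript
// Constructed sample CycloneDX 1.5 BOM (not a real project's output).
// "pkg:npm/missing@1.0.0" is referenced but never declared as a component.
const SAMPLE_BOM = {
  bomFormat: "CycloneDX",
  specVersion: "1.5",
  metadata: { component: { "bom-ref": "pkg:npm/myProject@0.0.1", name: "myProject", version: "0.0.1" } },
  components: [
    { "bom-ref": "pkg:npm/svelte@4.2.12", name: "svelte", version: "4.2.12" },
    { "bom-ref": "pkg:npm/tslib@2.6.2", name: "tslib", version: "2.6.2" },
    { "bom-ref": "pkg:npm/eslint@8.57.0", name: "eslint", version: "8.57.0" },
  ],
  dependencies: [
    { ref: "pkg:npm/myProject@0.0.1", dependsOn: ["pkg:npm/svelte@4.2.12", "pkg:npm/eslint@8.57.0"] },
    { ref: "pkg:npm/svelte@4.2.12", dependsOn: ["pkg:npm/tslib@2.6.2", "pkg:npm/missing@1.0.0"] },
    { ref: "pkg:npm/tslib@2.6.2" }, // leaf: no dependsOn is legitimate here
    { ref: "pkg:npm/eslint@8.57.0" },
  ],
};

// The symptom from the bug report, reproduced on the same components:
// every dependency node is present but none carries a dependsOn list.
const FLAT_BOM = { ...SAMPLE_BOM, dependencies: SAMPLE_BOM.dependencies.map((d) => ({ ref: d.ref })) };

// ref -> dependsOn[] lookup built from the "dependencies" array.
function edgeMap(bom) {
  const edges = new Map();
  for (const d of bom.dependencies ?? []) edges.set(d.ref, d.dependsOn ?? []);
  return edges;
}

// Every bom-ref a dependency node may legally point at: the components plus the root component.
function declaredRefs(bom) {
  const refs = new Set((bom.components ?? []).map((c) => c["bom-ref"]));
  const root = bom.metadata?.component?.["bom-ref"];
  if (root) refs.add(root);
  return refs;
}

// Structural audit of the dependency graph: flatness and referential integrity.
function auditDependencyGraph(bom) {
  const edges = edgeMap(bom);
  const declared = declaredRefs(bom);
  const danglingRefs = [...edges.keys()].filter((r) => !declared.has(r));
  const danglingTargets = [];
  for (const [ref, targets] of edges) {
    for (const t of targets) if (!declared.has(t)) danglingTargets.push(`${ref} -> ${t}`);
  }
  const nodesWithEdges = [...edges.values()].filter((t) => t.length > 0).length;
  return {
    nodes: edges.size,
    nodesWithEdges,
    // More than one declared component but no edges at all: the graph carries no information.
    flat: declared.size > 1 && nodesWithEdges === 0,
    danglingRefs,
    danglingTargets,
    componentsWithoutNode: [...declared].filter((r) => !edges.has(r)),
  };
}

// Keep only what is reachable from rootRef while walking through bundledRefs
// (assumed to be the set of modules the bundler actually emitted). Edges to
// dropped or undeclared refs are removed so the result stays self-consistent.
function pruneToReachable(bom, rootRef, bundledRefs) {
  const edges = edgeMap(bom);
  const keep = new Set(bundledRefs);
  keep.add(rootRef);
  const reachable = new Set();
  const stack = [rootRef];
  while (stack.length > 0) {
    const ref = stack.pop();
    if (reachable.has(ref) || !keep.has(ref)) continue;
    reachable.add(ref);
    for (const t of edges.get(ref) ?? []) stack.push(t);
  }
  return {
    ...bom,
    components: (bom.components ?? []).filter((c) => reachable.has(c["bom-ref"])),
    dependencies: [...reachable].map((ref) => ({
      ref,
      dependsOn: (edges.get(ref) ?? []).filter((t) => reachable.has(t)),
    })),
  };
}

// Stand-alone demonstration.
console.log("full graph:", auditDependencyGraph(SAMPLE_BOM));
console.log("flat graph:", auditDependencyGraph(FLAT_BOM));
const pruned = pruneToReachable(SAMPLE_BOM, "pkg:npm/myProject@0.0.1", ["pkg:npm/svelte@4.2.12", "pkg:npm/tslib@2.6.2"]);
console.log("pruned:", JSON.stringify(pruned.dependencies, null, 2));
```

Run it with `node audit-bom.js` (file name assumed). On the flat BOM the audit reports `flat: true`, which is exactly the condition a CI gate could fail on before an SBOM is uploaded; the pruned BOM drops `eslint` (a dev-only tool not passed in as bundled) and the dangling `missing` target while keeping the root -> svelte -> tslib chain intact.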

github-actions[bot] commented 3 months ago

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

markusmuellerusi commented 2 months ago

When will a fix be available? Thanks in advance

janbiasi commented 1 month ago

> When will a fix be available? Thanks in advance

Hey @markusmuellerusi

I was enjoying a longer vacation. I've already started working on this feature (not a bug as @jkowalleck mentioned) before - see PR https://github.com/janbiasi/rollup-plugin-sbom/pull/89 - however I can't tell you an exact estimate for that feature as it still requires some work.

In case you're willing to contribute, a PR is also very welcome :)

github-actions[bot] commented 1 week ago

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.