Closed freed00m closed 2 months ago
Don't know any details about your scanner, but an npm dependency is placed inside the node_modules folder (after installation) and will be listed as a dependency entry in the package(-lock).json.
If your scanner searches for package.json inside a package, I think it's a wrong interpretation of an npm dependency, IMO.
@danielleroux that's the standard SIEMENS npm clearing automation tool.
It doesn't use package-lock.json nor yarn.lock.
I guess it's just weird having "@siemens/ix/components - 0.0.0" in the CycloneDX SBOM.
Probably not your issue, as the scanner is probably too eager.
I will blacklist it, as it's not a package with meaningful semver and it's contained within "@siemens/ix".
Prerequisites
What happened?
There is a placeholder empty package.json at node_modules/@siemens/ix/components/package.json containing

This is being picked up by the scpautomation and submitted to Black Duck as a false dependency "@siemens/ix/components" with version "0.0.0".
Current workaround is to blacklist this single package "@siemens/ix/components" for the scpautomation job https://code.siemens.com/scpautomation/clearing-samples/npm-sample
What type of frontend framework are you seeing the problem on?
Angular
Which version of iX do you use?
v2.1.0
Code to produce this issue.