siemens / ix

Siemens Industrial Experience is a design system for designers and developers, to consistently create the perfect digital experience for industrial software products.
https://ix.siemens.io/
MIT License

Dangling package.json is picked up by blackduck oss automation #1234

Closed freed00m closed 2 months ago

freed00m commented 2 months ago

What happened?

There is a placeholder empty package.json at node_modules/@siemens/ix/components/package.json containing

{
  "name": "@siemens/ix/components",
  "version": "0.0.0",
  "main": "./index.js",
  "types": "./custom-elements.d.ts",
  "private": true,
  "sideEffects": false
}

This is being picked up by the scpautomation and submitted to blackduck as a false dependency "@siemens/ix/components" with version "0.0.0".

Current workaround is to blacklist this single package "@siemens/ix/components" for the scpautomation job https://code.siemens.com/scpautomation/clearing-samples/npm-sample

What type of frontend framework are you seeing the problem on?

Angular

Which version of iX do you use?

v2.1.0

Code to produce this issue.

npm i "@siemens/ix"

ls node_modules/@siemens/ix/components/ | grep package.json

danielleroux commented 2 months ago

Don't know any details about your scanner, but an npm dependency is placed inside the node_modules folder (after installation) and will be listed as a dependency entry in the package(-lock).json.

If your scanner searches for package.json files inside a package, I think it's a wrong interpretation of an npm dependency, IMO.

freed00m commented 2 months ago

@danielleroux that's the standard SIEMENS npm clearing automation tool.

It doesn't use package-lock.json nor yarn.lock.

I guess it's just weird having "@siemens/ix/components - 0.0.0" in a CycloneDX SBOM.

Probably not your issue, as the scanner is probably too eager.

I will blacklist it as it's not a package with meaningful semver and it's contained within "@siemens/ix".