
Commit a9ab486

authored
feat: gather more info for bundled dependencies (#1301)
- fixes CycloneDX/cyclonedx-javascript-library#1247 --------- Signed-off-by: Jan Kowalleck <[email protected]>
1 parent 042715b commit a9ab486

46 files changed

+4316
-401
lines changed


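--- a/.github/workflows/npm-ls_demo-results.yml
+++ b/.github/workflows/npm-ls_demo-results.yml
@@ -21,15 +21,15 @@ jobs:
 fail-fast: false # gather all the results !
 matrix:
 subject:
-- deps-from-git
-- alternative-package-registry
+# - deps-from-git
+# - alternative-package-registry
 - bundled-dependencies
-- dev-dependencies
-- juice-shop
-- local-dependencies
-- local-workspaces
-- package-integrity
-- package-with-build-id
+# - dev-dependencies
+# - juice-shop
+# - local-dependencies
+# - local-workspaces
+# - package-integrity
+# - package-with-build-id
 additional_npm-ls_args: [ '' ]
 npm-version:
 ## see https://www.npmjs.com/package/npm?activeTab=versions
@@ -41,8 +41,8 @@ jobs:
 ## action based on https://github.com/actions/node-versions/releases
 ## see also: https://nodejs.org/en/about/releases/
 - '24' # Current
-#- '22' # Active LTS
-#- '20'
+- '22' # Active LTS
+- '20'
 os:
 - ubuntu-latest
 - windows-latest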
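Review bot: In the first hunk the `subject:` matrix is reduced to `- bundled-dependencies` alone, with the other eight subjects commented out rather than removed, which reads like a one-off narrowing to regenerate the bundled-dependencies demo results that was then committed. If that is the intent, the other subjects' `npm-ls` results are no longer refreshed by this workflow until someone uncomments them, and nothing in the file says so. Either restore the full list or leave a comment on the `subject:` line stating the reason and the condition for reverting, e.g. `subject: # temporarily limited to bundled-dependencies while its demo results are regenerated; restore the full list afterwards`. The second hunk re-enables `'22'` and `'20'` in `npm-version`, which is presumably deliberate and independent of the narrowing.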

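--- a/HISTORY.md
+++ b/HISTORY.md
@@ -7,9 +7,11 @@ All notable changes to this project will be documented in this file.
 <!-- unreleased changes go here -->
 
 * Runtime Dependencies
+* Raised `@cyclonedx/cyclonedx-library@^8.2.0`, was `@^8.0.0` (via [#1301])
 * Raised `commander@^14.0.0`, was `@^13.1.0` (via [#1297])
 
 [#1297]: https://github.com/CycloneDX/cyclonedx-node-npm/pull/1297
+[#1301]: https://github.com/CycloneDX/cyclonedx-node-npm/pull/1301
 
 ## 3.0.0 - 2025-04-08
 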
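--- a/demo/bundled-dependencies/README.md
+++ b/demo/bundled-dependencies/README.md
@@ -11,13 +11,17 @@ or a list of `string` that identifies the keys in dependencies-lists.
 The package [`bundle-dependencies`](https://www.npmjs.com/package/bundle-dependencies)
 ships with bundled version of `yargs`.
 
+This package itself has a bundled dependency, whcih can be tested with `npm pack`.
+
 ## remarks
 
 * In *npm6* the `_inBundle` property is set to `true` in a dependency
 * In *npm8* the `inBundle` property is set to `true` in a dependency.
 * Additionally, there is the property `bundleDependencies`(deprecated)/`bundledDependencies` in a component.
 Value might be `true`(all), `false`(none), or a list of `string` that point to the keys in dependency list.
 * Only one `resolved` can be found, since al the other packages were bundled, and are therefore not resolve.
+* Some package managers add a "dist" section to the bundled dependencies - which can be evaluated.
+See <https://github.com/CycloneDX/cyclonedx-node-npm/issues/1300>.
 
 ## output
 
@@ -53,7 +57,12 @@ Output of `npm ls --json -a -l` look like this:
 // other properties
 },
 // other dependencies
-}
+},
+// other properties
+"dist": {
+"shasum": "035e5ea466ac7fea584b00353e33eae4082b9894",
+"tarball": "http://registry.npmjs.org/yargs/-/yargs-4.1.0.tgz"
+},
 }
 }
 }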

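--- a/demo/bundled-dependencies/project/package.json
+++ b/demo/bundled-dependencies/project/package.json
@@ -10,6 +10,10 @@
 "directory": "demo/bundled-dependencies/project"
 },
 "dependencies": {
-"bundle-dependencies": "1.0.2"
-}
+"bundle-dependencies": "1.0.2",
+"is-obj": "3.0.0"
+},
+"bundledDependencies": [
+"is-obj"
+]
 }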

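--- a/package.json
+++ b/package.json
@@ -69,7 +69,7 @@
 }
 ],
 "dependencies": {
-"@cyclonedx/cyclonedx-library": "^8.0.0",
+"@cyclonedx/cyclonedx-library": "^8.2.0",
 "commander": "^14.0.0",
 "normalize-package-data": "^7.0.0",
 "xmlbuilder2": "^3.0.2"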

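--- a/src/builders.ts
+++ b/src/builders.ts
@@ -354,51 +354,6 @@ export class BomBuilder {
 }
 }
 
-/**
-* See {@link https://docs.npmjs.com/cli/v9/configuring-npm/package-lock-json#packages | package lock docs} for "integrity"
-*
-* integrity: A sha512 or sha1 [Standard Subresource Integrity](https://w3c.github.io/webappsec/specs/subresourceintegrity/) string for the artifact that was unpacked in this location.
-*/
-private readonly integrityRE: ReadonlyMap<Enums.HashAlgorithm, RegExp> = new Map([
-// !!! this list is pre-sorted, starting with most-common usage.
-
-/* base64 alphabet: `A-Za-z0-9+/` and `=` for padding
-* SHA-512 => base64 over 512 bit => 86 chars + 2 chars padding.
-* examples:
-* - sha512-zvj65TkFeIt3i6aj5bIvJDzjjQQGs4o/sNoezg1F1kYap9Nu2jcUdpwzRSJTHMMzG0H7bZkn4rNQpImhuxWX2A==
-* - sha512-DXUS22Y57/LAFSg3x7Vi6RNAuLpTXwxB9S2nIA7msBb/Zt8p7XqMwdpdc1IU7CkOQUPgAqR5fWvxuKCbneKGmA==
-* - sha512-5BejraMXMC+2UjefDvrH0Fo/eLwZRV6859SXRg+FgbhA0R0l6lDqDGAQYhKbXhPN2ofk2kY5sgGyLNL907UXpA==
-*/
-[Enums.HashAlgorithm['SHA-512'], /^sha512-([a-z0-9+/]{86}==)$/i],
-
-/* base64 alphabet: `A-Za-z0-9+/` and `=` for padding
-* SHA-1 => base64 over 160 bit => 27 chars + 1 chars padding.
-* examples:
-* - sha1-aSbRsZT7xze47tUTdW3i/Np+pAg=
-* - sha1-Kq5sNclPz7QV2+lfQIuc6R7oRu0=
-* - sha1-XV8g50dxuFICXD7bZslGLuuRPQM=
-*/
-[Enums.HashAlgorithm['SHA-1'], /^sha1-([a-z0-9+/]{27}=)$/i],
-
-/* base64 alphabet: `A-Za-z0-9+/` and `=` for padding
-* SHA-256 => base64 over 256 bit => 43 chars + 1 chars padding.
-* examples:
-* - sha256-jxzgcB+8dLn7Cjjyg7stGWMftZf6rbdvgoE85TOzmT4=
-* - sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=
-* - sha256-+8Gp+Fjqnhd5FpZL2Iw9N7kaHoRBJ2XimVB3fyZcS3U=
-*/
-[Enums.HashAlgorithm['SHA-256'], /^sha256-([a-z0-9+/]{43}=)$/i],
-
-/* base64 alphabet: `A-Za-z0-9+/` and `=` for padding
-* SHA-384 => base64 over 384 bit => 64 chars + 0 chars padding.
-* example:
-* - sha384-aDkxLz2zQ0dwcNPAsr7NQXs1cVTUh5TQHXjPtGF+1auBmne2gy9lQt0Yu3OBMe9+
-* - sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC
-* - sha384-/b2OdaZ/KfcBpOBAOF4uI5hjA+oQI5IRr5B/y7g1eLPkF8txzmRu/QgZ3YwIjeG9
-*/
-[Enums.HashAlgorithm['SHA-384'], /^sha384-([a-z0-9+/]{64})$/i]
-])
-
 /**
 * Ignore pattern for `resolved`.
 * - ignore: well, just ignore it ... i guess.
@@ -514,16 +469,9 @@ export class BomBuilder {
 const hashes = new Models.HashDictionary()
 const integrity = data.integrity
 if (isString(integrity)) {
-for (const [hashAlgorithm, hashRE] of this.integrityRE) {
-const hashMatchBase64 = hashRE.exec(integrity) ?? []
-if (hashMatchBase64.length === 2) {
-hashes.set(
-hashAlgorithm,
-Buffer.from(hashMatchBase64[1], 'base64').toString('hex')
-)
-break // there is only one hash in "integrity"
-}
-}
+try {
+hashes.set(...Utils.NpmjsUtility.parsePackageIntegrity(integrity))
+} catch { /* pass */}
 }
 component.externalReferences.add(
 new Models.ExternalReference(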
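Review bot: The new `try { hashes.set(...Utils.NpmjsUtility.parsePackageIntegrity(integrity)) } catch { /* pass */}` in the second hunk discards every failure, so a malformed, truncated or unsupported `integrity` value silently produces a component with no hash at all, and a reader of the SBOM cannot tell "no integrity recorded" from "integrity present but unparsable". The removed regex loop had the same silent outcome but could only fail by not matching; the library helper can presumably also throw on unexpected input (its contract is not visible here — confirm against `@cyclonedx/cyclonedx-library@^8.2.0`), which deserves at least a debug-level trace through whatever logger BomBuilder already uses, e.g. `} catch (err) { LOGGER.debug('ignoring unparsable integrity of', data.name, err) }` with `LOGGER` standing in for that existing logger. Failing that, the bare `catch` should carry a comment saying the drop is intentional and what it costs, e.g. `/* unparsable integrity: component is emitted without hashes */`, and `/* pass */}` wants a space before the closing brace to match the file's formatting. The first hunk is a pure deletion of the replaced `integrityRE` table and needs nothing; the method enclosing the second hunk starts and ends outside it.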

tests/_data/dummy_projects/with-prepared/node_modules/.package-lock.json

Lines changed: 12 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

tests/_data/dummy_projects/with-prepared/node_modules/is-obj/license

Lines changed: 9 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

tests/_data/dummy_projects/with-prepared/node_modules/is-obj/package.json

Lines changed: 37 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

tests/_data/dummy_projects/with-prepared/package-lock.json

Lines changed: 14 additions & 1 deletion
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

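--- a/tests/_data/dummy_projects/with-prepared/package.json
+++ b/tests/_data/dummy_projects/with-prepared/package.json
@@ -10,7 +10,8 @@
 "base64-js": "1.0.1",
 "buffer": "^5.4.3",
 "bundle-dependencies": "1.0.2",
-"ignore": "^5.1.4"
+"ignore": "^5.1.4",
+"is-obj": "3.0.0"
 },
 "devDependencies": {
 "@types/node": "20.14.10",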

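--- a/tests/_data/dummy_projects/with-prepared/setup.sh
+++ b/tests/_data/dummy_projects/with-prepared/setup.sh
@@ -32,5 +32,7 @@ find "$NODE_MODULES_DIR" \
 find "$NODE_MODULES_DIR" \
 -type d \
 \( -name 'build' -or -name 'dist' -or -name 'lib' \) \
-\( -path '*/node_modules/@*/*' -or -path '*/node_modules/[^@]*' \) \
-| xargs rm -rf
+\( -path '*/node_modules/@*/*/*' -or -path '*/node_modules/[^@]*/*' \) \
+-print0 \
+| xargs -0 \
+rm -rf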
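Review bot: The `-print0 | xargs -0 rm -rf` pipeline still lets `find` descend into a directory it has already printed, so a nested match such as `…/lib/dist` is emitted after its parent and, depending on how `xargs` batches the names, `rm -rf` may be handed a path that no longer exists and report an error into the test setup output. Adding `-prune` after the `-path` group, i.e. `\( -path '*/node_modules/@*/*/*' -or -path '*/node_modules/[^@]*/*' \) -prune -print0 \`, stops the traversal at each matched directory; alternatively `-exec rm -rf {} +` in place of the pipe removes both the second traversal and the `xargs` step. The switch to NUL-delimited names is the right fix for paths with whitespace and should stay in either variant. The whole `find` command is within this hunk.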

tests/_data/npm-ls_demo-results/bundled-dependencies/CI_results/npm-ls_npm10_node20_macos-latest.json

Lines changed: 26 additions & 1 deletion
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

tests/_data/npm-ls_demo-results/bundled-dependencies/CI_results/npm-ls_npm10_node20_ubuntu-latest.json

Lines changed: 26 additions & 1 deletion
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.
