fromNodePackageJson - add more dist detections #1247

Closed
1 of 2 tasks
jkowalleck opened this issue Jun 3, 2025 · 2 comments · Fixed by CycloneDX/cyclonedx-node-npm#1301 or #1246
Assignees
Labels
enhancement New feature or request

Comments

@jkowalleck
Member

jkowalleck commented Jun 3, 2025

Is your feature request related to a problem? Please describe.

Some package.json files do include a "dist" entry. This might come up when packages are bundled dependencies: the package manifests are then enriched by packaging tools and get a "dist" entry to reflect which version was bundled.

this "dist" information shall be added to the SBOM results

example result from package.json:

// ...
  "dist": {
    "shasum": "a63b0eec4625a2902534898a5f9eec8aaed046e9",
    "tarball": "http://registry.npmjs.org/find-up/-/find-up-1.1.0.tgz"
  },
// ...

Describe the solution you'd like

find the mentioned field and add the dist-url and the hashes to the SBOM

Describe alternatives you've considered

/

Additional context

an example: https://www.npmjs.com/package/bundle-dependencies/v/1.0.2

./node_modules/yargs/package.json is

{
  "_args": [
    [
      "yargs@^4.1.0",
      "/Users/gajus/Documents/dev/gajus/bundle-dependencies"
    ]
  ],
  "_from": "yargs@>=4.1.0 <5.0.0",
  "_id": "[email protected]",
  "_inCache": true,
  "_installable": true,
  "_location": "/yargs",
  "_nodeVersion": "3.2.0",
  "_npmOperationalInternal": {
    "host": "packages-5-east.internal.npmjs.com",
    "tmp": "tmp/yargs-4.1.0.tgz_1455554454146_0.05233815615065396"
  },
  "_npmUser": {
    "email": "[email protected]",
    "name": "bcoe"
  },
  "_npmVersion": "3.3.0",
  "_phantomChildren": {},
  "_requested": {
    "name": "yargs",
    "raw": "yargs@^4.1.0",
    "rawSpec": "^4.1.0",
    "scope": null,
    "spec": ">=4.1.0 <5.0.0",
    "type": "range"
  },
  "_requiredBy": [
    "/"
  ],
  "_resolved": "https://registry.npmjs.org/yargs/-/yargs-4.1.0.tgz",
  "_shasum": "035e5ea466ac7fea584b00353e33eae4082b9894",
  "_shrinkwrap": null,
  "_spec": "yargs@^4.1.0",
  "_where": "/Users/gajus/Documents/dev/gajus/bundle-dependencies",
  "bugs": {
    "url": "https://github.com/bcoe/yargs/issues"
  },
  "dependencies": {
    "camelcase": "^2.0.1",
    "cliui": "^3.0.3",
    "decamelize": "^1.1.1",
    "os-locale": "^1.4.0",
    "pkg-conf": "^1.1.1",
    "read-pkg-up": "^1.0.1",
    "require-main-filename": "^1.0.0",
    "string-width": "^1.0.1",
    "window-size": "^0.2.0",
    "y18n": "^3.2.0",
    "yargs-parser": "^2.1.0"
  },
  "description": "Light-weight option parsing with an argv hash. No optstrings attached.",
  "devDependencies": {
    "chai": "^3.4.1",
    "chalk": "^1.1.1",
    "coveralls": "^2.11.4",
    "cpr": "^1.0.0",
    "es6-promise": "^3.0.2",
    "hashish": "0.0.4",
    "mocha": "^2.4.5",
    "nyc": "^5.2.0",
    "rimraf": "^2.5.0",
    "standard": "^6.0.5",
    "which": "^1.1.2",
    "win-spawn": "^2.0.0"
  },
  "directories": {},
  "dist": {
    "shasum": "035e5ea466ac7fea584b00353e33eae4082b9894",
    "tarball": "http://registry.npmjs.org/yargs/-/yargs-4.1.0.tgz"
  },
  "engine": {
    "node": ">=0.10"
  },
  "files": [
    "index.js",
    "lib",
    "locales",
    "completion.sh.hbs",
    "LICENSE"
  ],
  "gitHead": "3808fabcd36645a1c855385e62c31fd5917ee447",
  "homepage": "http://yargs.js.org/",
  "keywords": [
    "argument",
    "args",
    "option",
    "parser",
    "parsing",
    "cli",
    "command"
  ],
  "license": "MIT",
  "main": "./index.js",
  "maintainers": [
    {
      "email": "[email protected]",
      "name": "bcoe"
    },
    {
      "email": "[email protected]",
      "name": "chevex"
    },
    {
      "email": "[email protected]",
      "name": "nexdrew"
    },
    {
      "email": "[email protected]",
      "name": "nylen"
    }
  ],
  "name": "yargs",
  "optionalDependencies": {},
  "readme": "ERROR: No README data found!",
  "repository": {
    "type": "git",
    "url": "git+ssh://[email protected]/bcoe/yargs.git"
  },
  "scripts": {
    "coverage": "nyc report --reporter=text-lcov | coveralls",
    "pretest": "standard",
    "test": "nyc --cache mocha --require ./test/before.js --timeout=4000 --check-leaks"
  },
  "standard": {
    "ignore": [
      "**/example/**"
    ]
  },
  "version": "4.1.0"
}

Contribution

  • I am willing to provide an implementation
  • I will wait until somebody else implements it
@jkowalleck jkowalleck added enhancement New feature or request help wanted Extra attention is needed labels Jun 3, 2025
@jkowalleck jkowalleck self-assigned this Jun 4, 2025
@jkowalleck jkowalleck removed the help wanted Extra attention is needed label Jun 4, 2025
@jkowalleck
Member Author

jkowalleck commented Jun 4, 2025

research showed:

  • the _resolved and _shasum were added by npm6 at install time
    • they no longer exist from npm7 on - we cannot use them
  • "dist" - no real idea where it comes from, but it looks like it is auto-generated by some build tool.
    • we can probably leverage it.

@jkowalleck jkowalleck transferred this issue from CycloneDX/cyclonedx-node-npm Jun 4, 2025
@jkowalleck jkowalleck changed the title add more dist detections fromNodePackageJson - add more dist detections Jun 5, 2025
jkowalleck added a commit that referenced this issue Jun 5, 2025
fixes #1247

## Added
* `factories.FromNodePackageJson.makeExternalReferences` supports "dist" field
  * New symbols under `utils.NpmJs`
    * `defaultRepoMatcher`
    * `parsePackageIntegrity`

----

TODO

- [x] implementation
- [x] tests

---------

Signed-off-by: Jan Kowalleck <[email protected]>
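The detection the issue asks for, and the integrity parsing the commit note mentions under `parsePackageIntegrity`, as an added example that is not the library's own code: it reads a package.json object's "dist" block and returns the tarball URL plus verified-length hashes in a shape modelled on a CycloneDX external reference. The names `extractDistReference` and `parseIntegrity` are this example's own, and the SRI "integrity" value in the sample is constructed.

```javascript
// Added example (not cyclonedx-javascript-library code): turn an npm "dist"
// block into the data an SBOM needs, i.e. tarball URL plus hashes.
// Function names here are assumptions, not the library's public API.

// Algorithms npm uses in "dist": SHA-1 via "shasum" (hex) and SRI "integrity"
// strings such as "sha512-<base64>". Map to CycloneDX hash algorithm names.
const SRI_ALGS = { sha256: 'SHA-256', sha384: 'SHA-384', sha512: 'SHA-512' };
const SRI_DIGEST_LEN = { sha256: 32, sha384: 48, sha512: 64 }; // bytes

// Parse a Subresource-Integrity string ("<alg>-<base64> [<alg>-<base64> ...]")
// into {alg, content} pairs with hex digests. Malformed or wrong-length
// entries are skipped rather than copied into the SBOM unchecked.
function parseIntegrity(integrity) {
  if (typeof integrity !== 'string') return [];
  const out = [];
  for (const token of integrity.trim().split(/\s+/)) {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+=*)$/.exec(token);
    if (!m) continue;
    const alg = m[1];
    const digest = Buffer.from(m[2], 'base64');
    if (digest.length !== SRI_DIGEST_LEN[alg]) continue; // bogus base64
    out.push({ alg: SRI_ALGS[alg], content: digest.toString('hex') });
  }
  return out;
}

// Build a distribution reference from package.json's "dist".
// Returns null when there is no usable "dist" (e.g. npm7+ manifests, which
// also lack the older "_resolved"/"_shasum" fields the issue rules out).
function extractDistReference(pkg) {
  const dist = pkg && pkg.dist;
  if (!dist || typeof dist.tarball !== 'string') return null;
  const hashes = [];
  if (typeof dist.shasum === 'string' && /^[0-9a-f]{40}$/i.test(dist.shasum)) {
    hashes.push({ alg: 'SHA-1', content: dist.shasum.toLowerCase() });
  }
  hashes.push(...parseIntegrity(dist.integrity));
  return { type: 'distribution', url: dist.tarball, hashes };
}

// Constructed sample: the "dist" shape from the issue, plus a made-up SRI
// integrity whose digest is 64 bytes of 0x01.
const SAMPLE_PKG = {
  name: 'find-up', version: '1.1.0',
  dist: {
    shasum: 'a63b0eec4625a2902534898a5f9eec8aaed046e9',
    tarball: 'http://registry.npmjs.org/find-up/-/find-up-1.1.0.tgz',
    integrity: 'sha512-' + Buffer.alloc(64, 1).toString('base64'),
  },
};
```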
jkowalleck added a commit to CycloneDX/cyclonedx-node-npm that referenced this issue Jun 5, 2025