
Add support for package.json #200

Closed
wagoodman opened this issue Oct 1, 2020 · 0 comments · Fixed by #224
Labels: enhancement (New feature or request)

Comments

wagoodman (Contributor) commented Oct 1, 2020

In order to reduce the number of false positives when scanning images while also keeping the value of grype-vscode [directory] scans, it would be useful when scanning directories to key off of index-like files (e.g. package-lock.json) and installation metadata (e.g. package.json within node_module sub-directories) when scanning images for the javascript cataloger.

AC

  • Dependencies described within yarn.lock and package-lock.json files are not shown during image scans (but are shown during directory scans).
  • The package described in package.json is listed in the SBOM for both image and directory scans.
  • NO dependencies listed in the package.json should be present in the SBOM.

Steps to Test

  • When scanning a directory:
    • ensure there are examples of package.json, yarn.lock, and package-lock.json files in the directory being scanned.
    • ensure the scan finds all javascript example packages.
  • When scanning an image:
    • ensure there are examples of package.json, yarn.lock, and package-lock.json files in the image being scanned.
    • ensure the scan finds all javascript package examples EXCEPT any package-lock.json and yarn.lock references.

Notes for Developer
Should mirror the gemspec cataloger additions made in #203

Today we capture npm packages from discovered package-lock.json and yarn.lock files (which includes top-level dependencies and their dependencies). We should additionally use package.json to discover top-level dependencies, tracking only the package the package.json represents and ignoring any listed dependencies.

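The cataloging rule the acceptance criteria above describe, written out as an added Go example (this is illustrative code, not syft's own cataloger): a package.json yields exactly one SBOM entry, the package it describes, and its dependency lists are discarded; lockfiles are consulted only for directory scans. The `Package`, `Source`, `ParsePackageJSON` and `ShouldCatalog` names, the decision to reject a package.json with no `name`, and the sample package.json contents are all assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
)

// Package is the minimal record an SBOM entry needs for this example
// (a hypothetical type, not syft's pkg.Package).
type Package struct {
	Name    string
	Version string
	Source  string // path of the file that described the package
}

// packageJSON mirrors the package.json fields this example cares about.
// The dependency maps are decoded only to show that they are discarded.
type packageJSON struct {
	Name            string            `json:"name"`
	Version         string            `json:"version"`
	Dependencies    map[string]string `json:"dependencies"`
	DevDependencies map[string]string `json:"devDependencies"`
}

// ParsePackageJSON returns exactly one Package: the one the package.json
// describes. dependencies/devDependencies are ignored because they declare
// version ranges, not what is actually installed; reporting them would be
// the false-positive source the issue wants removed. A package.json with no
// name is rejected here (assumption: nothing useful can be recorded for it).
func ParsePackageJSON(path string, contents []byte) (*Package, error) {
	var pj packageJSON
	if err := json.Unmarshal(contents, &pj); err != nil {
		return nil, fmt.Errorf("%s: invalid package.json: %w", path, err)
	}
	if pj.Name == "" {
		return nil, fmt.Errorf("%s: package.json has no name", path)
	}
	return &Package{Name: pj.Name, Version: pj.Version, Source: path}, nil
}

// Source is where the files being cataloged come from.
type Source int

const (
	DirectorySource Source = iota
	ImageSource
)

// ShouldCatalog encodes the acceptance criteria: package.json is used for
// both source kinds; package-lock.json and yarn.lock only for directory scans.
func ShouldCatalog(src Source, path string) bool {
	switch filepath.Base(path) {
	case "package.json":
		return true
	case "package-lock.json", "yarn.lock":
		return src == DirectorySource
	default:
		return false
	}
}

// Constructed sample input for the example; not taken from any real project.
const samplePackageJSON = `{
  "name": "example-app",
  "version": "1.2.3",
  "dependencies": {"lodash": "^4.17.0"},
  "devDependencies": {"jest": "^26.0.0"}
}`

func main() {
	p, err := ParsePackageJSON("/app/package.json", []byte(samplePackageJSON))
	if err != nil {
		panic(err)
	}
	// Only example-app@1.2.3 is emitted; lodash and jest are not.
	fmt.Printf("%s@%s from %s\n", p.Name, p.Version, p.Source)

	for _, f := range []string{"/app/package.json", "/app/package-lock.json", "/app/yarn.lock"} {
		fmt.Printf("%-25s directory=%v image=%v\n",
			f, ShouldCatalog(DirectorySource, f), ShouldCatalog(ImageSource, f))
	}
}
```

The same `ParsePackageJSON` applies to a package.json found under a node_modules subdirectory: each one contributes the single installed package it describes, which is how installed top-level dependencies are discovered in an image without trusting a lockfile's version ranges.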
@wagoodman wagoodman added the enhancement New feature or request label Oct 1, 2020
@wagoodman wagoodman self-assigned this Oct 7, 2020
@Toure Toure self-assigned this Oct 13, 2020
Toure pushed a commit that referenced this issue Oct 14, 2020
Toure pushed a commit that referenced this issue Oct 15, 2020
Toure pushed a commit that referenced this issue Oct 16, 2020
Toure pushed a commit that referenced this issue Oct 16, 2020
Toure pushed a commit that referenced this issue Oct 16, 2020
GijsCalis pushed a commit to GijsCalis/syft that referenced this issue Feb 19, 2024
GijsCalis pushed a commit to GijsCalis/syft that referenced this issue Feb 19, 2024