Add support for package.json #200
Labels: enhancement (New feature or request)
Toure pushed a commit that referenced this issue on Oct 14, 2020 (Signed-off-by: Toure Dunnon <toure.dunnon@anchore.com>)
Toure pushed a commit that referenced this issue on Oct 15, 2020 (Signed-off-by: Toure Dunnon <toure.dunnon@anchore.com>)
Toure pushed a commit that referenced this issue on Oct 16, 2020 (Signed-off-by: Toure Dunnon <toure.dunnon@anchore.com>)
Toure pushed a commit that referenced this issue on Oct 16, 2020 (Signed-off-by: Toure Dunnon <toure.dunnon@anchore.com>)
GijsCalis pushed a commit to GijsCalis/syft that referenced this issue on Feb 19, 2024 (Signed-off-by: Toure Dunnon <toure.dunnon@anchore.com>)
GijsCalis pushed a commit to GijsCalis/syft that referenced this issue on Feb 19, 2024: "Add support for package.json anchore#200"
In order to reduce the number of false positives when scanning images while also keeping the value of grype-vscode [directory] scans, it would be useful when scanning directories to key off of index-like files (e.g. `package-lock.json`) and installation metadata (e.g. `package.json` within `node_module` sub-directories) when scanning images for the javascript cataloger.

**AC**

- `yarn.lock` and `package-lock.json` files are not shown during image scans (but are shown during directory scans).
- `package.json` is listed in the SBOM for both image and directory scans.
- `package.json` should be present in the SBOM.

**Steps to Test**

- `package.json`, `yarn.lock`, `package-lock.json` files in the directory being scanned.
- `package.json`, `yarn.lock`, `package-lock.json` files in the image being scanned.
- `package-lock.json` and `yarn.lock` references.

**Notes for Developer**

Should mirror the gemspec cataloger additions made in #203

Today we capture npm packages from discovered `package-lock.json` and `yarn.lock` files (which includes top-level dependencies and their dependencies). We should additionally use `package.json` to discover top-level dependencies, tracking only the package the `package.json` represents and ignoring any listed dependencies.
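The behaviour requested above (take only the package a `package.json` represents, ignore its `dependencies`, and tell installation metadata under `node_modules` apart from a project's own manifest), shown as an added illustration in Go; this is not syft's own cataloger code, and the type names, function names and the sample manifest are constructed for the example:

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"strings"
)

// NpmPackage is the single package that one package.json describes.
type NpmPackage struct{ Name, Version string }

// packageJSON decodes only the fields needed to identify the package itself;
// "dependencies" is decoded to show its shape and then deliberately discarded.
type packageJSON struct {
	Name         string            `json:"name"`
	Version      string            `json:"version"`
	Dependencies map[string]string `json:"dependencies"`
}

// Constructed sample input, not taken from any real project.
const SamplePackageJSON = `{"name": "example-app", "version": "1.2.3",
  "dependencies": {"lodash": "^4.17.20", "express": "^4.17.1"}}`

// ParsePackageJSON returns the package a package.json represents. Listed
// dependencies are ignored: the lock files already record them, and
// cataloguing them here too would double-report them in the SBOM.
func ParsePackageJSON(data []byte) (NpmPackage, error) {
	var pj packageJSON
	if err := json.Unmarshal(data, &pj); err != nil {
		return NpmPackage{}, fmt.Errorf("parse package.json: %w", err)
	}
	if pj.Name == "" || pj.Version == "" {
		return NpmPackage{}, fmt.Errorf("package.json lacks name or version")
	}
	return NpmPackage{Name: pj.Name, Version: pj.Version}, nil
}

// IsInstalledPackageJSON reports whether path is installation metadata (a
// package.json under a node_modules tree) rather than a top-level manifest.
func IsInstalledPackageJSON(path string) bool {
	if filepath.Base(path) != "package.json" {
		return false
	}
	for _, seg := range strings.Split(filepath.ToSlash(path), "/") {
		if seg == "node_modules" {
			return true
		}
	}
	return false
}
```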