
Inconsistency between directory and container cataloging for Javascript #896

Closed
cw-alexcroteau opened this issue Mar 17, 2022 · 3 comments
Labels: bug (Something isn't working), changelog-ignore (Don't include this issue in the release changelog)

Comments

@cw-alexcroteau

What happened:
When scanning a directory with Syft, licenses won't show up. After investigation, this is because directory scanning does not include NewJavascriptPackageCataloger, but only NewJavascriptLockCataloger.

When scanning an image with Syft, lockfiles are ignored. After investigation, this is for the same reason.

What you expected to happen:
The same catalogers should be supported for both images and directories.

How to reproduce it (as minimally and precisely as possible):

  • Create a minimal package.json with a few packages (for example, express.js)
  • Install the packages with NPM or YARN

Directory:

  • Scan the directory with syft dir:./ | grep licenses
  • No licenses are printed (empty arrays)

Docker:

  • Containerize the application into a tarfile with:
printf "FROM scratch\\nCOPY . /app" | docker build -t test-app -f - ./
docker save test-app > test-app.tar
  • Scan the tarfile with syft docker-archive:test-app.tar -o json | grep licenses
  • Licenses are printed (non-empty arrays)

Anything else we need to know?:

Environment:

  • Output of syft version:
Application:        syft
Version:            0.42.0
JsonSchemaVersion:  3.1.1
BuildDate:          2022-03-17T15:50:38Z
GitCommit:          f4734d28b391800f824a89712897daf19237812c
GitDescription:     v0.42.0
Platform:           linux/amd64
GoVersion:          go1.18
Compiler:           gc
  • OS (e.g: cat /etc/os-release or similar):
NAME="Ubuntu"
VERSION="20.04 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
@cw-alexcroteau cw-alexcroteau added the bug Something isn't working label Mar 17, 2022
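A structured way to spot the directory-versus-image inconsistency described above, instead of grepping the output for the string `licenses`. This is an added example, not Syft's code and not from the reporter; it assumes the Syft JSON layout with a top-level `artifacts` list whose entries carry `name`, `version` and a `licenses` list of strings, and the two sample documents below are constructed, not real scan output.

```python
"""Compare license coverage between two Syft JSON SBOMs, e.g. one from
`syft dir:./ -o json` and one from `syft docker-archive:test-app.tar -o json`.
Assumption: a top-level "artifacts" list with "name", "version", "licenses"."""
import json

# Constructed sample documents, trimmed to the fields this check reads.
# The directory scan carries empty license arrays, as reported in the issue.
DIR_SBOM = json.dumps({"artifacts": [
    {"name": "express", "version": "4.17.3", "licenses": []},
    {"name": "body-parser", "version": "1.19.2", "licenses": []},
]})
IMAGE_SBOM = json.dumps({"artifacts": [
    {"name": "express", "version": "4.17.3", "licenses": ["MIT"]},
    {"name": "body-parser", "version": "1.19.2", "licenses": ["MIT"]},
    {"name": "debug", "version": "2.6.9", "licenses": ["MIT"]},
]})


def index_packages(sbom_json):
    """Map (name, version) -> set of license strings for every artifact."""
    doc = json.loads(sbom_json)
    return {(a["name"], a.get("version", "")): set(a.get("licenses") or [])
            for a in doc.get("artifacts", [])}


def unlicensed(sbom_json):
    """Packages whose licenses array is empty (what the grep in the report shows)."""
    return sorted(k for k, lic in index_packages(sbom_json).items() if not lic)


def compare_sboms(left_json, right_json):
    """Packages present on only one side, plus shared packages whose license sets differ."""
    left, right = index_packages(left_json), index_packages(right_json)
    shared = set(left) & set(right)
    return {
        "only_left": sorted(set(left) - set(right)),
        "only_right": sorted(set(right) - set(left)),
        "license_mismatch": sorted(k for k in shared if left[k] != right[k]),
    }


if __name__ == "__main__":
    print("unlicensed in dir scan:", unlicensed(DIR_SBOM))
    for key, items in compare_sboms(DIR_SBOM, IMAGE_SBOM).items():
        print(key, items)
```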
@cw-alexcroteau (Author)

As a solution, I would suggest modifying 'pkg/cataloger/cataloger.go' to include:

  • javascript.NewJavascriptLockCataloger(), in ImageCatalogers' returned array
  • javascript.NewJavascriptPackageCataloger(), in ImageCatalogers' returned array

However, these two scanners might generate duplicate results, so we might need some additional tests.

@luhring (Contributor)

luhring commented Mar 25, 2022

Hi @cw-alexcroteau. This is intended behavior, but I definitely understand the need to customize cataloger selection for individual use cases. We have an issue open to track this enhancement: #465

@luhring (Contributor)

luhring commented May 1, 2022

Closing due to inactivity, but we can reopen this if this needs more attention!

@luhring luhring closed this as not planned (Won't fix, can't repro, duplicate, stale) May 1, 2022
@luhring luhring added the changelog-ignore Don't include this issue in the release changelog label May 1, 2022
@luhring luhring self-assigned this May 1, 2022
Development

No branches or pull requests

2 participants