New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Incorrect BOM when private repos are added #45
Comments
@erichs This is good insight. What is happening is the ordering of searches performed by cdxgen and the presence of node_modules directory. If you remove Hope this helps. |
If there were indeed vulnerable modules versions present in the
In the example repo above, npm/yarn are satisfying a transitive dep declaration like This should be orthogonal to tree-shaking/packing. I think it is actually incorrect to rely on the lockfiles inside of Happy to hop on a screenshare to demo this behavior, if that helps! |
Upon further thought, I'm not fully confident in my claim that:
I think it might be necessary to actually visit the modules on disk (when present) to collect an accurate BOM. (over)-simplifying: |
Sure, let's setup a zoom session to go through this. Can you email me at prabhu @ shiftleft. io |
Perfect, thanks! |
@erichs I've made several changes to the nodejs portion. Could you retest with the latest version and let me know how it looks? |
@prabhu sorry for the delayed response, here. I retested with the isolated problematic yarn.lock file here, and got clean results:
Version 3.0.6 appears to have fixed this issue. 🥇 Thank you! |
Awesome! Thank you for re-testing. |
Related to ShiftLeftSecurity/sast-scan#291,
I have attempted to document my finding here: https://github.com/erichs/testdependency-resolution
The text was updated successfully, but these errors were encountered: