-
-
Notifications
You must be signed in to change notification settings - Fork 141
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Parsing Javascript files may extract incorrect (and very long) pkg name/version #723
Comments
@prabhu That would'n work for 2 reasons:
I was wondering on which specification you based your code to try to parse the package name and version? I didn't find any specification on how those comments should be written in JavaScript files (minified or not). |
@marob There are no specifications like you figured. So this will be identifying things based on some patterns so there is some visibility into the min files that are being stored or bundled. I am open to improving the logic. |
@marob, are you planning to send a pull request for this? |
@prabhu Maybe, but probably not in the near future. If you have time and an idea on how to improve the parsing, feel free to do it. |
Same. Let's keep this open and see if anyone else contributes. |
In my use case, I have a
projekktor-1.3.09.min.js
file (N.B.: this project looks dead, its website links to dead site/advert spam) that starts with the following line (yes, the version doesn't match, but that's not the issue here):This first line is generated via Grunt.
When parsed through cdxgen
parseMinJs
function,delimiter
is identified as-
because of the one at the end of the line (...License - http://...
), which leads to a mis-identification of the name and version.In the end, cdxgen generates:
This incorrect name/version leads to generating an error in Dependency Track when feeding it that SBOM because of the
purl
exceeding 255 chars (which is the current size limit):The text was updated successfully, but these errors were encountered: