Fix invalid format of generated bom by incomplete package.json files #68
Conversation
peschuster
force-pushed
the
fix-invalid-dependency-output
branch
from
fcd152b
to
6d7a52f
Compare
|
tried to reproduce the example regarding in addition to your fix, @peschuster , could you provide an integration test so the behavior can be reproduced and fixed for good? |
|
This here is the package.json that breaks the output in my project (using babel/runtime 7.17.2): https://github.com/babel/babel/blob/main/packages/babel-runtime/helpers/esm/package.json It is a react project. I will try to create an integration test for it. |
peschuster
force-pushed
the
fix-invalid-dependency-output
branch
6 times, most recently
from
5fb3e64
to
51e7176
Compare
…ency Signed-off-by: Peter Schuster <p.schuster@pilz.de>
…in sub directories of npm packages Signed-off-by: Peter Schuster <p.schuster@pilz.de>
peschuster
force-pushed
the
fix-invalid-dependency-output
branch
from
51e7176
to
f614fbf
Compare
|
@jkowalleck A react example with webpack5 and babel-runtime is now part of the integrations test and the tests are green again (it took some time to find a way through all the pitfalls...) |
| @@ -1481,3 +1481,658 @@ exports[`integration webpack5 with vue2 generated xml file: dist/.bom/bom.xml 1` | |||
| </dependencies> | |||
| </bom>" | |||
| `; | |||
|
|
|||
| exports[`integration webpack5 with react generated json file: dist/.bom/bom.json 1`] = ` | |||
There was a problem hiding this comment.
@peschuster did you review this data?
is it the way you expected it to be?
There was a problem hiding this comment.
Yes I did and it looks correct to me.
|
Thank you for the fix. |
nevermind, will add it in release preparations |
Some packages (like e.g. babel/runtime) contain package.json files in sub directories that don't contain all necessary data for generating boms.
This PR introduces a solution to iterate through parent directories until a package.json with at least a name property is found and prevents incomplete dependency refs from being added to the bom to not generate output that does not comply to the cyclonedx specification.
This should also fix #31.