
syft fails to resolve npm package aliases #1314

Closed
EricHripko opened this issue Nov 3, 2022 · 3 comments · Fixed by #1349
Labels
enhancement New feature or request

Comments

@EricHripko

Please provide a set of steps on how to reproduce the issue

  • Create a package.json with the following contents:
{
  "name": "tmp",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {
    "@vue/cli-service": "^5.0.8"
  }
}
  • Generate a package-lock.json by running npm install --package-lock-only
  • Run syft .

What happened:
Running syft on such a project generates an incorrect SBOM because the dependency uses a package alias:

...
@vue/component-compiler-utils             3.3.0                   npm
@vue/vue-loader-v15                       npm:vue-loader@15.10.0  npm
@vue/web-component-wrapper                1.3.0                   npm
...

What you expected to happen:
I expected syft to correctly resolve the npm package alias (from @vue/vue-loader-v15 to vue-loader@15.10.0) and recognise that my project has a dependency on vue-loader@15.10.0.

Anything else we need to know?:

Environment:

  • Output of syft version:
Application:        syft
Version:            0.60.2
JsonSchemaVersion:  4.1.0
BuildDate:          2022-11-02T14:43:28Z
GitCommit:          35f0f2931e310882fe7117c41d57a185d72ca498
GitDescription:     v0.60.2
Platform:           linux/amd64
GoVersion:          go1.18.7
Compiler:           gc
  • OS (e.g: cat /etc/os-release or similar):
NAME="Ubuntu"
VERSION="20.04 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
@EricHripko EricHripko added the bug Something isn't working label Nov 3, 2022
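An added example, not syft's own code, showing how a lockfile reader can resolve the alias form shown in the report. It assumes the legacy package-lock.json convention the issue's own output reflects: an aliased dependency is keyed by the alias name and carries a version field of the form `npm:<real-name>@<version>`. The lockfile content below is constructed for the example, not the one npm produced for the reporter. The point for an SBOM consumer is that the entry must be recorded under the real package name (`vue-loader 15.10.0`), since advisories are published against that name and a record for `@vue/vue-loader-v15` would never match them.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// lockDependency holds the fields of one entry in the legacy "dependencies"
// map of package-lock.json that this example needs.
type lockDependency struct {
	Version  string `json:"version"`
	Resolved string `json:"resolved"`
}

type lockFile struct {
	Dependencies map[string]lockDependency `json:"dependencies"`
}

// resolvedPackage is what an SBOM should record for a dependency: the real
// registry name and version, plus the alias the project installed it under.
type resolvedPackage struct {
	Name    string
	Version string
	Alias   string // empty when the dependency was not aliased
}

var errNotAlias = errors.New("not an npm alias specifier")

// resolveAlias parses an alias specifier "npm:<name>@<version>" as it appears
// in the "version" field of a lockfile entry. The name may be scoped
// ("npm:@scope/pkg@1.2.3"), so the split happens on the last "@", not the
// first. A plain version string yields errNotAlias; a malformed alias an error.
func resolveAlias(spec string) (name, version string, err error) {
	const prefix = "npm:"
	if !strings.HasPrefix(spec, prefix) {
		return "", "", errNotAlias
	}
	rest := strings.TrimPrefix(spec, prefix)
	idx := strings.LastIndex(rest, "@")
	if idx <= 0 || idx == len(rest)-1 {
		return "", "", fmt.Errorf("malformed npm alias %q", spec)
	}
	return rest[:idx], rest[idx+1:], nil
}

// resolvePackages reads a lockfile and returns its dependencies with aliases
// resolved, sorted by the key they were installed under for stable output.
func resolvePackages(raw []byte) ([]resolvedPackage, error) {
	var lock lockFile
	if err := json.Unmarshal(raw, &lock); err != nil {
		return nil, err
	}
	keys := make([]string, 0, len(lock.Dependencies))
	for k := range lock.Dependencies {
		keys = append(keys, k)
	}
	sort.Strings(keys)

	out := make([]resolvedPackage, 0, len(keys))
	for _, key := range keys {
		dep := lock.Dependencies[key]
		name, version, err := resolveAlias(dep.Version)
		switch {
		case err == nil:
			out = append(out, resolvedPackage{Name: name, Version: version, Alias: key})
		case errors.Is(err, errNotAlias):
			out = append(out, resolvedPackage{Name: key, Version: dep.Version})
		default:
			return nil, fmt.Errorf("%s: %w", key, err)
		}
	}
	return out, nil
}

// sampleLock is a constructed package-lock.json fragment modelled on the
// project in the issue; it is not the lockfile npm actually produced there.
const sampleLock = `{
  "name": "tmp", "version": "1.0.0", "lockfileVersion": 1,
  "dependencies": {
    "@vue/vue-loader-v15": {
      "version": "npm:vue-loader@15.10.0",
      "resolved": "https://registry.npmjs.org/vue-loader/-/vue-loader-15.10.0.tgz"
    },
    "@vue/web-component-wrapper": {
      "version": "1.3.0",
      "resolved": "https://registry.npmjs.org/@vue/web-component-wrapper/-/web-component-wrapper-1.3.0.tgz"
    }
  }
}`

func main() {
	pkgs, err := resolvePackages([]byte(sampleLock))
	if err != nil {
		panic(err)
	}
	for _, p := range pkgs {
		line := fmt.Sprintf("%-30s %-10s", p.Name, p.Version)
		if p.Alias != "" {
			line += "  (installed as alias " + p.Alias + ")"
		}
		fmt.Println(line)
	}
}
```

Splitting on the last `@` rather than the first is what keeps scoped aliases such as `npm:@scope/pkg@1.2.3` intact; keeping the alias in a separate field preserves the information that the project refers to the package by another name without polluting the name used for vulnerability matching.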
@kzantow
Contributor

kzantow commented Nov 3, 2022

Thanks @EricHripko -- we definitely can figure out a way to handle these aliases (I haven't ever encountered them before!). Do you happen to know if this is specific to npm or also something supported by yarn or other package managers?

@kzantow kzantow added enhancement New feature or request and removed bug Something isn't working labels Nov 3, 2022
@EricHripko
Author

Thank you for a prompt response, @kzantow 👍 I similarly didn't know about aliases until encountering this SBOM quirk; from what I can tell, yarn also supports package aliases.

@EricHripko
Author

Thank you for fixing this up - really appreciate it 🙌
