
fix: add missing javascript-lock-cataloger in docker image catalogers #1022

Closed
wants to merge 1 commit

Conversation

patrikbeno
Contributor

@patrikbeno patrikbeno commented Jun 1, 2022

example use case:

  • build react app
  • static content is generated in build/ folder
  • add yarn.lock or package-lock.json into build/ folder to enable dependency analysis on image
  • node_modules is dev-only, and intentionally not included in image

without javascript-lock-cataloger, syft ignores this layout, and dependencies are not recognized.

I am not aware of any other valid approach to support this layout.

Also:

syft build/ properly detects the lock file and dependencies in the build/ folder

but if the same build/ folder is just copied into a docker image, syft $myimage behaves differently (ignores the lock file and fails to populate dependencies)

Signed-off-by: Patrik Beno <patrik.beno@greenhorn.sk>
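The layout described in the PR, written out as an added example (this is not code from the PR or from the syft project): a multi-stage Dockerfile for a React app built with yarn, where node_modules stays in the build stage and only the static output plus a copy of yarn.lock end up in the final image. The image name, paths and the node/nginx base tags are assumptions for illustration.

```dockerfile
# Stage 1: build the React app. node_modules exists only here and is
# deliberately not shipped in the final image.
FROM node:16-alpine AS build
WORKDIR /app
COPY package.json yarn.lock ./
RUN yarn install --frozen-lockfile
COPY . .
RUN yarn build

# Stage 2: serve the static output from build/ with nginx.
FROM nginx:1.23-alpine
COPY --from=build /app/build /usr/share/nginx/html

# Keep the lock file in the image so an image scanner can recover the
# dependency list. The PR puts it inside build/ (which nginx would then
# serve publicly); copying it to a path outside the web root gives the
# scanner the same information without disclosing it over HTTP.
# (assumed path, any location in the image works for a lock-file cataloger)
COPY --from=build /app/yarn.lock /opt/app-metadata/yarn.lock
```

After `docker build -t myimage .`, `syft build/` (directory scan) reports the packages from yarn.lock, while `syft myimage` at the time of this PR does not, because the image cataloger set lacked the javascript-lock-cataloger. Two ways around that are mentioned in the thread: generate the SBOM in CI with `syft yarn.lock -o cyclonedx-json > build/sbom.json` (#1029) and copy it into the image, or, from the release that includes #1038, enable the lock-file cataloger for image scans through syft's cataloger configuration (assumed: the `catalogers` list in `.syft.yaml`, naming `javascript-lock-cataloger`).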
@patrikbeno
Contributor Author

#1029 provides a more generic approach but requires an additional step in CI/build:

syft yarn.lock -o cyclonedx-json > build/sbom.json

@sambhav
Contributor

sambhav commented Jun 5, 2022

I believe #843 might solve this as well.

@spiffcs
Contributor

spiffcs commented Jun 21, 2022

👋 Thanks for the contribution @patrikbeno!

With #1038 merged, the next release of syft should give you more flexibility in controlling which catalogers run as part of the configuration. I do admit it requires a few more steps in the CI/Build, but let us know in an issue if we can improve the configuration at all in the next release.

We'll work with you to get syft updated in a way that lets you use the JavascriptLockCataloger cataloger as part of your workflows with syft.

Closing this for now, but please feel free to reach out to me if you have questions or more ideas on how we can update the cataloger configuration for you!

@spiffcs spiffcs closed this Jun 21, 2022
@spiffcs spiffcs self-assigned this Jun 28, 2022

3 participants