javascript-lock cataloger not picking up licenses in node_modules package.json files #2260
Comments
Hi @jeremytbrun, would it be possible for you to share the package-lock file you are using, so we can reproduce? Thanks!
I gave it a shot on my system (MacOS Sonoma, Syft 0.94) and I'm getting the appropriate license information in the JSON SBOM:
Do you mind also attaching the resulting SBOM that you're getting? I could compare the results and see if anything jumps out.
Glad it works. I will say the only change I made to the file before providing it was removing some package references stored in a private repository because I thought that would break it for you. The private repository is in Azure Artifacts. Not sure if you could try something with a private repository. I will try to get the SBOM to you but it might be a couple of days because I'm on vacation.
Do you mind sharing the exact command syntax you used?
Sure, I am not an NPM expert so I wasn't quite sure what I was doing with the package lock file, but I ended up doing:
This got the node_modules installed and then I ran:
Hope this helps... happy to dig back in when you are back from vacation.
I went ahead and pulled the exact same package-lock.json file I supplied earlier and ran the same commands you did. The resulting sbom.json does not have license data like it does if you run it.
This is with Syft v0.94.0. Also here is the output of
Hi @jeremytbrun, I think the difference might be my macOS-based system versus your Windows-based system. We will add this to our backlog to reproduce and fix when we are able.
I think I might also be affected by this. The licenses section of my JavaScript outputs is empty, and I am running on Windows.
I might throw my hat into this as well. Running both will not pick up any licenses, although in the
What happened:
I have a package-lock v3 file and have run `npm install`. I've verified all third-party packages are installed to the local `node_modules` folder. When running this I get a syft-json SBOM, but all `"licenses"` nodes are empty (`[]`):

```
syft .\ -o syft-json=.\syft.json --catalogers javascript-lock
```
What you expected to happen:
Based on #1910 and #1548 I'd expect there to be license data inside the syft-json SBOM, because syft should have pulled it out of the individual `\node_modules\packageName\package.json` files.
Steps to reproduce the issue:
Anything else we need to know?:
Environment:
Output of `syft version`:

```
Application: syft
Version: 0.94.0
BuildDate: 2023-10-20T17:21:07Z
GitCommit: 8f6bdde
GitDescription: v0.94.0
Platform: windows/amd64
GoVersion: go1.21.3
Compiler: gc
```

OS (e.g. `cat /etc/os-release` or similar): Windows 11 Enterprise 21H2
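The report above expects license data to come from each `node_modules/<name>/package.json`. A quick way to tell whether the data is actually present on disk (and therefore whether the SBOM is the thing dropping it) is to read those manifests independently and diff the result against the `licenses` arrays in the syft-json output. The script below is an added example written for this issue; it is not part of syft and not the reporter's code. It builds a constructed `node_modules` tree in a temp directory (the package names and licenses are made up), normalizes the three `package.json` license spellings (`"license": "MIT"`, the deprecated `"license": {"type": ...}` object, and the `"licenses": [...]` array), and then compares against a constructed syft-json fragment whose shape (`artifacts[].name/version/licenses[].value`) is an assumption about the format. `pathlib` is used throughout so the same check runs unchanged on Windows and macOS, which is the axis the thread is comparing.

```python
import json
import tempfile
from pathlib import Path

# Constructed sample packages (hypothetical names/licenses, not from the issue).
SAMPLE_PACKAGES = {
    "left-pad-ish": {"name": "left-pad-ish", "version": "1.0.0", "license": "MIT"},
    "legacy-lib": {"name": "legacy-lib", "version": "0.2.0",
                   "license": {"type": "BSD-3-Clause", "url": "https://example.invalid/LICENSE"}},
    "@scope/tool": {"name": "@scope/tool", "version": "2.1.0",
                    "licenses": [{"type": "Apache-2.0"}, {"type": "MIT"}]},
    "no-license": {"name": "no-license", "version": "9.9.9"},
}

# Constructed syft-json fragment; the field layout is an assumption about the format.
SAMPLE_SBOM = {"artifacts": [
    {"name": "left-pad-ish", "version": "1.0.0", "licenses": []},
    {"name": "legacy-lib", "version": "0.2.0", "licenses": [{"value": "BSD-3-Clause"}]},
    {"name": "no-license", "version": "9.9.9", "licenses": []},
]}


def normalize_license(manifest):
    """Return the license identifiers declared in one package.json dict.

    Handles the string form, the deprecated object form, and the `licenses` array.
    """
    found = []
    lic = manifest.get("license")
    if isinstance(lic, str) and lic.strip():
        found.append(lic.strip())
    elif isinstance(lic, dict) and lic.get("type"):
        found.append(lic["type"])
    for entry in manifest.get("licenses") or []:
        if isinstance(entry, dict) and entry.get("type"):
            found.append(entry["type"])
        elif isinstance(entry, str) and entry.strip():
            found.append(entry.strip())
    return found


def collect_licenses(node_modules):
    """Map name@version -> licenses for every installed package manifest.

    rglob also descends into nested node_modules and scoped (@scope/name) dirs;
    package.json files without name+version (e.g. lib/package.json stubs) are skipped.
    """
    results = {}
    for manifest in Path(node_modules).rglob("package.json"):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or not JSON: not a package manifest we can use
        name, version = data.get("name"), data.get("version")
        if not name or not version:
            continue
        results[f"{name}@{version}"] = normalize_license(data)
    return results


def missing_licenses(found):
    """Packages whose own package.json declares no license at all."""
    return sorted(key for key, lics in found.items() if not lics)


def sbom_gaps(found, sbom):
    """Packages the SBOM lists with an empty licenses array although package.json has one."""
    gaps = []
    for art in sbom.get("artifacts", []):
        key = f"{art.get('name')}@{art.get('version')}"
        sbom_lics = [l.get("value") if isinstance(l, dict) else l for l in art.get("licenses") or []]
        if not sbom_lics and found.get(key):
            gaps.append(key)
    return sorted(gaps)


def build_sample_tree(base):
    """Write the constructed packages under <base>/node_modules and return that path."""
    nm = Path(base) / "node_modules"
    for name, manifest in SAMPLE_PACKAGES.items():
        pkg_dir = nm.joinpath(*name.split("/"))  # "@scope/tool" -> node_modules/@scope/tool
        pkg_dir.mkdir(parents=True, exist_ok=True)
        (pkg_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return nm


def run_demo():
    """Build the sample tree, read it back, and return (found, missing, gaps)."""
    with tempfile.TemporaryDirectory() as tmp:
        found = collect_licenses(build_sample_tree(tmp))
    return found, missing_licenses(found), sbom_gaps(found, SAMPLE_SBOM)


if __name__ == "__main__":
    found, missing, gaps = run_demo()
    for key, lics in sorted(found.items()):
        print(f"{key}: {', '.join(lics) or '(none)'}")
    print("no license in package.json:", missing)
    print("license on disk but empty in SBOM:", gaps)
```

Against a real project, point `collect_licenses` at the project's `node_modules` and `sbom_gaps` at the parsed `syft.json`: a non-empty gap list means the manifests carry license data that the cataloger did not emit, which is the symptom this issue describes; packages listed under `missing_licenses` are not a syft problem at all.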