Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

javascript-lock cataloger not picking up licenses in node_modules package.json files #2260

Open
jeremytbrun opened this issue Oct 26, 2023 · 10 comments
Open

javascript-lock cataloger not picking up licenses in node_modules package.json files #2260

jeremytbrun opened this issue Oct 26, 2023 · 10 comments
Labels
bug Something isn't working ecosystem:windows windows regarding the windows OS

Comments

@jeremytbrun
Copy link

What happened:
I have a package-lock v3 file and have ran npm install. I've verified all 3rd party packages are installed to the local node_modules folder. When running this I get an syft-json SBOM but all "licenses" nodes are empty []

syft .\ -o syft-json=.\syft.json --catalogers javascript-lock

What you expected to happen:
Based on #1910 and #1548 I'd expect there to be license data inside of the syft-json SBOM because syft should have pulled that out of individual \node_modules\packageName\package.json files.

Steps to reproduce the issue:

Anything else we need to know?:

Environment:

  • Output of syft version:
    Application: syft
    Version: 0.94.0
    BuildDate: 2023-10-20T17:21:07Z
    GitCommit: 8f6bdde
    GitDescription: v0.94.0
    Platform: windows/amd64
    GoVersion: go1.21.3
    Compiler: gc
  • OS (e.g: cat /etc/os-release or similar):
    Windows 11 Enterprise 21H2
@jeremytbrun jeremytbrun added the bug Something isn't working label Oct 26, 2023
@tgerla
Copy link
Contributor

tgerla commented Oct 30, 2023

Hi @jeremytbrun, would it be possible for you to share the package-lock file you are using, so we can reproduce? Thanks!

@tgerla tgerla moved this to Awaiting Response in OSS Oct 30, 2023
@jeremytbrun
Copy link
Author

Hi @jeremytbrun, would it be possible for you to share the package-lock file you are using, so we can reproduce? Thanks!

package-lock.json

@tgerla tgerla removed the status in OSS Oct 31, 2023
@tgerla
Copy link
Contributor

tgerla commented Oct 31, 2023

I gave it a shot on my system (MacOS Sonoma, Syft 0.94) and I'm getting the appropriate license information in the JSON SBOM:

  {
   "id": "555a079bf19e0ea1",
   "name": "@angular-devkit/core",
   "version": "15.2.9",
   "type": "npm",
   "foundBy": "javascript-lock-cataloger",
   "locations": [
    {
     "path": "/package-lock.json",
     "annotations": {
      "evidence": "primary"
     }
    }
   ],
   "licenses": [
    {
     "value": "MIT",
     "spdxExpression": "MIT",
     "type": "declared",
     "urls": [],
     "locations": [
      {
       "path": "/package-lock.json",
       "annotations": {
        "evidence": "primary"
       }
      }
     ]
    }
   ],
...

Do you mind also attaching the resulting SBOM that you're getting? I could compare the results and see if anything jumps out.

@jeremytbrun
Copy link
Author

I gave it a shot on my system (MacOS Sonoma, Syft 0.94) and I'm getting the appropriate license information in the JSON SBOM:

  {
   "id": "555a079bf19e0ea1",
   "name": "@angular-devkit/core",
   "version": "15.2.9",
   "type": "npm",
   "foundBy": "javascript-lock-cataloger",
   "locations": [
    {
     "path": "/package-lock.json",
     "annotations": {
      "evidence": "primary"
     }
    }
   ],
   "licenses": [
    {
     "value": "MIT",
     "spdxExpression": "MIT",
     "type": "declared",
     "urls": [],
     "locations": [
      {
       "path": "/package-lock.json",
       "annotations": {
        "evidence": "primary"
       }
      }
     ]
    }
   ],
...

Do you mind also attaching the resulting SBOM that you're getting? I could compare the results and see if anything jumps out.

Glad it works. I will say the only change I made to the file before providing it was removing some package references stored in private repository cuz I thought that would break it for you. The private repository is in Azure Artifacts. Not sure if you could try something with a private repository.

I will try to get the SBOM to you but it might be a couple days because I'm on vacation.

@jeremytbrun
Copy link
Author

I gave it a shot on my system (MacOS Sonoma, Syft 0.94) and I'm getting the appropriate license information in the JSON SBOM:

  {
   "id": "555a079bf19e0ea1",
   "name": "@angular-devkit/core",
   "version": "15.2.9",
   "type": "npm",
   "foundBy": "javascript-lock-cataloger",
   "locations": [
    {
     "path": "/package-lock.json",
     "annotations": {
      "evidence": "primary"
     }
    }
   ],
   "licenses": [
    {
     "value": "MIT",
     "spdxExpression": "MIT",
     "type": "declared",
     "urls": [],
     "locations": [
      {
       "path": "/package-lock.json",
       "annotations": {
        "evidence": "primary"
       }
      }
     ]
    }
   ],
...

Do you mind also attaching the resulting SBOM that you're getting? I could compare the results and see if anything jumps out.

Glad it works. I will say the only change I made to the file before providing it was removing some package references stored in private repository cuz I thought that would break it for you. The private repository is in Azure Artifacts. Not sure if you could try something with a private repository.

I will try to get the SBOM to you but it might be a couple days because I'm on vacation.

Do you mind sharing the exact command syntax you used?

@tgerla
Copy link
Contributor

tgerla commented Oct 31, 2023

Sure, I am not an NPM expert so I wasn't quite sure what I was doing with the package lock file, but I ended up doing:

$ npm ci --legacy-peer-deps

This got the node_modules installed and then I ran:

$ syft . -o syft-json --catalogers javascript-lock  > sbom.json

Hope this helps...happy to dig back in when you are back from vacation.

@tgerla tgerla moved this to Awaiting Response in OSS Nov 2, 2023
@jeremytbrun
Copy link
Author

Sure, I am not an NPM expert so I wasn't quite sure what I was doing with the package lock file, but I ended up doing:

$ npm ci --legacy-peer-deps

This got the node_modules installed and then I ran:

$ syft . -o syft-json --catalogers javascript-lock  > sbom.json

Hope this helps...happy to dig back in when you are back from vacation.

I went ahead and pulled the exact same package-lock.json file I supplied earlier and ran the same commands you did. The resulting sbom.json does not have license data like it does if you run it.

{
   "id": "f0d37ead64b9e42b",
   "name": "@angular-devkit/core",
   "version": "15.2.9",
   "type": "npm",
   "foundBy": "javascript-lock-cataloger",
   "locations": [
    {
     "path": "\\package-lock.json",
     "annotations": {
      "evidence": "primary"
     }
    }
   ],
   "licenses": [],
...

This is with version Syft v0.94.0. Also here is the output of npm version on my development machine.

{
  npm: '9.8.1',
  node: '18.18.2',
  acorn: '8.10.0',
  ada: '2.6.0',
  ares: '1.19.1',
  brotli: '1.0.9',
  cldr: '43.1',
  icu: '73.2',
  llhttp: '6.0.11',
  modules: '108',
  napi: '9',
  nghttp2: '1.57.0',
  nghttp3: '0.7.0',
  ngtcp2: '0.8.1',
  openssl: '3.0.10+quic',
  simdutf: '3.2.14',
  tz: '2023c',
  undici: '5.26.3',
  unicode: '15.0',
  uv: '1.44.2',
  uvwasi: '0.0.18',
  v8: '10.2.154.26-node.26',
  zlib: '1.2.13.1-motley'
}

@tgerla tgerla removed the status in OSS Nov 9, 2023
@tgerla
Copy link
Contributor

tgerla commented Nov 9, 2023

Hi @jeremytbrun, I think the difference might be my macOS-based system versus your Windows-based system. We will add this to our backlog to reproduce and fix when we are able.

@tgerla tgerla moved this to Backlog in OSS Nov 9, 2023
@spiffcs spiffcs added the windows regarding the windows OS label Feb 8, 2024
@mc-alt
Copy link

mc-alt commented Mar 11, 2024

I think I might also be affected by this. The licenses section of my javascript outputs are empty, and I am running on Windows

@kevin-kortum-trustedshops
Copy link

I might throw my hat into this as well.

Running both
syft --from dir node_modules --output spdx-json=sbom.json
or
syft --from file yarn.lock --select-catalogers javascript --output spdx-json=sbom.json

Will not pick any licenses, although in the node_modules folders most packages provide a license file.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working ecosystem:windows windows regarding the windows OS
Projects
OSS
Status: Backlog
Milestone
No milestone
Development

No branches or pull requests
5 participants
@tgerla @jeremytbrun @spiffcs @mc-alt @kevin-kortum-trustedshops