Fix generating dependency trees info for dockerized NodeJS projects #927
Conversation
|
Thanks @grgau for the fix. Could you kindly sign the commit by following the below instructions? https://github.com/CycloneDX/cdxgen/pull/927/checks?check_run_id=22859077739 |
grgau
force-pushed
the
fix/nodejs-dependency-tree-docker
branch
2 times, most recently
from
b0d578a
to
3ee6427
Compare
…d app Signed-off-by: grgau <pedro.ferracini@alumni.usp.br>
grgau
force-pushed
the
fix/nodejs-dependency-tree-docker
branch
from
3ee6427
to
6d0e498
Compare
| @@ -1850,12 +1850,6 @@ export async function createNodejsBom(path, options) { | |||
| pkgList = pkgList.concat(dlist); | |||
| } | |||
| } | |||
| return buildBomNSData(options, pkgList, "npm", { | |||
There was a problem hiding this comment.
Should have included a comment here. I think the early return is required to only collect information from package.json alone. This is because for containers we are interested in the post-build lifecycle whereas the lock file could represent the pre-build or build lifecycle and, therefore, might include dev dependencies that may not eventually get included in the image.
As far as the dependency tree goes, I think we can come up with a new function that constructs a tree based on the lock file but only for the components from the package.json files. Such a tree might be useful but not accurate since the dependency tree after tree-shaking could look completely different to build.
There was a problem hiding this comment.
Sorry for the delay, I'll take a look. Is this tree construction currently done in the same function? in the process of calling getAllFiles and then processing the dependencies variable?
There was a problem hiding this comment.
@grgau, best to do some research to see how others are implementing this. For example, npm cli has an sbom command nowadays. Not sure if it can recover the dependency tree from node_modules directory alone using arborist.
|
@grgau any thoughts on how this is handled by other tools? |
Solve issue [NodeJs][Docker] Error getting Dependency Tree in NodeJS Docker images by removing premature return when generating SBOM from dockerized NodeJS images. Because of this return the lock files are not being read and the dependency trees are staying empty.