fix: mark devDependencies as "excluded" in SBOM results #1221

Closed
65 changes: 54 additions & 11 deletions src/builders.ts
Expand Up @@ -17,7 +17,9 @@ SPDX-License-Identifier: Apache-2.0
Copyright (c) OWASP Foundation. All Rights Reserved.
*/

import { type Builders, Enums, type Factories, Models, Utils } from '@cyclonedx/cyclonedx-library'
import type { Builders, Factories } from '@cyclonedx/cyclonedx-library'
import { Enums, Models, Utils } from '@cyclonedx/cyclonedx-library'
import type { PackageJson } from '@cyclonedx/cyclonedx-library/dist.d/_helpers/packageJson'
import { existsSync } from 'fs'
import * as normalizePackageData from 'normalize-package-data'
import { type PackageURL } from 'packageurl-js'
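Review bot: The import split in this hunk is purely stylistic and unrelated to the devDependencies scope change the PR title describes; `import type { Builders, Factories }` followed by a value import of `Enums, Models, Utils` is equivalent to the former inline `type` modifiers on the single import line. Either move it to a separate cleanup commit or say in the PR description why it is needed (for example a lint rule), so the functional change stays reviewable on its own.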
Expand Down Expand Up @@ -420,17 +422,58 @@ export class BomBuilder {

private makeComponent (data: any, type?: Enums.ComponentType | undefined): Models.Component | false | undefined {
// older npm-ls versions (v6) hide properties behind a `_`
const isOptional = (data.optional ?? data._optional) === true
const isOptional = (data.optional ?? data._optional) === trueFrom https://github.com/ARRY7686/cyclonedx-node-npm
* branch set_devdependencies_to_excluded -> FETCH_HEAD
hint: You have divergent branches and need to specify how to reconcile them.
hint: You can do so by running one of the following commands sometime before
hint: your next pull:
what is this supposed to be?!

hint:
hint: git config pull.rebase false # merge (the default strategy)
hint: git config pull.rebase true # rebase
hint: git config pull.ff only # fast-forward only
hint:
hint: You can replace "git config" with "git config --global" to set a default
hint: preference for all repositories. You can also pass --rebase, --no-rebase,
hint: or --ff-only on the command line to override the configured default per
hint: invocation.
fatal: Need to specify how to reconcile divergent branches.
if (isOptional && this.omitDependencyTypes.has('optional')) {
this.console.debug('DEBUG | omit optional component: %j %j', data.name, data._id)
return false
}

// older npm-ls versions (v6) hide properties behind a `_`
}From https://github.com/ARRY7686/cyclonedx-node-npm
* branch set_devdependencies_to_excluded -> FETCH_HEAD
hint: You have divergent branches and need to specify how to reconcile them.
hint: You can do so by running one of the following commands sometime before
hint: your next pull:
hint:
hint: git config pull.rebase false # merge (the default strategy)
hint: git config pull.rebase true # rebase
hint: git config pull.ff only # fast-forward only
hint:
hint: You can replace "git config" with "git config --global" to set a default
hint: preference for all repositories. You can also pass --rebase, --no-rebase,
hint: or --ff-only on the command line to override the configured default per
hint: invocation.
fatal: Need to specify how to reconcile divergent branches.roperties behind a `_`
const isDev = (data.dev ?? data._development) === true
if (isDev && this.omitDependencyTypes.has('dev')) {
this.console.debug('DEBUG | omit dev component: %j %j', data.name, data._id)
return false
// if (isDev && this.omitDependencyTypes.has('dev')) {
// this.console.debug('DEBUG | omit dev component: %j %j', data.name, data._id)
// return false
// }

// Initialize component with a default value
let component: Models.Component | undefined = undefined;
@jkowalleck jkowalleck Oct 1, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This new variable is assigned but never read, so it is useless all along.
Please remove this unused variable.

Author
I have to assign the component variable a default value of undefined, and then I can mark it as excluded in the necessary place.

@jkowalleck jkowalleck Oct 1, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did you generate the test results and check if your changes have any effect?
Please see https://github.com/CycloneDX/cyclonedx-node-npm/blob/main/CONTRIBUTING.md


// Modify the component's scope for devDependencies
if (isDev) {
// Set the scope of dev dependencies to 'Excluded'
component = this.componentBuilder.makeComponent(data, type);
if (component) {
component.scope = Enums.ComponentScope.Excluded; // This line ensures dev dependencies are marked as excluded
}
} else {
// Handle other component logic (omitted for brevity)
component = this.componentBuilder.makeComponent(data, type);
}

// attention: `data.devOptional` are not to be skipped with devs, since they are still required by optionals.
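Review bot: This hunk commits pasted terminal output into the TypeScript source: `const isOptional = (data.optional ?? data._optional) === trueFrom https://github.com/ARRY7686/cyclonedx-node-npm`, the run of `hint:` lines and `fatal: Need to specify how to reconcile divergent branches.`, which also lands inside the `// older npm-ls versions (v6) hide properties behind a \`_\`` comment before `const isDev`. The file cannot compile as committed; remove the pasted text and restore those lines. Separately, commenting out `if (isDev && this.omitDependencyTypes.has('dev')) { ... return false }` removes the existing `--omit dev` behaviour instead of adding the "excluded" scope alongside it; keep the omission check and only change what happens when dev components are kept. The new `let component` block also calls `this.componentBuilder.makeComponent(data, type)` in both branches on the raw `data`, so the `if (isDev) ... else ...` can collapse to a single scope assignment on the component the method actually returns. The trailing semicolons on the new lines do not match the surrounding code style either.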
Expand All @@ -453,7 +496,7 @@ export class BomBuilder {
}
// endregion fix normalizations

const component = this.componentBuilder.makeComponent(
const newComponent = this.componentBuilder.makeComponent(
_dataC as normalizePackageData.Package,
type
)
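Review bot: Renaming this to `newComponent` produces a second component built from the normalized `_dataC`, while the `component.scope = Enums.ComponentScope.Excluded` assignment earlier in the method was applied to a different object built from raw `data`; the scope therefore never reaches the object this method goes on to return. Set it on this result instead, for example `if (isDev && newComponent !== undefined) { newComponent.scope = Enums.ComponentScope.Excluded }`, or keep the original `const component` name and move the assignment after this call.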
Expand Down Expand Up @@ -541,8 +584,8 @@ export class BomBuilder {
`${component.group || '-'}/${component.name}@${component.version || '-'}`
/* eslint-enable @typescript-eslint/strict-boolean-expressions, @typescript-eslint/prefer-nullish-coalescing */

return component
}
return newComponent
}

private makePurl (component: Models.Component): PackageURL | undefined {
const purl = this.purlFactory.makeFromComponent(component, this.reproducible)
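Review bot: `return newComponent` returns the normalized component, but the unchanged context line `\`${component.group || '-'}/${component.name}@${component.version || '-'}\`` just above still reads `component`, which after this PR resolves to the outer `let component: Models.Component | undefined` rather than the object being returned; under strict null checks this will not type-check, and even where it does the debug string describes the wrong object. Either update that reference to `newComponent` or drop the rename together with the duplicate variable.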