Syft outputs devDependencies for package-lock.json files #2348

Open
amascia opened this issue Nov 22, 2023 · 4 comments · May be fixed by #3371
Labels
enhancement New feature or request

Comments

@amascia

amascia commented Nov 22, 2023

What happened:
When scanning a directory with the following files:
package.json

{
  "name": "first_app",
  "version": "1.0.0",
  "description": "a first app",
  "main": "index.js",
  "scripts": {
    "test": "testing"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {
  },
  "devDependencies": {
    "async": "^3.2.4"
  }
}

package-lock.json

{
  "name": "first_app",
  "version": "1.0.0",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "first_app",
      "version": "1.0.0",
      "license": "ISC",
      "devDependencies": {
        "async": "^3.2.4"
      }
    },
    "node_modules/async": {
      "version": "3.2.4",
      "resolved": "https://registry.npmjs.org/async/-/async-3.2.4.tgz",
      "integrity": "sha512-iAB+JbDEGXhyIUavoDl9WP/Jj106Kz9DEn1DPgYw5ruDn0e3Wgi3sKFm55sASdGBNOQB8F59d9qQ7deqrHA8wQ==",
      "dev": true
    }
  }
}

It outputs

 ✔ Indexed file system        tests/data/js_dependencies
 ✔ Cataloged packages         [2 packages]
[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
NAME       VERSION  TYPE
async      3.2.4    npm
first_app  1.0.0    npm

with the async devDependency.

What you expected to happen:

Syft does not output dev-dependencies, as is done when scanning a Pipfile.lock.

Steps to reproduce the issue:

Run syft on a directory containing the above files.

Anything else we need to know?:

Environment:

  • Output of syft version:
$ syft version
Application: syft
Version:    0.97.1
BuildDate:  2023-11-17T20:53:01Z
GitCommit:  Homebrew
GitDescription: [not provided]
Platform:   darwin/arm64
GoVersion:  go1.21.4
Compiler:   gc
  • OS (e.g: cat /etc/os-release or similar):
$ sw_vers
ProductName:		macOS
ProductVersion:		14.1.1
BuildVersion:		23B81
@amascia amascia added the bug Something isn't working label Nov 22, 2023
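The report above turns on the `"dev": true` flag that npm writes into `package-lock.json` (lockfileVersion 2 and 3) for packages reachable only through `devDependencies`. The following is an added illustration, not Syft's own cataloger code: it reads that lock format, skips the root project entry, and drops dev-only packages unless asked to keep them. The sample lock is constructed to mirror the one in the report plus two extra entries.

```python
import json

# Constructed sample mirroring the lockfileVersion 3 file from the report,
# with one production package and one extra dev package added.
SAMPLE_LOCK = """{
  "name": "first_app",
  "version": "1.0.0",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "first_app", "version": "1.0.0",
         "devDependencies": {"async": "^3.2.4"}},
    "node_modules/async": {"version": "3.2.4", "dev": true},
    "node_modules/lodash": {"version": "4.17.21"},
    "node_modules/chai": {"version": "4.3.7", "dev": true, "optional": true}
  }
}"""


def lock_packages(lock_text, include_dev=False):
    """Return {name: version} for the packages in a v2/v3 package-lock.json.

    Entries are keyed by their path under node_modules; the root entry ("")
    is the project itself and is skipped. npm marks packages that are only
    reachable from devDependencies with "dev": true, which is the signal
    a cataloger can use to leave development-only packages out of an SBOM.
    """
    lock = json.loads(lock_text)
    if lock.get("lockfileVersion", 1) < 2:
        raise ValueError("expected lockfileVersion 2 or 3 (a 'packages' map)")
    result = {}
    for path, entry in lock.get("packages", {}).items():
        if path == "":
            continue  # root project entry, not a dependency
        if entry.get("dev") and not include_dev:
            continue  # development-only dependency
        # Nested paths like node_modules/a/node_modules/b resolve to "b".
        name = entry.get("name") or path.rsplit("node_modules/", 1)[-1]
        result[name] = entry.get("version")
    return result


if __name__ == "__main__":
    print("production:", lock_packages(SAMPLE_LOCK))
    print("all:       ", lock_packages(SAMPLE_LOCK, include_dev=True))
```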
@tgerla
Contributor

tgerla commented Dec 14, 2023

Hey @amascia, we are taking a look and we believe you are probably right that we need to filter out the dev dependencies from these kinds of scans. Thanks for the detailed report and reproduction steps--much appreciated!

@atl-mk

atl-mk commented Feb 8, 2024

Hey, I am able to provide Syft both the package.json and the lock file (whether it be package-lock.json or yarn.lock) so Syft has all the information it needs to be able to determine whether or not something is a development only dependency. I'm looking forward to this feature being implemented.

@harippriyas
Contributor

+1. Would be a really useful feature. thanks!

@arkajnag23

arkajnag23 commented Aug 15, 2024

@tgerla Very useful feature; desperately asking for this to be supported, as when delivering regulatory governance data, development dependencies shouldn't be shared.
If even the JSON output contained some information about scope, then the team could run some alternative code to filter off the devDependencies.

@njv299 njv299 linked a pull request Oct 22, 2024 that will close this issue
Projects
Status: Backlog