
"--omit dev" created a lot of "DummyComponent.InterferedDependency..." entries in the BOM #254

Closed
AndreVirtimo opened this issue Oct 24, 2022 · 5 comments · Fixed by #259
Assignees
Labels
bug Something isn't working

Comments

@AndreVirtimo

When I use the "--omit dev" parameter, I get a lot of entries with the prefix "DummyComponent.InterferedDependency."

I'm using "@cyclonedx/cyclonedx-npm" version 1.2.0 as a dev dependency, and it seems this is also in the BOM, which I didn't expect.

    {
      "ref": "DummyComponent.InterferedDependency.@cyclonedx/cyclonedx-npm",
      "dependsOn": [
        "DummyComponent.InterferedDependency.@cyclonedx/cyclonedx-library",
        "DummyComponent.InterferedDependency.@cyclonedx/cyclonedx-npm|DummyComponent.InterferedDependency.commander",
        "DummyComponent.InterferedDependency.xmlbuilder2"
      ]
    },
    {
      "ref": "DummyComponent.InterferedDependency.@cyclonedx/cyclonedx-npm|DummyComponent.InterferedDependency.commander"
    },
    {
      "ref": "DummyComponent.InterferedDependency.@cyclonedx/cyclonedx-library",
      "dependsOn": [
        "DummyComponent.InterferedDependency.packageurl-js",
        "DummyComponent.InterferedDependency.xmlbuilder2"
      ]
    },
...

To Reproduce

Snippet from my package.json with two internal dependencies removed.

"devDependencies": {
   "@cyclonedx/cyclonedx-npm": "^1.2.0",
   "css-loader": "^6.7.1",
   "cypress": "^10.10.0",
   "cypress-intellij-reporter": "^0.0.7",
   "eslint": "8.26.0",
   "eslint-plugin-cypress": "^2.12.1",
   "eslint-plugin-mocha": "^10.1.0",
   "eslint-plugin-node": "^11.1.0",
   "eslint-plugin-no-only-tests": "^3.1.0",
   "file-loader": "^6.2.0",
   "style-loader": "^3.3.1",
   "webpack": "^5.74.0",
   "webpack-cli": "^4.10.0",
   "webpack-merge": "^5.8.0"
 },
 "dependencies": {
   "@amcharts/amcharts4": "^4.10.29",
   "ace-builds": "^1.12.3",
   "ace-diff": "^3.0.3",
   "ajv": "^8.11.0",
   "ajv-formats": "^2.1.1",
   "dompurify": "^2.4.0",
   "froala-editor": "^4.0.15",
   "json-source-map": "^0.6.1",
   "vkbeautify": "^0.99.3"
 },

Expected behavior

No dummy entries and no dev dependencies.

Environment

npm - 8.5.1
node - v17.6.0

macOS 12.6

@AndreVirtimo AndreVirtimo added the bug Something isn't working label Oct 24, 2022
@AndreVirtimo
Author

I have tried this on another project without "prod" dependencies and only dev dependencies. It seems that all dev dependencies are added to the BOM as DummyComponent.

@jkowalleck jkowalleck self-assigned this Oct 25, 2022
@jkowalleck
Member

jkowalleck commented Oct 25, 2022

Thank you for the report, @AndreVirtimo. I will check into this.
Could you do the broken call again and paste me the logs? They might look like the following:

DEBUG | options: {"ignoreNpmErrors":false,"packageLockOnly":false,"omit":[],"flattenComponents":false,"shortPURLs":false,"specVersion":"1.4","outputFormat":"JSON","outputFile":"-","mcType":"application"}
DEBUG | packageFile: /.../some/path/package.json
DEBUG | projectDir: /.../some/path
DEBUG | detected a package lock file
DEBUG | makeNpmRunner caused execSync "npm" undefined
INFO  | gather dependency tree ...
DEBUG | npm-ls: run npm with ["ls","--json","--all","--long"] in "/.../some/path"
INFO  | build BOM ...
INFO  | writing BOM to -

PS: I tried to reproduce with all the information you gave and the exact dependencies from your report, and was not able to reproduce.
The exact opposite was the case: when called with --omit dev, @cyclonedx/cyclonedx-npm was not in the resulting SBOM. When called without any --omit, @cyclonedx/cyclonedx-npm was part of the SBOM. In both cases no DummyComponent was part of the SBOM.

Could you create a GitHub repo with a setup that isolates your issue and makes it reproducible?
I would imagine a repo that contains a package.json, a package-lock.json, and the sbom.json you produced.
Could you additionally include the output from npm ls --omit dev in a file, so that it can be compared against the other files? It could be the case that npm has some troubles.

@jkowalleck
Member

jkowalleck commented Oct 26, 2022

Previously I tried with some arbitrary npm@^8.
Since you reported using npm@8.5.1, I tried again to reproduce with that exact version, and finally was able to see the same thing you described.

I found the issue was gone when I used npm@^8.7 - see npm/cli#4744
Seems like npm had an issue back then - see npm/cli#4739

I am sorry, you might need to upgrade your npm to a version >= 8.7.0 to fix this issue.

Will change internal implementations of this tool to circumvent the issue. See #259

@AndreVirtimo
Author

@jkowalleck thank you for checking this issue.

I can confirm that this issue was gone after updating npm to version 8.19.2.

@jkowalleck jkowalleck pinned this issue Oct 27, 2022
@jkowalleck
Member

This issue was fixed in v1.3.0 of cyclonedx-npm.

@jkowalleck jkowalleck unpinned this issue Dec 15, 2022