Comments (5)
In npm's infinite wisdom, they allow anonymous packages to be created if those packages are not distributed on npm. It's a terrible idea and introduces a lot of risk, but there's a possibility that a Vue.js project you're scanning likely has anonymous packages.
I'd recommend using a combination of policy and governance to prevent anonymous packages in your organization. npm command line tools may have something to identify them, not sure. If not, then perhaps just grepping package.json or package-lock.json for empty names and versions will likely tell you the offending packages.
from cyclonedx-node-module.
I get the same issue on a project JuicyShop which is a vulnerable node project.
Here is the package.json file which it had :
{ "name": "juice-shop", "version": "4.2.1", "description": "A Javascript Web Application", "homepage": "https://www.owasp.org/index.php/OWASP_Juice_Shop_Project", "author": "Björn Kimminich <[email protected]> (https://www.owasp.org/index.php/User:Bjoern_Kimminich)", "contributors": [ "Björn Kimminich", "Aaron Edwards", "Alec Brooks", "Dinis Cruz", "Timo Pagel", "Gorka Vicente", "Alvaro Viebrantz", "Johanna A", "Stephen OBrien", "Joe Butler", "Abhishek bundela", "ninoseki", "Jannik Hollenbach", "Viktor Lindström", "Achim Grimm" ], "private": true, "keywords": [ "web security", "web application security", "webappsec", "owasp", "pentest", "pentesting", "security", "vulnerable", "vulnerability", "broken", "bodgeit" ], "dependencies": { "body-parser": "~1.17", "bower": "~1.8", "colors": "~1.1", "config": "~1.26", "cookie-parser": "~1.4", "cors": "~2.8", "dottie": "~2.0", "errorhandler": "~1.5", "express": "~4.15", "express-jwt": "~5.3", "fs-extra": "^3.0.0", "glob": "~5.0", "grunt": "~1.0", "grunt-angular-templates": "~1.1", "grunt-cli": "~1.2", "grunt-contrib-clean": "~1.1", "grunt-contrib-compress": "~1.4", "grunt-contrib-concat": "~1.0", "grunt-contrib-uglify": "~3.0", "grunt-text-replace": "~0.4", "hashids": "~1.1", "helmet": "~3.6", "html-entities": "~1.2", "js-yaml": "~3.8.2", "jsonwebtoken": "~7.4", "jssha": "~2.3", "morgan": "~1.8", "multer": "~1.3", "pdfkit": "~0.8", "replace": "~0.3", "request": "~2.81.0", "sanitize-html": "1.4.2", "sequelize": "~1.7", "sequelize-restful": "~0.4", "serve-favicon": "~2.4", "serve-index": "~1.9", "socket.io": "~2.0", "sqlite3": "3.1", "z85": "~0.0" }, "devDependencies": { "chai": "~4", "codeclimate-test-reporter": "~0.5", "cross-spawn": "~5.1", "form-data": "~1.0", "frisby": "~0.8", "http-server": "~0.10", "istanbul": "~0.4", "jasmine-node": "~1.14", "jasmine-reporters": "~2.2", "karma": "~1.7", "karma-chrome-launcher": "~2.1", "karma-cli": "~1.0", "karma-coverage": "~1.1", "karma-firefox-launcher": "~1.0", "karma-jasmine": "~1.1", "karma-junit-reporter": "~1.2", "karma-phantomjs-launcher": "~1.0", "karma-safari-launcher": "~1.0", "lcov-result-merger": "~1.2", "mocha": "~3", "nyc": "~11", "phantomjs-prebuilt": "~2.1", "protractor": "~4", "shelljs": "~0.7", "sinon": "~2.3", "sinon-chai": "~2.11", "socket.io-client": "~2.0", "standard": "~10", "stryker": "~0", "stryker-api": "~0", "stryker-html-reporter": "~0", "stryker-jasmine": "~0", "stryker-karma-runner": "~0", "stryker-mocha-runner": "~0" }, "peerDependencies": { "phantomjs-prebuilt": "~2.1" }, "repository": { "type": "git", "url": "[email protected]:bootcamp/juice-shop.git" }, "bugs": { "url": "https://github.com/bkimminich/juice-shop/issues" }, "license": "MIT", "scripts": { "postinstall": "bower install && grunt minify && grunt docker", "start": "node app", "test": "standard && karma start karma.conf.js && nyc mocha test/server", "frisby": "istanbul cover ./test/apiTests.js", "preupdate-webdriver": "npm install", "update-webdriver": "webdriver-manager update", "preprotractor": "npm run update-webdriver", "protractor": "node test/e2eTests.js", "stryker": "stryker run stryker.client-conf.js", "vagrant": "cd vagrant && vagrant up" }, "engines": { "node": ">=4 <9" }, "standard": { "ignore": [ "/app/private/**", "/vagrant/**" ], "env": { "jasmine": true, "node": true, "browser": true, "mocha": true, "protractor": true }, "globals": [ "angular", "inject" ] }, "nyc": { "include": [ "lib/*.js", "routes/*.js" ], "all": true, "reporter": [ "lcov", "text-summary" ], "report-dir": "./build/reports/coverage/server-tests" } }
and below is the bom.xml file which got generated after running the below command inside the project directory
cyclonedx-bom -o bom.xml
<?xml version="1.0" encoding="UTF-8"?> <bom xmlns="http://cyclonedx.org/schema/bom/1.0" version="1"> <components> <component type="library"> <name>juice-shop</name> <version>4.2.1</version> <description> <![CDATA[A Javascript Web Application]]> </description> <licenses> <license> <id>MIT</id> </license> </licenses> <purl>pkg:npm/[email protected]</purl> <modified>false</modified> </component> </components> </bom>
from cyclonedx-node-module.
@sanjogpandasp The issue you're reporting has nothing to do with this ticket. However, that output is expected on a clean checkout since node_modules hasn't been populated yet.
You need to run npm install
before running CycloneDX which will populate node_modules and create package-lock.json.
from cyclonedx-node-module.
@sanjogpandasp The issue you're reporting has nothing to do with this ticket. However, that output is expected on a clean checkout since node_modules hasn't been populated yet.
You need to run
npm install
before running CycloneDX which will populate node_modules and create package-lock.json.
I see, my bad.
I was in an impression that cyclondx will pick up dependencies from the package.json file directly.
from cyclonedx-node-module.
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
from cyclonedx-node-module.
Related Issues (20)
- FF in license file throws error HOT 3
- Invalid or unexpected token in 3.4.1 HOT 2
- URL within ExternalReferences array can contain just a period if project is created by create-react-app
- No dependencies(dependency graph) in the generated bom HOT 1
- bump integration tests: use non-vulnerable components HOT 1
- [YARN] support yarn2/yarn3 HOT 1
- use CDX-JS lib for data models, serialization and everythig. HOT 2
- Question: Does it suffice to run npm install instead of ng build in order to generate the BOM for an Angular project? HOT 2
- chore: have check for license-text file-header
- split code in library and application part HOT 2
- [Yarn] First-use experience has some issues HOT 6
- Exception if #purl is not available HOT 5
- Conflicts between cyclonedx-node-module and cyclonedx-python commands HOT 2
- Is the last element in property "dependencies" meaning "direct dependencies"?
- There are no components in the bom HOT 6
- [PSA] ALTERNATIVES :exclamation: :mega: HOT 1
- Missing feature in Version 4 / cyclonedx-npm to inlcuse License text HOT 3
- "cyclonedx-bom: command not found" when installing [email protected] HOT 3
- SBOM can contain invalid URLs in externalReferences HOT 7
- yarn 3.6.1 lockfile issue HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from cyclonedx-node-module.