Empty component in bom file about cyclonedx-node-module HOT 5 CLOSED

In npm's infinite wisdom, they allow anonymous packages to be created if those packages are not distributed on npm. It's a terrible idea and introduces a lot of risk, but there's a possibility that a Vue.js project you're scanning likely has anonymous packages.

I'd recommend using a combination of policy and governance to prevent anonymous packages in your organization. npm command line tools may have something to identify them, not sure. If not, then perhaps just grepping package.json or package-lock.json for empty names and versions will likely tell you the offending packages.

from cyclonedx-node-module.

I get the same issue on a project JuicyShop which is a vulnerable node project.
Here is the package.json file which it had :

{ "name": "juice-shop", "version": "4.2.1", "description": "A Javascript Web Application", "homepage": "https://www.owasp.org/index.php/OWASP_Juice_Shop_Project", "author": "Björn Kimminich <[email protected]> (https://www.owasp.org/index.php/User:Bjoern_Kimminich)", "contributors": [ "Björn Kimminich", "Aaron Edwards", "Alec Brooks", "Dinis Cruz", "Timo Pagel", "Gorka Vicente", "Alvaro Viebrantz", "Johanna A", "Stephen OBrien", "Joe Butler", "Abhishek bundela", "ninoseki", "Jannik Hollenbach", "Viktor Lindström", "Achim Grimm" ], "private": true, "keywords": [ "web security", "web application security", "webappsec", "owasp", "pentest", "pentesting", "security", "vulnerable", "vulnerability", "broken", "bodgeit" ], "dependencies": { "body-parser": "~1.17", "bower": "~1.8", "colors": "~1.1", "config": "~1.26", "cookie-parser": "~1.4", "cors": "~2.8", "dottie": "~2.0", "errorhandler": "~1.5", "express": "~4.15", "express-jwt": "~5.3", "fs-extra": "^3.0.0", "glob": "~5.0", "grunt": "~1.0", "grunt-angular-templates": "~1.1", "grunt-cli": "~1.2", "grunt-contrib-clean": "~1.1", "grunt-contrib-compress": "~1.4", "grunt-contrib-concat": "~1.0", "grunt-contrib-uglify": "~3.0", "grunt-text-replace": "~0.4", "hashids": "~1.1", "helmet": "~3.6", "html-entities": "~1.2", "js-yaml": "~3.8.2", "jsonwebtoken": "~7.4", "jssha": "~2.3", "morgan": "~1.8", "multer": "~1.3", "pdfkit": "~0.8", "replace": "~0.3", "request": "~2.81.0", "sanitize-html": "1.4.2", "sequelize": "~1.7", "sequelize-restful": "~0.4", "serve-favicon": "~2.4", "serve-index": "~1.9", "socket.io": "~2.0", "sqlite3": "3.1", "z85": "~0.0" }, "devDependencies": { "chai": "~4", "codeclimate-test-reporter": "~0.5", "cross-spawn": "~5.1", "form-data": "~1.0", "frisby": "~0.8", "http-server": "~0.10", "istanbul": "~0.4", "jasmine-node": "~1.14", "jasmine-reporters": "~2.2", "karma": "~1.7", "karma-chrome-launcher": "~2.1", "karma-cli": "~1.0", "karma-coverage": "~1.1", "karma-firefox-launcher": "~1.0", "karma-jasmine": "~1.1", "karma-junit-reporter": "~1.2", "karma-phantomjs-launcher": "~1.0", "karma-safari-launcher": "~1.0", "lcov-result-merger": "~1.2", "mocha": "~3", "nyc": "~11", "phantomjs-prebuilt": "~2.1", "protractor": "~4", "shelljs": "~0.7", "sinon": "~2.3", "sinon-chai": "~2.11", "socket.io-client": "~2.0", "standard": "~10", "stryker": "~0", "stryker-api": "~0", "stryker-html-reporter": "~0", "stryker-jasmine": "~0", "stryker-karma-runner": "~0", "stryker-mocha-runner": "~0" }, "peerDependencies": { "phantomjs-prebuilt": "~2.1" }, "repository": { "type": "git", "url": "[email protected]:bootcamp/juice-shop.git" }, "bugs": { "url": "https://github.com/bkimminich/juice-shop/issues" }, "license": "MIT", "scripts": { "postinstall": "bower install && grunt minify && grunt docker", "start": "node app", "test": "standard && karma start karma.conf.js && nyc mocha test/server", "frisby": "istanbul cover ./test/apiTests.js", "preupdate-webdriver": "npm install", "update-webdriver": "webdriver-manager update", "preprotractor": "npm run update-webdriver", "protractor": "node test/e2eTests.js", "stryker": "stryker run stryker.client-conf.js", "vagrant": "cd vagrant && vagrant up" }, "engines": { "node": ">=4 <9" }, "standard": { "ignore": [ "/app/private/**", "/vagrant/**" ], "env": { "jasmine": true, "node": true, "browser": true, "mocha": true, "protractor": true }, "globals": [ "angular", "inject" ] }, "nyc": { "include": [ "lib/*.js", "routes/*.js" ], "all": true, "reporter": [ "lcov", "text-summary" ], "report-dir": "./build/reports/coverage/server-tests" } }

and below is the bom.xml file which got generated after running the below command inside the project directory

cyclonedx-bom -o bom.xml

<?xml version="1.0" encoding="UTF-8"?> <bom xmlns="http://cyclonedx.org/schema/bom/1.0" version="1"> <components> <component type="library"> <name>juice-shop</name> <version>4.2.1</version> <description> <![CDATA[A Javascript Web Application]]> </description> <licenses> <license> <id>MIT</id> </license> </licenses> <purl>pkg:npm/[email protected]</purl> <modified>false</modified> </component> </components> </bom>

from cyclonedx-node-module.

@sanjogpandasp The issue you're reporting has nothing to do with this ticket. However, that output is expected on a clean checkout since node_modules hasn't been populated yet.

You need to run npm install before running CycloneDX which will populate node_modules and create package-lock.json.

from cyclonedx-node-module.

@sanjogpandasp The issue you're reporting has nothing to do with this ticket. However, that output is expected on a clean checkout since node_modules hasn't been populated yet.

You need to run npm install before running CycloneDX which will populate node_modules and create package-lock.json.

I see, my bad.
I was in an impression that cyclondx will pick up dependencies from the package.json file directly.

from cyclonedx-node-module.

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

from cyclonedx-node-module.