Comments (5)
stevespringett
commented on September 26, 2024
1
Short term, yes, we can get this module to support all node versions. Long term however, we want to support as many hash algs as possible for every component. One of many reasons has to do with conversions. When converting CycloneDX to another format (SPDX for example), SHA1 is actually a requirement. If a SHA512 is the only alg available for a component, then the that data will be lost in conversion whereas if the CycloneDX SBOM had both, it could be convered.
How would you suggest fixing the node module in the short term to support Node v14+?
I'm assuming changes would need to be made at:
https://github.com/CycloneDX/cyclonedx-node-module/blob/master/model/HashList.js#L43
from cyclonedx-node-module.
stevespringett
commented on September 26, 2024
1
v3.0.5 has been released which includes this new functionality. Thanks for the input and for providing the necessary pull request. Much appreciated.
from cyclonedx-node-module.
stevespringett
commented on September 26, 2024
@sophiewigmore Do you know how the hash values are calculated for npm packages?
Ideally, we would want to calculate the integrity for all or most the supported hash algorithms, not just SHA-256 or 384, whatever npm uses.
from cyclonedx-node-module.
sophiewigmore
commented on September 26, 2024
@stevespringett Hi 👋
NPM provides the values as sha512 or sha1 subresource integrity.
I understand that CycloneDX supports a whole array of supported hash algorithms, but what's the reason for converting hash algorithms that are natively provided by the language? Especially since both of sha1 and sha512 are supported algorithms.
To me, this seems like two separate issues. My issue is that I want the same functionality that currently exists for retrieving hashes to work for all node versions, by looking at the package-lock.json when necessary. If I understand correctly, the issue in #25 is around supporting the full set of supported algorithms. In my eyes, each one of these could be solved separately. Is that a reasonable conclusion, or am I missing something about how this works?
from cyclonedx-node-module.
sophiewigmore
commented on September 26, 2024
I see, that makes sense. Thank you for the context, I hadn't thought about the conversion needs
I am working on a Pull Request for the short term fix as we speak. It will definitely include changes to HashList. I will link to that PR when it's open!
from cyclonedx-node-module.
Related Issues (20)
- FF in license file throws error HOT 3
- Invalid or unexpected token in 3.4.1 HOT 2
- URL within ExternalReferences array can contain just a period if project is created by create-react-app
- No dependencies(dependency graph) in the generated bom HOT 1
- bump integration tests: use non-vulnerable components HOT 1
- [YARN] support yarn2/yarn3 HOT 1
- use CDX-JS lib for data models, serialization and everythig. HOT 2
- Question: Does it suffice to run npm install instead of ng build in order to generate the BOM for an Angular project? HOT 2
- chore: have check for license-text file-header
- split code in library and application part HOT 2
- [Yarn] First-use experience has some issues HOT 6
- Exception if #purl is not available HOT 5
- Conflicts between cyclonedx-node-module and cyclonedx-python commands HOT 2
- Is the last element in property "dependencies" meaning "direct dependencies"?
- There are no components in the bom HOT 6
- [PSA] ALTERNATIVES :exclamation: :mega: HOT 1
- Missing feature in Version 4 / cyclonedx-npm to inlcuse License text HOT 3
- "cyclonedx-bom: command not found" when installing [email protected] HOT 3
- SBOM can contain invalid URLs in externalReferences HOT 7
- yarn 3.6.1 lockfile issue HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from cyclonedx-node-module.