Comments (3)
sophiewigmore
commented on September 26, 2024
Hi there!
I am also having a problem with hash support that I think is related to this issue.
When I use the cyclonedx-bom CLI tool against a simple Node.js app that contains node modules, the resulting BOM file does not contain any hash content for the node modules if the Node Engine version is v15.X.X or v16.X.X. I'm not sure if the mechanism for surfacing this information has changed in these versions, but collecting the hash metadata definitely does not work for those versions
Edit: It appears that in Node Engine v15, the NPM version inside changed which includes a new package-lock.json format. The package.json files of each node module also appear to not contain the hashes, but the top level package.json does.
from cyclonedx-node-module.
sophiewigmore
commented on September 26, 2024
Additionally, it looks like the hashes included come from the _shasum field inside of each node module's package.json. What is the rationale for using this field rather than the integrity field from the top level package-lock.json?
from cyclonedx-node-module.
jkowalleck
commented on September 26, 2024
this feature was implemented in the NPM flavour of this package:
https://github.com/CycloneDX/cyclonedx-node-npm/
from cyclonedx-node-module.
Related Issues (20)
- FF in license file throws error HOT 3
- Invalid or unexpected token in 3.4.1 HOT 2
- URL within ExternalReferences array can contain just a period if project is created by create-react-app
- No dependencies(dependency graph) in the generated bom HOT 1
- bump integration tests: use non-vulnerable components HOT 1
- [YARN] support yarn2/yarn3 HOT 1
- use CDX-JS lib for data models, serialization and everythig. HOT 2
- Question: Does it suffice to run npm install instead of ng build in order to generate the BOM for an Angular project? HOT 2
- chore: have check for license-text file-header
- split code in library and application part HOT 2
- [Yarn] First-use experience has some issues HOT 6
- Exception if #purl is not available HOT 5
- Conflicts between cyclonedx-node-module and cyclonedx-python commands HOT 2
- Is the last element in property "dependencies" meaning "direct dependencies"?
- There are no components in the bom HOT 6
- [PSA] ALTERNATIVES :exclamation: :mega: HOT 1
- Missing feature in Version 4 / cyclonedx-npm to inlcuse License text HOT 3
- "cyclonedx-bom: command not found" when installing [email protected] HOT 3
- SBOM can contain invalid URLs in externalReferences HOT 7
- yarn 3.6.1 lockfile issue HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from cyclonedx-node-module.