Conversation

@scothis scothis (Contributor) commented Aug 16, 2022

The `private` field within a node module's package.json indicates, when
true, that the package cannot be published to a registry. This is a
strong indication that public CVEs reported against a component of the
same name likely do not affect this particular module.

This change introduces a `Private` bool to `NpmPackageJSONMetadata` that is
exposed in the Syft SBOM's metadata for an npm package artifact. It does
not directly consume the value in any way.

Resolves #1160

Signed-off-by: Scott Andrews [email protected]

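To make the reasoning in the description concrete, here is an added Go example (not syft's own code or types) that models a node module's `package.json` with a `Private` bool, parses constructed sample manifests, and shows how a consumer of the SBOM could use that flag to annotate name-based advisory matches against private packages as likely false positives rather than silently dropping them. The struct name `npmPackageJSON`, the functions `parsePackageJSON` and `triageAdvisories`, the `advisory` record type and the advisory ids are all hypothetical stand-ins chosen for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// npmPackageJSON is a hypothetical, minimal model of a node module's
// package.json (not syft's NpmPackageJSONMetadata), limited to the fields
// this example needs. An absent "private" key leaves Private false, which
// matches npm's semantics: only an explicit true blocks publishing.
type npmPackageJSON struct {
	Name    string `json:"name"`
	Version string `json:"version"`
	Private bool   `json:"private"`
}

// parsePackageJSON decodes raw package.json contents into the model above.
// Malformed JSON (or a non-boolean "private" value) is reported as an error
// rather than being guessed at.
func parsePackageJSON(data []byte) (npmPackageJSON, error) {
	var pkg npmPackageJSON
	if err := json.Unmarshal(data, &pkg); err != nil {
		return npmPackageJSON{}, fmt.Errorf("parse package.json: %w", err)
	}
	return pkg, nil
}

// advisory is a constructed stand-in for a vulnerability record that is
// matched to packages by name only. No real CVE identifiers are used.
type advisory struct {
	ID      string
	Package string
}

// matchResult explains why an advisory was kept for a package and how much
// weight a reviewer should give it.
type matchResult struct {
	Package  string
	Advisory string
	Private  bool
	Note     string
}

// triageAdvisories matches advisories to packages by name. A match against a
// private package is kept but annotated as a likely false positive: the name
// collision is real, but a package that can never be published to a registry
// is unlikely to be the component the public advisory describes.
func triageAdvisories(pkgs []npmPackageJSON, advs []advisory) []matchResult {
	var out []matchResult
	for _, p := range pkgs {
		for _, a := range advs {
			if a.Package != p.Name {
				continue
			}
			r := matchResult{Package: p.Name, Advisory: a.ID, Private: p.Private}
			if p.Private {
				r.Note = "private package: name collision with a public advisory, likely false positive; confirm manually"
			} else {
				r.Note = "public package: advisory applies unless the version is out of the affected range"
			}
			out = append(out, r)
		}
	}
	return out
}

// Constructed sample manifests: one private internal app, one ordinary
// public-style package with no "private" key at all.
const (
	samplePrivatePackageJSON = `{"name":"internal-billing-ui","version":"2.4.1","private":true}`
	samplePublicPackageJSON  = `{"name":"example-widget","version":"1.0.3"}`
)

// demo parses both samples and triages them against two constructed
// advisories that happen to share the packages' names.
func demo() ([]matchResult, error) {
	priv, err := parsePackageJSON([]byte(samplePrivatePackageJSON))
	if err != nil {
		return nil, err
	}
	pub, err := parsePackageJSON([]byte(samplePublicPackageJSON))
	if err != nil {
		return nil, err
	}
	advs := []advisory{
		{ID: "ADV-EXAMPLE-0001", Package: "internal-billing-ui"},
		{ID: "ADV-EXAMPLE-0002", Package: "example-widget"},
	}
	return triageAdvisories([]npmPackageJSON{priv, pub}, advs), nil
}

func main() {
	results, err := demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, r := range results {
		fmt.Printf("%-22s %-17s private=%-5v %s\n", r.Package, r.Advisory, r.Private, r.Note)
	}
}
```

The design choice worth noting is that the flag downgrades a match instead of suppressing it: the `private` field is a strong hint, as the description says, but a private module can still vendor or fork vulnerable code under a colliding name, so the final call stays with a human reviewer who now sees why the match is suspect.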
@tgerla tgerla (Contributor) commented Aug 22, 2022

Hi @scothis, thank you very much for your contribution! We'll review it as soon as we can and get back to you with any comments or questions.

@spiffcs spiffcs (Contributor) commented Aug 24, 2022

Approved - adding private field to metadata LGTM!

@spiffcs spiffcs enabled auto-merge (squash) August 24, 2022 16:04
@spiffcs spiffcs (Contributor) commented Aug 24, 2022

^ I'll update this test - looks like the license list has been updated behind the scenes.

* main:
  Update syft bootstrap tools to latest versions. (anchore#1171)
  Fix update-bootstrap-tools workflow (anchore#1170)
  workflow to create automated PRs to update bootstrap tools (anchore#1167)
  feat: add support for licenses in package-lock json v2 (anchore#1164)
  External sources configuration (anchore#1158)
  feat: add support for pnpm (anchore#1166)
  Prevent symlinks causing duplicate package-file relationships (anchore#1168)
  Associate node package licenses from node_modules (anchore#1152)
  Give the contributing guide a substantial rework (anchore#1155)

Signed-off-by: Christopher Phillips <[email protected]>
Signed-off-by: Christopher Phillips <[email protected]>
@spiffcs spiffcs (Contributor) commented Aug 24, 2022

silly yaml making maps almost indistinguishable from lists

@spiffcs spiffcs merged commit 5e93d1e into anchore:main Aug 24, 2022
@scothis scothis deleted the package-private branch August 24, 2022 17:33
spiffcs added a commit that referenced this pull request Aug 25, 2022
* main:
  Update syft bootstrap tools to latest versions. (#1176)
  enhance development support on macOS ARM (#1163)
  Capture if a node module is private (#1161)
  Find version numbers from jars with different naming conventions (#1174)
  Update syft bootstrap tools to latest versions. (#1171)
  Fix update-bootstrap-tools workflow (#1170)
  workflow to create automated PRs to update bootstrap tools (#1167)
  feat: add support for licenses in package-lock json v2 (#1164)
  External sources configuration (#1158)
  feat: add support for pnpm (#1166)
  Prevent symlinks causing duplicate package-file relationships (#1168)
  Associate node package licenses from node_modules (#1152)
aiwantaozi pushed a commit to aiwantaozi/syft that referenced this pull request Oct 20, 2022
spiffcs pushed a commit that referenced this pull request Oct 21, 2022
spiffcs pushed a commit that referenced this pull request Oct 21, 2022
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024

Development

Successfully merging this pull request may close these issues.

Capture package.json private field for npm modules

3 participants