cdxgen
Missing transitive dependencies - package.json
Hi,
We are using cdxgen for building our SBOM file. We are using --required-only flag to avoid optional and dev dependencies. Then we are consuming this SBOM with Dependency track. What we are noticing is that transitive dependencies of required dependencies are not evaluated for vulnerabilities in Dependency-Track. Dependency-Track takes components section of SBOM and does evaluation on those. In components section of SBOM there are no transitive dependencies. Let me show this with an example.
package.json:
  "dependencies": {
    "@azure/storage-blob": "12.14.0"
  }
package-lock.json:
  "node_modules/@azure/storage-blob": {
    "version": "12.14.0",
    "dependencies": {
      "@azure/abort-controller": "^1.0.0",
      "@azure/core-http": "^3.0.0",
      "@azure/core-lro": "^2.2.0",
      "@azure/core-paging": "^1.1.1",
      "@azure/core-tracing": "1.0.0-preview.13",
      "@azure/logger": "^1.0.0",
      "events": "^3.0.0",
      "tslib": "^2.2.0"
    },
    "engines": {
      "node": ">=14.0.0"
    }
  }
  "@azure/core-http": {
    "version": "3.0.0",
    "requires": {
      "@azure/abort-controller": "^1.0.0",
      "@azure/core-auth": "^1.3.0",
      "@azure/core-tracing": "1.0.0-preview.13",
      "@azure/core-util": "^1.1.1",
      "@azure/logger": "^1.0.0",
      "@types/node-fetch": "^2.5.0",
      "@types/tunnel": "^0.0.3",
      "form-data": "^4.0.0",
      "node-fetch": "^2.6.7",
      "process": "^0.11.10",
      "tslib": "^2.2.0",
      "tunnel": "^0.0.6",
      "uuid": "^8.3.0",
      "xml2js": "^0.4.19"
    }
  }
  "xml2js": {
    "version": "0.4.23",
    "requires": {
      "sax": ">=0.6.0",
      "xmlbuilder": "~11.0.0"
    }
  }
"@azure/storage-blob": "12.14.0" has the transitive dependency "@azure/core-http": "^3.0.0", which has "xml2js": "0.4.23" as a vulnerable dependency.
If I run npm audit: xml2js <0.5.0 Severity: moderate xml2js is vulnerable to prototype pollution - https://github.com/advisories/GHSA-776f-qx25-q3cc
So if I use required only flag when using cdxgen only "@azure/storage-blob": "12.14.0" is taken into account as component and being evaluated in Dependency track, which of course is not ok.
If I remove --required-only then I also get xml2js as a vulnerable component with
  "publisher": "",
  "group": "",
  "name": "xml2js",
  "version": "0.4.23",
  "description": "",
  "scope": "optional"
but also all dev and optional dependencies, which creates a lot of noise, and they are not used in production.
Am I missing something?
@blazgvajc did you try with --no-babel as explained in the readme?
https://github.com/CycloneDX/cdxgen#automatic-usage-detection
On a side note, I would recommend dep-scan since it would make life easy for javascript devs
https://github.com/AppThreat/dep-scan
Yes, I did, but then I also get optional and dev dependencies. We have cdxgen set up in our pipelines and use it with Dependency Track, and I would prefer if we can stay with cdxgen.
Both --required-only and --no-babel as mentioned in the readme?
Yes, I tried all combinations.
If I use just --required-only I get: BOM includes 30 components and 680 dependencies
If I use --required-only and --no-babel I get BOM includes 619 components and 680 dependencies
If I use just --no-babel I get BOM includes 658 components and 680 dependencies
@blazgvajc Thank you for the detailed explanation. I will take this as an enhancement. Essentially we need babel-based analysis first and then the full dependency tree based on those direct dependencies alone. Will use your example as a test case.
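The approach sketched above (take only the required direct dependencies, then keep the full dependency tree beneath them), written out as an added example rather than cdxgen's own code. It walks a constructed, trimmed lockfileVersion 3 package-lock fragment modelled on the one in this issue, using npm's nested node_modules lookup, so that xml2js is retained as a transitive dependency of a required package while the dev-only package is left out.

```javascript
// Added example, not cdxgen code. Starting from package.json "dependencies" only,
// walk a lockfileVersion 3 package-lock.json and collect every reachable package,
// so transitive deps of required direct deps are kept and dev/optional-only ones dropped.

// Constructed sample input, modelled on the lock fragment in the issue (trimmed).
const packageJson = { dependencies: { "@azure/storage-blob": "12.14.0" }, devDependencies: { jest: "29.0.0" } };
const lock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "@azure/storage-blob": "12.14.0" }, devDependencies: { jest: "29.0.0" } },
    "node_modules/@azure/storage-blob": { version: "12.14.0", dependencies: { "@azure/core-http": "^3.0.0", tslib: "^2.2.0" } },
    "node_modules/@azure/core-http": { version: "3.0.0", dependencies: { xml2js: "^0.4.19", tslib: "^2.2.0" } },
    "node_modules/xml2js": { version: "0.4.23", dependencies: { sax: ">=0.6.0", xmlbuilder: "~11.0.0" } },
    "node_modules/sax": { version: "1.2.4" },
    "node_modules/xmlbuilder": { version: "11.0.1" },
    "node_modules/tslib": { version: "2.5.0" },
    "node_modules/jest": { version: "29.0.0", dev: true },
  },
};

// Resolve `name` as required from the package installed at `fromPath` ("" = project root):
// nearest nested node_modules wins, then walk up towards the top-level node_modules.
function resolvePath(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Returns a Map of "name@version" -> lock path for the required transitive closure.
function requiredClosure(pkgJson, lockJson) {
  const packages = lockJson.packages;
  const found = new Map();
  const stack = Object.keys(pkgJson.dependencies || {}).map((n) => ["", n]);
  while (stack.length) {
    const [fromPath, name] = stack.pop();
    const path = resolvePath(packages, fromPath, name);
    if (!path) continue; // not in the lock: leave it for the caller to report
    const entry = packages[path];
    const key = `${name}@${entry.version}`;
    if (found.has(key)) continue;
    found.set(key, path);
    for (const dep of Object.keys(entry.dependencies || {})) stack.push([path, dep]);
  }
  return found;
}

console.log([...requiredClosure(packageJson, lock).keys()]); // xml2js@0.4.23 present, jest absent
```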
Thanks!
We also have the problem as described above.
Maintaining motivation is challenging given our demanding daily workload.