
No way to capture top level dependencies from yarn projects

Open ajmalab opened this issue 2 years ago • 4 comments

Since the yarn lock file does not contain dependency information about the root project, the tool flattens all the transitive dependencies and represents them as direct dependencies of the root in the SBOM for yarn projects.

The issue is not present in npm or pnpm, as their lock files represent this relationship accurately.

I would propose modifying the logic to generate the direct relationships for the root project only from package.json, and the rest from yarn.lock as it currently is.

ajmalab avatar May 05 '23 11:05 ajmalab
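The approach proposed above, as an added example that is not part of this issue or of cdxgen's own code: a small Node.js script that parses a constructed yarn.lock (v1 format) and package.json, shows the flattened root graph the issue describes, and then builds the corrected graph in which the root's `dependsOn` comes only from package.json while every other package's edges come from its own `dependencies:` block in the lock file. The sample data, the `parseYarnLockV1` parser, and the simplified purl formatting are assumptions for illustration.

```javascript
// Added example, not cdxgen's code. Builds a CycloneDX-style "dependencies"
// array for a yarn v1 project without flattening transitives under the root.

// Constructed sample package.json (not from a real project).
const PACKAGE_JSON = {
  name: "demo-app",
  version: "1.0.0",
  dependencies: { "left-pad": "^1.3.0" },
  devDependencies: { json5: "^2.1.0" },
};

// Constructed sample yarn.lock (v1 format); resolved/integrity fields omitted.
const YARN_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


json5@^2.1.0:
  version "2.1.3"
  dependencies:
    minimist "^1.2.5"

left-pad@^1.3.0:
  version "1.3.0"

minimist@^1.2.5:
  version "1.2.8"
`;

// Package name from a "name@range" spec; scoped names keep their leading "@".
function nameOf(spec) {
  return spec.slice(0, spec.lastIndexOf("@"));
}

// Minimal yarn.lock v1 parser: maps every "name@range" key of an entry to
// { name, version, dependencies: { name: range } }. Aliased keys share one object.
function parseYarnLockV1(text) {
  const entries = {};
  let current = null;
  let inDeps = false;
  for (const rawLine of text.split("\n")) {
    if (!rawLine.trim() || rawLine.startsWith("#")) continue;
    const indent = rawLine.length - rawLine.trimStart().length;
    const line = rawLine.trim();
    if (indent === 0 && line.endsWith(":")) {
      // Entry header, e.g. `"@scope/pkg@^1.0.0", "@scope/pkg@^1.2.0":`
      const specs = line.slice(0, -1).split(",").map((s) => s.trim().replace(/^"|"$/g, ""));
      current = { name: nameOf(specs[0]), version: null, dependencies: {} };
      for (const spec of specs) entries[spec] = current;
      inDeps = false;
    } else if (indent === 2) {
      inDeps = false;
      const m = line.match(/^version "([^"]+)"$/);
      if (m) current.version = m[1];
      else if (line === "dependencies:") inDeps = true;
    } else if (indent === 4 && inDeps) {
      const m = line.match(/^"?([^"\s]+)"? "([^"]+)"$/);
      if (m) current.dependencies[m[1]] = m[2];
    }
  }
  return entries;
}

// Simplified npm purl (scoped "@" is percent-encoded as in the purl spec).
function purl(name, version) {
  return `pkg:npm/${name.replace("@", "%40")}@${version}`;
}

// The behaviour the issue describes: every locked package hangs off the root.
function flattenedRootDependsOn(lockText) {
  const refs = new Set(Object.values(parseYarnLockV1(lockText)).map((e) => purl(e.name, e.version)));
  return [...refs].sort();
}

// The proposed behaviour: root edges from package.json, all other edges from yarn.lock.
function buildDependencyGraph(pkgJson, lockText) {
  const lock = parseYarnLockV1(lockText);
  const resolve = (name, range) => {
    const e = lock[`${name}@${range}`];
    if (!e) throw new Error(`unresolved ${name}@${range} in yarn.lock`);
    return e;
  };
  const rootRef = purl(pkgJson.name, pkgJson.version);
  const graph = new Map([[rootRef, new Set()]]);
  const rootDeps = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  const stack = [];
  for (const [name, range] of Object.entries(rootDeps)) {
    const e = resolve(name, range);
    graph.get(rootRef).add(purl(e.name, e.version));
    stack.push(e);
  }
  while (stack.length) {
    const e = stack.pop();
    const ref = purl(e.name, e.version);
    if (graph.has(ref)) continue; // already expanded (handles shared transitives)
    const edges = new Set();
    graph.set(ref, edges);
    for (const [n, r] of Object.entries(e.dependencies)) {
      const child = resolve(n, r);
      edges.add(purl(child.name, child.version));
      stack.push(child);
    }
  }
  return [...graph.entries()].map(([ref, deps]) => ({ ref, dependsOn: [...deps].sort() }));
}

console.log("flattened root:", flattenedRootDependsOn(YARN_LOCK));
console.log(JSON.stringify(buildDependencyGraph(PACKAGE_JSON, YARN_LOCK), null, 2));
```

With the sample data the flattened form lists `minimist` as a direct dependency of `demo-app`, while the rebuilt graph attaches it only to `json5@2.1.3`, which is the distinction an SBOM consumer needs when judging whether a vulnerable transitive is reachable from the root.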

@ajmalab I know exactly what you're talking about. I tried to mirror what yarn list does. Will revisit and see if this could be improved.

https://github.com/CycloneDX/cdxgen/blob/master/index.js#L1896

prabhu avatar May 05 '23 11:05 prabhu

@prabhu any update on this? I tried to build the cdxgen for the React project: https://github.com/facebook/react I noticed that it is adding all the dependencies as if they are coming from the root package.json. Mostly for monorepos it is very hard to find the exact root project where the dependency is present. It should identify all the dirs with package.json as separate components.

Command used: cdxgen -t js

foreverankit avatar Jul 04 '24 21:07 foreverankit

Added needs contributor label

prabhu avatar Jul 05 '24 08:07 prabhu

Is there anything that can be done with the SrcFile property in the meanwhile? Ideally, it must list all the lock files a given component was found in.

prabhu avatar Jul 06 '24 05:07 prabhu