syft
Support NPM lock file version 2
@henrysachs noted that lockFileVersion 2 might include license information -- we should surface this (and also more correctly support v2 lock files):
Would it be possible to just take the license from the package-lock.json? lockfileVersion 2 includes this field (not in yarn.lock or other lock files). I would also be interested to do it as kind of a first time contribution? But I can't estimate if that's a difficult issue. I also read that one day syft will do dynamic analysis so I'm not sure if it would be "worth it".
example:

```json
"node_modules/@angular-devkit/architect/node_modules/rxjs": {
  "version": "6.6.7",
  "resolved": "https://bahnhub.tech.rz.db.de:443/artifactory/api/npm/default-npm-3rdparty/rxjs/-/rxjs-6.6.7.tgz",
  "integrity": "sha1-kKwBisq/SRv2UEQjXVhjxNq4BMk=",
  "dev": true,
  "license": "Apache-2.0",
  "dependencies": {
    "tslib": "^1.9.0"
  },
  "engines": {
    "npm": ">=2.0.0"
  }
},
```
Originally posted by @henrysachs in https://github.com/anchore/syft/issues/845#issuecomment-1206275750
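The point of the request above is that a lockfileVersion 2 package-lock.json carries a `packages` map keyed by install path, and each entry may carry a `license` field copied from that package's package.json, whereas the v1 `dependencies` map never does. The following is an added Go example, not syft's own cataloger code, showing how a parser can surface that field: it branches on `lockfileVersion`, derives the package name from the last `node_modules/` segment of the path (so nested copies like the rxjs entry quoted above get the right name), skips the `""` root entry, and tolerates the older license shapes npm has written into package.json (an object with `type`, or an array, which the example joins with ` OR ` following npm's own guidance for the deprecated array form). The `sampleLock` inputs are constructed for this example; the `Package` type, `ParseLock` and `nameFromPath` are hypothetical names and not part of syft.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// sampleLock is a constructed lockfileVersion 2 file built around the rxjs entry
// from the issue, plus a root entry, a scoped parent package, a package with no
// license field, and two packages using the older object/array license shapes.
const sampleLock = `{
  "name": "example-app",
  "lockfileVersion": 2,
  "packages": {
    "": { "name": "example-app", "version": "1.0.0", "license": "MIT" },
    "node_modules/@angular-devkit/architect": { "version": "0.1402.0", "dev": true, "license": "MIT" },
    "node_modules/@angular-devkit/architect/node_modules/rxjs": {
      "version": "6.6.7",
      "dev": true,
      "license": "Apache-2.0",
      "dependencies": { "tslib": "^1.9.0" }
    },
    "node_modules/tslib": { "version": "1.14.1" },
    "node_modules/old-style": { "version": "0.0.1", "license": { "type": "BSD-3-Clause" } },
    "node_modules/multi": { "version": "2.0.0", "license": ["MIT", "ISC"] }
  }
}`

// sampleLockV1 is a constructed lockfileVersion 1 file: no license data is available.
const sampleLockV1 = `{"lockfileVersion": 1, "dependencies": {"left-pad": {"version": "1.3.0"}}}`

// licenseField normalises the shapes seen in the wild: a plain SPDX string,
// {"type": "..."} or an array of either. Anything else becomes "" (assumption).
type licenseField string

func (l *licenseField) UnmarshalJSON(b []byte) error {
	var s string
	if err := json.Unmarshal(b, &s); err == nil {
		*l = licenseField(s)
		return nil
	}
	var obj struct {
		Type string `json:"type"`
	}
	if err := json.Unmarshal(b, &obj); err == nil && obj.Type != "" {
		*l = licenseField(obj.Type)
		return nil
	}
	var arr []licenseField
	if err := json.Unmarshal(b, &arr); err == nil {
		parts := make([]string, 0, len(arr))
		for _, x := range arr {
			if x != "" {
				parts = append(parts, string(x))
			}
		}
		*l = licenseField(strings.Join(parts, " OR "))
		return nil
	}
	*l = ""
	return nil
}

// packageLock models only the fields this example needs from either lock format.
type packageLock struct {
	LockfileVersion int                      `json:"lockfileVersion"`
	Packages        map[string]lockPackageV2 `json:"packages"`     // v2+: keyed by install path
	Dependencies    map[string]lockDepV1     `json:"dependencies"` // v1: keyed by name, no license
}

type lockPackageV2 struct {
	Version string       `json:"version"`
	Dev     bool         `json:"dev"`
	License licenseField `json:"license"`
}

type lockDepV1 struct {
	Version string `json:"version"`
	Dev     bool   `json:"dev"`
}

// Package is the normalised result; License is "" when the lock file has none.
type Package struct {
	Name, Version, License string
	Dev                    bool
}

// nameFromPath maps "node_modules/@angular-devkit/architect/node_modules/rxjs" to "rxjs"
// and "node_modules/@scope/pkg" to "@scope/pkg" (the last node_modules/ segment).
func nameFromPath(p string) string {
	const marker = "node_modules/"
	i := strings.LastIndex(p, marker)
	if i < 0 {
		return p
	}
	return p[i+len(marker):]
}

// ParseLock returns the packages in a package-lock.json, sorted by name, with
// license data only where the lock format actually provides it.
func ParseLock(data []byte) ([]Package, error) {
	var lock packageLock
	if err := json.Unmarshal(data, &lock); err != nil {
		return nil, fmt.Errorf("parse package-lock.json: %w", err)
	}
	var pkgs []Package
	if lock.LockfileVersion >= 2 {
		for path, e := range lock.Packages {
			if path == "" { // root project entry, not a dependency
				continue
			}
			pkgs = append(pkgs, Package{nameFromPath(path), e.Version, string(e.License), e.Dev})
		}
	} else {
		for name, e := range lock.Dependencies {
			pkgs = append(pkgs, Package{Name: name, Version: e.Version, Dev: e.Dev})
		}
	}
	sort.Slice(pkgs, func(i, j int) bool { return pkgs[i].Name < pkgs[j].Name })
	return pkgs, nil
}

func main() {
	for _, src := range []string{sampleLock, sampleLockV1} {
		pkgs, err := ParseLock([]byte(src))
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		for _, p := range pkgs {
			fmt.Printf("%-28s %-8s license=%q dev=%v\n", p.Name, p.Version, p.License, p.Dev)
		}
	}
}
```

Because license data is absent in v1 files, a cataloger that reports `License == ""` should treat that as "unknown" rather than "unlicensed"; the v2 value is also only what the publisher declared in package.json, so it is a starting point for an SBOM, not a verified fact about the tarball contents.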