
Syft outputs devDependencies for package-lock.json files

Open amascia opened this issue 2 years ago • 4 comments

What happened: When scanning a directory with the following files:

package.json

{
    "name": "first_app",
    "version": "1.0.0",
    "description": "a first app",
    "main": "index.js",
    "scripts": {
      "test": "testing"
    },
    "author": "",
    "license": "ISC",
    "dependencies": {
    },
    "devDependencies": {
      "async": "^3.2.4"
    }
  }

package-lock.json

{
    "name": "first_app",
    "version": "1.0.0",
    "lockfileVersion": 3,
    "requires": true,
    "packages": {
      "": {
        "name": "first_app",
        "version": "1.0.0",
        "license": "ISC",
        "devDependencies": {
          "async": "^3.2.4"
        }
      },
      "node_modules/async": {
        "version": "3.2.4",
        "resolved": "https://registry.npmjs.org/async/-/async-3.2.4.tgz",
        "integrity": "sha512-iAB+JbDEGXhyIUavoDl9WP/Jj106Kz9DEn1DPgYw5ruDn0e3Wgi3sKFm55sASdGBNOQB8F59d9qQ7deqrHA8wQ==",
        "dev": true
      }
    }
  }

It outputs

 ✔ Indexed file system             tests/data/js_dependencies
 ✔ Cataloged packages              [2 packages]
[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
NAME       VERSION  TYPE
async      3.2.4    npm
first_app  1.0.0    npm

with the async devDependency.

What you expected to happen:

Syft does not output dev-dependencies, as is the case when scanning a Pipfile.lock.

Steps to reproduce the issue:

Run syft on a directory containing the above files.

Anything else we need to know?:

Environment:

  • Output of syft version:
$ syft version
Application: syft
Version:    0.97.1
BuildDate:  2023-11-17T20:53:01Z
GitCommit:  Homebrew
GitDescription: [not provided]
Platform:   darwin/arm64
GoVersion:  go1.21.4
Compiler:   gc
  • OS (e.g: cat /etc/os-release or similar):
$ sw_vers
ProductName:		macOS
ProductVersion:		14.1.1
BuildVersion:		23B81

amascia avatar Nov 22 '23 10:11 amascia
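An added example (not code from this issue or from Syft) showing how the `"dev": true` flag in a lockfileVersion 2/3 `packages` map can be used to keep only production entries when building an SBOM. The sample lock is constructed from the reporter's file plus hypothetical extra entries (`prod-lib`, a nested second `async`, a scoped `devOptional` package) so the filter has something to keep.

```python
import json

# Constructed sample: the reporter's lockfileVersion 3 file, extended with a hypothetical
# production dependency, a nested second copy of async and a scoped devOptional package.
SAMPLE_LOCK = json.loads(r"""
{
  "name": "first_app",
  "version": "1.0.0",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {"name": "first_app", "version": "1.0.0", "license": "ISC",
         "devDependencies": {"async": "^3.2.4"}},
    "node_modules/async": {"version": "3.2.4", "dev": true},
    "node_modules/prod-lib": {"version": "2.0.0"},
    "node_modules/prod-lib/node_modules/async": {"version": "2.6.4"},
    "node_modules/@scope/helper": {"version": "1.1.0", "devOptional": true}
  }
}
""")


def package_name(path):
    # Keys look like 'node_modules/a/node_modules/@scope/b'; the package name is whatever
    # follows the last 'node_modules/' (scoped names keep '@scope/'). Keys without that
    # segment are workspace folders, for which None is returned.
    marker = "node_modules/"
    idx = path.rfind(marker)
    return path[idx + len(marker):] if idx != -1 else None


def production_packages(lock):
    # Return sorted (name, version) pairs for every entry not flagged "dev": true.
    # "optional" and "devOptional" entries are kept: devOptional marks a package that is
    # also reachable from a production optionalDependency, so it can ship.
    if lock.get("lockfileVersion", 1) < 2 or "packages" not in lock:
        raise ValueError("expected a lockfileVersion 2 or 3 file with a 'packages' map")
    found = set()
    for path, entry in lock["packages"].items():
        if path == "" or entry.get("dev", False):   # root project itself, or dev-only
            continue
        name = package_name(path) or entry.get("name", path)
        found.add((name, entry.get("version", "unknown")))
    return sorted(found)


if __name__ == "__main__":
    for name, version in production_packages(SAMPLE_LOCK):
        print(name, version)
```

Run against the reporter's unmodified lock file, the same function returns an empty list, since `async` is its only package and it is flagged dev.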

Hey @amascia, we are taking a look and we believe you are probably right that we need to filter out the dev dependencies from these kinds of scans. Thanks for the detailed report and reproduction steps--much appreciated!

tgerla avatar Dec 14 '23 22:12 tgerla

Hey, I am able to provide Syft both the package.json and the lock file (whether it be package-lock.json or yarn.lock) so Syft has all the information it needs to be able to determine whether or not something is a development only dependency. I'm looking forward to this feature being implemented.

atl-mk avatar Feb 08 '24 20:02 atl-mk

+1. Would be a really useful feature. Thanks!

harippriyas avatar Aug 05 '24 19:08 harippriyas

@tgerla Very useful feature; desperately asking to support this, as when delivering regulatory governance data, development dependencies shouldn't be shared. Even if the JSON output contained some information about scope, the team could then run some alternative code to filter off the devDependencies.

arkajnag23 avatar Aug 15 '24 19:08 arkajnag23