
[BUG] In context of npm workspaces (monorepo), sbom generation for workspace does not work if workspace does not contain node_modules (even if empty) #1109

Closed
Donorlin opened this issue Sep 18, 2023 · 2 comments
Labels
bug Something isn't working

Comments


Describe the bug

Hi, I have a monorepo repository that looks like this:

/packages
   /packageA
      - package.json
   /packageB
      - package.json
   /packageC
      - package.json
-  package.json  // root, workspaces = ["packages/*"]

Packages A, B, C are independent, publishable npm packages, with their respective dependencies, name, version and so on..

I am running this to generate SBOM for packageA:

cyclonedx-npm packages/packageA/package.json --omit dev --mc-type library --output-reproducible --output-file packages/packageA/bom.json --short-PURLs

from the root (same if I run it from packages/packageA).

But if packageA does not contain a node_modules folder (EVEN IF EMPTY), the command will fail and print:

LOG   | No evidence: no package lock file nor npm shrinkwrap file
LOG   | No evidence: no node_modules dir
INFO  | ? Did you forget to run `npm install` on your project accordingly ?

Error: missing evidence

This must be a bug, because when I create an empty node_modules folder in packages/packageA everything runs fine. The SBOM is correctly generated with the content expected for packageA.

To Reproduce

NPM workspaces monorepo mentioned above. Since npm decouples dependencies into the root node_modules, it is less common to have node_modules in the respective workspaces.
To reproduce the failure, you must not have a node_modules folder in the packageA folder.

Run from root

cyclonedx-npm packages/packageA/package.json --omit dev --mc-type library --output-reproducible --output-file packages/packageA/bom.json --short-PURLs

or from packages/packageA

cyclonedx-npm --omit dev --mc-type library --output-reproducible --output-file bom.json --short-PURLs

Expected behavior

I expect the SBOM to be correctly generated for packageA, based on its dependencies. (It works, but node_modules must be present.)

Environment

  • @cyclonedx/cyclonedx-npm version: 1.14.0
  • NPM version: 9.5.1
  • Node version: 18.16.1
  • OS: windows 10
@Donorlin Donorlin added the bug Something isn't working label Sep 18, 2023

jkowalleck commented Oct 16, 2023

Not a bug, but a lack of a feature.
Please write a proper feature request, to make clear what the scope is and what a use case might look like.

Thank you in advance. 👍


jkowalleck commented Nov 27, 2023

feature request: #1126
