Capture if a node module is private #1161
Merged
+344
−0
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The private field within a node module's package.json indicates when true that the package cannot be published to a registry. This is a strong indication that public CVE reported against a component of the same name are likely do not affect this particular module. This change introduce a Private bool to NpmPackageJSONMetadata that is exposed in the Syft SBOM's metadata for an npm package artifact. It does not directly consume the value in any way. Signed-off-by: Scott Andrews <[email protected]>
|
Hi @scothis, thank you very much for your contribution! We'll review it as soon as we can and get back to you with any comments or questions. |
spiffcs
approved these changes
Aug 24, 2022
|
Approved - adding private field to metadata LGTM! |
|
^ I'll update this test - looks like the license list has been updated behind the scenes. |
* main: Update syft bootstrap tools to latest versions. (anchore#1171) Fix update-bootstrap-tools workflow (anchore#1170) workflow to create automated PRs to update bootstrap tools (anchore#1167) feat: add support for licenses in package-lock json v2 (anchore#1164) External sources configuration (anchore#1158) feat: add support for pnpm (anchore#1166) Prevent symlinks causing duplicate package-file relationships (anchore#1168) Associate node package licenses from node_modules (anchore#1152) Give the contributing guide a substantial rework (anchore#1155) Signed-off-by: Christopher Phillips <[email protected]>
Signed-off-by: Christopher Phillips <[email protected]>
|
silly yaml making maps almost indistinguishable from lists |
spiffcs
added a commit
that referenced
this pull request
Aug 25, 2022
* main: Update syft bootstrap tools to latest versions. (#1176) enhance development support on macOS ARM (#1163) Capture if a node module is private (#1161) Find version numbers from jars with different naming conventions (#1174) Update syft bootstrap tools to latest versions. (#1171) Fix update-bootstrap-tools workflow (#1170) workflow to create automated PRs to update bootstrap tools (#1167) feat: add support for licenses in package-lock json v2 (#1164) External sources configuration (#1158) feat: add support for pnpm (#1166) Prevent symlinks causing duplicate package-file relationships (#1168) Associate node package licenses from node_modules (#1152)
cpendery
pushed a commit
to cpendery/syft
that referenced
this pull request
Sep 11, 2022
aiwantaozi
pushed a commit
to aiwantaozi/syft
that referenced
this pull request
Oct 20, 2022
spiffcs
pushed a commit
that referenced
this pull request
Oct 21, 2022
Signed-off-by: Christopher Phillips <[email protected]>
spiffcs
pushed a commit
that referenced
this pull request
Oct 21, 2022
Signed-off-by: Christopher Phillips <[email protected]>
GijsCalis
pushed a commit
to GijsCalis/syft
that referenced
this pull request
Feb 19, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The private field within a node module's package.json indicates when
true that the package cannot be published to a registry. This is a
strong indication that public CVE reported against a component of the
same name are likely do not affect this particular module.
This change introduce a Private bool to NpmPackageJSONMetadata that is
exposed in the Syft SBOM's metadata for an npm package artifact. It does
not directly consume the value in any way.
Resolves #1160
Signed-off-by: Scott Andrews [email protected]