feat: detect simplified repositories from package.json like structures #517

Closed
lal12 opened this issue Mar 1, 2023 · 3 comments · Fixed by #518
Labels
enhancement New feature or request

Comments

lal12 commented Mar 1, 2023

The package https://github.com/vercel/ms / https://www.npmjs.com/package/ms specifies "repository": "vercel/ms".
The npm website and cli utility interprets this as a relative url to github.

The SBOM includes the vcs_url as vercel/ms. So I wonder if https://github.com should be prepended in such cases? Maybe with an option to specify a default URL to prepend?

@jkowalleck jkowalleck added the question Further information is requested label Mar 2, 2023
jkowalleck (Member) commented Mar 2, 2023

@lal12 you are right, a feature to do the needed repository transformations is missing.

As the original request was a bug report in https://github.com/CycloneDX/cyclonedx-webpack-plugin/
I will implement an interim fix there ASAP.


justification / case / context

The current implementation simply applies the "repository" value and does not apply the simplified-repository rules that package managers know about.

For GitHub, GitHub gist, Bitbucket, or GitLab repositories you can use the same shortcut syntax you use for npm install:

{
  "repository": "npm/npm", // -> https://github.com/npm/npm
  "repository": "github:user/repo", // -> https://github.com/user/repo
  "repository": "gist:3816096", // -> https://gist.github.com/3816096
  "repository": "gist:user/3816096", // -> https://gist.github.com/user/3816096
  "repository": "bitbucket:user/repo", // -> https://bitbucket.org/user/repo
  "repository": "gitlab:user/repo", // -> https://gitlab.com/user/repo
}

read https://github.com/npm/normalize-package-data
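As an added example (not code from cyclonedx-javascript-library, npm, or the commenter), the resolver below applies the shorthand rules listed above in JavaScript. It goes slightly beyond the quoted list: it also accepts the `{ "type", "url" }` object form and full URLs, and it returns `undefined` for anything it cannot resolve unambiguously, so an SBOM generator never emits a guessed vcs_url. The function name, the strict owner/repo character set, and the demo inputs are assumptions of this example.

```javascript
// Added example (not code from cyclonedx-javascript-library or npm): resolve
// the package.json "repository" shorthands quoted above to absolute URLs.
// Anything that cannot be resolved unambiguously yields undefined, so a
// downstream SBOM generator never emits a guessed vcs_url.

// Conservative owner / repo character set. Assumption: deliberately stricter
// than npm's own parser, so no input can smuggle extra path segments or a
// query string into the generated URL.
const SEGMENT = '[A-Za-z0-9_.-]+'
const OWNER_REPO = new RegExp(`^(${SEGMENT})/(${SEGMENT})$`)
const GIST = new RegExp(`^(?:(${SEGMENT})/)?([0-9A-Fa-f]+)$`)

// Host prefixes and the base URL each maps to, per the npm docs quoted above.
// A Map (not a plain object) so that a prefix like "constructor:" cannot hit
// an inherited property.
const HOSTS = new Map([
  ['github', 'https://github.com'],
  ['bitbucket', 'https://bitbucket.org'],
  ['gitlab', 'https://gitlab.com']
])

// Reject "." and "..", which the character set above would otherwise allow.
function isSafeSegment (segment) {
  return segment !== undefined && segment !== '.' && segment !== '..'
}

/**
 * Resolve a package.json "repository" value (a shorthand string, a full URL,
 * or the { type, url } object form) to an absolute URL.
 * Returns undefined when the value cannot be resolved.
 */
function resolveRepositoryUrl (repository) {
  const value = (repository !== null && typeof repository === 'object')
    ? repository.url
    : repository
  if (typeof value !== 'string' || value.trim() === '') return undefined

  // Already absolute (https://, git+ssh://, ...): keep it exactly as given.
  if (/^[A-Za-z][A-Za-z0-9+.-]*:\/\//.test(value)) return value

  // Split an optional "host:" prefix; a bare "owner/repo" defaults to GitHub.
  const colon = value.indexOf(':')
  const host = colon === -1 ? 'github' : value.slice(0, colon).toLowerCase()
  const path = colon === -1 ? value : value.slice(colon + 1)

  if (host === 'gist') {
    const g = GIST.exec(path)
    if (g === null || (g[1] !== undefined && !isSafeSegment(g[1]))) return undefined
    return g[1] === undefined
      ? `https://gist.github.com/${g[2]}`
      : `https://gist.github.com/${g[1]}/${g[2]}`
  }

  const base = HOSTS.get(host)
  // Unknown prefix, e.g. scp-style "git@host:owner/repo": refuse to guess.
  if (base === undefined) return undefined
  const m = OWNER_REPO.exec(path)
  if (m === null || !isSafeSegment(m[1]) || !isSafeSegment(m[2])) return undefined
  return `${base}/${m[1]}/${m[2]}`
}

// Stand-alone demo over constructed inputs taken from the thread.
for (const input of ['vercel/ms', 'github:user/repo', 'gist:3816096', 'owner/..']) {
  console.log(JSON.stringify(input), '->', resolveRepositoryUrl(input))
}
```

Returning `undefined` rather than the raw shorthand is the important design choice for an SBOM: a vcs_url of `vercel/ms` is not a URL, and prepending a default host blindly would mis-attribute `bitbucket:` or `gitlab:` packages to GitHub.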

@jkowalleck jkowalleck transferred this issue from CycloneDX/cyclonedx-webpack-plugin Mar 2, 2023
@jkowalleck jkowalleck added enhancement New feature or request and removed question Further information is requested labels Mar 2, 2023
@jkowalleck jkowalleck changed the title use github as default for relative repository url feat: detect simplified repositories from package.json like structures Mar 2, 2023
jkowalleck (Member) commented Mar 2, 2023

@lal12 are you willing to contribute the missing feature based on #517 (comment)?

if so, then please follow the guidelines: https://github.com/CycloneDX/cyclonedx-javascript-library/blob/main/CONTRIBUTING.md
current implementation can be found here:

} else {
url = repository
comment = 'as detected from PackageJson property "repository"'
}

PS: there is no actual need for action. I will implement a fix in the downstream implementations that do the needed normalization.
See #517 (comment)

jkowalleck (Member) commented
The solution will not be to implement the needed normalization here,
but to enrich the documentation and make downstream users aware that they should do the needed normalization.
Therefore, the docs will be enhanced, and a new release will make users aware of it.
