
javascript-cataloger: false positive - cross-spawn #3471

Open
robertkowalski opened this issue Nov 21, 2024 · 2 comments
Labels
bug Something isn't working good-first-issue Good for newcomers

Comments


robertkowalski commented Nov 21, 2024

What happened:

We install the dependency cross-spawn as one of the dependencies of jest in version 7.0.6; however, it seems the javascript cataloger can't parse our yarn.lock file, as it lists cross-spawn 7.0.3, which has a security issue and results in grype errors.

What you expected to happen:

yarn.lock is properly parsed. See our lockfile entry: https://github.com/robertkowalski/syft-minimal-example/blob/58974e0e983ec6a628770d1229a2c328d11c9394/yarn.lock#L859-L866

Steps to reproduce the issue:

$ git clone https://github.com/robertkowalski/syft-minimal-example.git
$ cd syft-minimal-example
$ docker build --tag cross-spawn .
$ syft cross-spawn -o syft-text
[...]

[cross-spawn]
 Version:	 7.0.3
 Type:		 npm
 Found by:	 javascript-package-cataloger

Anything else we need to know?:

Environment:

  • Output of syft version:
Application: syft
Version:    1.16.0
BuildDate:  2024-11-04T20:23:27Z
GitCommit:  Homebrew
GitDescription: [not provided]
Platform:   darwin/amd64
GoVersion:  go1.23.2
Compiler:   gc
  • OS (e.g: cat /etc/os-release or similar): OSX Sonoma 14.7
@robertkowalski robertkowalski added the bug Something isn't working label Nov 21, 2024
@willmurphyscode willmurphyscode moved this to Ready in OSS Nov 25, 2024
@willmurphyscode willmurphyscode added the good-first-issue Good for newcomers label Nov 25, 2024
@willmurphyscode (Contributor) commented:

Thanks @robertkowalski for the excellent repro steps! That makes investigating these things so much easier.

I just tested on latest Syft, and I agree with what you're seeing (actually, we seem to find cross-spawn 7.0.3 and 7.0.6, which also doesn't seem right).

I've marked this as ready. Anyone is welcome to pick it up and work on it.

@robert-cronin commented:

I'd love to take this one on if no one has started yet!

My initial impression is that it seems the parsing of the yarn.lock file is taking the requested caret range (i.e. cross-spawn@^7.0.3) as the used version, whereas the used version should come from the sub-field labelled version (i.e. 7.0.6).

@willmurphyscode could you please direct me to the place where the parsing of the yarn.lock files occurs? Is this the correct file: https://github.com/anchore/syft/blob/ccbee94b876240284c25c8931c6233fc71a5b7fb/syft/pkg/cataloger/javascript/parse_yarn_lock.go?
Thanks!

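Added example (not code from the Syft project or from the reporter's repository): a minimal parser for the yarn.lock v1 format that reports the resolved `version` sub-field of each entry instead of the requested range in the entry header, which is the distinction the comment above describes. The lockfile excerpt is constructed to mirror the cross-spawn case; its registry URL and the scoped package entry are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed yarn.lock v1 excerpt (not the reporter's actual lockfile).
// The header carries the requested range (^7.0.3); the installed version
// is the "version" sub-field (7.0.6).
const sampleLock = `# yarn lockfile v1

cross-spawn@^7.0.3:
  version "7.0.6"
  resolved "https://registry.yarnpkg.com/cross-spawn/-/cross-spawn-7.0.6.tgz"
  dependencies:
    path-key "^3.1.0"

path-key@^3.1.0:
  version "3.1.1"

"@scope/pkg@^1.0.0", "@scope/pkg@^1.2.0":
  version "1.2.3"
`

// ResolvedVersions maps each package name to its resolved "version"
// sub-field. Entry headers may list several comma-separated "name@range"
// keys; the name is taken up to the last '@' so scoped names survive.
func ResolvedVersions(lock string) map[string]string {
	out := map[string]string{}
	var names []string
	sc := bufio.NewScanner(strings.NewReader(lock))
	for sc.Scan() {
		line := sc.Text()
		trimmed := strings.TrimSpace(line)
		switch {
		case trimmed == "" || strings.HasPrefix(trimmed, "#"):
			continue
		case !strings.HasPrefix(line, " "): // unindented line: entry header
			names = nil
			for _, key := range strings.Split(strings.TrimSuffix(line, ":"), ",") {
				key = strings.Trim(strings.TrimSpace(key), `"`)
				if i := strings.LastIndex(key, "@"); i > 0 {
					names = append(names, key[:i])
				}
			}
		case strings.HasPrefix(trimmed, "version "): // resolved version sub-field
			v := strings.Trim(strings.TrimPrefix(trimmed, "version "), `"`)
			for _, n := range names {
				out[n] = v
			}
		}
	}
	return out
}

func main() {
	for name, v := range ResolvedVersions(sampleLock) {
		fmt.Printf("%s %s\n", name, v)
	}
}
```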