Syft is not listing the packages under dev_dependencies section in package-lock.json

We scanned a Node.js git repository which has both package.json and package-lock.json, and we observed that the packages under devDependencies are not listed in the SBOM.

Please help us in resolving the issue.

Regards,

Anvitha

Hi @anvitha_haviligi,

In the Syft configuration, you will see an option to include dev dependencies for JavaScript, which is disabled by default (you can see the configuration options using syft config):

javascript:
  ...
  # include development-scoped dependencies (env: SYFT_JAVASCRIPT_INCLUDE_DEV_DEPENDENCIES)
  include-dev-dependencies:

You can set this in a config file or from the command line using the environment variable noted in the config: SYFT_JAVASCRIPT_INCLUDE_DEV_DEPENDENCIES=true. For example, you could run:

SYFT_JAVASCRIPT_INCLUDE_DEV_DEPENDENCIES=true syft <image>

I think this should be what you’re looking for; let me know if you have any issues.
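To see concretely what that default setting leaves out, here is an added example (not Syft's own code) that partitions a package-lock.json into runtime and dev-flagged entries, so the SBOM's package list can be checked against the lockfile; the sample lockfile is constructed, and the parser handles lockfileVersion 1 as well as 2/3, which goes beyond the single case above.

```python
"""Partition a package-lock.json into runtime and dev-only entries.
Added example, not Syft code: the per-entry "dev" flag is what the default
include-dev-dependencies=false setting drops, so this shows what the SBOM
should contain with and without it. Handles lockfileVersion 1 and 2/3."""
import json

def _name_from_path(path):
    # v2/v3 keys look like "node_modules/a/node_modules/@scope/b"; the
    # package name is whatever follows the last "node_modules/".
    return path.rsplit("node_modules/", 1)[-1]

def _walk_v1(deps, out):
    # v1 nests transitive dependencies under each entry's own "dependencies".
    for name, meta in deps.items():
        out.append((name, meta.get("version"), bool(meta.get("dev"))))
        _walk_v1(meta.get("dependencies", {}), out)

def partition_lockfile(text):
    """Return (runtime, dev) as sorted lists of (name, version) tuples."""
    lock = json.loads(text)
    entries = []
    if lock.get("lockfileVersion", 1) >= 2 and "packages" in lock:
        for path, meta in lock["packages"].items():
            if path == "":  # the root project itself, not a dependency
                continue
            entries.append((_name_from_path(path), meta.get("version"),
                            bool(meta.get("dev"))))
    else:
        _walk_v1(lock.get("dependencies", {}), entries)
    runtime = sorted((n, v) for n, v, dev in entries if not dev)
    dev = sorted((n, v) for n, v, dev in entries if dev)
    return runtime, dev

# Constructed sample lockfile (v3 layout); names and versions are made up.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/express": {"version": "4.19.2"},
        "node_modules/jest": {"version": "29.7.0", "dev": True},
        "node_modules/jest/node_modules/chalk": {"version": "4.1.2", "dev": True},
    },
})

if __name__ == "__main__":
    runtime, dev = partition_lockfile(SAMPLE_LOCK)
    print("in default SBOM:", runtime)
    print("needs SYFT_JAVASCRIPT_INCLUDE_DEV_DEPENDENCIES=true:", dev)
```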

Thank you so much, it is working. May I know where I can find all the environment variables?

As noted in my earlier message, you can use syft config to list the full set of configuration options for the version of syft you have, which includes the environment variables for each option. You can also see the latest version and read more about all our tools on our documentation site.

Hi @kzantow, thank you. One more finding; could you please help me understand it?

For one of the packages in the SBOM, I'm seeing multiple licenses; below is the package name. When I try to open the link mentioned in the SBOM, I find a consolidated license file covering different components. So is Syft listing the licenses which are mentioned in the LICENSE file? But if I search in Google for the license of this particular package, it says "Apache". As Syft is listing multiple licenses, we are displaying all the licenses.
https://proxy.golang.org/github.com/hashicorp/vic/@v/v1.5.1-0.20190403131502-bbfe86ec9443.zip#github.com/hashicorp/vic@v1.5.1-0.20190403131502-bbfe86ec9443/LICENSE

GitHub - hashicorp/vic: vSphere Integrated Containers Engine is a container runtime for vSphere.
Version: v1.5.1-0.20190403131502-bbfe86ec9443
Type: library
Licenses: AFL-2.1, Apache-2.0, Artistic-1.0, Artistic-2.0, BSD-2-Clause, BSD-3-Clause, BSD-3-Clause-Clear, BSD-3-Clause-No-Nuclear-Warranty, BSD-4-Clause, BSD-4-Clause-UC, BSD-Source-Code, BSL-1.0, Beerware, CC-BY-3.0, CC-BY-4.0, CC-BY-SA-2.0, CC-BY-SA-3.0, CC-BY-SA-4.0, CC0-1.0, FSFAP, FSFULLR, GFDL-1.1-only, GFDL-1.2-only, GFDL-1.3-only, GFDL-1.3-no-invariants-or-later, GPL-1.0-only, GPL-1.0-or-later, GPL-2.0-only, GPL-2.0-only, GPL-2.0-or-later, GPL-3.0-only, GPL-3.0-or-later, HPND, HPND-sell-variant, ISC, LGPL-2.0-only, LGPL-2.0-or-later, LGPL-2.1-only, LGPL-2.1-or-later, LGPL-3.0-only, LGPL-3.0-or-later, LPPL-1.3c, MIT, MPL-1.1, MPL-2.0, MS-PL, NCSA, OFL-1.1, OLDAP-2.8, OSL-1.1, OpenSSL, RSA-MD, Rdisc, SSH-OpenSSH, Spencer-94, TCL, WTFPL, Zlib, blessing, bzip2-1.0.6, curl, GooglePatentsFile
Digest: sha256:efed67ff325d7d475f8f2f9b2a80522e35150deca75337a7d960f50aa4e85fd2

Thanks in advance

If you look on GitHub, it is also unable to determine the license; in fact, it can't currently display the license tab. But the LICENSE file exists, and a cursory look suggests it contains all the licenses you noted. It looks like these are the licenses of all the dependencies, and it's rightfully including them because it has vendored them and is distributing those dependencies directly. You should definitely pay attention to what's in that LICENSE – some of those dependencies are GPL-licensed and include some other licenses I'm not familiar with.

It looks like Syft is doing the accurate thing here :tada:


Hi @kzantow, thank you so much for the response. One more question, sorry for asking so many questions.

We are not seeing many packages in the SBOM which are built with Gradle; could you please help me check if anything is missing in our folder structure?

./DateTime/build.gradle
./DateTime/gradle-mvn-push.gradle
./MaterialCalendarView/build.gradle
./apkversioninglibrary/build.gradle
./app/build.gradle
./app/projectDependencies.gradle
./appConfiguration/build.gradle
./cm/build.gradle
./commonlibrary/build.gradle
./dependencies.gradle
./keycloak/build.gradle
./knowledge_hub/build.gradle
./nexus/build.gradle
./retrofitlibrary1.1/build.gradle
./settings.gradle
./sitemanagement/build.gradle
./socialview-commons/build.gradle
./socialview-core/build.gradle
./sonar.gradle
./switchdatetime/build.gradle
./webapilib/build.gradle
./jacoco.gradle
./build.gradle

Thanks in advance, Anvitha

Syft is a static analysis tool – it does not execute third-party tools like Maven or NPM to get the exact same results as if you were to run those tools, which means the ability to parse .gradle files is limited because these are written in the Groovy programming language.

However, we have support for the lockfile format, which is not Groovy and is both easier to parse and contains resolved versions. Lockfiles have the added benefit of giving you reproducible builds; this would be one thing that could help improve the results.
