Trivy marks all dependencies of subdirectories as 'dev dependency' for PNPM #7386

Closed
2 tasks done
DmitriyLewen opened this issue Aug 26, 2024 Discussed in #7381 · 0 comments · Fixed by #7387

Discussed in #7381

Originally posted by SemProvoost August 25, 2024

Description

Bug Summary: Trivy incorrectly identifies packages that are listed as dependencies in the package.json of a subdirectory as dev-dependencies.

Steps to reproduce

(Adding steps to reproduce here to allow myself to use markdown)

Project structure

/ (root directory)
├── package.json
├── pnpm-lock.yaml
├── pnpm-workspace.yaml
└── subdir/
    └── package.json

Root package.json content:

{
    "dependencies": {
        "await-sleep": "^0.0.1"
    }
}

Subdir package.json content:

{
    "dependencies": {
        "sleep-utils": "1.0.3"
    }
}

pnpm-workspace.yaml content:

packages:
  - "subdir/**"

pnpm-lock.yaml (as a result of pnpm i on root)

lockfileVersion: '9.0'

settings:
  autoInstallPeers: true
  excludeLinksFromLockfile: false

importers:

  .:
    dependencies:
      await-sleep:
        specifier: ^0.0.1
        version: 0.0.1

  subdir:
    dependencies:
      sleep-utils:
        specifier: 1.0.3
        version: 1.0.3

packages:

  await-sleep@0.0.1:
    resolution: {integrity: sha512-H3X3eAxwGpeNIk/yvFOs8g7500Q1YvzrxjSC9TNgLGtjrMFxPwhDdcT34QNs2iGWpZ+5WKkMJdjDoYs+Sw+TaA==}

  sleep-utils@1.0.3:
    resolution: {integrity: sha512-uJW7WDHISE1zJIdvoIewcdmis3pBvJhM30rni2gH7fHhV1NkTWLKw3J6CPRFdg3h+rFChFHzAgbkCKUErd4s8Q==}

snapshots:

  await-sleep@0.0.1: {}

  sleep-utils@1.0.3: {}

Running Trivy

Running Trivy on the root of the project (trivy fs . -f json --include-dev-deps --list-all-pkgs) results in

{
  "SchemaVersion": 2,
  "CreatedAt": "2024-08-25T14:59:48.762656+02:00",
  "ArtifactName": ".",
  "ArtifactType": "filesystem",
  "Metadata": {
    "ImageConfig": {
      "architecture": "",
      "created": "0001-01-01T00:00:00Z",
      "os": "",
      "rootfs": {
        "type": "",
        "diff_ids": null
      },
      "config": {}
    }
  },
  "Results": [
    {
      "Target": "pnpm-lock.yaml",
      "Class": "lang-pkgs",
      "Type": "pnpm",
      "Packages": [
        {
          "ID": "await-sleep@0.0.1",
          "Name": "await-sleep",
          "Identifier": {
            "PURL": "pkg:npm/await-sleep@0.0.1",
            "UID": "63283cc86327e55d"
          },
          "Version": "0.0.1",
          "Licenses": [
            "ISC"
          ],
          "Relationship": "direct",
          "Layer": {}
        },
        {
          "ID": "sleep-utils@1.0.3",
          "Name": "sleep-utils",
          "Identifier": {
            "PURL": "pkg:npm/sleep-utils@1.0.3",
            "UID": "c649275e081911ba"
          },
          "Version": "1.0.3",
          "Dev": true,
          "Licenses": [
            "MIT"
          ],
          "Indirect": true,
          "Relationship": "indirect",
          "Layer": {}
        }
      ]
    }
  ]
}

As you can see, the sleep-utils package is marked as "Dev": true, while it is not a dev-dependency.

Desired Behavior

In my example, the sleep-utils package should not have been marked as dev-dependency

Actual Behavior

In my example, the sleep-utils package has incorrectly been marked as dev-dependency

Reproduction Steps

See 'Steps to reproduce' in the description as that field supports markdown. 😁

Target

None

Scanner

None

Output Format

JSON

Mode

None

Debug Output

Not relevant here 😁

Operating System

macOS Ventura 13.3.1

Version

0.54.1

Checklist
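The following is an added reference classifier, not Trivy's own parser and not code from the issue author, that applies the rule the report above expects: a package in a pnpm v9 lockfile is a dev dependency only when it is reachable solely through some importer's devDependencies; a package listed under dependencies (or optionalDependencies) of any importer, whether the root or a workspace member such as subdir, is a production dependency, and a direct one for that importer. It takes the lockfile already parsed into a dict (yaml.safe_load gives this shape) so it runs offline here. The embedded sample is the lockfile from the issue plus a constructed third importer, tools, with hypothetical packages dummy-linter and dummy-helper, added to show how real dev dependencies and their transitive closure are handled; none of those names exist on the page. Note that the posted JSON also reports sleep-utils with "Relationship": "indirect"; under this rule it is direct, because subdir's own package.json lists it. Why this matters for scanning: if dev dependencies are filtered out of a scan, a production package mis-flagged as dev simply disappears from the result.

```python
"""Reference dev/prod classifier for pnpm-lock.yaml (lockfileVersion 9).

Added example, not Trivy's parser. Input is the lockfile parsed into a dict.
"""
from collections import deque


def _roots(lock):
    """Collect root packages from every importer (root and workspace members).

    dependencies/optionalDependencies are production roots, devDependencies
    are dev roots. Keys are "name@version" as pnpm writes them in snapshots.
    """
    prod, dev = set(), set()
    for importer in (lock.get("importers") or {}).values():
        for section, target in (("dependencies", prod),
                                ("optionalDependencies", prod),
                                ("devDependencies", dev)):
            for name, spec in (importer.get(section) or {}).items():
                target.add(f"{name}@{spec['version']}")
    return prod, dev


def _reach(lock, roots):
    """Transitive closure over snapshot edges (dependency name -> version)."""
    snapshots = lock.get("snapshots") or {}
    seen, queue = set(), deque(roots)
    while queue:
        key = queue.popleft()
        if key in seen:
            continue
        seen.add(key)
        snap = snapshots.get(key) or {}
        for section in ("dependencies", "optionalDependencies"):
            for name, version in (snap.get(section) or {}).items():
                queue.append(f"{name}@{version}")
    return seen


def classify(lock):
    """Return {"name@version": {"dev": bool, "direct": bool}} for every package.

    A package is dev only if no production root reaches it. pnpm appends a
    peer-dependency suffix like "(bar@2.0.0)" to some snapshot keys; variants
    of one package are merged, and the package is dev only if all variants are.
    """
    prod_roots, dev_roots = _roots(lock)
    prod_closure = _reach(lock, prod_roots)
    dev_closure = _reach(lock, dev_roots)
    result = {}
    for key in prod_closure | dev_closure:
        pkg_id = key.split("(", 1)[0]
        entry = result.setdefault(pkg_id, {"dev": True, "direct": False})
        entry["dev"] = entry["dev"] and key not in prod_closure
        entry["direct"] = entry["direct"] or key in prod_roots or key in dev_roots
    return result


# Constructed sample: the lockfile from the issue, plus a hypothetical "tools"
# importer with a devDependency "dummy-linter" that itself depends on
# "dummy-helper" and on the production package "sleep-utils".
SAMPLE_LOCK = {
    "lockfileVersion": "9.0",
    "importers": {
        ".": {"dependencies": {
            "await-sleep": {"specifier": "^0.0.1", "version": "0.0.1"}}},
        "subdir": {"dependencies": {
            "sleep-utils": {"specifier": "1.0.3", "version": "1.0.3"}}},
        "tools": {"devDependencies": {
            "dummy-linter": {"specifier": "^2.0.0", "version": "2.0.0"}}},
    },
    "snapshots": {
        "await-sleep@0.0.1": {},
        "sleep-utils@1.0.3": {},
        "dummy-linter@2.0.0": {"dependencies": {
            "dummy-helper": "0.1.0", "sleep-utils": "1.0.3"}},
        "dummy-helper@0.1.0": {},
    },
}


if __name__ == "__main__":
    # To run on a real lockfile: lock = yaml.safe_load(open("pnpm-lock.yaml"))
    for pkg_id, flags in sorted(classify(SAMPLE_LOCK).items()):
        print(f"{pkg_id:24} dev={flags['dev']!s:5} direct={flags['direct']}")
```

Running it on the sample reports await-sleep and sleep-utils as production and direct, dummy-linter as dev and direct, and dummy-helper as dev and indirect; sleep-utils stays production even though a dev root also reaches it, because subdir's dependencies reach it first.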

@DmitriyLewen DmitriyLewen added the kind/bug Categorizes issue or PR as related to a bug. label Aug 26, 2024
@DmitriyLewen DmitriyLewen self-assigned this Aug 26, 2024
@knqyf263 knqyf263 added this to the v0.55.0 milestone Sep 2, 2024