Merge pull request #109 from siemens/hotfix_npm

npm dev findings
siemens · Jan 3, 2024 · 1672de3 · 1672de3
2 parents b6dbdc2 + 50e7ede
commit 1672de3
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 4 deletions.
diff --git a/CA.nuspec b/CA.nuspec
@@ -4,7 +4,7 @@
 <package >
   <metadata>
     <id>continuous-clearing</id>
-    <version>5.1.0</version>
+    <version>5.1.1</version>
     <authors>Siemens AG</authors>
     <owners>continuous-clearing contributors</owners>
     <projectUrl>https://github.com/siemens/continuous-clearing</projectUrl>

diff --git a/Dockerfile b/Dockerfile
@@ -13,13 +13,14 @@ RUN mkdir /opt/DebianImageClearing && \
     mkdir /app/out/PatchedFiles
 
 # Installing required packages
+# Installing syft:v0.90.0
 RUN apt-get update && \
     apt-get -y install --no-install-recommends nodejs npm && \
     apt-get -y install --no-install-recommends git && \
     apt-get -y install --no-install-recommends maven && \
     apt-get -y install --no-install-recommends curl && \
     apt-get -y install --no-install-recommends dpkg-dev && \   
-    curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /opt/DebianImageClearing && \
+    curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /opt/DebianImageClearing v0.90.0 && \
     rm -rf /var/lib/apt/lists/* && \
     rm -rf archive.tar.gz
 

diff --git a/src/LCT.Common/appSettings.json b/src/LCT.Common/appSettings.json
@@ -5,7 +5,7 @@
 // --------------------------------------------------------------------------------------------------------------------
 
 {
-  "CaVersion": "5.0.0",
+  "CaVersion": "5.1.1",
   "TimeOut": 200,
   "ProjectType": "<Insert ProjectType>",
   "SW360ProjectName": "<Insert SW360 Project Name>",

diff --git a/src/LCT.PackageIdentifier/NpmProcessor.cs b/src/LCT.PackageIdentifier/NpmProcessor.cs
@@ -40,6 +40,7 @@ public class NpmProcessor : CycloneDXBomParser, IParser
         private const string Bundled = "bundled";
         private const string Dependencies = "dependencies";
         private const string Dev = "dev";
+        private const string DevOptional = "devOptional";
         private const string Version = "version";
         private const string NotFoundInRepo = "Not Found in JFrogRepo";
         private const string Requires = "requires";
@@ -214,11 +215,16 @@ private void GetComponentsForBom(string filepath, CommonAppSettings appSettings,
 
                 var properties = JObject.Parse(Convert.ToString(prop.Value));
 
-                // dev components are not ignored and added as a part of SBOM    
+                // dev components are not ignored and added as a part of SBOM
+                // If package section has Dev or DevOptional as true , considering it as Dev Component
                 if (IsDevDependency(prop.Value[Dev], ref noOfDevDependent))
                 {
                     isdev.Value = "true";
                 }
+                else if (IsDevDependency(prop.Value[DevOptional], ref noOfDevDependent))
+                {
+                    isdev.Value = "true";
+                }
 
                 IEnumerable<JProperty> subDependencyComponentList = prop.Value[Dependencies]?.OfType<JProperty>();
                 if (subDependencyComponentList != null)