
Resolve and display dependency trees


[Feature Request]

dependency-track 3.4.0
cyclonedx-node-module 0.2.4
npm 5.4.2
node 8.6.0

The below is a post from the cyclonedx-node-module issues.

I have a web project using npm to load dependencies. I have the cyclonedx-node-module running on my build server generating a bom file for my project. I’m seeing a dependency in the list that was flagged as critical, and I didn’t recognize the package, so naturally I tried to find where it was being referenced.

See “macaddress” dependency in this image: [image]

When I run a scan on my project folder I do not find a direct reference to the “macaddress” dependency in package.json, but I do find it in the package-lock.json file.

"macaddress": {
      "version": "0.2.8",
      "resolved": "https://registry.npmjs.org/macaddress/-/macaddress-0.2.8.tgz",
      "integrity": "sha1-WQTcU3w57G2+/q6QIycTX6hRHxI="
    },

I then found that there was a second reference under package-lock.json for “macaddress”

"uniqid": {
      "version": "4.1.1",
      "resolved": "https://registry.npmjs.org/uniqid/-/uniqid-4.1.1.tgz",
      "integrity": "sha1-iSIN32t1GuUrX3JISGNShZa7hME=",
      "requires": {
        "macaddress": "0.2.8"
      }
    },

Which appears to be the parent dependency pulling “macaddress” in. And that comes from…

"postcss-filter-plugins": {
      "version": "2.0.2",
      "resolved": "https://registry.npmjs.org/postcss-filter-plugins/-/postcss-filter-plugins-2.0.2.tgz",
      "integrity": "sha1-bYWGJTTXNaxCDkqFgG4fXUKG2Ew=",
      "requires": {
        "postcss": "5.2.18",
        "uniqid": "4.1.1"
      },
      "dependencies": {

And so on… Eventually, this builds out to a dependency tree like this:

css-loader (referenced in "dependencies" section of package.json)
|-cssnano
 |--postcss-filter-plugins
  |---uniqid
   |----macaddress

My question is how can we resolve this dependency tree in the cyclonedx-node-module bom generation? Either that or dependency-track itself should resolve this. I’m going to have people asking about critical vuln dependencies and I would love to figure out how the heck these are getting pulled in without doing the time-intensive dirty work. Seems like this should be possible.

Let me know if I need to elaborate further.

Thanks! Drew

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Reactions: 7
  • Comments: 8 (7 by maintainers)

Top GitHub Comments

stevespringett commented, Mar 10, 2021 (3 reactions)

Initial support for dependency graphs is complete. Future enhancements are planned.

Dependency Prototype
