Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] unexpected package version expression causes crash #133

Open
jkowalleck opened this issue Jun 20, 2024 · 1 comment
Open

[BUG] unexpected package version expression causes crash #133

jkowalleck opened this issue Jun 20, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@jkowalleck
Copy link
Member

jkowalleck commented Jun 20, 2024
edited
Loading

Describe the bug

When attempting to generate the SBOM and a package.json contains for example "version": "1.0-dev" it now crashes in a function called Object.fixVersionField. This concerns me as I would not expect the SBOM generation to adjust version numbers and instead just take them verbatim.

To Reproduce

package.json

{
  "name": "jretret",
  "version": "1.0-dev",
  "packageManager": "yarn@4.3.0",
  "dependencies": {
    "is-sorted": "^1.0.5"
  }
}

Expected behavior

no crashes

Screenshots or output-paste

$ yarn dlx --quiet @cyclonedx/yarn-plugin-cyclonedx -vvv                                                                             

YARN_PLUGINS='/tmp/xfs-8c459013/dlx-363278/.yarn/unplugged/@cyclonedx-yarn-plugin-cyclonedx-npm-1.0.0-rc.7-922b640b2d/node_modules/@cyclonedx/yarn-plugin-cyclonedx/yarn-plugin-cyclonedx.cjs' yarn cyclonedx -vvv

DEBUG | YARN_VERSION: [ 4, 3, 0 ]
DEBUG | options: {"specVersion":"1.5","outputFormat":"JSON","outputFile":"-","production":false,"mcType":"application","shortPURLs":false,"outputReproducible":false,"verbosity":4,"projectDir":"/tmp/jretret"}
INFO  | gathering project & workspace ...
DEBUG | project: /tmp/jretret
DEBUG | workspace: /tmp/jretret
LOG   | gathering BOM data ...
Internal Error: Invalid version: "1.0-dev"
    at Object.fixVersionField (/tmp/xfs-8c459013/dlx-363278/.yarn/unplugged/@cyclonedx-yarn-plugin-cyclonedx-npm-1.0.0-rc.7-922b640b2d/node_modules/@cyclonedx/yarn-plugin-cyclonedx/yarn-plugin-cyclonedx.cjs:48:3853)
    at /tmp/xfs-8c459013/dlx-363278/.yarn/unplugged/@cyclonedx-yarn-plugin-cyclonedx-npm-1.0.0-rc.7-922b640b2d/node_modules/@cyclonedx/yarn-plugin-cyclonedx/yarn-plugin-cyclonedx.cjs:48:10076
    at Array.forEach (<anonymous>)
    at Jx (/tmp/xfs-8c459013/dlx-363278/.yarn/unplugged/@cyclonedx-yarn-plugin-cyclonedx-npm-1.0.0-rc.7-922b640b2d/node_modules/@cyclonedx/yarn-plugin-cyclonedx/yarn-plugin-cyclonedx.cjs:48:10041)
    at Xf.makeComponent (/tmp/xfs-8c459013/dlx-363278/.yarn/unplugged/@cyclonedx-yarn-plugin-cyclonedx-npm-1.0.0-rc.7-922b640b2d/node_modules/@cyclonedx/yarn-plugin-cyclonedx/yarn-plugin-cyclonedx.cjs:48:13143)
    at Xf.makeComponentFromWorkspace (/tmp/xfs-8c459013/dlx-363278/.yarn/unplugged/@cyclonedx-yarn-plugin-cyclonedx-npm-1.0.0-rc.7-922b640b2d/node_modules/@cyclonedx/yarn-plugin-cyclonedx/yarn-plugin-cyclonedx.cjs:48:12462)
    at Xf.buildFromWorkspace (/tmp/xfs-8c459013/dlx-363278/.yarn/unplugged/@cyclonedx-yarn-plugin-cyclonedx-npm-1.0.0-rc.7-922b640b2d/node_modules/@cyclonedx/yarn-plugin-cyclonedx/yarn-plugin-cyclonedx.cjs:48:11711)
    at async Is.execute (/tmp/xfs-8c459013/dlx-363278/.yarn/unplugged/@cyclonedx-yarn-plugin-cyclonedx-npm-1.0.0-rc.7-922b640b2d/node_modules/@cyclonedx/yarn-plugin-cyclonedx/yarn-plugin-cyclonedx.cjs:55:989)
    at async Is.validateAndExecute (.../.cache/node/corepack/v1/yarn/4.3.0/yarn.js:94:787)
    at async ls.run (/home/flow/.cache/node/corepack/v1/yarn/4.3.0/yarn.js:98:3250)

Environment

  • @cyclonedx/yarn-plugin-cyclonedx version: v1.0.0-rc.7+git.33febfe
  • yarn version: n/a
  • Node version: n/a
  • OS: n/a

Additional context

as i've learned, is an invalid version identifier according to npm/yarn standards (which appears to adhere to semver), and causes crashes everywhere.
So this is somehow expected.

But still, an option could be: in case a crash because of version happens, remove version and try again, and add back the version afterwards ...
Or find a way to ignore the version when running manifest normalization ...
@jkowalleck jkowalleck added the bug Something isn't working label Jun 20, 2024
@jkowalleck jkowalleck mentioned this issue Jun 20, 2024
Merged
10 tasks
@AugustusKling
Copy link
Contributor

I'd argue it's okay to refuse to generate an SBOM if any version number not confirming to semver is encountered. This is because https://docs.npmjs.com/cli/v10/configuring-npm/package-json#version explicitly says "version must be parseable by node-semver"

What it should not do is trying to fix version numbers in any way. In my opinion it's better to not receive an SBOM than to receive one that you cannot trust. What do you think about catching the error and aborting with a message explaining to the user which package had the invalid version number?

If you look in clean.js within https://www.npmjs.com/package/semver?activeTab=code which is used internally by cyclonedx-node-yarn, you see it strips whitespace, = characters and the character v from the version number. Hopefully, repositories such as NPM work the same way when ensuring package versions are unique.

@jkowalleck jkowalleck changed the title [BUG] [BUG] unexpected package version expression causes crash Jun 21, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@AugustusKling @jkowalleck