syft should not warn on known bad package.json #3470

Open
robbat2 opened this issue Nov 21, 2024 · 1 comment
Labels
enhancement New feature or request needs-discussion

robbat2 commented Nov 21, 2024

What would you like to be added:
syft should ignore explicitly malformed test file package.json

e.g. https://github.com/browserify/resolve/blob/main/test/resolver/malformed_package_json/package.json

Why is this needed:
Reduce false positive warnings in runs.

Other tooling already excludes the file: https://github.com/search?q=%22malformed_package_json%22&type=code

Additional context:

Syft runs presently throw these warnings for it:

#29 0.052 time="2024-11-21T05:23:08Z" level=info msg="starting syft scanner for buildkit v1.4.0"
#29 7.466 [0007]  WARN cataloger failed cataloger=javascript-package-cataloger error=failed to parse package.json file: unexpected EOF location=/app/node_modules/resolve/test/resolver/malformed_package_json/package.json
#29 37.18 [0037]  WARN cataloger failed cataloger=javascript-package-cataloger error=failed to parse package.json file: unexpected EOF location=/app/node_modules/eslint-plugin-react/node_modules/resolve/test/resolver/malformed_package_json/package.json
#29 37.27 [0037]  WARN unable to extract licenses from javascript package.json: unmarshal failed
#29 37.29 [0037]  WARN cataloger failed cataloger=javascript-package-cataloger error=failed to parse package.json file: unexpected EOF location=/app/node_modules/resolve/test/resolver/malformed_package_json/package.json
@robbat2 added the enhancement label Nov 21, 2024

@willmurphyscode (Contributor) commented:

Hi @robbat2! Thanks for the issue.

Today I learned that malformed_package_json is a common name for a test fixture. Thanks!

What version of Syft are you using? Syft recently changed to treat unparseable files as known-unknowns (see #518) and no longer prints warnings here. I think if you upgrade Syft, you'll stop seeing the warnings, but the JSON output you get will list the malformed package JSON as known unknowns.

If you also wish to turn that off, or if you don't want to upgrade Syft right now, you can set Syft to ignore certain globs:
https://github.com/anchore/syft/wiki/configuration#list-of-configurable-values

Discussion: Should Syft exclude certain globs by default?

I've marked this as needs-discussion so we can discuss on our live stream whether there should be default excludes in Syft - right now Syft attempts to scan the entire image or directory by default, but it might make sense to exclude test fixtures from directory scans by default, for example, if we can figure out a good way that doesn't accidentally exclude too much.
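The behaviour described in the reply above, as an added example that is not Syft's own code: a toy Go cataloger that records undecodable package.json files as known unknowns instead of emitting warnings, and skips locations matched by exclude globs. The CatalogResult type, the Excluded and Catalog functions, the suffix-based glob matching and the SampleFiles fixture are all assumptions of this example, not Syft's API or configuration.

```go
package main

import (
	"encoding/json"
	"path"
	"strings"
)

// CatalogResult: parsed manifests, known unknowns (decode errors) and excluded paths.
type CatalogResult struct {
	Packages      map[string]string // location -> package name
	KnownUnknowns map[string]string // location -> decode error, reported instead of a warning
	Excluded      []string          // locations skipped by an exclude glob
}

// Excluded tries each glob against every path suffix (path.Match has no "**"),
// so "malformed_package_json/package.json" matches the fixture at any depth.
func Excluded(loc string, globs []string) bool {
	parts := strings.Split(strings.TrimPrefix(loc, "/"), "/")
	for _, g := range globs {
		for i := range parts {
			if ok, _ := path.Match(g, strings.Join(parts[i:], "/")); ok {
				return true
			}
		}
	}
	return false
}

// Catalog decodes each package.json in files (location -> contents). Excluded
// locations are skipped; undecodable files become known unknowns, not errors.
func Catalog(files map[string]string, excludes []string) CatalogResult {
	res := CatalogResult{Packages: map[string]string{}, KnownUnknowns: map[string]string{}}
	for loc, contents := range files {
		if Excluded(loc, excludes) {
			res.Excluded = append(res.Excluded, loc)
			continue
		}
		var pkg struct{ Name string `json:"name"` } // only the field this example needs
		if err := json.NewDecoder(strings.NewReader(contents)).Decode(&pkg); err != nil {
			res.KnownUnknowns[loc] = err.Error() // "unexpected EOF" for a truncated file
			continue
		}
		res.Packages[loc] = pkg.Name
	}
	return res
}

// SampleFiles is constructed input: a valid manifest and a truncated one at
// the same path as the resolve test fixture named in the issue.
var SampleFiles = map[string]string{
	"/app/node_modules/resolve/package.json":                                      `{"name":"resolve","license":"MIT"}`,
	"/app/node_modules/resolve/test/resolver/malformed_package_json/package.json": `{"name":"malformed"`,
}
```

Running Catalog(SampleFiles, nil) yields one parsed package and one known unknown whose reason is the same "unexpected EOF" the warnings above show; passing the fixture glob as an exclude removes it from both lists.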
