Parsing Javascript files may extract incorrect (and very long) pkg name/version #723
Comments
|
@prabhu That would'n work for 2 reasons:
I was wondering on which specification you based your code to try to parse the package name and version? I didn't find any specification on how those comments should be written in JavaScript files (minified or not). |
|
@marob There are no specifications like you figured. So this will be identifying things based on some patterns so there is some visibility into the min files that are being stored or bundled. I am open to improving the logic. |
|
@marob, are you planning to send a pull request for this? |
|
@prabhu Maybe, but probably not in the near future. If you have time and an idea on how to improve the parsing, feel free to do it. |
Same. Let's keep this open and see if anyone else contributes. |
|
The size has been increased from 255 to 786 chars in Dependency Track 4.11.0 (DependencyTrack/dependency-track#3560) which should decrease BOM upload errors for cases where the purl length was > 255 but <= 786, but the issue is still here for length > 786. I still don't have any idea on how to better parse name and version from JS comments as there is no convention/spec. Should we truncate? At which size? How to balance the sizes of name and version if both are long? Anyway, as @prabhu asked here, it looks like there is no length limitation on purl specification, so we'll always have cases where a valid purl is longer than the arbitrary 786 chars limits defined in Dependency Track. |
|
There is a (currently open) issue on Dependency Track about the 786-chars limit: DependencyTrack/dependency-track#3876 |
What are the chances that a valid package name and version combined would exceed 786 characters? Depending on package manager, one could probably pin packages to a digest. Worst case... SHA-512 maybe? That's 128 characters just for the version. That still leaves ~600 characters for the name and some qualifiers maybe. This could probably be verified in a study of public packages, but my gut feeling tells me that if you're dealing with such lengths, chances are quite high that something is wrong. |
|
@nscuro I agree that PURL of more that 786 characters shouldn't exist. |
In my use case, I have a
projekktor-1.3.09.min.jsfile (N.B.: this project looks dead, its website links to dead site/advert spam) that starts with the following line (yes, the version doesn't match, but that's not the issue here):This first line is generated via Grunt.
When parsed through cdxgen
parseMinJsfunction,delimiteris identified as-because of the one at the end of the line (...License - http://...), which leads to a mis-identification of the name and version.In the end, cdxgen generates:
{ "group": "", "name": "projekktor-v1.2.37--jarisflash-|-http://www.projekktor.com-|-copyright-2010,-2011,-sascha-kluger,-spinning-airwhale-media,-http://www.spinningairwhale.com-|-gnu-general-public-license", "version": "http://www.projekktor.com/license/", "scope": "optional", "purl": "pkg:npm/projekktor-v1.2.37--jarisflash-%257C-http:%2F%2Fwww.projekktor.com-%257C-copyright-2010%252C-2011%252C-sascha-kluger%252C-spinning-airwhale-media%252C-http:%2F%2Fwww.spinningairwhale.com-%257C-gnu-general-public-license@http:%2F%2Fwww.projekktor.com%2Flicense%2F", "type": "library", "bom-ref": "pkg:npm/projekktor-v1.2.37--jarisflash-%7C-http://www.projekktor.com-%7C-copyright-2010%2C-2011%2C-sascha-kluger%2C-spinning-airwhale-media%2C-http://www.spinningairwhale.com-%7C-gnu-general-public-license@http://www.projekktor.com/license/", "evidence": {... }, "properties": [...] },This incorrect name/version leads to generating an error in Dependency Track when feeding it that SBOM because of the
purlexceeding 255 chars (which is the current size limit):The text was updated successfully, but these errors were encountered: