[Feature] Add option to resolve Pods that are actually Node-Modules #73

@malice00

Description

We are using Expo & React Native to build apps. We've been generating and importing our SBOMs for some time and kept finding it strange that Dependency-Track never showed any issues with the dependencies. Turns out, about 95% of the pods in our SBOM are unknown to the likes of OSS Index. After investigating this a bit more, we found out that all these unknown pods are actually 'locally' defined pods in the node_modules directory.

Now, we would like to know if it would be possible to add a feature that can resolve these pods to the node module and use its data in the SBOM, so that we can actually have vulnerability info on these modules? From what we have found, a lot of information is already correct (seeing it is retrieved from the package.json), but unfortunately the most important things, the name and purl, are not.
We also found that not all podspecs are for local pods, some modules have a directory called 'third-party-podspecs', which contain pod-definitions for pods newer than those in the cocoapods specs repo. These should, preferably, still be resolved to actual pods.

So, what we found (and hope will help), is that the pods that should be resolved to modules all contain a reference to the package.json similar to this: package = JSON.parse(File.read(File.join(__dir__, '..', 'package.json'))).

Could this maybe be added?

Edit:
I just noticed that there will be a lot less node modules than there are Pods, seeing that some modules define tens of pods... Imho, these pods can all be resolved to the same module and therefore be de-duped in the final SBOM. This might also mean that some modules depend on themselves, so care should be taken with circular references...
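The resolution the issue asks for can be prototyped from the pattern quoted above. The following is an added example, not code from the issue author or from the cyclonedx-cocoapods project: it scans podspec files for the `JSON.parse(File.read(File.join(__dir__, ..., 'package.json')))` reference, follows the path segments to the module's package.json, emits an npm purl for the module, skips anything under a `third-party-podspecs` directory, and de-duplicates the many pods one module can define onto a single component. The function names, the `@acme/native-thing` module and its podspecs are constructed fixtures for the demo.

```ruby
require 'json'
require 'tmpdir'
require 'fileutils'

# Matches the reference quoted in the issue:
#   package = JSON.parse(File.read(File.join(__dir__, '..', 'package.json')))
# and captures the path segments between __dir__ and 'package.json'.
PACKAGE_JSON_REF = /JSON\.parse\(\s*File\.read\(\s*File\.join\(\s*__dir__((?:\s*,\s*'[^']*')*)\s*,\s*'package\.json'\s*\)\s*\)\s*\)/

# Returns the absolute path of the package.json a podspec reads, or nil if the
# podspec does not follow the pattern (i.e. it is a regular CocoaPods spec).
def node_module_package_json(podspec_path)
  m = PACKAGE_JSON_REF.match(File.read(podspec_path))
  return nil unless m
  segments = m[1].scan(/'([^']*)'/).flatten
  File.expand_path(File.join(File.dirname(podspec_path), *segments, 'package.json'))
end

# Per the issue, specs under 'third-party-podspecs' are newer copies of real
# CocoaPods specs, not node modules: leave those as pods.
def third_party_podspec?(podspec_path)
  podspec_path.split(File::SEPARATOR).include?('third-party-podspecs')
end

# npm purl with the scope '@' percent-encoded (pkg:npm/%40scope/name@version),
# which is what the purl spec and hence CycloneDX consumers expect.
def npm_purl(name, version)
  encoded = name.start_with?('@') ? "%40#{name[1..]}" : name
  "pkg:npm/#{encoded}@#{version}"
end

# Resolve podspec paths to node-module components, de-duplicating the many
# pods a single module can define. Returns { purl => component }.
def resolve_pods_to_modules(podspec_paths)
  components = {}
  podspec_paths.each do |spec|
    next if third_party_podspec?(spec)
    pkg_json = node_module_package_json(spec)
    next if pkg_json.nil? || !File.file?(pkg_json)
    pkg = JSON.parse(File.read(pkg_json))
    purl = npm_purl(pkg['name'], pkg['version'])
    components[purl] ||= { name: pkg['name'], version: pkg['version'], purl: purl, pods: [] }
    components[purl][:pods] << File.basename(spec, '.podspec')
  end
  components
end

# Constructed fixture (hypothetical module, not a real package): one node
# module defining two local pods plus one third-party podspec.
def demo_fixture(root)
  mod = File.join(root, 'node_modules', '@acme', 'native-thing')
  FileUtils.mkdir_p(File.join(mod, 'ios'))
  FileUtils.mkdir_p(File.join(mod, 'third-party-podspecs'))
  File.write(File.join(mod, 'package.json'),
             JSON.generate(name: '@acme/native-thing', version: '1.2.3'))
  ref = "package = JSON.parse(File.read(File.join(__dir__, '..', 'package.json')))\n"
  %w[AcmeCore AcmeUI].each do |n|
    File.write(File.join(mod, 'ios', "#{n}.podspec"),
               ref + "Pod::Spec.new { |s| s.name = '#{n}'; s.version = package['version'] }\n")
  end
  File.write(File.join(mod, 'third-party-podspecs', 'SomeLib.podspec'),
             "Pod::Spec.new { |s| s.name = 'SomeLib' }\n")
  Dir.glob(File.join(mod, '**', '*.podspec')).sort
end

# Builds the fixture in a temp dir and returns the de-duplicated components.
def run_demo
  result = nil
  Dir.mktmpdir { |root| result = resolve_pods_to_modules(demo_fixture(root)) }
  result
end

if __FILE__ == $PROGRAM_NAME
  run_demo.each_value { |c| puts "#{c[:purl]}  (pods: #{c[:pods].join(', ')})" }
end
```

Both `AcmeCore` and `AcmeUI` collapse onto the single `pkg:npm/%40acme/native-thing@1.2.3` component, and `SomeLib` is left alone for normal pod resolution. A real implementation would still need to walk the Podfile.lock dependency graph and guard against a module's pods depending on each other, which after de-duplication becomes a self-reference.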
