Comments (1)
This looks fun! Leaving behind some information for anyone that might be interested in working on this.
lockfile
The bun lockfile is a binary format:
$ xxd bun.lockb | head
00000000: 2321 2f75 7372 2f62 696e 2f65 6e76 2062 #!/usr/bin/env b
00000010: 756e 0a62 756e 2d6c 6f63 6b66 696c 652d un.bun-lockfile-
00000020: 666f 726d 6174 2d76 300a 0200 0000 c8ca format-v0.......
00000030: bf6e 1c9b 607b da75 2feb c98e 4d95 098f .n..`{.u/...M...
00000040: 498f 7478 0e53 a7ff cf9e f4b8 dd87 e085 I.tx.S..........
00000050: 0000 0000 0000 5900 0000 0000 0000 0800 ......Y.........
00000060: 0000 0000 0000 0800 0000 0000 0000 8000 ................
00000070: 0000 0000 0000 7558 0000 0000 0000 0000 ......uX........
00000080: 6275 6e2d 6578 0000 7a6f 6400 0000 0000 bun-ex..zod.....
00000090: 7669 7465 0000 0000 6673 6576 656e 7473 vite....fsevents
The code that parses this in Zig can be found here. From the docs:
It uses linear arrays for all data. Packages are referenced by an auto-incrementing integer ID or a hash of the package name. Strings longer than 8 characters are de-duplicated. Prior to saving on disk, the lockfile is garbage-collected & made deterministic by walking the package tree and cloning the packages in dependency order.
executable
I'm not seeing any evidence of unencoded packaging information yet in a simple test:
$ cat package.json
{
  "name": "alexgoodman",
  "version": "1.23.445",
  "module": "index.ts",
  "type": "module",
  "devDependencies": {
    "@types/bun": "latest"
  },
  "peerDependencies": {
    "typescript": "^5.0.0"
  },
  "dependencies": {
    "cowsay": "^1.6.0",
    "vite": "^5.2.10",
    "zod": "^3.23.5"
  }
}
$ bun build ./index.ts --compile --outfile myapp
[31ms] bundle 1 modules
[226ms] compile myapp
$ strings myapp | grep '1\.23\.445'
$ strings myapp | grep 'alexgoodman'
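Two checks a cataloger author would want from the comment above, written out as an added example (not code from the comment, from Bun, or from syft): recognising a bun.lockb by the two header lines visible in the xxd dump, and the `strings myapp | grep` test re-done over a constructed stand-in binary. The sample lockfile bytes are the first 0x50 bytes copied from the dump; the stand-in executable is constructed. Treating the two text lines as a stable magic and everything after them as opaque is an assumption made here, not something the comment states.

```python
"""Added example: detect a bun.lockb by its header, and grep a binary for
package metadata the way the `strings | grep` test in the comment does.

Assumptions (not from the comment, Bun, or syft): the two text lines at the
top of the xxd dump are a stable magic; the bytes after them are opaque.
"""
import re
from typing import Dict, List, Optional

BUN_SHEBANG = b"#!/usr/bin/env bun\n"
BUN_FORMAT_RE = re.compile(rb"bun-lockfile-format-v(\d+)\n")

# First 0x50 bytes of the lockfile exactly as shown in the xxd dump above;
# the payload after the two text lines starts at offset 0x2a.
SAMPLE_LOCKB = (
    BUN_SHEBANG
    + b"bun-lockfile-format-v0\n"
    + bytes.fromhex(
        "02000000c8ca"
        "bf6e1c9b607bda752febc98e4d95098f"
        "498f74780e53a7ffcf9ef4b8dd87e085"
    )
)

# Constructed stand-in for the compiled `myapp`: an ELF-like prefix, a few
# printable runs, and deliberately no package name or version string.
SAMPLE_EXE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"cowsay\x00\x00zod\x00vite\x00\x01\x02"
    + b"node_modules/\x00" + b"\x00" * 8
)


def parse_bun_lockb_header(data: bytes) -> Optional[Dict[str, int]]:
    """Return the format version and header length when `data` starts with
    the bun.lockb magic, otherwise None. Only the two text lines are parsed;
    the binary payload that follows is left alone."""
    if not data.startswith(BUN_SHEBANG):
        return None
    m = BUN_FORMAT_RE.match(data, len(BUN_SHEBANG))
    if m is None:
        return None
    return {"format_version": int(m.group(1)), "header_len": m.end()}


def extract_strings(binary: bytes, min_len: int = 4) -> List[bytes]:
    """Printable ASCII runs of at least `min_len` bytes, like `strings`."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, binary)


def find_package_markers(
    binary: bytes, markers: List[bytes]
) -> Dict[bytes, List[bytes]]:
    """For each marker, the extracted strings that contain it (the comment's
    `strings myapp | grep ...` check). An empty list means no hit, which is
    what the comment reports for the name and version of its test package."""
    strs = extract_strings(binary)
    return {mk: [s for s in strs if mk in s] for mk in markers}


if __name__ == "__main__":
    print(parse_bun_lockb_header(SAMPLE_LOCKB))
    print(find_package_markers(SAMPLE_EXE, [b"alexgoodman", b"1.23.445"]))
```

On the real lockfile the header parser reports version 0 and a 42-byte (0x2a) header, matching where the dump's binary payload begins; the marker search over the stand-in reproduces the comment's empty grep result, and would list the containing string if a build ever did embed the package name or version.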