javascript-cataloger: false positive - cross-spawn

[robertkowalski]

What happened:

We install the dependency cross-spawn as one of the dependencies of jest in version 7.0.6, however it seems the javascript cataloger can't parse our yarn.lock file, as it lists cross-spawn 7.0.3 which has a security issue and results in grype errors.

What you expected to happen:

yarn.lock is properly parsed. see our lockfile entry: https://github.com/robertkowalski/syft-minimal-example/blob/58974e0e983ec6a628770d1229a2c328d11c9394/yarn.lock#L859-L866

Steps to reproduce the issue:

$ git clone https://github.com/robertkowalski/syft-minimal-example.git
$ cd syft-minimal-example
$ docker build --tag cross-spawn .
$ syft cross-spawn -o syft-text

[...]

[cross-spawn]
 Version:	 7.0.3
 Type:		 npm
 Found by:	 javascript-package-cataloger

Anything else we need to know?:

Environment:

• Output of syft version:

Application: syft
Version:    1.16.0
BuildDate:  2024-11-04T20:23:27Z
GitCommit:  Homebrew
GitDescription: [not provided]
Platform:   darwin/amd64
GoVersion:  go1.23.2
Compiler:   gc

• OS (e.g: cat /etc/os-release or similar): OSX Sonoma 14.7

[willmurphyscode]

Thanks @robertkowalski for the excellent repro steps! That makes investigating these things so much easier.

I just tested on latest Syft, and I agree with what you're seeing (actually, we seem to find cross-spawn 7.0.3 and 7.0.6, which also doesn't seem right).

I've marked this as ready. Anyone is welcome to pick it up and work on it.