[K9VULN-14431] Add Bun lockfile parser #144
Conversation
@codex review
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 12a0540e11
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
🚀 Motivation

SCA currently does not extract dependencies from `bun.lock`, so Bun projects are missing SBOM coverage. This PR adds Bun lockfile support and preserves the manifest dependency specifiers needed to enrich direct dependencies from `package.json`.

📚 Documentation

📝 Summary

Adds a `bun.lock` extractor for JavaScript projects.

Parser behavior:
- `bun.lock` and the Bun package manager
- `node_modules`

Package.json enrichment:
- `PackageJSONMatcher` `workspaces` dependency sections to preserve declared specifiers such as `^4.17.21`
- `TargetVersions` so direct/dev dependencies receive `IsDirect`, dependency groups, and manifest locations

🧪 Testing

Cross-scanner verification:
- Compared this branch against Trivy `0.70.0` on `kriasoft/react-starter-kit`, a Bun monorepo with a 4,648-line `bun.lock`.
- `name@version` packages `name@version`, every package emitted by Datadog is also emitted by Trivy (0 Datadog-only canonical packages).
- `(name, version)`. 10 Trivy-only canonical packages were local workspace packages such as `@repo/api`, `@repo/web`, and `@repo/ui`, which we intentionally skip instead of reporting as third-party npm components.

🆘 Recovery

Notes for on-call - select only one:
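The parser behavior the summary describes (reading `bun.lock`, skipping workspace members, and enriching the root manifest's direct dependencies with their declared specifiers) as an added Go example. This is illustrative code written for this page, not the PR's extractor or Datadog's code, and it makes assumptions the page does not state: a lockfileVersion 1 layout in which `"packages"` values are arrays whose first element is `"name@version"`, the root workspace sits under the `""` key, nested copies use `"parent/child"` keys, and bun's only JSONC deviation is trailing commas. The embedded lockfile is constructed for the example, not taken from `kriasoft/react-starter-kit`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Package is one third-party component recovered from bun.lock.
type Package struct {
	Name, Version, Group, Specifier string // Group and Specifier are set only when Direct
	Direct                          bool   // declared in the root workspace manifest
}
// bunLock covers the parts of the lockfileVersion 1 schema used here; the root workspace is the "" key.
type bunLock struct {
	LockfileVersion int `json:"lockfileVersion"`
	Workspaces      map[string]struct {
		Dependencies    map[string]string `json:"dependencies"`
		DevDependencies map[string]string `json:"devDependencies"`
	} `json:"workspaces"`
	Packages map[string]json.RawMessage `json:"packages"` // assumed: arrays whose first element is "name@version"
}

// stripTrailingCommas removes the trailing commas bun writes (JSONC) so encoding/json can decode it.
func stripTrailingCommas(src string) string {
	out, inStr := make([]byte, 0, len(src)), false
	for i := 0; i < len(src); i++ {
		c := src[i]
		if inStr && c == '\\' && i+1 < len(src) { // copy escapes such as \" verbatim
			out, i, c = append(out, c), i+1, src[i+1]
		} else if c == '"' {
			inStr = !inStr
		} else if !inStr && c == ',' {
			if rest := strings.TrimLeft(src[i+1:], " \t\r\n"); rest != "" && (rest[0] == '}' || rest[0] == ']') {
				continue // trailing comma before a closer
			}
		}
		out = append(out, c)
	}
	return string(out)
}

// ParseBunLock returns third-party packages keyed by canonical "name@version", marking root-declared
// direct dependencies with their group and specifier and skipping "workspace:" members.
func ParseBunLock(src string) (map[string]Package, error) {
	var lock bunLock
	if err := json.Unmarshal([]byte(stripTrailingCommas(src)), &lock); err != nil {
		return nil, fmt.Errorf("decode bun.lock: %w", err)
	}
	if lock.LockfileVersion != 1 {
		return nil, fmt.Errorf("unsupported lockfileVersion %d", lock.LockfileVersion)
	}
	root, pkgs := lock.Workspaces[""], map[string]Package{}
	for key, raw := range lock.Packages {
		entry, resolved := []json.RawMessage(nil), ""
		if json.Unmarshal(raw, &entry) != nil || len(entry) == 0 || json.Unmarshal(entry[0], &resolved) != nil ||
			strings.LastIndex(resolved, "@") < 1 || strings.HasSuffix(resolved, "@") {
			return nil, fmt.Errorf("package %q: malformed entry %s", key, raw)
		}
		at := strings.LastIndex(resolved, "@") // split on the last "@" so scoped names survive
		name, version := resolved[:at], resolved[at+1:]
		if strings.HasPrefix(version, "workspace:") {
			continue // local workspace member, not an npm component
		}
		p := Package{Name: name, Version: version}
		if key == name { // top-level entry; nested "parent/child" keys are never direct
			if spec, ok := root.Dependencies[name]; ok {
				p.Direct, p.Group, p.Specifier = true, "dependencies", spec
			} else if spec, ok := root.DevDependencies[name]; ok {
				p.Direct, p.Group, p.Specifier = true, "devDependencies", spec
			}
		}
		if prev, seen := pkgs[resolved]; !seen || !prev.Direct { // dedup nested copies, never lose direct info
			pkgs[resolved] = p
		}
	}
	return pkgs, nil
}

// SampleLock is a constructed bun.lock, not taken from any real project.
const SampleLock = `{
  "lockfileVersion": 1,
  "workspaces": {
    "": { "dependencies": { "lodash": "^4.17.21", "@repo/api": "workspace:*", }, "devDependencies": { "typescript": "^5.4.0", }, },
  },
  "packages": {
    "@repo/api": ["@repo/api@workspace:packages/api"], "lodash": ["lodash@4.17.21", "", {}, "sha512-constructed"],
    "typescript": ["typescript@5.4.5", "", { "bin": { "tsc": "bin/tsc" } }, "sha512-constructed"],
    "ms": ["ms@2.1.3", "", {}, "sha512-constructed"], "typescript/ms": ["ms@2.0.0", "", {}, "sha512-constructed"],
  },
}`

func main() {
	pkgs, err := ParseBunLock(SampleLock)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d third-party packages: %+v\n", len(pkgs), pkgs)
}
```

Keying the result on `name@version` is the same canonical `(name, version)` identity the Trivy comparison in the Testing section uses. On the sample, `@repo/api` is dropped as a workspace member, `lodash` and `typescript` come back direct with their `^` specifiers and groups, `ms@2.1.3` is a top-level entry that the root manifest does not declare and so stays transitive, and the nested `typescript/ms` copy is reported as a separate `ms@2.0.0` component rather than being mistaken for a direct dependency.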