Labels: enhancement (New feature or request), help wanted (Extra attention is needed)
Description
Describe the bug feature
Yarn's builtin @yarnpkg/plugin-compat will automatically patch specific packages upon install. As far as I can see, this is not reflected in the created SBOM.
To Reproduce
# yarn add resolve
➤ YN0000: · Yarn 4.5.1
➤ YN0000: ┌ Resolution step
➤ YN0085: │ + resolve@patch:resolve@npm%3A1.22.8#optional!builtin<compat/resolve>::version=1.22.8&hash=c3c19d, function-bind@npm:1.1.2, hasown@npm:2.0.2, is-core-module@npm:2.15.1, path-parse@npm:1.0.7, resolve@npm:1.22.8, supports-preserve-symlinks-flag@npm:1.0.0
➤ YN0000: └ Completed
[...]
~# yarn info --name-only
├─ resolve@patch:resolve@npm%3A1.22.8#optional!builtin<compat/resolve>::version=1.22.8&hash=c3c19d
[...]
# yarn dlx -q @cyclonedx/yarn-plugin-cyclonedx
[...]
"components": [
{
"type": "library",
"name": "resolve",
"version": "1.22.8",
"bom-ref": "resolve@patch:resolve@npm%3A1.22.8#optional!builtin<compat/resolve>::version=1.22.8&hash=c3c19d",
"author": "James Halliday",
"description": "resolve like require.resolve() on behalf of files asynchronously and synchronously",
"purl": "pkg:npm/[email protected]?vcs_url=git%3A//github.com/browserify/resolve.git",
[...]
So the only trace of the patch you see in the SBOM is the bom-ref, which should be opaque to BOM consumers, I guess.
Looking at the version and purl, you would assume that an unchanged resolve as available from NPM is in your system while in fact, this patch (readable version) was applied to it.
Expected behavior
To be honest, I'm unsure whether the information should be better provided using pedigree/patches, using something like 1.22.8&hash=c2c19d as version... or if this would even justify extending the purl specification...
Environment
Tested on:
- @cyclonedx/yarn-plugin-cyclonedx version: 1.0.2+git.4f6eb7e
- yarn version: 4.5.1
- Node version: 23.0.0
- OS: docker pull node:23-bookworm
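As an added example (not code from @cyclonedx/yarn-plugin-cyclonedx or Yarn), this parses the patch: locator shown above and records the builtin compat patch in the component's pedigree.patches, so a BOM consumer no longer has to decode the bom-ref to learn that the package differs from the npm release. It assumes the CycloneDX JSON field names pedigree, patches and diff.url, and takes the link to the readable patch as a hypothetical diffUrl parameter.

```typescript
// Added example, not code from @cyclonedx/yarn-plugin-cyclonedx: parse a Yarn "patch:" locator
// and record the applied patch in a CycloneDX component via pedigree.patches.
// patches: e.g. ["builtin<compat/resolve>"]; optional: "optional!" flag; params: "::version=...&hash=..."
interface YarnPatchLocator { name: string; source: string; patches: string[]; optional: boolean; params: Record<string, string> }

function parseYarnPatchLocator(locator: string): YarnPatchLocator | null {
  // Shape: <name>@patch:<url-encoded source locator>#<patch path>[::<params>]
  const marker = '@patch:';
  const at = locator.indexOf(marker);
  if (at <= 0) return null; // plain locator such as "resolve@npm:1.22.8": nothing patched
  const name = locator.slice(0, at);
  const rest = locator.slice(at + marker.length);
  const hash = rest.indexOf('#');
  if (hash < 0) return null;
  const source = decodeURIComponent(rest.slice(0, hash)); // "resolve@npm%3A1.22.8" -> "resolve@npm:1.22.8"
  let patchPath = rest.slice(hash + 1);
  const params: Record<string, string> = {};
  const sep = patchPath.indexOf('::');
  if (sep >= 0) {
    for (const kv of patchPath.slice(sep + 2).split('&')) {
      const eq = kv.indexOf('=');
      if (eq > 0) params[kv.slice(0, eq)] = kv.slice(eq + 1);
    }
    patchPath = patchPath.slice(0, sep);
  }
  const optional = patchPath.startsWith('optional!'); // install proceeds even if the patch fails to apply
  const patches = (optional ? patchPath.slice('optional!'.length) : patchPath).split('&');
  return { name, source, patches, optional, params };
}

// Minimal CycloneDX shapes; field names follow the CycloneDX JSON schema (pedigree, patches, diff).
interface CdxPatch { type: 'unofficial' | 'monkey' | 'backport' | 'cherry-pick'; diff?: { url: string } }
interface CdxComponent {
  type: 'library'; name: string; version: string; 'bom-ref': string; purl: string;
  pedigree?: { patches: CdxPatch[] };
}

// diffUrl is a hypothetical link to the readable patch text; Yarn's builtin compat patches
// are not upstream releases, so they are classified as "unofficial".
function describePatchedComponent(locator: string, diffUrl?: string): CdxComponent | null {
  const p = parseYarnPatchLocator(locator);
  if (p === null) return null;
  const version = p.params['version'] ?? p.source.split('@npm:')[1] ?? '';
  const patches = p.patches.map((): CdxPatch =>
    diffUrl === undefined ? { type: 'unofficial' } : { type: 'unofficial', diff: { url: diffUrl } });
  return {
    type: 'library', name: p.name, version, 'bom-ref': locator,
    purl: `pkg:npm/${p.name.replace('@', '%40')}@${version}`, pedigree: { patches },
  };
}
```

A consumer diffing two SBOMs then sees the patch as a pedigree entry rather than as an unexplained change of bom-ref.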