Fixes #795. Also removes some obvious cycles while constructing depen…

…dency list Signed-off-by: Prabhu Subramanian <[email protected]>
CycloneDX · Jan 2, 2024 · e48c8a6 · e48c8a6
1 parent fcdcced
commit e48c8a6
Show file tree

Hide file tree

Showing 4 changed files with 48 additions and 31 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "9.10.2",
+  "version": "9.10.3",
   "description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <[email protected]>",

diff --git a/utils.js b/utils.js
@@ -666,6 +666,12 @@ export const parsePkgLock = async (pkgLockFile, options = {}) => {
         purl: purlString,
         "bom-ref": decodeURIComponent(purlString)
       };
+      if (node.resolved) {
+        pkg.properties.push({
+          name: "ResolvedUrl",
+          value: node.resolved
+        });
+      }
     }
     const packageLicense = node.package.license;
     if (packageLicense) {
@@ -694,8 +700,9 @@ export const parsePkgLock = async (pkgLockFile, options = {}) => {
             null
           ).toString()
         );
-
-        workspaceDependsOn.push(depWorkspacePurlString);
+        if (decodeURIComponent(purlString) !== depWorkspacePurlString) {
+          workspaceDependsOn.push(depWorkspacePurlString);
+        }
       }
     }
 
@@ -726,7 +733,9 @@ export const parsePkgLock = async (pkgLockFile, options = {}) => {
             null
           ).toString()
         );
-        childrenDependsOn.push(depChildString);
+        if (decodeURIComponent(purlString) !== depChildString) {
+          childrenDependsOn.push(depChildString);
+        }
       }
     }
 
@@ -735,31 +744,35 @@ export const parsePkgLock = async (pkgLockFile, options = {}) => {
     for (const edge of node.edgesOut.values()) {
       let targetVersion;
       let targetName;
-
+      let foundMatch = false;
       // if the edge doesn't have an integrity, it's likely a peer dependency
       // which isn't installed
-      let edgeToIntegrity = edge.to ? edge.to.integrity : null;
-      // let packageName = node.packageName;
-      // let edgeName = edge.name;
+      // Bug #795. At times, npm loses the integrity node completely and such packages are getting missed out
+      // To keep things safe, we include these packages.
+      let edgeToIntegrity = edge.to ? edge.to.integrity : undefined;
       if (!edgeToIntegrity) {
-        continue;
-      }
-
-      // the edges don't actually contain a version, so we need to search the root node
-      // children to find the correct version. we check the node children first, then
-      // we check the root node children
-      let foundMatch = false;
-      for (const child of node.children) {
-        if (child[1].integrity == edgeToIntegrity) {
-          targetName = child[0].replace(/node_modules\//g, "");
-          // The package name could be different from the targetName retrieved
-          // Eg: "string-width-cjs": "npm:string-width@^4.2.0",
-          if (child[1].packageName && child[1].packageName !== targetName) {
-            targetName = child[1].packageName;
-          }
-          targetVersion = child[1].version;
-          foundMatch = true;
-          break;
+        // This hack is required to fix the package name
+        targetName = node.name.replace(/-cjs$/, "");
+        targetVersion = node.version;
+        foundMatch = true;
+      } else {
+        // the edges don't actually contain a version, so we need to search the root node
+        // children to find the correct version. we check the node children first, then
+        // we check the root node children
+        for (const child of node.children) {
+          if (edgeToIntegrity) {
+            if (child[1].integrity == edgeToIntegrity) {
+              targetName = child[0].replace(/node_modules\//g, "");
+              // The package name could be different from the targetName retrieved
+              // Eg: "string-width-cjs": "npm:string-width@^4.2.0",
+              if (child[1].packageName && child[1].packageName !== targetName) {
+                targetName = child[1].packageName;
+              }
+              targetVersion = child[1].version;
+              foundMatch = true;
+              break;
+            }
+          }
         }
       }
       if (!foundMatch) {
@@ -792,8 +805,12 @@ export const parsePkgLock = async (pkgLockFile, options = {}) => {
           null
         ).toString()
       );
-      pkgDependsOn.push(depPurlString);
-      if (edge.to == null) continue;
+      if (decodeURIComponent(purlString) !== depPurlString) {
+        pkgDependsOn.push(depPurlString);
+      }
+      if (edge.to == null) {
+        continue;
+      }
       const { pkgList: childPkgList, dependenciesList: childDependenciesList } =
         parseArboristNode(
           edge.to,

diff --git a/utils.test.js b/utils.test.js
@@ -1710,7 +1710,7 @@ test("parsePkgLock v2 workspace", async () => {
   );
   let pkgs = parsedList.pkgList;
   let deps = parsedList.dependenciesList;
-  expect(pkgs.length).toEqual(1032);
+  expect(pkgs.length).toEqual(1034);
   expect(pkgs[0].license).toEqual("MIT");
   let hasAppWorkspacePkg = pkgs.some(
     (obj) => obj["bom-ref"] === "pkg:npm/[email protected]"