diff --git a/utils.js b/utils.js
index a0aa680f4..647ec4e8f 100644
--- a/utils.js
+++ b/utils.js
@@ -368,6 +368,7 @@ export const parsePkgJson = async (pkgJsonFile, simple = false) => {
 name,
 group,
 version: pkgData.version,
+ purl: purl,
 "bom-ref": decodeURIComponent(purl)
 };
 if (!simple) {
@@ -451,35 +452,32 @@ export const parsePkgLock = async (pkgLockFile, options = {}) => {
 let pkg = {};
 let purlString = "";
 if (node == rootNode) {
- purlString = decodeURIComponent(
- new PackageURL(
- "npm",
- options.projectGroup || "",
- options.projectName || node.packageName,
- options.projectVersion || node.version,
- null,
- null
- ).toString()
- );
+ purlString = new PackageURL(
+ "npm",
+ options.projectGroup || "",
+ options.projectName || node.packageName,
+ options.projectVersion || node.version,
+ null,
+ null
+ ).toString();
 pkg = {
 author: node.package.author,
 group: options.projectGroup || "",
 name: options.projectName || node.packageName,
 version: options.projectVersion || node.version,
 type: "application",
- "bom-ref": purlString
+ purl: purlString,
+ "bom-ref": decodeURIComponent(purlString)
 };
 } else {
- purlString = decodeURIComponent(
- new PackageURL(
- "npm",
- "",
- node.packageName,
- node.version,
- null,
- null
- ).toString()
- );
+ purlString = new PackageURL(
+ "npm",
+ "",
+ node.packageName,
+ node.version,
+ null,
+ null
+ ).toString();
 const pkgLockFile = join(
 srcFilePath.replace("/", _sep),
 "package-lock.json"
@@ -511,7 +509,8 @@ export const parsePkgLock = async (pkgLockFile, options = {}) => {
 }
 },
 type: parentRef ? "npm" : "application",
- "bom-ref": purlString
+ purl: purlString,
+ "bom-ref": decodeURIComponent(purlString)
 };
 }
 const packageLicense = node.package.license;
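Review bot: `purl: purl` in the parsePkgJson component literal should use property shorthand, `purl,`, to match the `name,` and `group,` entries directly above it. parsePkgJson starts outside the hunk, so where `purl` is built is not visible here; it is presumably a PackageURL.toString() result like the ones in the parsePkgLock hunks, but if it can be assembled from raw package.json fields, the `decodeURIComponent(purl)` on the next line throws a URIError on a malformed percent sequence, so it is worth confirming that every path builds it through PackageURL.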
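Review bot: The component now carries two different identifiers for the same package — `purl` keeps the percent-encoded string from PackageURL.toString() while `"bom-ref"` is its decodeURIComponent form — and nothing in the hunk records why they differ (for a scoped package, for example, the purl keeps `%40scope/name` while the decoded bom-ref reads `@scope/name`). A comment next to the first `purlString =` assignment would keep the next reader from "fixing" one field to equal the other: `// purlString stays percent-encoded for the purl field; bom-ref and the dependency refs use the decoded form so they match each other.` The same pair is repeated in the hunk at -511 and `decodeURIComponent(purlString)` recurs in the later parseArboristNode call sites and `ref:`, so computing `const bomRef = decodeURIComponent(purlString);` once beside purlString and using it everywhere would make every ref provably derive from one value. parseArboristNode starts and ends outside these hunks.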
@@ -556,7 +555,12 @@ export const parsePkgLock = async (pkgLockFile, options = {}) => {
 const {
 pkgList: childPkgList,
 dependenciesList: childDependenciesList
- } = parseArboristNode(childNode, rootNode, purlString, visited);
+ } = parseArboristNode(
+ childNode,
+ rootNode,
+ decodeURIComponent(purlString),
+ visited
+ );
 pkgList = pkgList.concat(childPkgList);
 dependenciesList = dependenciesList.concat(childDependenciesList);
 
@@ -631,13 +635,18 @@ export const parsePkgLock = async (pkgLockFile, options = {}) => {
 pkgDependsOn.push(depPurlString);
 if (edge.to == null) continue;
 const { pkgList: childPkgList, dependenciesList: childDependenciesList } =
- parseArboristNode(edge.to, rootNode, purlString, visited);
+ parseArboristNode(
+ edge.to,
+ rootNode,
+ decodeURIComponent(purlString),
+ visited
+ );
 pkgList = pkgList.concat(childPkgList);
 dependenciesList = dependenciesList.concat(childDependenciesList);
 
 }
 dependenciesList.push({
- ref: purlString,
+ ref: decodeURIComponent(purlString),
 dependsOn: workspaceDependsOn
 .concat(childrenDependsOn)
 .concat(pkgDependsOn)
diff --git a/utils.test.js b/utils.test.js
index 1d3b10e04..e71b5e70d 100644
--- a/utils.test.js
+++ b/utils.test.js
@@ -1601,6 +1601,7 @@ test("parsePkgLock v2", async () => {
 expect(deps[1].license).toEqual("Apache-2.0");
 expect(deps[0]).toEqual({
 "bom-ref": "pkg:npm/shopify-theme-tailwindcss@2.2.1",
+ purl: "pkg:npm/shopify-theme-tailwindcss@2.2.1",
 author: "Wessel van Ree ",
 group: "",
 name: "shopify-theme-tailwindcss",
@@ -1671,6 +1672,7 @@ test("parsePkgLock v3", async () => {
 );
 expect(deps[0]).toEqual({
 "bom-ref": "pkg:npm/cdxgen@latest",
+ purl: "pkg:npm/cdxgen@latest",
 group: "",
 author: "",
 license: "ISC",
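Review bot: `decodeURIComponent(purlString)` is re-evaluated for every child in this parseArboristNode call site, again in the one at -631, and once more for `ref:` in dependenciesList.push; deriving it once, `const bomRef = decodeURIComponent(purlString);`, and passing `bomRef` in all three places would keep the parentRef handed to children and the `ref` recorded for this node identical by construction. `pkgDependsOn.push(depPurlString)` is context here and depPurlString is built outside the hunk — if it is not decoded the same way as bom-ref, the dependsOn entries will point at refs no component carries, and the tests in this commit would not catch that. parseArboristNode starts and ends outside these hunks.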
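Review bot: Both new expectations assert `purl` and `"bom-ref"` as the same string, so the tests never exercise the one case the utils.js change is about: a scoped package, where the purl keeps the percent-encoded scope and the decoded bom-ref does not. If either lockfile fixture contains a scoped dependency, one expectation asserting that its `purl` and `"bom-ref"` differ in exactly that way would pin the encoding contract; otherwise a note in the test describing that gap would at least make it visible.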