update according to purl spec

Signed-off-by: Aryan Rajoria <aryanrajoria1003@gmail.com>
CycloneDX · Sep 14, 2024 · c27ba72 · c27ba72
1 parent 6a4cec7
commit c27ba72
Showing 1 changed file with 65 additions and 62 deletions.
diff --git a/utils.js b/utils.js
@@ -1781,65 +1781,65 @@ export async function parsePnpmLock(pnpmLock, parentComponent = null) {
       try {
 
       // In lock file version 9, direct dependencies is under importers
-        const rootDirectDeps =
-          lockfileVersion >= 9
-            ? yamlObj.importers["."]?.dependencies || {}
-            : yamlObj.dependencies || {};
-        const rootDevDeps =
-          lockfileVersion >= 9
-            ? yamlObj.importers["."]?.devDependencies || {}
-            : {};
-        const rootOptionalDeps =
-          lockfileVersion >= 9
-            ? yamlObj.importers["."]?.optionalDependencies || {}
-            : {};
-        const ddeplist = [];
-        // Find the root optional dependencies
-        for (const rdk of Object.keys(rootDevDeps)) {
-          let version = getVersionNumPnpm(rootDevDeps[rdk]);
-          const dpurl = new PackageURL(
-            "npm",
-            "",
-            rdk,
-            version,
-            null,
-            null,
-          ).toString();
-          possibleOptionalDeps[decodeURIComponent(dpurl)] = true;
-        }
-        for (const rdk of Object.keys(rootOptionalDeps)) {
-          let version = getVersionNumPnpm(rootOptionalDeps[rdk]);
-          const dpurl = new PackageURL(
-            "npm",
-            "",
-            rdk,
-            version,
-            null,
-            null,
-          ).toString();
-          possibleOptionalDeps[decodeURIComponent(dpurl)] = true;
-        }
-        for (const dk of Object.keys(rootDirectDeps)) {
-          let version = getVersionNumPnpm(rootDirectDeps[dk]); 
-          const dpurl = new PackageURL(
-            "npm",
-            "",
-            dk,
-            version,
-            null,
-            null,
-          ).toString();
-          ddeplist.push(decodeURIComponent(dpurl));
-          if (lockfileVersion >= 9) {
-            // These are direct dependencies so cannot be optional
-            possibleOptionalDeps[decodeURIComponent(dpurl)] = false;
-          }
+      const rootDirectDeps =
+        lockfileVersion >= 9
+          ? yamlObj.importers["."]?.dependencies || {}
+          : yamlObj.dependencies || {};
+      const rootDevDeps =
+        lockfileVersion >= 9
+          ? yamlObj.importers["."]?.devDependencies || {}
+          : {};
+      const rootOptionalDeps =
+        lockfileVersion >= 9
+          ? yamlObj.importers["."]?.optionalDependencies || {}
+          : {};
+      const ddeplist = [];
+      // Find the root optional dependencies
+      for (const rdk of Object.keys(rootDevDeps)) {
+        let version = getVersionNumPnpm(rootDevDeps[rdk]);
+        const dpurl = new PackageURL(
+          "npm",
+          "",
+          rdk,
+          version,
+          null,
+          null,
+        ).toString();
+        possibleOptionalDeps[decodeURIComponent(dpurl)] = true;
+      }
+      for (const rdk of Object.keys(rootOptionalDeps)) {
+        let version = getVersionNumPnpm(rootOptionalDeps[rdk]);
+        const dpurl = new PackageURL(
+          "npm",
+          "",
+          rdk,
+          version,
+          null,
+          null,
+        ).toString();
+        possibleOptionalDeps[decodeURIComponent(dpurl)] = true;
+      }
+      for (const dk of Object.keys(rootDirectDeps)) {
+        let version = getVersionNumPnpm(rootDirectDeps[dk]); 
+        const dpurl = new PackageURL(
+          "npm",
+          "",
+          dk,
+          version,
+          null,
+          null,
+        ).toString();
+        ddeplist.push(decodeURIComponent(dpurl));
+        if (lockfileVersion >= 9) {
+          // These are direct dependencies so cannot be optional
+          possibleOptionalDeps[decodeURIComponent(dpurl)] = false;
         }
+      }
 
-        dependenciesList.push({
-          ref: decodeURIComponent(ppurl),
-          dependsOn: ddeplist,
-        });
+      dependenciesList.push({
+        ref: decodeURIComponent(ppurl),
+        dependsOn: ddeplist,
+      });
 
       // pnpm-lock.yaml contains more than root dependencies in importers
       // TODO: verify if this is a good way to check.
@@ -1849,23 +1849,26 @@ export async function parsePnpmLock(pnpmLock, parentComponent = null) {
         const componentDeps = yamlObj['importers'][importedComponentName]['dependencies'] || {};
         const componentDevDeps = yamlObj['importers'][importedComponentName]['devDependencies'] || {};
         const optionalDeps = yamlObj['importers'][importedComponentName]['optionalDependencies'] || {};
-
+        
         let name = importedComponentName.split('/');
-        name = name[name.length -1];
+        let lastname = name[name.length -1];
+
+        let subpath = "name.filter(part => part !== '.' && part !== '..').join('/');
 
         // if name is '.' continue loop
-        if (name == '.'){
+        if (name == ""){
           continue;
         }
 
         // TODO: verify as we had seen before with rush there can be ../name in pnpm-lock-yaml
+        // subpath not added here 
         let compPurl = new PackageURL(
             "npm",
             parentComponent.group,
-            parentComponent.name + "/" + name,
+            parentComponent.name + "/" + lastname,
             parentComponent.version,
             null,
-            null,
+            subpath,
           ).toString();
         // Find the component optional dependencies
         let comDepList = [];