feat: npmjs related symbols and parsing (#1246)

fixes #1247

## Added
* `factories.FromNodePackageJson.makeExternalReferences` supports "dist"
field
  * New symbols under `utils.NpmJs`
    * `defaultRepoMatcher`
    * `parsePackageIntegrity`

----

TODO

- [x] implementation
- [x] tests

---------

Signed-off-by: Jan Kowalleck <[email protected]>

Author: jkowalleck

HISTORY.md

@@ -6,6 +6,15 @@ All notable changes to this project will be documented in this file.
 
 <!-- add unreleased items here -->
 
+* Added
+  * `factories.FromNodePackageJson.makeExternalReferences()` supports "dist" field ([#1247] via [#1246]) 
+  * New symbols under `utils.NpmjsUtility` (via [#1246]) 
+    * `defaultRegistryMatcher`
+    * `parsePackageIntegrity`
+
+[#1246]: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1246
+[#1247]: https://github.com/CycloneDX/cyclonedx-javascript-library/issues/1247
+
 ## 8.1.0 -- 2025-06-04
 
 Support for _Node.js_ v24.

package.json

@@ -149,8 +149,8 @@
       "default": "./dist.node/types/index.js"
     },
     "./Utils": {
-      "types": "./dist.d/utils/index.d.ts",
-      "default": "./dist.node/utils/index.js"
+      "types": "./dist.d/utils/index.node.d.ts",
+      "default": "./dist.node/utils/index.node.js"
     },
     "./Validation": {
       "types": "./dist.d/validation/index.node.d.ts",

src/_helpers/packageJson.ts

@@ -62,4 +62,5 @@ export interface PackageJson {
     directory?: string
   }
   // ... to be continued
+  dist?: any // see https://github.com/CycloneDX/cyclonedx-node-npm/issues/1300
 }

src/factories/fromNodePackageJson.node.ts

@@ -29,12 +29,15 @@ Copyright (c) OWASP Foundation. All Rights Reserved.
 import type { PackageURL } from 'packageurl-js'
 import { PurlQualifierNames } from 'packageurl-js'
 
-import {tryCanonicalizeGitUrl} from "../_helpers/gitUrl"
+import { tryCanonicalizeGitUrl } from "../_helpers/gitUrl"
 import { isNotUndefined } from '../_helpers/notUndefined'
 import type { PackageJson } from '../_helpers/packageJson'
 import { ExternalReferenceType } from '../enums/externalReferenceType'
+import { HashAlgorithm } from "../enums/hashAlogorithm";
 import type { Component } from '../models/component'
 import { ExternalReference } from '../models/externalReference'
+import { HashDictionary } from '../models/hash'
+import { defaultRegistryMatcher, parsePackageIntegrity } from '../utils/npmjsUtility.node'
 import { PackageUrlFactory as PlainPackageUrlFactory } from './packageUrl'
 
 /**
@@ -47,6 +50,7 @@ export class ExternalReferenceFactory {
     try { refs.push(this.makeVcs(data)) } catch { /* pass */ }
     try { refs.push(this.makeHomepage(data)) } catch { /* pass */ }
     try { refs.push(this.makeIssueTracker(data)) } catch { /* pass */ }
+    try { refs.push(this.makeDist(data)) } catch { /* pass */ }
 
     return refs.filter(isNotUndefined)
   }
@@ -100,13 +104,32 @@ export class ExternalReferenceFactory {
       ? new ExternalReference(url, ExternalReferenceType.IssueTracker, { comment })
       : undefined
   }
-}
 
-/**
- * The default repository is `https://registry.npmjs.org`.
- * @see {@link https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#npm}
- */
-const npmDefaultRepositoryMatcher = /^https?:\/\/registry\.npmjs\.org(:?\/|$)/
+  makeDist(data: PackageJson): ExternalReference | undefined {
+    // "dist" might be used in bundled dependencies' manifests.
+    // docs: https://blog.npmjs.org/post/172999548390/new-pgp-machinery
+    /* eslint-disable-next-line @typescript-eslint/no-unsafe-assignment -- acknowledged */
+    const { tarball, integrity, shasum } = data.dist ?? {}
+    if (typeof tarball === 'string') {
+      const hashes = new HashDictionary()
+      let comment = 'as detected from PackageJson property "dist.tarball"'
+      if (typeof integrity === 'string') {
+        try {
+          // actually not the hash of the file, but more of an integrity-check -- lets use it anyway.
+          // see https://blog.npmjs.org/post/172999548390/new-pgp-machinery
+          hashes.set(...parsePackageIntegrity(integrity))
+          comment += ' and property "dist.integrity"'
+        } catch { /* pass */ }
+      }
+      if (typeof shasum === 'string' && shasum.length === 40) {
+        hashes.set(HashAlgorithm["SHA-1"], shasum)
+        comment += ' and property "dist.shasum"'
+      }
+      return new ExternalReference(tarball, ExternalReferenceType.Distribution, { hashes, comment })
+    }
+    return undefined
+  }
+}
 
 /**
  * Node-specific PackageUrlFactory.
@@ -134,13 +157,13 @@ export class PackageUrlFactory extends PlainPackageUrlFactory<'npm'> {
    * - "download_url" is stripped, if it is NPM's default registry ("registry.npmjs.org")
    * - "checksum" is stripped, unless a "download_url" or "vcs_url" is given.
    */
-  #finalizeQualifiers (purl: PackageURL): PackageURL {
+  #finalizeQualifiers(purl: PackageURL): PackageURL {
     const qualifiers = new Map(Object.entries(purl.qualifiers ?? {}))
 
     const downloadUrl = qualifiers.get(PurlQualifierNames.DownloadUrl)
     if (downloadUrl !== undefined) {
       qualifiers.delete(PurlQualifierNames.VcsUrl)
-      if (npmDefaultRepositoryMatcher.test(downloadUrl)) {
+      if (defaultRegistryMatcher.test(downloadUrl)) {
         qualifiers.delete(PurlQualifierNames.DownloadUrl)
       }
     }

src/index.common.ts

@@ -22,5 +22,4 @@ export * as Models from './models'
 export * as SPDX from './spdx'
 export * as Spec from './spec'
 export * as Types from './types'
-export * as Utils from './utils'
 // do not export the _helpers, they are for internal use only

src/index.node.ts

@@ -28,6 +28,7 @@ export * from './index.common'
 export * as Builders from './builders/index.node'
 export * as Factories from './factories/index.node'
 export * as Serialize from './serialize/index.node'
+export * as Utils from './utils/index.node'
 export * as Validation from './validation/index.node'
 
 /**

src/index.web.ts

@@ -23,6 +23,7 @@ export * from './index.common'
 
 export * as Factories from './factories/index.web'
 export * as Serialize from './serialize/index.web'
+export * as Utils from './utils/index.web'
 export * as Validation from './validation/index.web'
 
 // endregion web-specifics

src/utils/index.ts renamed to src/utils/index.common.ts

@@ -0,0 +1,26 @@
+/*!
+This file is part of CycloneDX JavaScript Library.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+SPDX-License-Identifier: Apache-2.0
+Copyright (c) OWASP Foundation. All Rights Reserved.
+*/
+
+export * from './index.common'
+
+// region node-specifics
+
+export * as NpmjsUtility from './npmjsUtility.node'
+
+// endregion node-specifics

src/utils/index.node.ts

@@ -0,0 +1,26 @@
+/*!
+This file is part of CycloneDX JavaScript Library.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+SPDX-License-Identifier: Apache-2.0
+Copyright (c) OWASP Foundation. All Rights Reserved.
+*/
+
+export * from './index.common'
+
+// region web-specifics
+
+// ... nothing yet
+
+// endregion web-specifics