enhance package.json finder

Signed-off-by: Tristan Bastian <[email protected]>

Author: reey

src/_helpers.ts

@@ -18,36 +18,56 @@ Copyright (c) OWASP Foundation. All Rights Reserved.
 */
 
 import { existsSync, readFileSync } from 'fs'
-import { dirname, isAbsolute, join } from 'path'
+import { dirname, isAbsolute, join, sep } from 'path'
 
 export interface PackageDescription {
   path: string
   packageJson: any
 }
 
 export function getPackageDescription (path: string): PackageDescription | undefined {
+  const isSubDirOfNodeModules = isSubDirectoryOfNodeModulesFolder(path)
+
   while (isAbsolute(path)) {
-    const packageJson = join(path, 'package.json')
-    if (existsSync(packageJson)) {
+    const pathToPackageJson = join(path, 'package.json')
+    if (existsSync(pathToPackageJson)) {
       try {
-        return {
-          path: packageJson,
-          packageJson: loadJsonFile(packageJson) ?? {}
+        const contentOfPackageJson = loadJsonFile(pathToPackageJson) ?? {}
+        // only look for valid candidate if we are in a node_modules subdirectory
+        if (!isSubDirOfNodeModules || isValidPackageJSON(contentOfPackageJson)) {
+          return {
+            path: pathToPackageJson,
+            packageJson: loadJsonFile(pathToPackageJson) ?? {}
+          }
         }
       } catch {
         return undefined
       }
     }
 
     const nextPath = dirname(path)
-    if (nextPath === path) {
+    if (nextPath === path || isNodeModulesFolder(nextPath)) {
       return undefined
     }
     path = nextPath
   }
   return undefined
 }
 
+function isNodeModulesFolder (path: string): boolean {
+  return path.endsWith(`${sep}node_modules`)
+}
+
+function isSubDirectoryOfNodeModulesFolder (path: string): boolean {
+  return path.includes(`${sep}node_modules${sep}`)
+}
+
+export function isValidPackageJSON (pkg: any): boolean {
+  // checking for the existence of name and version properties
+  // both are required for a valid package.json according to https://docs.npmjs.com/cli/v10/configuring-npm/package-json
+  return typeof pkg.name === 'string' && typeof pkg.version === 'string'
+}
+
 export function loadJsonFile (path: string): any {
   return JSON.parse(readFileSync(path, 'utf8'))
   // may be replaced by `require(f, { with: { type: "json" } })`

tests/integration/improvement-issue-1284/.gitignore

@@ -0,0 +1,9 @@
+*
+!/.gitignore
+!/.gitattributes
+!/README.md
+!/package.json
+!/package-lock.json
+!/webpack.config.js
+!/src
+!/src/*

tests/integration/improvement-issue-1284/README.md

@@ -0,0 +1,9 @@
+# Test: is copied file's package detected
+
+This setup is intended to create reproducible results (SBoM).  
+It might install outdated, unmaintained or vulnerable components, for showcasing purposes.
+
+Importing `libphonenumber-js/max` should not result in `libphonenumber-js/max` being added to the SBoM without any version.
+Instead `libphonenumber-js` should be added with the correct version.
+
+Importing `luxon` should result in `luxon` being added to the SBoM.