advanced-security · ljones140 · Jun 20, 2025 · Jun 19, 2025 · Jun 19, 2025 · Jun 19, 2025
@@ -68,3 +68,114 @@ describe("ComponentDetection.makePackageUrl", () => {
     expect(packageUrl).toBe("");
   });
 });
+
+describe("ComponentDetection.processComponentsToManifests", () => {
+  test("adds package as direct dependency when no top level referrers", () => {
+    const componentsFound = [
+      {
+        component: {
+          name: "test-package",
+          version: "1.0.0",
+          packageUrl: {
+            Scheme: "pkg",
+            Type: "npm",
+            Name: "test-package",
+            Version: "1.0.0"
+          },
+          id: "test-package 1.0.0 - npm"
+        },
+        isDevelopmentDependency: false,
+        topLevelReferrers: [], // Empty = direct dependency
+        locationsFoundAt: ["package.json"]
+      }
+    ];
+
+    const manifests = ComponentDetection.processComponentsToManifests(componentsFound);
+
+    expect(manifests).toHaveLength(1);
+    expect(manifests[0].name).toBe("package.json");
+    expect(manifests[0].directDependencies()).toHaveLength(1);
+    expect(manifests[0].indirectDependencies()).toHaveLength(0);
+    expect(manifests[0].countDependencies()).toBe(1);
+  });
+
+  test("adds package as indirect dependency when has top level referrers", () => {
+    const componentsFound = [
+      {
+        component: {
+          name: "test-package",
+          version: "1.0.0",
+          packageUrl: {
+            Scheme: "pkg",
+            Type: "npm",
+            Name: "test-package",
+            Version: "1.0.0"
+          },
+          id: "test-package 1.0.0 - npm"
+        },
+        isDevelopmentDependency: false,
+        topLevelReferrers: [
+          {
+            name: "parent-package",
+            version: "1.0.0",
+            packageUrl: {
+              Scheme: "pkg",
+              Type: "npm",
+              Name: "parent-package",
+              Version: "1.0.0"
+            }
+          }
+        ],
+        locationsFoundAt: ["package.json"]
+      }
+    ];
+
+    const manifests = ComponentDetection.processComponentsToManifests(componentsFound);
+
+    expect(manifests).toHaveLength(1);
+    expect(manifests[0].name).toBe("package.json");
+    expect(manifests[0].directDependencies()).toHaveLength(0);
+    expect(manifests[0].indirectDependencies()).toHaveLength(1);
+    expect(manifests[0].countDependencies()).toBe(1);
+  });
+
+  test("adds package as direct dependency when top level referrer is itself", () => {
+    const componentsFound = [
+      {
+        component: {
+          name: "test-package",
+          version: "1.0.0",
+          packageUrl: {
+            Scheme: "pkg",
+            Type: "npm",
+            Name: "test-package",
+            Version: "1.0.0"
+          },
+          id: "test-package 1.0.0 - npm"
+        },
+        isDevelopmentDependency: false,
+        topLevelReferrers: [
+          {
+            name: "test-package",
+            version: "1.0.0",
+            packageUrl: {
+              Scheme: "pkg",
+              Type: "npm",
+              Name: "test-package",
+              Version: "1.0.0"
+            }
+          }
+        ],
+        locationsFoundAt: ["package.json"]
+      }
+    ];
+
+    const manifests = ComponentDetection.processComponentsToManifests(componentsFound);
+
+    expect(manifests).toHaveLength(1);
+    expect(manifests[0].name).toBe("package.json");
+    expect(manifests[0].directDependencies()).toHaveLength(1);
+    expect(manifests[0].indirectDependencies()).toHaveLength(0);
+    expect(manifests[0].countDependencies()).toBe(1);
+  });
+});
@@ -68,14 +68,17 @@ export default class ComponentDetection {
 
   public static async getManifestsFromResults(): Promise<Manifest[] | undefined> {
     core.info("Getting manifests from results");
+    const results = await fs.readFileSync(this.outputPath, 'utf8');
+    var json: any = JSON.parse(results);
+    return this.processComponentsToManifests(json.componentsFound);
+  }
+
+  public static processComponentsToManifests(componentsFound: any[]): Manifest[] {
     // Parse the result file and add the packages to the package cache
     const packageCache = new PackageCache();
     const packages: Array<ComponentDetectionPackage> = [];
 
-    const results = await fs.readFileSync(this.outputPath, 'utf8');
-
-    var json: any = JSON.parse(results);
-    json.componentsFound.forEach(async (component: any) => {
+    componentsFound.forEach(async (component: any) => {
       // Skip components without packageUrl
       if (!component.component.packageUrl) {
         core.debug(`Skipping component detected without packageUrl: ${JSON.stringify({
@@ -113,6 +116,7 @@ export default class ComponentDetection {
         }
 
         const referrerUrl = ComponentDetection.makePackageUrl(referrer.packageUrl);
+        referrer.packageUrlString = referrerUrl
 
         // Skip if the generated packageUrl is empty
         if (!referrerUrl) {
@@ -135,20 +139,32 @@ export default class ComponentDetection {
     const manifests: Array<Manifest> = [];
 
     // Check the locationsFoundAt for every package and add each as a manifest
-    packages.forEach(async (pkg: ComponentDetectionPackage) => {
-      pkg.locationsFoundAt.forEach(async (location: any) => {
+    this.addPackagesToManifests(packages, manifests);
+
+    return manifests;
+  }
+
+  private static addPackagesToManifests(packages: Array<ComponentDetectionPackage>, manifests: Array<Manifest>): void {
+    packages.forEach((pkg: ComponentDetectionPackage) => {
+      pkg.locationsFoundAt.forEach((location: any) => {
         if (!manifests.find((manifest: Manifest) => manifest.name == location)) {
           const manifest = new Manifest(location, location);
           manifests.push(manifest);
         }
-        if (pkg.topLevelReferrers.length == 0) {
+
+        // Filter out self-references from topLevelReferrers
+        const nonSelfReferrers = pkg.topLevelReferrers.filter((referrer: any) => {
+          if (!referrer.packageUrlString) return false;
+          return referrer.packageUrlString !== pkg.packageUrlString;
+        });
+
+        if (nonSelfReferrers.length == 0) {
           manifests.find((manifest: Manifest) => manifest.name == location)?.addDirectDependency(pkg, ComponentDetection.getDependencyScope(pkg));
         } else {
           manifests.find((manifest: Manifest) => manifest.name == location)?.addIndirectDependency(pkg, ComponentDetection.getDependencyScope(pkg));
         }
       });
     });
-    return manifests;
   }
 
   private static getDependencyScope(pkg: ComponentDetectionPackage) {
@@ -236,10 +252,12 @@ export default class ComponentDetection {
 }
 
 class ComponentDetectionPackage extends Package {
+  public packageUrlString: string;
 
   constructor(packageUrl: string, public id: string, public isDevelopmentDependency: boolean, public topLevelReferrers: [],
     public locationsFoundAt: [], public containerDetailIds: [], public containerLayerIds: []) {
     super(packageUrl);
+    this.packageUrlString = packageUrl;
   }
 }