npm workspace improvements (#1659)

* Try harder to resolve the correct workspace package name from package-lock.json

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

---------

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

Author: prabhu

lib/cli/index.js

@@ -2488,8 +2488,19 @@ export async function createNodejsBom(path, options) {
       if (mgrData) {
         mgr = mgrData.split("@")[0];
       }
+      // Try harder to identify the correct package manager
       if (supPkgMgrs.includes(mgr)) {
         pkgMgr = mgr;
+      } else if (pkgData?.engines?.yarn) {
+        pkgMgr = "yarn";
+      } else if (
+        isPackageManagerAllowed("yarn", ["npm", "pnpm", "rush"], options)
+      ) {
+        pkgMgr = "yarn";
+      } else if (
+        isPackageManagerAllowed("pnpm", ["npm", "yarn", "rush"], options)
+      ) {
+        pkgMgr = "pnpm";
       }
       let installCommand = "install";
       if (pkgMgr === "npm" && isSecureMode && pkgJsonLockFiles?.length > 0) {
@@ -2524,6 +2535,11 @@ export async function createNodejsBom(path, options) {
           installArgs.push("--package-lock");
         }
       }
+      if (pkgMgr !== "npm") {
+        thoughtLog(
+          `**PACKAGE MANAGER**: About to invoke '${pkgMgr}' with the arguments '${installArgs.join(" ")}' to generate the needed lock files.`,
+        );
+      }
       console.log(
         `Executing '${pkgMgr} ${installArgs.join(" ")}' in`,
         basePath,
@@ -2538,6 +2554,9 @@ export async function createNodejsBom(path, options) {
         console.error(
           `${pkgMgr} install has failed. Generated SBOM will be empty or with a lower precision.`,
         );
+        thoughtLog(
+          "It looks like the install command has failed. I'm considering some troubleshooting ideas.",
+        );
         if (DEBUG_MODE && result.stdout) {
           if (result.stdout.includes("EBADENGINE Unsupported engine")) {
             console.log(

lib/helpers/utils.js

@@ -1038,11 +1038,8 @@ export async function parsePkgJson(pkgJsonFile, simple = false) {
       const pkgData = JSON.parse(readFileSync(pkgJsonFile, "utf8"));
       const pkgIdentifier = parsePackageJsonName(pkgData.name);
       let name = pkgIdentifier.fullName || pkgData.name;
-      if (DEBUG_MODE && !name && !pkgJsonFile.includes("node_modules")) {
-        name = dirname(pkgJsonFile);
-        console.log(
-          `${pkgJsonFile} doesn't contain the package name. Consider using the 'npm init' command to create a valid package.json file for this project. Assuming the name as '${name}'.`,
-        );
+      if (!name && !pkgJsonFile.includes("node_modules")) {
+        name = basename(dirname(pkgJsonFile));
       }
       const group = pkgIdentifier.scope || "";
       const purl = new PackageURL(
@@ -1232,11 +1229,23 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
         "bom-ref": decodeURIComponent(purlString),
       };
       if (node.resolved) {
-        pkg.properties.push({
-          name: "ResolvedUrl",
-          value: node.resolved,
-        });
-        pkg.distribution = { url: node.resolved };
+        if (node.resolved.startsWith("file:")) {
+          pkg.properties.push({
+            name: "cdx:npm:resolvedPath",
+            value: node.realpath
+              ? relative(dirname(pkgLockFile), node.realpath)
+              : relative(
+                  dirname(pkgLockFile),
+                  resolve(node.resolved.replace("file:", "")),
+                ),
+          });
+        } else {
+          pkg.properties.push({
+            name: "ResolvedUrl",
+            value: node.resolved,
+          });
+          pkg.distribution = { url: node.resolved };
+        }
       }
       if (node.location) {
         pkg.properties.push({
@@ -1328,7 +1337,6 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
       });
     }
     pkgList.push(pkg);
-
     // retrieve workspace node pkglists
     const workspaceDependsOn = [];
     if (node.fsChildren && node.fsChildren.size > 0) {
@@ -1346,7 +1354,7 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
         );
         pkgList = pkgList.concat(childPkgList);
         dependenciesList = dependenciesList.concat(childDependenciesList);
-        const depWorkspacePurlString = decodeURIComponent(
+        let depWorkspacePurlString = decodeURIComponent(
           new PackageURL(
             "npm",
             "",
@@ -1358,6 +1366,21 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
             .toString()
             .replace(/%2F/g, "/"),
         );
+        let purlStringFromPkgid;
+        if (workspaceNode.pkgid) {
+          purlStringFromPkgid = `pkg:npm/${workspaceNode.pkgid.replace(`${workspaceNode.name}@npm:`, "")}`;
+        }
+        if (
+          purlStringFromPkgid &&
+          purlStringFromPkgid !== depWorkspacePurlString
+        ) {
+          if (DEBUG_MODE) {
+            console.log(
+              `Internal warning: Got two different refs for this workspace node: ${depWorkspacePurlString} and ${purlStringFromPkgid}. Assuming the bom-ref as ${purlStringFromPkgid} based on pkgid.`,
+            );
+          }
+          depWorkspacePurlString = purlStringFromPkgid;
+        }
         if (decodeURIComponent(purlString) !== depWorkspacePurlString) {
           workspaceDependsOn.push(depWorkspacePurlString);
         }

lib/helpers/utils.test.js

@@ -96,6 +96,7 @@ import {
   toGemModuleNames,
   yarnLockToIdentMap,
 } from "./utils.js";
+import { validateRefs } from "./validator.js";
 
 test("SSRI test", () => {
   // gopkg.lock hash
@@ -3393,6 +3394,21 @@ test("parsePkgLock v3", async () => {
   expect(parsedList.dependenciesList.length).toEqual(161);
 });
 
+test("parsePkgLock theia", async () => {
+  const parsedList = await parsePkgLock(
+    "./test/data/package-json/theia/package-lock.json",
+    {},
+  );
+  expect(parsedList.pkgList.length).toEqual(2410);
+  expect(parsedList.dependenciesList.length).toEqual(2410);
+  expect(
+    validateRefs({
+      components: parsedList.pkgList,
+      dependencies: parsedList.dependenciesList,
+    }),
+  ).toBeTruthy();
+});
+
 test("parseBowerJson", async () => {
   const deps = await parseBowerJson("./test/data/bower.json");
   expect(deps.length).toEqual(1);

lib/managers/docker.js

@@ -639,8 +639,11 @@ export const getImage = async (fullImageName) => {
   }
   if (needsCliFallback()) {
     let dockerCmd = process.env.DOCKER_CMD || "docker";
-    if (!process.env.DOCKER_CMD && detectRancherDesktop()) {
-      dockerCmd = "nerdctl";
+    if (!process.env.DOCKER_CMD) {
+      detectColima() || detectRancherDesktop();
+      if (isNerdctl) {
+        dockerCmd = "nerdctl";
+      }
     }
     let result = spawnSync(dockerCmd, ["pull", fullImageName], {
       encoding: "utf-8",
@@ -1116,8 +1119,11 @@ export const exportImage = async (fullImageName, options) => {
   if (needsCliFallback()) {
     const imageTarFile = join(tempDir, "image.tar");
     let dockerCmd = process.env.DOCKER_CMD || "docker";
-    if (!process.env.DOCKER_CMD && detectRancherDesktop()) {
-      dockerCmd = "nerdctl";
+    if (!process.env.DOCKER_CMD) {
+      detectColima() || detectRancherDesktop();
+      if (isNerdctl) {
+        dockerCmd = "nerdctl";
+      }
     }
     console.log(
       `About to export image ${fullImageName} to ${imageTarFile} using ${dockerCmd} cli`,