feat: getdependencies javascript has an improved source code detection

t-graf · t-graf · commit 881149f426ff · 2025-11-25T13:56:59.000+01:00
diff --git a/ChangeLog.md b/ChangeLog.md
@@ -12,6 +12,7 @@
   `qualifier-match` (consider PackageURL qualifiers). See `Readme_Mapping.md`.
 * fix: `bom show` now properly shows components without versions.
 * fix: `bom show` and `bom validate` read SBOMs in UTF-8 encoding.
+* `getdependencies javascript` has an improved source code detection.
 
 ## 2.9.1
 
diff --git a/capycli/dependencies/javascript.py b/capycli/dependencies/javascript.py
@@ -1,5 +1,5 @@
 # -------------------------------------------------------------------------------
-# Copyright (c) 2019-2024 Siemens
+# Copyright (c) 2019-2025 Siemens
 # All Rights Reserved.
 # Author: thomas.graf@siemens.com, sameer.panda@siemens.com
 #
@@ -214,11 +214,13 @@ def try_find_component_metadata(self, bomitem: Component, package_source: str) -
                 version)
             return bomitem
 
-        val = info.get("homepage", "")
-        if val:
+        homepage: str = info.get("homepage", "")
+        if homepage:
+            if homepage.endswith("#readme"):
+                homepage = homepage[:-7]
             ext_ref = ExternalReference(
                 type=ExternalReferenceType.WEBSITE,
-                url=XsUri(val))
+                url=XsUri(homepage))
             bomitem.external_references.add(ext_ref)
 
         repository = info.get("repository")
@@ -238,11 +240,18 @@ def try_find_component_metadata(self, bomitem: Component, package_source: str) -
             if not str(url).startswith("http"):
                 url = "https://" + url
             url = self.find_source_file(url, bomitem.name, version)
-            CycloneDxSupport.update_or_set_ext_ref(
-                bomitem,
-                ExternalReferenceType.DISTRIBUTION,
-                CaPyCliBom.SOURCE_URL_COMMENT,
-                url)
+            if url:
+                CycloneDxSupport.update_or_set_ext_ref(
+                    bomitem,
+                    ExternalReferenceType.DISTRIBUTION,
+                    CaPyCliBom.SOURCE_URL_COMMENT,
+                    url)
+            else:
+                print_yellow(
+                    "  No source archive found for component " +
+                    bomitem.name +
+                    ", " +
+                    version)
         bomitem.description = info.get("description", "")
         if not CycloneDxSupport.get_binary_file_hash(bomitem):
             ext_ref2 = CycloneDxSupport.get_ext_ref(
diff --git a/tests/test_get_dependencies_javascript.py b/tests/test_get_dependencies_javascript.py
@@ -1,5 +1,5 @@
 # -------------------------------------------------------------------------------
-# Copyright (c) 2022-2024 Siemens
+# Copyright (c) 2022-2025 Siemens
 # All Rights Reserved.
 # Author: gernot.hillier@siemens.com
 #
@@ -179,7 +179,7 @@ def test_try_find_metadata_simple(self) -> None:
         self.assertEqual("zone.js", enhanced.components[0].name)
         self.assertEqual("Zones for JavaScript", enhanced.components[0].description)
         val = str(CycloneDxSupport.get_ext_ref_source_url(sbom.components[0]))
-        self.assertEqual("", val)
+        self.assertEqual("github.com/angular/angular.git", val)
 
         self.delete_file("test_package_lock_1.json")
 
