diff --git a/package.json b/package.json index 7e9aa25..4588799 100644 --- a/package.json +++ b/package.json @@ -67,6 +67,7 @@ "@commitlint/cli": "19.2.2", "@commitlint/config-conventional": "19.2.2", "@types/node": "20.12.7", + "@types/normalize-package-data": "^2.4.4", "@typescript-eslint/eslint-plugin": "7.7.0", "@typescript-eslint/parser": "7.7.0", "@vitest/coverage-v8": "1.5.0", diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 72f9f82..df076b3 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -24,6 +24,9 @@ importers: '@types/node': specifier: 20.12.7 version: 20.12.7 + '@types/normalize-package-data': + specifier: ^2.4.4 + version: 2.4.4 '@typescript-eslint/eslint-plugin': specifier: 7.7.0 version: 7.7.0(@typescript-eslint/parser@7.7.0(eslint@8.56.0)(typescript@5.4.5))(eslint@8.56.0)(typescript@5.4.5) @@ -3966,7 +3969,7 @@ snapshots: '@babel/helper-module-imports@7.22.15': dependencies: - '@babel/types': 7.23.3 + '@babel/types': 7.24.0 '@babel/helper-module-transforms@7.23.3(@babel/core@7.23.3)': dependencies: diff --git a/src/builder.ts b/src/builder.ts index 53e1032..cbba557 100644 --- a/src/builder.ts +++ b/src/builder.ts @@ -1,11 +1,12 @@ -import { dirname } from "node:path"; import { createRequire } from "node:module"; import { type Builders, type Models, type Factories } from "@cyclonedx/cyclonedx-library"; -import { getPackageJson } from "./helpers"; +import { getCorrespondingPackageFromModuleId } from "./helpers"; const require = createRequire(import.meta.url); +const knownTools = ["rollup-plugin-sbom", "vite", "rollup"]; + export function registerPackageUrlOnComponent( component: Models.Component | undefined, factory: Factories.FromNodePackageJson.PackageUrlFactory, @@ -17,24 +18,20 @@ export function registerPackageUrlOnComponent( } export async function registerTools(bom: Models.Bom, builder: Builders.FromNodePackageJson.ToolBuilder) { - // register rollup-plugin-sbom (for vite and rollup) - const pkg = await getPackageJson(dirname(require.resolve("rollup-plugin-sbom"))); - if (pkg) { - const tool = builder.makeTool(pkg); - tool && bom.metadata.tools.add(tool); - } - - // register vite if available - const vitePkg = await getPackageJson(dirname(require.resolve("vite"))); - if (vitePkg) { - const tool = builder.makeTool(vitePkg); - tool && bom.metadata.tools.add(tool); + async function registerTool(packageName: string) { + try { + const modulePath = require.resolve(packageName); + const pkgJson = await getCorrespondingPackageFromModuleId(modulePath); + if (pkgJson) { + const tool = builder.makeTool(pkgJson); + tool && bom.metadata.tools.add(tool); + } + } catch { + // do nothing + } } - // register rollup if available - const rollupPkg = await getPackageJson(dirname(require.resolve("rollup"))); - if (rollupPkg) { - const tool = builder.makeTool(rollupPkg); - tool && bom.metadata.tools.add(tool); + for (const pkgName of knownTools) { + await registerTool(pkgName); } } diff --git a/src/helpers.ts b/src/helpers.ts index 570ce2f..15bfbcf 100644 --- a/src/helpers.ts +++ b/src/helpers.ts @@ -34,22 +34,31 @@ export async function getPackageJson(dir: string): Promise { * getPackageRootFromModuleId(moduleId); // "/User/home/.pnpm/react-dom@18.2.0_react@18.2.0/node_modules/react-dom" * ``` */ -export function getCorrespondingPackageFromModuleId(moduleId: string, traversalLimit = 10) { - if (!moduleId.includes("node_modules")) { - return Promise.resolve(null); - } - +export async function getCorrespondingPackageFromModuleId( + modulePath: string, + traversalLimit = 10, +): Promise { if (traversalLimit === 0) { return Promise.resolve(null); } - const folder = dirname(moduleId); + // dirname() will do the equivalent of traversing up the + // directory tree one level when called on a path without + // a file. + const folder = dirname(modulePath); const potentialPackagePath = join(folder, "./package.json"); + + let pkgJson: Package | null = null; + if (existsSync(potentialPackagePath)) { - return getPackageJson(folder); + pkgJson = await getPackageJson(folder); + } + + if (pkgJson !== null) { + return pkgJson; } - return getCorrespondingPackageFromModuleId(join(folder, ".."), traversalLimit - 1); + return await getCorrespondingPackageFromModuleId(folder, traversalLimit - 1); } /** diff --git a/src/index.ts b/src/index.ts index 170ab97..ac837ed 100644 --- a/src/index.ts +++ b/src/index.ts @@ -95,9 +95,19 @@ export default function rollupPluginSbom(userOptions?: RollupPluginSbomOptions): * Register only the effectively imported third party modules from `node_modules` */ async moduleParsed(moduleInfo) { - const nodeModuleImportedIds = moduleInfo.importedIds.filter((entry) => entry.includes("node_modules")); + // filter out modules that exists in node_modules and + // also are not Rollup virtual modules (starting with \0) + const nodeModuleImportedIds = moduleInfo.importedIds.filter( + (entry) => entry.includes("node_modules") && !entry.startsWith("\0"), + ); + const potentialComponents = await Promise.all( - nodeModuleImportedIds.map(getCorrespondingPackageFromModuleId), + nodeModuleImportedIds.map((moduleId) => { + if (!moduleId.includes("node_modules")) { + return Promise.resolve(null); + } + return getCorrespondingPackageFromModuleId(moduleId); + }), ); // iterate over all imported unique modules and add them to the BOM