feat: [CMPA-603] Add npm support for SBOM component metadata being FF

package.json

@@ -121,8 +121,8 @@
     "snyk-gradle-plugin": "7.0.0",
     "snyk-module": "3.1.0",
     "snyk-mvn-plugin": "4.8.0",
-    "snyk-nodejs-lockfile-parser": "2.8.1",
-    "snyk-nodejs-plugin": "^2.0.1",
+    "snyk-nodejs-lockfile-parser": "2.9.0",
+    "snyk-nodejs-plugin": "^2.1.0",
     "snyk-nuget-plugin": "4.2.3",
     "snyk-php-plugin": "1.12.1",
     "snyk-policy": "^4.1.6",

src/lib/plugins/get-multi-plugin-result.ts

@@ -257,6 +257,7 @@ async function processWorkspacesProjects(
         dev: options.dev,
         exclude: options.exclude,
         showNpmScope: featureFlags.has(SHOW_NPM_SCOPE),
+        includeComponentMetadata: options['include-component-metadata'],
       },
       targetFiles,
     );

src/lib/plugins/get-single-plugin-result.ts

@@ -35,10 +35,12 @@ export async function getSinglePluginResult(
       ),
       // Internal/undocumented flag: surfaced to the plugin in camelCase here
       // rather than via the user-facing arg transform list, so it stays off the
-      // documented CLI surface. Single convergence point for single- and
-      // multi-project (all-projects/aggregate) scans. Only added when set so the
-      // default plugin-options shape is unchanged (the flag is gateway-driven
-      // and absent for the vast majority of scans).
+      // documented CLI surface. Convergence point for single-project scans and
+      // the non-workspace files of all-projects/aggregate scans; npm workspace
+      // projects are handled earlier in getMultiPluginResult and forward the
+      // flag themselves (component metadata is currently npm-only). Only added
+      // when set so the default plugin-options shape is unchanged (the flag is
+      // gateway-driven and absent for the vast majority of scans).
       ...(options['include-component-metadata'] !== undefined && {
         includeComponentMetadata: options['include-component-metadata'],
       }),

src/lib/plugins/nodejs-plugin/npm-lock-parser.ts

@@ -14,6 +14,8 @@ import {
 import { Options } from '../types';
 import { DepGraph } from '@snyk/dep-graph';
 
+const defaultIncludeComponentMetadata = false;
+
 export async function parse(
   root: string,
   targetFile: string,
@@ -75,6 +77,8 @@ export async function parse(
         pruneCycles: true,
         honorAliases: true,
         showNpmScope: options.showNpmScope,
+        includeComponentMetadata:
+          options.includeComponentMetadata || defaultIncludeComponentMetadata,
       },
     );
   }
@@ -89,6 +93,7 @@ export async function parse(
       strictOutOfSync,
       true,
       options.showNpmScope,
+      options.includeComponentMetadata || defaultIncludeComponentMetadata,
     );
   } finally {
     await spinner.clear<void>(resolveModuleSpinnerLabel)();

src/lib/plugins/nodejs-plugin/npm-workspaces-parser.ts

@@ -1,7 +1,7 @@
 import * as baseDebug from 'debug';
 import * as pathUtil from 'path';
-const sortBy = require('lodash.sortby');
-const groupBy = require('lodash.groupby');
+import * as sortBy from 'lodash.sortby';
+import * as groupBy from 'lodash.groupby';
 import * as micromatch from 'micromatch';
 
 const debug = baseDebug('snyk-npm-workspaces');
@@ -20,6 +20,7 @@ export async function processNpmWorkspaces(
     dev?: boolean;
     yarnWorkspaces?: boolean;
     showNpmScope?: boolean;
+    includeComponentMetadata?: boolean;
   },
   targetFiles: string[],
 ): Promise<MultiProjectResultCustom> {
@@ -103,6 +104,7 @@ export async function processNpmWorkspaces(
           includeOptionalDeps: false,
           pruneCycles: true,
           showNpmScope: settings.showNpmScope,
+          includeComponentMetadata: settings.includeComponentMetadata || false,
         },
       );
 

src/lib/plugins/types.ts

@@ -22,6 +22,7 @@ export interface Options {
   scanAllUnmanaged?: boolean;
   showNpmScope?: boolean;
   allProjects?: boolean;
+  includeComponentMetadata?: boolean;
 }
 
 export interface Plugin {

test/fixtures/npm-include-component-metadata/lock-v1/package.json

@@ -0,0 +1,7 @@
+{
+  "name": "npm-component-metadata-v1",
+  "version": "1.0.0",
+  "dependencies": {
+    "lodash": "4.17.15"
+  }
+}

test/fixtures/npm-include-component-metadata/lock-v2/package.json

@@ -0,0 +1,7 @@
+{
+  "name": "npm-component-metadata-v2",
+  "version": "1.0.0",
+  "dependencies": {
+    "lodash": "4.17.15"
+  }
+}

test/fixtures/npm-include-component-metadata/lock-v3/package.json

@@ -0,0 +1,7 @@
+{
+  "name": "npm-component-metadata-v3",
+  "version": "1.0.0",
+  "dependencies": {
+    "lodash": "4.17.15"
+  }
+}

test/fixtures/npm-include-component-metadata/workspace/package.json

@@ -0,0 +1,10 @@
+{
+  "name": "npm-workspace-component-metadata",
+  "version": "1.0.0",
+  "license": "MIT",
+  "private": true,
+  "workspaces": [
+    "packages/a",
+    "packages/b"
+  ]
+}

test/fixtures/npm-include-component-metadata/workspace/packages/a/package.json

@@ -0,0 +1,8 @@
+{
+  "name": "a",
+  "version": "1.0.0",
+  "license": "ISC",
+  "dependencies": {
+    "ms": "2.1.3"
+  }
+}

test/fixtures/npm-include-component-metadata/workspace/packages/b/package.json

@@ -0,0 +1,9 @@
+{
+  "name": "b",
+  "version": "1.0.0",
+  "license": "ISC",
+  "dependencies": {
+    "is-number": "7.0.0",
+    "a": "^1.0.0"
+  }
+}