@cyclonedx/cdxgen 10.0.3 → 10.0.5

package/README.md

@@ -175,8 +175,9 @@ Options:
                                es.                    [boolean] [default: false]
       --spec-version           CycloneDX Specification version to use. Defaults
                                to 1.5                             [default: 1.5]
-      --filter                 Filter components containing this word in purl.
-                                Multiple values allowed.                 [array]
+      --filter                 Filter components containing this word in purl or
+                                component.properties.value. Multiple values allo
+                               wed.                                      [array]
       --only                   Include components only containing this word in
                                 purl. Useful to generate BOM with first party co
                                mponents alone. Multiple values allowed.  [array]

package/analyzer.js

@@ -8,7 +8,6 @@ import { basename, resolve, isAbsolute, relative } from "node:path";
 const IGNORE_DIRS = process.env.ASTGEN_IGNORE_DIRS
   ? process.env.ASTGEN_IGNORE_DIRS.split(",")
   : [
-      "node_modules",
       "venv",
       "docs",
       "test",
@@ -37,7 +36,7 @@ const IGNORE_FILE_PATTERN = new RegExp(
   "i"
 );
 
-const getAllFiles = (dir, extn, files, result, regex) => {
+const getAllFiles = (deep, dir, extn, files, result, regex) => {
   files = files || readdirSync(dir);
   result = result || [];
   regex = regex || new RegExp(`\\${extn}$`);
@@ -60,8 +59,20 @@ const getAllFiles = (dir, extn, files, result, regex) => {
       ) {
         continue;
       }
+      // We need to include node_modules in deep mode to track exports
+      // Ignore only for non-deep analysis
+      if (!deep && dirName === "node_modules") {
+        continue;
+      }
       try {
-        result = getAllFiles(file, extn, readdirSync(file), result, regex);
+        result = getAllFiles(
+          deep,
+          file,
+          extn,
+          readdirSync(file),
+          result,
+          regex
+        );
       } catch (error) {
         continue;
       }
@@ -101,7 +112,14 @@ const babelParserOptions = {
  * Filter only references to (t|jsx?) or (less|scss) files for now.
  * Opt to use our relative paths.
  */
-const setFileRef = (allImports, src, file, pathnode, specifiers = []) => {
+const setFileRef = (
+  allImports,
+  allExports,
+  src,
+  file,
+  pathnode,
+  specifiers = []
+) => {
   const pathway = pathnode.value || pathnode.name;
   const sourceLoc = pathnode.loc?.start;
   if (!pathway) {
@@ -115,9 +133,13 @@ const setFileRef = (allImports, src, file, pathnode, specifiers = []) => {
   const importedModules = specifiers
     .map((s) => s.imported?.name)
     .filter((v) => v !== undefined);
+  const exportedModules = specifiers
+    .map((s) => s.exported?.name)
+    .filter((v) => v !== undefined);
   const occurrence = {
     importedAs: pathway,
     importedModules,
+    exportedModules,
     isExternal: true,
     fileName: fileRelativeLoc,
     lineNumber: sourceLoc && sourceLoc.line ? sourceLoc.line : undefined,
@@ -132,10 +154,13 @@ const setFileRef = (allImports, src, file, pathnode, specifiers = []) => {
       moduleFullPath = relative(src, moduleFullPath);
       wasAbsolute = true;
     }
-    occurrence.isExternal = false;
+    if (!moduleFullPath.startsWith("node_modules/")) {
+      occurrence.isExternal = false;
+    }
   }
   allImports[moduleFullPath] = allImports[moduleFullPath] || new Set();
   allImports[moduleFullPath].add(occurrence);
+
   // Handle module package name
   // Eg: zone.js/dist/zone will be referred to as zone.js in package.json
   if (!wasAbsolute && moduleFullPath.includes("/")) {
@@ -143,6 +168,16 @@ const setFileRef = (allImports, src, file, pathnode, specifiers = []) => {
     allImports[modPkg] = allImports[modPkg] || new Set();
     allImports[modPkg].add(occurrence);
   }
+  if (exportedModules && exportedModules.length) {
+    moduleFullPath = moduleFullPath
+      .replace("node_modules/", "")
+      .replace("dist/", "")
+      .replace(/\.(js|ts|cjs|mjs)$/g, "")
+      .replace("src/", "");
+    allExports[moduleFullPath] = allExports[moduleFullPath] || new Set();
+    occurrence.exportedModules = exportedModules;
+    allExports[moduleFullPath].add(occurrence);
+  }
 };
 
 const vueCleaningRegex = /<\/*script.*>|<style[\s\S]*style>|<\/*br>/gi;
@@ -178,13 +213,14 @@ const fileToParseableCode = (file) => {
  * Check AST tree for any (j|tsx?) files and set a file
  * references for any import, require or dynamic import files.
  */
-const parseFileASTTree = (src, file, allImports) => {
+const parseFileASTTree = (src, file, allImports, allExports) => {
   const ast = parse(fileToParseableCode(file), babelParserOptions);
   traverse.default(ast, {
     ImportDeclaration: (path) => {
       if (path && path.node) {
         setFileRef(
           allImports,
+          allExports,
           src,
           file,
           path.node.source,
@@ -200,24 +236,25 @@ const parseFileASTTree = (src, file, allImports) => {
         path.node.name === "require" &&
         path.parent.type === "CallExpression"
       ) {
-        setFileRef(allImports, src, file, path.parent.arguments[0]);
+        setFileRef(allImports, allExports, src, file, path.parent.arguments[0]);
       }
     },
     // Use for dynamic imports like routes.jsx
     CallExpression: (path) => {
       if (path && path.node && path.node.callee.type === "Import") {
-        setFileRef(allImports, src, file, path.node.arguments[0]);
+        setFileRef(allImports, allExports, src, file, path.node.arguments[0]);
       }
     },
     // Use for export barrells
     ExportAllDeclaration: (path) => {
-      setFileRef(allImports, src, file, path.node.source);
+      setFileRef(allImports, allExports, src, file, path.node.source);
     },
     ExportNamedDeclaration: (path) => {
       // ensure there is a path export
       if (path && path.node && path.node.source) {
         setFileRef(
           allImports,
+          allExports,
           src,
           file,
           path.node.source,
@@ -231,36 +268,37 @@ const parseFileASTTree = (src, file, allImports) => {
 /**
  * Return paths to all (j|tsx?) files.
  */
-const getAllSrcJSAndTSFiles = (src) =>
+const getAllSrcJSAndTSFiles = (src, deep) =>
   Promise.all([
-    getAllFiles(src, ".js"),
-    getAllFiles(src, ".jsx"),
-    getAllFiles(src, ".cjs"),
-    getAllFiles(src, ".mjs"),
-    getAllFiles(src, ".ts"),
-    getAllFiles(src, ".tsx"),
-    getAllFiles(src, ".vue"),
-    getAllFiles(src, ".svelte")
+    getAllFiles(deep, src, ".js"),
+    getAllFiles(deep, src, ".jsx"),
+    getAllFiles(deep, src, ".cjs"),
+    getAllFiles(deep, src, ".mjs"),
+    getAllFiles(deep, src, ".ts"),
+    getAllFiles(deep, src, ".tsx"),
+    getAllFiles(deep, src, ".vue"),
+    getAllFiles(deep, src, ".svelte")
   ]);
 
 /**
- * Where Node CLI runs from.
+ * Find all imports and exports
  */
-export const findJSImports = async (src) => {
+export const findJSImportsExports = async (src, deep) => {
   const allImports = {};
+  const allExports = {};
   const errFiles = [];
   try {
-    const promiseMap = await getAllSrcJSAndTSFiles(src);
+    const promiseMap = await getAllSrcJSAndTSFiles(src, deep);
     const srcFiles = promiseMap.flatMap((d) => d);
     for (const file of srcFiles) {
       try {
-        parseFileASTTree(src, file, allImports);
+        parseFileASTTree(src, file, allImports, allExports);
       } catch (err) {
         errFiles.push(file);
       }
     }
-    return allImports;
+    return { allImports, allExports };
   } catch (err) {
-    return allImports;
+    return { allImports, allExports };
   }
 };

package/bin/cdxgen.js

@@ -193,7 +193,7 @@ const args = yargs(hideBin(process.argv))
   })
   .option("filter", {
     description:
-      "Filter components containing this word in purl. Multiple values allowed."
+      "Filter components containing this word in purl or component.properties.value. Multiple values allowed."
   })
   .option("only", {
     description:

package/docker.js

@@ -426,7 +426,14 @@ export const parseImageName = (fullImageName) => {
     return nameObj;
   }
   // ensure it's lowercased
-  fullImageName = fullImageName.toLowerCase();
+  fullImageName = fullImageName.toLowerCase().trim();
+
+  // Extract platform
+  if (fullImageName.startsWith("--platform=")) {
+    const tmpName = fullImageName.replace("--platform=", "").split(" ");
+    nameObj.platform = tmpName[0];
+    fullImageName = tmpName[1];
+  }
 
   // Extract registry name
   if (
@@ -1183,3 +1190,31 @@ export const getCredsFromHelper = (exeSuffix, serverAddress) => {
   }
   return undefined;
 };
+
+export const addSkippedSrcFiles = (skippedImageSrcs, components) => {
+  for (const skippedImage of skippedImageSrcs) {
+    for (const co of components) {
+      let srcFileValues = [];
+      let srcImageValue;
+      co.properties.forEach(function (property) {
+        if (property.name === "oci:SrcImage") {
+          srcImageValue = property.value;
+        }
+
+        if (property.name === "SrcFile") {
+          srcFileValues.push(property.value);
+        }
+      });
+
+      if (
+        srcImageValue === skippedImage.image &&
+        !srcFileValues.includes(skippedImage.src)
+      ) {
+        co.properties = co.properties.concat({
+          name: "SrcFile",
+          value: skippedImage.src
+        });
+      }
+    }
+  }
+};

package/docker.test.js

@@ -4,9 +4,10 @@ import {
   getImage,
   removeImage,
   exportImage,
-  isWin
+  isWin,
+  addSkippedSrcFiles
 } from "./docker.js";
-import { expect, test } from "@jest/globals";
+import { expect, test, describe, beforeEach } from "@jest/globals";
 
 test("docker connection", async () => {
   if (!(isWin && process.env.CI === "true")) {
@@ -84,6 +85,19 @@ test("parseImageName tests", () => {
     group: "docker/library",
     name: "eclipse-temurin"
   });
+  expect(
+    parseImageName(
+      "--platform=linux/amd64 foocorp.jfrog.io/docker/library/eclipse-temurin:latest"
+    )
+  ).toEqual({
+    registry: "foocorp.jfrog.io",
+    repo: "docker/library/eclipse-temurin",
+    tag: "latest",
+    digest: "",
+    platform: "linux/amd64",
+    group: "docker/library",
+    name: "eclipse-temurin"
+  });
   expect(
     parseImageName(
       "quay.io/shiftleft/scan-java@sha256:5d008306a7c5d09ba0161a3408fa3839dc2c9dd991ffb68adecc1040399fe9e1"
@@ -117,3 +131,72 @@ test("docker getImage", async () => {
   const imageData = await exportImage("hello-world:latest");
   expect(imageData);
 }, 120000);
+
+describe("addSkippedSrcFiles tests", () => {
+  let testComponents;
+
+  beforeEach(() => {
+    testComponents = [
+      {
+        name: "node",
+        version: "20",
+        component: "node:20",
+        purl: "pkg:oci/node@20?tag=20",
+        type: "container",
+        "bom-ref": "pkg:oci/node@20?tag=20",
+        properties: [
+          {
+            name: "SrcFile",
+            value: "/some/project/Dockerfile"
+          },
+          {
+            name: "oci:SrcImage",
+            value: "node:20"
+          }
+        ]
+      }
+    ];
+  });
+
+  test("no matching additional src files", () => {
+    addSkippedSrcFiles(
+      [
+        {
+          image: "node:18",
+          src: "/some/project/bitbucket-pipeline.yml"
+        }
+      ],
+      testComponents
+    );
+
+    expect(testComponents[0].properties).toHaveLength(2);
+  });
+
+  test("adds additional src files", () => {
+    addSkippedSrcFiles(
+      [
+        {
+          image: "node:20",
+          src: "/some/project/bitbucket-pipeline.yml"
+        }
+      ],
+      testComponents
+    );
+
+    expect(testComponents[0].properties).toHaveLength(3);
+  });
+
+  test("skips if same src file", () => {
+    addSkippedSrcFiles(
+      [
+        {
+          image: "node:20",
+          src: "/some/project/Dockerfile"
+        }
+      ],
+      testComponents
+    );
+
+    expect(testComponents[0].properties).toHaveLength(2);
+  });
+}, 120000);

package/index.js

@@ -133,13 +133,14 @@ const selfPJson = JSON.parse(
   readFileSync(join(dirName, "package.json"), "utf-8")
 );
 const _version = selfPJson.version;
-import { findJSImports } from "./analyzer.js";
+import { findJSImportsExports } from "./analyzer.js";
 import { gte, lte } from "semver";
 import {
   getPkgPathList,
   parseImageName,
   exportArchive,
-  exportImage
+  exportImage,
+  addSkippedSrcFiles
 } from "./docker.js";
 import {
   getGoBuildInfo,
@@ -1795,6 +1796,7 @@ export const createNodejsBom = async (path, options) => {
     }
   }
   let allImports = {};
+  let allExports = {};
   if (
     !["docker", "oci", "container", "os"].includes(options.projectType) &&
     !options.noBabel
@@ -1804,7 +1806,9 @@ export const createNodejsBom = async (path, options) => {
         `Performing babel-based package usage analysis with source code at ${path}`
       );
     }
-    allImports = await findJSImports(path);
+    const retData = await findJSImportsExports(path, options.deep);
+    allImports = retData.allImports;
+    allExports = retData.allExports;
   }
   const yarnLockFiles = getAllFiles(
     path,
@@ -1976,7 +1980,12 @@ export const createNodejsBom = async (path, options) => {
     if (existsSync(swFile)) {
       let pkgList = await parseNodeShrinkwrap(swFile);
       if (allImports && Object.keys(allImports).length) {
-        pkgList = addEvidenceForImports(pkgList, allImports);
+        pkgList = await addEvidenceForImports(
+          pkgList,
+          allImports,
+          allExports,
+          options.deep
+        );
       }
       return buildBomNSData(options, pkgList, "npm", {
         allImports,
@@ -1986,10 +1995,16 @@ export const createNodejsBom = async (path, options) => {
     } else if (existsSync(pnpmLock)) {
       let pkgList = await parsePnpmLock(pnpmLock);
       if (allImports && Object.keys(allImports).length) {
-        pkgList = addEvidenceForImports(pkgList, allImports);
+        pkgList = await addEvidenceForImports(
+          pkgList,
+          allImports,
+          allExports,
+          options.deep
+        );
       }
       return buildBomNSData(options, pkgList, "npm", {
         allImports,
+        allExports,
         src: path,
         filename: "pnpm-lock.yaml"
       });
@@ -2140,7 +2155,12 @@ export const createNodejsBom = async (path, options) => {
   // We need to set this to force our version to be used rather than the directory name based one.
   options.parentComponent = parentComponent;
   if (allImports && Object.keys(allImports).length) {
-    pkgList = addEvidenceForImports(pkgList, allImports);
+    pkgList = await addEvidenceForImports(
+      pkgList,
+      allImports,
+      allExports,
+      options.deep
+    );
   }
   return buildBomNSData(options, pkgList, "npm", {
     src: path,
@@ -3640,6 +3660,7 @@ export const createContainerSpecLikeBom = async (path, options) => {
   let parentComponent = {};
   let dependencies = [];
   const doneimages = [];
+  const skippedImageSrcs = [];
   const doneservices = [];
   const origProjectType = options.projectType;
   let dcFiles = getAllFiles(
@@ -3772,6 +3793,9 @@ export const createContainerSpecLikeBom = async (path, options) => {
               if (DEBUG_MODE) {
                 console.log("Skipping", img.image);
               }
+
+              skippedImageSrcs.push({ image: img.image, src: f });
+
               continue;
             }
             if (DEBUG_MODE) {
@@ -3790,7 +3814,8 @@ export const createContainerSpecLikeBom = async (path, options) => {
               type: "container"
             };
             if (imageObj.registry) {
-              pkg["qualifiers"]["repository_url"] = img.image;
+              pkg["qualifiers"]["repository_url"] =
+                `${imageObj.registry}/${imageObj.repo}`;
             }
             if (imageObj.platform) {
               pkg["qualifiers"]["platform"] = imageObj.platform;
@@ -3826,6 +3851,9 @@ export const createContainerSpecLikeBom = async (path, options) => {
         } // for img
       }
     } // for
+
+    // Add additional SrcFile property to skipped image components
+    addSkippedSrcFiles(skippedImageSrcs, components);
   } // if
   // Parse openapi files
   if (oapiFiles.length) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "10.0.3",
+  "version": "10.0.5",
   "description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",

package/postgen.js

@@ -27,7 +27,10 @@ export const filterBom = (bomJson, options) => {
       }
       let purlfiltered = false;
       for (const filterstr of options.only) {
-        if (filterstr.length && !comp.purl.toLowerCase().includes(filterstr)) {
+        if (
+          filterstr.length &&
+          !comp.purl.toLowerCase().includes(filterstr.toLowerCase())
+        ) {
           filtered = true;
           purlfiltered = true;
           continue;
@@ -42,11 +45,29 @@ export const filterBom = (bomJson, options) => {
       }
       let purlfiltered = false;
       for (const filterstr of options.filter) {
-        if (filterstr.length && comp.purl.toLowerCase().includes(filterstr)) {
+        // Check the purl
+        if (
+          filterstr.length &&
+          comp.purl.toLowerCase().includes(filterstr.toLowerCase())
+        ) {
           filtered = true;
           purlfiltered = true;
           continue;
         }
+        // Look for any properties value matching the string
+        const properties = comp.properties || [];
+        for (const aprop of properties) {
+          if (
+            filterstr.length &&
+            aprop &&
+            aprop.value &&
+            aprop.value.toLowerCase().includes(filterstr.toLowerCase())
+          ) {
+            filtered = true;
+            purlfiltered = true;
+            continue;
+          }
+        }
       }
       if (!purlfiltered) {
         newPkgMap[comp["bom-ref"]] = comp;

package/postgen.test.js

@@ -41,14 +41,14 @@ test("filter bom tests2", () => {
       throw new Error(`${comp.purl} is unexpected`);
     }
   }
-  expect(newBom.components.length).toEqual(177);
+  expect(newBom.components.length).toEqual(158);
   newBom = filterBom(bomJson, { filter: ["apache", "json"] });
   for (const comp of newBom.components) {
     if (comp.purl.includes("apache") || comp.purl.includes("json")) {
       throw new Error(`${comp.purl} is unexpected`);
     }
   }
-  expect(newBom.components.length).toEqual(172);
+  expect(newBom.components.length).toEqual(135);
   expect(newBom.compositions).toBeUndefined();
   newBom = filterBom(bomJson, {
     only: ["org.springframework"],
@@ -60,7 +60,7 @@ test("filter bom tests2", () => {
       throw new Error(`${comp.purl} is unexpected`);
     }
   }
-  expect(newBom.components.length).toEqual(37);
+  expect(newBom.components.length).toEqual(29);
   expect(newBom.compositions).toEqual([
     {
       aggregate: "incomplete_first_party_only",

package/utils.js

@@ -559,13 +559,29 @@ export const parsePkgJson = async (pkgJsonFile, simple = false) => {
         null,
         null
       ).toString();
+      const author = pkgData.author;
+      const authorString =
+        author instanceof Object
+          ? `${author.name}${author.email ? ` <${author.email}>` : ""}${
+              author.url ? ` (${author.url})` : ""
+            }`
+          : author;
       const apkg = {
         name,
         group,
         version: pkgData.version,
+        description: pkgData.description,
         purl: purl,
-        "bom-ref": decodeURIComponent(purl)
+        "bom-ref": decodeURIComponent(purl),
+        author: authorString,
+        license: pkgData.license
       };
+      if (pkgData.homepage) {
+        apkg.homepage = { url: pkgData.homepage };
+      }
+      if (pkgData.repository && pkgData.repository.url) {
+        apkg.repository = { url: pkgData.repository.url };
+      }
       if (!simple) {
         apkg.properties = [
           {
@@ -720,6 +736,12 @@ export const parsePkgLock = async (pkgLockFile, options = {}) => {
           value: node.resolved
         });
       }
+      if (node.location) {
+        pkg.properties.push({
+          name: "LocalNodeModulesPath",
+          value: node.location
+        });
+      }
     }
     const packageLicense = node.package.license;
     if (packageLicense) {
@@ -8135,9 +8157,16 @@ export const parsePackageJsonName = (name) => {
  *
  * @param {array} pkgList List of package
  * @param {object} allImports Import statements object with package name as key and an object with file and location details
+ * @param {object} allExports Exported modules if available from node_modules
  */
-export const addEvidenceForImports = (pkgList, allImports) => {
+export const addEvidenceForImports = async (
+  pkgList,
+  allImports,
+  allExports,
+  deep
+) => {
   const impPkgs = Object.keys(allImports);
+  const exportedPkgs = Object.keys(allExports);
   for (const pkg of pkgList) {
     if (impPkgs && impPkgs.length) {
       // Assume that all packages are optional until we see an evidence
@@ -8158,6 +8187,47 @@ export const addEvidenceForImports = (pkgList, allImports) => {
           find_pkg.startsWith(alias) &&
           (find_pkg.length === alias.length || find_pkg[alias.length] === "/")
       );
+      const all_exports = exportedPkgs.filter((find_pkg) =>
+        find_pkg.startsWith(alias)
+      );
+      if (all_exports && all_exports.length) {
+        let exportedModules = new Set(all_exports);
+        pkg.properties = pkg.properties || [];
+        for (const subevidence of all_exports) {
+          const evidences = allExports[subevidence];
+          for (const evidence of evidences) {
+            if (evidence && Object.keys(evidence).length) {
+              if (evidence.exportedModules.length > 1) {
+                for (const aexpsubm of evidence.exportedModules) {
+                  // Be selective on the submodule names
+                  if (
+                    !evidence.importedAs
+                      .toLowerCase()
+                      .includes(aexpsubm.toLowerCase()) &&
+                    !alias.endsWith(aexpsubm)
+                  ) {
+                    // Store both the short and long form of the exported sub modules
+                    if (aexpsubm.length > 3) {
+                      exportedModules.add(aexpsubm);
+                    }
+                    exportedModules.add(
+                      `${evidence.importedAs.replace("./", "")}/${aexpsubm}`
+                    );
+                  }
+                }
+              }
+            }
+          }
+        }
+        exportedModules = Array.from(exportedModules);
+        if (exportedModules.length) {
+          pkg.properties.push({
+            name: "ExportedModules",
+            value: exportedModules.join(",")
+          });
+        }
+      }
+      // Identify all the imported modules of a component
       if (impPkgs.includes(alias) || all_includes.length) {
         let importedModules = new Set();
         pkg.scope = "required";
@@ -8178,7 +8248,9 @@ export const addEvidenceForImports = (pkgList, allImports) => {
                   continue;
                 }
                 // Store both the short and long form of the imported sub modules
-                importedModules.add(importedSm);
+                if (importedSm.length > 3) {
+                  importedModules.add(importedSm);
+                }
                 importedModules.add(`${evidence.importedAs}/${importedSm}`);
               }
             }
@@ -8194,8 +8266,35 @@ export const addEvidenceForImports = (pkgList, allImports) => {
         }
         break;
       }
-    }
-  }
+      // Capture metadata such as description from local node_modules in deep mode
+      if (deep && !pkg.description && pkg.properties) {
+        let localNodeModulesPath = undefined;
+        for (const aprop of pkg.properties) {
+          if (aprop.name === "LocalNodeModulesPath") {
+            localNodeModulesPath = resolve(join(aprop.value, "package.json"));
+            break;
+          }
+        }
+        if (localNodeModulesPath && existsSync(localNodeModulesPath)) {
+          const lnmPkgList = await parsePkgJson(localNodeModulesPath, true);
+          if (lnmPkgList && lnmPkgList.length === 1) {
+            const lnmMetadata = lnmPkgList[0];
+            if (lnmMetadata && Object.keys(lnmMetadata).length) {
+              pkg.description = lnmMetadata.description;
+              pkg.author = lnmMetadata.author;
+              pkg.license = lnmMetadata.license;
+              pkg.homepage = lnmMetadata.homepage;
+              pkg.repository = lnmMetadata.repository;
+            }
+          }
+        }
+      }
+    } // for alias
+    // Trim the properties
+    pkg.properties = pkg.properties.filter(
+      (p) => p.name !== "LocalNodeModulesPath"
+    );
+  } // for pkg
   return pkgList;
 };
 

package/utils.test.js

@@ -38,6 +38,7 @@ import {
   parsePom,
   getMvnMetadata,
   getLicenses,
+  parsePkgJson,
   parsePkgLock,
   parseBowerJson,
   parseNodeShrinkwrap,
@@ -1719,6 +1720,11 @@ test("get licenses", () => {
   ]);
 });
 
+test("parsePkgJson", async () => {
+  const pkgList = await parsePkgJson("./package.json", true);
+  expect(pkgList.length).toEqual(1);
+});
+
 test("parsePkgLock v1", async () => {
   const parsedList = await parsePkgLock(
     "./test/data/package-json/v1/package-lock.json"