Fix #4753: Prevent Git URLs from being misidentified as NPM aliases in package.json dependencies

Author: pantha704

src/packagedcode/npm.py

@@ -380,10 +380,10 @@ def update_dependencies_by_purl(
                     if '_' in metadata:
                         requirement, _extra = metadata.split('_')
 
-                if ':' in requirement and '@' in requirement:
+                if isinstance(requirement, str) and requirement.startswith('npm:') and '@' in requirement:
                     # dependencies with requirements like this are aliases and should be reported
                     aliased_package, _, constraint = requirement.rpartition('@')
-                    _, _, aliased_package_name = aliased_package.rpartition(':')
+                    _, _, aliased_package_name = aliased_package.partition('npm:')
                     sdns, _ , sdname = aliased_package_name.rpartition('/')
                     dep_purl = PackageURL(
                         type=cls.default_package_type,
@@ -1848,10 +1848,10 @@ def deps_mapper(deps, package, field_name, is_direct=True):
         if not name:
             continue
 
-        if ':' in requirement and '@' in requirement:
+        if isinstance(requirement, str) and requirement.startswith('npm:') and '@' in requirement:
             # dependencies with requirements like this are aliases and should be reported
             aliased_package, _, requirement = requirement.rpartition('@')
-            _, _, aliased_package_name = aliased_package.rpartition(':')
+            _, _, aliased_package_name = aliased_package.partition('npm:')
             ns, _ , name = aliased_package_name.rpartition('/')
 
         purl = PackageURL(type='npm', namespace=ns, name=name).to_string()

tests/packagedcode/data/npm/git_urls/package.json

@@ -0,0 +1,10 @@
+{
+  "name": "example",
+  "version": "1.0.0",
+  "dependencies": {
+    "private-lib": "git+ssh://[email protected]:org/repo.git#v1.0.0"
+  },
+  "devDependencies": {
+    "my-alias": "npm:original-package@^1.2.3"
+  }
+}

tests/packagedcode/data/npm/git_urls/package.json.expected

@@ -0,0 +1,69 @@
+[
+  {
+    "type": "npm",
+    "namespace": null,
+    "name": "example",
+    "version": "1.0.0",
+    "qualifiers": {},
+    "subpath": null,
+    "primary_language": "JavaScript",
+    "description": null,
+    "release_date": null,
+    "parties": [],
+    "keywords": [],
+    "homepage_url": null,
+    "download_url": "https://registry.npmjs.org/example/-/example-1.0.0.tgz",
+    "size": null,
+    "sha1": null,
+    "md5": null,
+    "sha256": null,
+    "sha512": null,
+    "bug_tracking_url": null,
+    "code_view_url": null,
+    "vcs_url": null,
+    "copyright": null,
+    "holder": null,
+    "declared_license_expression": null,
+    "declared_license_expression_spdx": null,
+    "license_detections": [],
+    "other_license_expression": null,
+    "other_license_expression_spdx": null,
+    "other_license_detections": [],
+    "extracted_license_statement": null,
+    "notice_text": null,
+    "source_packages": [],
+    "file_references": [],
+    "is_private": false,
+    "is_virtual": false,
+    "extra_data": {},
+    "dependencies": [
+      {
+        "purl": "pkg:npm/private-lib",
+        "extracted_requirement": "git+ssh://[email protected]:org/repo.git#v1.0.0",
+        "scope": "dependencies",
+        "is_runtime": true,
+        "is_optional": false,
+        "is_pinned": false,
+        "is_direct": true,
+        "resolved_package": {},
+        "extra_data": {}
+      },
+      {
+        "purl": "pkg:npm/original-package",
+        "extracted_requirement": "^1.2.3",
+        "scope": "devDependencies",
+        "is_runtime": false,
+        "is_optional": true,
+        "is_pinned": false,
+        "is_direct": true,
+        "resolved_package": {},
+        "extra_data": {}
+      }
+    ],
+    "repository_homepage_url": "https://www.npmjs.com/package/example",
+    "repository_download_url": "https://registry.npmjs.org/example/-/example-1.0.0.tgz",
+    "api_data_url": "https://registry.npmjs.org/example/1.0.0",
+    "datasource_id": "npm_package_json",
+    "purl": "pkg:npm/[email protected]"
+  }
+]

tests/packagedcode/test_npm.py

@@ -108,6 +108,12 @@ def test_parse_bundleddeps(self):
         packages = npm.NpmPackageJsonHandler.parse(test_file)
         self.check_packages_data(packages, expected_loc, regen=REGEN_TEST_FIXTURES)
 
+    def test_parse_git_urls(self):
+        test_file = self.get_test_loc('npm/git_urls/package.json')
+        expected_loc = self.get_test_loc('npm/git_urls/package.json.expected')
+        packages = npm.NpmPackageJsonHandler.parse(test_file)
+        self.check_packages_data(packages, expected_loc, regen=REGEN_TEST_FIXTURES)
+
     def test_parse_faulty_npm(self):
         test_file = self.get_test_loc('npm/casepath/package.json')
         expected_loc = self.get_test_loc('npm/casepath/package.json.expected')