[BUG] missing properties for "private", "development" and "bundled" dependnecies

[jkowalleck]

Describe the bug

With #1307, dependencies that are for development only might not be marked in the resulting SBOM properly.

need to revisit the tests and see the current results

To Reproduce

test setups came via #1329

Expected behavior

• dev dependnecies are marked as such via properties, according to https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/npm.md
• bundled dependencies are marked as such via properties, according to https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/npm.md

Screenshots or output-paste

If applicable, add screenshots or past the output to help explain your problem.
If possible, show which CLI command was run, which parameters were used, and run with CLI switch -vvv for more debug information.

Environment

• @cyclonedx/cyclonedx-npm version:
• NPM version:
• Node version:
• OS:

Additional context

Add any other context about the problem here.

Contribution

• I am willing to provide a fix
• I will wait until somebody else fixes it

[jkowalleck]

working on this

[jkowalleck]

cdx:npm:package:bundled not as intended

• ✔️ works for lock-only:

  cyclonedx-node-npm/tests/_data/sbom_dummy-results/package-lock-only/with-prepared.snap.json

  Lines 767 to 768 in 039a851

  	"name": "cdx:npm:package:bundled",
  	"value": "true"

• ❌ works NOT for other cases

[jkowalleck]

cdx:npm:package:private not as intended:

• ✔️ works for lock-only:

  cyclonedx-node-npm/tests/_data/sbom_dummy-results/package-lock-only/with-prepared.snap.json

  Lines 92 to 93 in 039a851

  	"name": "cdx:npm:package:private",
  	"value": "true"

• ❌ works NOT for other cases

[jkowalleck]

cdx:npm:package:development not working as intended for all cases:

• ✔️ works for lock-only:

  cyclonedx-node-npm/tests/_data/sbom_dummy-results/package-lock-only/with-prepared.snap.json

  Lines 407 to 408 in 039a851

  	"name": "cdx:npm:package:development",
  	"value": "true"

• ❌ works NOT for other cases

[jkowalleck]

review done, not all cases work as intended - see

• [BUG] missing properties for "private", "development" and "bundled" dependnecies #1330 (comment)
• [BUG] missing properties for "private", "development" and "bundled" dependnecies #1330 (comment)
• [BUG] missing properties for "private", "development" and "bundled" dependnecies #1330 (comment)

[jkowalleck]

did some tests on tests/_data/dummy_projects/with-prepared/

npm ls --json --all --long
res

{
  // ...
  "uuid": {
      "version": "8.3.2",
      "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz",
      "overridden": false,
      "name": "uuid",
      "description": "RFC4122 (v1, v4, and v5) UUIDs",
      "commitlint": {
        "extends": [
          "@commitlint/config-conventional"
        ]
      },
      "keywords": [
        "uuid",
        "guid",
        "rfc4122"
      ],
      "license": "MIT",
      "bin": {
        "uuid": "dist/bin/uuid"
      },
      "sideEffects": false,
      "main": "./dist/index.js",
      "exports": {
        ".": {
          "node": {
            "module": "./dist/esm-node/index.js",
            "require": "./dist/index.js",
            "import": "./wrapper.mjs"
          },
          "default": "./dist/esm-browser/index.js"
        },
        "./package.json": "./package.json"
      },
      "module": "./dist/esm-node/index.js",
      "browser": {
        "./dist/md5.js": "./dist/md5-browser.js",
        "./dist/rng.js": "./dist/rng-browser.js",
        "./dist/sha1.js": "./dist/sha1-browser.js",
        "./dist/esm-node/index.js": "./dist/esm-browser/index.js"
      },
      "files": [
        "CHANGELOG.md",
        "CONTRIBUTING.md",
        "LICENSE.md",
        "README.md",
        "dist",
        "wrapper.mjs"
      ],
      "devDependencies": {
          // ...
      },
      "optionalDevDependencies": {
        "@wdio/browserstack-service": "6.4.0",
        "@wdio/cli": "6.4.0",
        "@wdio/jasmine-framework": "6.4.0",
        "@wdio/local-runner": "6.4.0",
        "@wdio/spec-reporter": "6.4.0",
        "@wdio/static-server-service": "6.4.0",
        "@wdio/sync": "6.4.0"
      },
      "scripts": {
      },
      "repository": {
        "type": "git",
        "url": "https://github.com/uuidjs/uuid.git"
      },
      "husky": {
        "hooks": {
          "commit-msg": "commitlint -E HUSKY_GIT_PARAMS",
          "pre-commit": "lint-staged"
        }
      },
      "lint-staged": {
        "*.{js,jsx,json,md}": [
          "prettier --write"
        ],
        "*.{js,jsx}": [
          "eslint --fix"
        ]
      },
      "standard-version": {
        "scripts": {
          "postchangelog": "prettier --write CHANGELOG.md"
        }
      },
      "_id": "uuid@8.3.2",
      "extraneous": false,
      "path": "/home/flow/Documents/Coding/node/cyclonedx-node-npm/tests/_data/dummy_projects/with-prepared/node_modules/uuid",
      "_dependencies": {},
      "peerDependencies": {}
    }
  // ...
}

npm ls --json --all --long --package-lock-only
res:

{
  // ...
  "uuid": {
      "version": "8.3.2",
      "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz",
      "overridden": false,
      "name": "uuid",
      "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==",
      "devOptional": true,
      "bin": {
        "uuid": "dist/bin/uuid"
      },
      "_id": "uuid@8.3.2",
      "extraneous": false,
      "path": "/home/flow/Documents/Coding/node/cyclonedx-node-npm/tests/_data/dummy_projects/with-prepared/node_modules/uuid",
      "_dependencies": {},
      "devDependencies": {},
      "peerDependencies": {}
    }
  // ...
}

[jkowalleck]

based on #1330 (comment)
it became clear: the flags dev, devOptional, optional, are no longer available in the output of npm-ls unless the CLI switch --package-lock-only is present.

[jkowalleck]

🔍
based on #1330 (comment)
a fix could be to call npm-ls always with --package-lock-only switch.
🔎

[jkowalleck]

caused npm/cli#8485