Merge pull request #1680 from blackducksoftware/dev/dterry/IDETECT-4965-npm-cli-alias

add support for aliases in the npm cli detector

Author: dterrybd

detectable/src/main/java/com/blackduck/integration/detectable/detectables/npm/NpmAliasParser.java

@@ -0,0 +1,73 @@
+package com.blackduck.integration.detectable.detectables.npm;
+
+/**
+ * Utility class for parsing npm package aliases.
+ * Npm aliases allow packages to be installed under a different name using the format:
+ * "alias-name": "npm:actual-package@version"
+ */
+public class NpmAliasParser {
+
+    private static final String NPM_ALIAS_PREFIX = "npm:";
+
+    /**
+     * Parses an npm alias string to extract the actual package name.
+     * Npm aliases have the format: "npm:package@version" or "npm:@scope/package@version"
+     *
+     * For scoped packages (starting with @), there are two @ symbols:
+     *   - First @ is part of the scope name
+     *   - Second @ (after the /) separates the package name from the version
+     *
+     * @param aliasValue The full alias string (e.g., "npm:package@^1.0.0" or "npm:@scope/package@^7.0.0")
+     * @return Array with [0] = package name, [1] = version specifier, or null if not an alias
+     */
+    public static String[] parseNpmAlias(String aliasValue) {
+        if (aliasValue == null || !aliasValue.startsWith(NPM_ALIAS_PREFIX)) {
+            return null;
+        }
+
+        String normalizedPackage = aliasValue.substring(4); // Remove "npm:" prefix
+        int versionAtIndex = -1;
+
+        // For scoped packages (e.g., @scope/package@^7.0.0), find the @ after the /
+        // For non-scoped packages (e.g., package@^1.0.0), find the first @
+        if (normalizedPackage.startsWith("@")) {
+            int slashIndex = normalizedPackage.indexOf('/');
+            if (slashIndex > 0) {
+                versionAtIndex = normalizedPackage.indexOf('@', slashIndex + 1);
+            }
+        } else {
+            versionAtIndex = normalizedPackage.indexOf('@');
+        }
+
+        if (versionAtIndex > 0) {
+            return new String[] {
+                normalizedPackage.substring(0, versionAtIndex),
+                normalizedPackage.substring(versionAtIndex + 1)
+            };
+        } else {
+            // No version specified (e.g., "npm:package" or "npm:@scope/package")
+            return new String[] { normalizedPackage, normalizedPackage };
+        }
+    }
+
+    /**
+     * Checks if a dependency value string is an npm alias.
+     *
+     * @param value The dependency value from package.json
+     * @return true if the value is an npm alias (starts with "npm:")
+     */
+    public static boolean isNpmAlias(String value) {
+        return value != null && value.startsWith(NPM_ALIAS_PREFIX);
+    }
+
+    /**
+     * Extracts just the package name from an npm alias.
+     *
+     * @param aliasValue The full alias string
+     * @return The actual package name, or null if not an alias
+     */
+    public static String extractPackageName(String aliasValue) {
+        String[] parsed = parseNpmAlias(aliasValue);
+        return parsed != null ? parsed[0] : null;
+    }
+}

detectable/src/main/java/com/blackduck/integration/detectable/detectables/npm/cli/parse/NpmCliParser.java

@@ -1,10 +1,13 @@
 package com.blackduck.integration.detectable.detectables.npm.cli.parse;
 
+import java.util.HashMap;
+import java.util.Map;
 import java.util.Map.Entry;
 import java.util.Objects;
 import java.util.Optional;
 import java.util.Set;
 
+import org.apache.commons.collections4.MultiValuedMap;
 import org.apache.commons.lang3.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -17,6 +20,7 @@
 import com.blackduck.integration.bdio.model.externalid.ExternalIdFactory;
 import com.blackduck.integration.detectable.detectable.codelocation.CodeLocation;
 import com.blackduck.integration.detectable.detectable.util.EnumListFilter;
+import com.blackduck.integration.detectable.detectables.npm.NpmAliasParser;
 import com.blackduck.integration.detectable.detectables.npm.NpmDependencyType;
 import com.blackduck.integration.detectable.detectables.npm.lockfile.result.NpmPackagerResult;
 import com.blackduck.integration.detectable.detectables.npm.packagejson.CombinedPackageJson;
@@ -65,7 +69,10 @@ public NpmPackagerResult convertNpmJsonFileToCodeLocation(String npmLsOutput, Co
             projectVersion = projectVersionElement.getAsString();
         }
 
-        populateChildren(graph, null, npmJson.getAsJsonObject(JSON_DEPENDENCIES), true, combinedPackageJson);
+        // Build alias mapping once from package.json
+        Map<String, String> aliasMapping = buildAliasMapping(combinedPackageJson);
+
+        populateChildren(graph, null, npmJson.getAsJsonObject(JSON_DEPENDENCIES), true, combinedPackageJson, aliasMapping);
 
         ExternalId externalId = externalIdFactory.createNameVersionExternalId(Forge.NPMJS, projectName, projectVersion);
 
@@ -75,7 +82,46 @@ public NpmPackagerResult convertNpmJsonFileToCodeLocation(String npmLsOutput, Co
 
     }
 
-    private void populateChildren(DependencyGraph graph, Dependency parentDependency, JsonObject parentNodeChildren, boolean isRootDependency, CombinedPackageJson combinedPackageJson) {
+    /**
+     * Builds a mapping of alias names to actual package names from CombinedPackageJson.
+     * Scans all dependency maps (dependencies, devDependencies, peerDependencies, optionalDependencies)
+     * looking for entries with "npm:" prefix.
+     *
+     * @param combinedPackageJson The package.json data
+     * @return Map of alias name -> actual package name
+     */
+    private Map<String, String> buildAliasMapping(CombinedPackageJson combinedPackageJson) {
+        Map<String, String> aliasMapping = new HashMap<>();
+
+        // Check all dependency types for aliases
+        scanDependenciesForAliases(combinedPackageJson.getDependencies(), aliasMapping);
+        scanDependenciesForAliases(combinedPackageJson.getDevDependencies(), aliasMapping);
+        scanDependenciesForAliases(combinedPackageJson.getPeerDependencies(), aliasMapping);
+        scanDependenciesForAliases(combinedPackageJson.getOptionalDependencies(), aliasMapping);
+
+        return aliasMapping;
+    }
+
+    private void scanDependenciesForAliases(MultiValuedMap<String, String> dependencies, Map<String, String> aliasMapping) {
+        if (dependencies == null) {
+            return;
+        }
+
+        for (Map.Entry<String, String> entry : dependencies.entries()) {
+            String aliasName = entry.getKey();
+            String versionSpec = entry.getValue();
+
+            if (NpmAliasParser.isNpmAlias(versionSpec)) {
+                String actualPackageName = NpmAliasParser.extractPackageName(versionSpec);
+                if (actualPackageName != null) {
+                    aliasMapping.put(aliasName, actualPackageName);
+                    logger.debug("Found npm alias: {} -> {}", aliasName, actualPackageName);
+                }
+            }
+        }
+    }
+
+    private void populateChildren(DependencyGraph graph, Dependency parentDependency, JsonObject parentNodeChildren, boolean isRootDependency, CombinedPackageJson combinedPackageJson, Map<String, String> aliasMapping) {
         if (parentNodeChildren == null) {
             return;
         }
@@ -97,28 +143,32 @@ private void populateChildren(DependencyGraph graph, Dependency parentDependency
                     && combinedPackageJson.getOptionalDependencies().containsKey(elementEntry.getKey()));
                 return !excludingBecauseDev && !excludingBecausePeer && !excludingBecauseOptional;
             })
-            .forEach(elementEntry -> processChild(elementEntry, graph, parentDependency, isRootDependency, combinedPackageJson));
+            .forEach(elementEntry -> processChild(elementEntry, graph, parentDependency, isRootDependency, combinedPackageJson, aliasMapping));
     }
 
     private void processChild(
         Entry<String, JsonElement> elementEntry,
         DependencyGraph graph,
         Dependency parentDependency,
         boolean isRootDependency,
-        CombinedPackageJson combinedPackageJson
+        CombinedPackageJson combinedPackageJson,
+        Map<String, String> aliasMapping
     ) {
         JsonObject element = elementEntry.getValue().getAsJsonObject();
         String name = elementEntry.getKey();
+
+        // Check if this is an alias and resolve to actual package name
+        String actualName = aliasMapping.getOrDefault(name, name);
         String version = Optional.ofNullable(element.getAsJsonPrimitive(JSON_VERSION))
             .filter(JsonPrimitive::isString)
             .map(JsonPrimitive::getAsString)
             .orElse(null);
 
         JsonObject children = element.getAsJsonObject(JSON_DEPENDENCIES);
 
-        if (name != null && version != null) {
-            ExternalId externalId = externalIdFactory.createNameVersionExternalId(Forge.NPMJS, name, version);
-            Dependency child = new Dependency(name, version, externalId);
+        if (actualName != null && version != null) {
+            ExternalId externalId = externalIdFactory.createNameVersionExternalId(Forge.NPMJS, actualName, version);
+            Dependency child = new Dependency(actualName, version, externalId);
 
             // Any workspace dependency is considered a direct dependency
             boolean directWorkspaceDependency = false;
@@ -137,15 +187,15 @@ private void processChild(
                         combinedPackageJson.getRelativeWorkspaces().stream().anyMatch(workspace -> workspace.equals(convertedPossibleWorkspaceDependency));
             }
 
-            populateChildren(graph, child, children, directWorkspaceDependency, combinedPackageJson);
+            populateChildren(graph, child, children, directWorkspaceDependency, combinedPackageJson, aliasMapping);
 
             if (isRootDependency || directWorkspaceDependency) {
                 graph.addChildToRoot(child);
             } else {
                 graph.addParentWithChild(parentDependency, child);
             }
         } else {
-            logger.trace(String.format("Excluding Json Element missing name or version: { name: %s, version: %s }", name, version));
+            logger.trace(String.format("Excluding Json Element missing name or version: { name: %s, version: %s }", actualName, version));
         }
     }
 }

detectable/src/main/java/com/blackduck/integration/detectable/detectables/npm/packagejson/PackageJsonExtractor.java

@@ -21,6 +21,7 @@
 import com.blackduck.integration.detectable.detectable.codelocation.CodeLocation;
 import com.blackduck.integration.detectable.detectable.util.EnumListFilter;
 import com.blackduck.integration.detectable.detectable.util.SemVerComparator;
+import com.blackduck.integration.detectable.detectables.npm.NpmAliasParser;
 import com.blackduck.integration.detectable.detectables.npm.NpmDependencyType;
 import com.blackduck.integration.detectable.extraction.Extraction;
 import com.google.gson.Gson;
@@ -82,8 +83,8 @@ private List<Dependency> transformDependencies(MultiValuedMap<String, String> de
 
     private Dependency entryToDependency(String key, String value) {
         // Handle npm aliases: "alias-name": "npm:actual-package@version"
-        if (value.startsWith("npm:")) {
-            String[] parsed = parseNpmAlias(value);
+        String[] parsed = NpmAliasParser.parseNpmAlias(value);
+        if (parsed != null) {
             key = parsed[0];
             value = parsed[1];
         }
@@ -93,43 +94,6 @@ private Dependency entryToDependency(String key, String value) {
         return new Dependency(externalId);
     }
 
-    /**
-     * Parses an npm alias string to extract the actual package name and version specifier.
-     *
-     * Npm aliases have the format: "npm:package@version" or "npm:@scope/package@version"
-     * For scoped packages (starting with @), there are two @ symbols:
-     *   - First @ is part of the scope name
-     *   - Second @ (after the /) separates the package name from the version
-     *
-     * @param aliasValue The full alias string (e.g., "npm:package@^1.0.0" or "npm:@scope/package@^7.0.0")
-     * @return Array with [0] = package name, [1] = version specifier
-     */
-    private String[] parseNpmAlias(String aliasValue) {
-        String normalizedPackage = aliasValue.substring(4); // Remove "npm:" prefix
-        int versionAtIndex = -1;
-
-        // For scoped packages (e.g., @scope/package@^7.0.0), find the @ after the /
-        // For non-scoped packages (e.g., package@^1.0.0), find the first @
-        if (normalizedPackage.startsWith("@")) {
-            int slashIndex = normalizedPackage.indexOf('/');
-            if (slashIndex > 0) {
-                versionAtIndex = normalizedPackage.indexOf('@', slashIndex + 1);
-            }
-        } else {
-            versionAtIndex = normalizedPackage.indexOf('@');
-        }
-
-        if (versionAtIndex > 0) {
-            return new String[] {
-                normalizedPackage.substring(0, versionAtIndex),
-                normalizedPackage.substring(versionAtIndex + 1)
-            };
-        } else {
-            // No version specified (e.g., "npm:package" or "npm:@scope/package")
-            return new String[] { normalizedPackage, normalizedPackage };
-        }
-    }
-
     public String extractLowestVersion(String value) {
         SemVerComparator semVerComparator = new SemVerComparator();
 

detectable/src/test/java/com/blackduck/integration/detectable/detectables/npm/NpmAliasParserTest.java

@@ -0,0 +1,100 @@
+package com.blackduck.integration.detectable.detectables.npm;
+
+import static org.junit.jupiter.api.Assertions.assertArrayEquals;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+import org.junit.jupiter.api.Test;
+
+class NpmAliasParserTest {
+
+    @Test
+    void testParseNonScopedAlias() {
+        String aliasValue = "npm:actualpackage@^1.0.0";
+        String[] result = NpmAliasParser.parseNpmAlias(aliasValue);
+
+        assertArrayEquals(new String[] { "actualpackage", "^1.0.0" }, result);
+    }
+
+    @Test
+    void testParseScopedAlias() {
+        String aliasValue = "npm:@scope/package@^2.0.0";
+        String[] result = NpmAliasParser.parseNpmAlias(aliasValue);
+
+        assertArrayEquals(new String[] { "@scope/package", "^2.0.0" }, result);
+    }
+
+    @Test
+    void testParseAliasWithoutVersion() {
+        String aliasValue = "npm:package";
+        String[] result = NpmAliasParser.parseNpmAlias(aliasValue);
+
+        assertArrayEquals(new String[] { "package", "package" }, result);
+    }
+
+    @Test
+    void testParseScopedAliasWithoutVersion() {
+        String aliasValue = "npm:@scope/package";
+        String[] result = NpmAliasParser.parseNpmAlias(aliasValue);
+
+        assertArrayEquals(new String[] { "@scope/package", "@scope/package" }, result);
+    }
+
+    @Test
+    void testParseNonAlias() {
+        String regularValue = "^1.0.0";
+        String[] result = NpmAliasParser.parseNpmAlias(regularValue);
+
+        assertNull(result);
+    }
+
+    @Test
+    void testParseNullValue() {
+        String[] result = NpmAliasParser.parseNpmAlias(null);
+
+        assertNull(result);
+    }
+
+    @Test
+    void testIsNpmAlias() {
+        assertTrue(NpmAliasParser.isNpmAlias("npm:package@^1.0.0"));
+        assertTrue(NpmAliasParser.isNpmAlias("npm:@scope/package@^2.0.0"));
+        assertTrue(NpmAliasParser.isNpmAlias("npm:package"));
+    }
+
+    @Test
+    void testIsNotNpmAlias() {
+        assertFalse(NpmAliasParser.isNpmAlias("^1.0.0"));
+        assertFalse(NpmAliasParser.isNpmAlias("package"));
+        assertFalse(NpmAliasParser.isNpmAlias(null));
+        assertFalse(NpmAliasParser.isNpmAlias(""));
+    }
+
+    @Test
+    void testExtractPackageName() {
+        assertEquals("actualpackage", NpmAliasParser.extractPackageName("npm:actualpackage@^1.0.0"));
+        assertEquals("@scope/package", NpmAliasParser.extractPackageName("npm:@scope/package@^2.0.0"));
+        assertEquals("package", NpmAliasParser.extractPackageName("npm:package"));
+    }
+
+    @Test
+    void testExtractPackageNameFromNonAlias() {
+        assertNull(NpmAliasParser.extractPackageName("^1.0.0"));
+        assertNull(NpmAliasParser.extractPackageName(null));
+    }
+
+    @Test
+    void testParseComplexVersionSpecifiers() {
+        // Test with various version specifiers
+        String[] result1 = NpmAliasParser.parseNpmAlias("npm:package@~1.2.3");
+        assertArrayEquals(new String[] { "package", "~1.2.3" }, result1);
+
+        String[] result2 = NpmAliasParser.parseNpmAlias("npm:package@>=1.0.0");
+        assertArrayEquals(new String[] { "package", ">=1.0.0" }, result2);
+
+        String[] result3 = NpmAliasParser.parseNpmAlias("npm:@scope/package@1.2.3-beta.1");
+        assertArrayEquals(new String[] { "@scope/package", "1.2.3-beta.1" }, result3);
+    }
+}