({ npm, nodes, packageType })
| 20 | const REF_TYPE_PURL = 'purl' |
| 21 | |
| 22 | const spdxOutput = ({ npm, nodes, packageType }) => { |
| 23 | const rootNode = nodes.find(node => node.isRoot) |
| 24 | const childNodes = nodes.filter(node => !node.isRoot && !node.isLink) |
| 25 | const rootID = rootNode.pkgid |
| 26 | const uuid = crypto.randomUUID() |
| 27 | const ns = `http://spdx.org/spdxdocs/${npa(rootID).escapedName}-${rootNode.version}-${uuid}` |
| 28 | |
| 29 | // Create list of child nodes w/ unique IDs |
| 30 | const childNodeMap = new Map() |
| 31 | for (const item of childNodes) { |
| 32 | const id = toSpdxID(item) |
| 33 | if (!childNodeMap.has(id)) { |
| 34 | childNodeMap.set(id, item) |
| 35 | } |
| 36 | } |
| 37 | const uniqueChildNodes = Array.from(childNodeMap.values()) |
| 38 | |
| 39 | const relationships = [] |
| 40 | const seen = new Set() |
| 41 | for (let node of nodes) { |
| 42 | if (node.isLink) { |
| 43 | node = node.target |
| 44 | } |
| 45 | |
| 46 | if (seen.has(node)) { |
| 47 | continue |
| 48 | } |
| 49 | seen.add(node) |
| 50 | |
| 51 | // A node can have multiple outgoing edges resolving to the same |
| 52 | // `name@version` of the same edge type (e.g. via npm aliases), which |
| 53 | // would produce identical relationship triples. Dedupe per source node. |
| 54 | const seenRels = new Set() |
| 55 | const rels = [...node.edgesOut.values()] |
| 56 | // Filter out edges that are linking to nodes not in the list |
| 57 | .filter(edge => nodes.find(n => n === edge.to)) |
| 58 | .map(edge => toSpdxRelationship(node, edge)) |
| 59 | .filter(rel => rel) |
| 60 | .filter(rel => { |
| 61 | const key = `${rel.spdxElementId}|${rel.relatedSpdxElement}|${rel.relationshipType}` |
| 62 | if (seenRels.has(key)) { |
| 63 | return false |
| 64 | } |
| 65 | seenRels.add(key) |
| 66 | return true |
| 67 | }) |
| 68 | |
| 69 | relationships.push(...rels) |
| 70 | } |
| 71 | |
| 72 | const extraRelationships = nodes.filter(node => node.extraneous) |
| 73 | .map(node => toSpdxRelationship(rootNode, { to: node, type: 'optional' })) |
| 74 | |
| 75 | relationships.push(...extraRelationships) |
| 76 | |
| 77 | const bom = { |
| 78 | spdxVersion: SPDX_SCHEMA_VERSION, |
| 79 | dataLicense: SPDX_DATA_LICENSE, |