
Function spdxOutput

deps/npm/lib/utils/sbom-spdx.js:22–102  ·  view source on GitHub ↗
({ npm, nodes, packageType })


// External-reference type identifier for package URLs ('purl'); the code
// that attaches it to SPDX external references lies outside this excerpt.
const REF_TYPE_PURL = 'purl'
21
22const spdxOutput = ({ npm, nodes, packageType }) => {
23 const rootNode = nodes.find(node => node.isRoot)
24 const childNodes = nodes.filter(node => !node.isRoot && !node.isLink)
25 const rootID = rootNode.pkgid
26 const uuid = crypto.randomUUID()
27 const ns = `http://spdx.org/spdxdocs/${npa(rootID).escapedName}-${rootNode.version}-${uuid}`
28
29 // Create list of child nodes w/ unique IDs
30 const childNodeMap = new Map()
31 for (const item of childNodes) {
32 const id = toSpdxID(item)
33 if (!childNodeMap.has(id)) {
34 childNodeMap.set(id, item)
35 }
36 }
37 const uniqueChildNodes = Array.from(childNodeMap.values())
38
39 const relationships = []
40 const seen = new Set()
41 for (let node of nodes) {
42 if (node.isLink) {
43 node = node.target
44 }
45
46 if (seen.has(node)) {
47 continue
48 }
49 seen.add(node)
50
51 // A node can have multiple outgoing edges resolving to the same
52 // `name@version` of the same edge type (e.g. via npm aliases), which
53 // would produce identical relationship triples. Dedupe per source node.
54 const seenRels = new Set()
55 const rels = [...node.edgesOut.values()]
56 // Filter out edges that are linking to nodes not in the list
57 .filter(edge => nodes.find(n => n === edge.to))
58 .map(edge => toSpdxRelationship(node, edge))
59 .filter(rel => rel)
60 .filter(rel => {
61 const key = `${rel.spdxElementId}|${rel.relatedSpdxElement}|${rel.relationshipType}`
62 if (seenRels.has(key)) {
63 return false
64 }
65 seenRels.add(key)
66 return true
67 })
68
69 relationships.push(...rels)
70 }
71
72 const extraRelationships = nodes.filter(node => node.extraneous)
73 .map(node => toSpdxRelationship(rootNode, { to: node, type: 'optional' }))
74
75 relationships.push(...extraRelationships)
76
77 const bom = {
78 spdxVersion: SPDX_SCHEMA_VERSION,
79 dataLicense: SPDX_DATA_LICENSE,

Callers 2

#buildResponseMethod · 0.85
sbom-spdx.jsFile · 0.85

Calls 12

toSpdxIDFunction · 0.85
toSpdxRelationshipFunction · 0.85
toSpdxItemFunction · 0.85
findMethod · 0.65
filterMethod · 0.65
hasMethod · 0.65
addMethod · 0.65
mapMethod · 0.65
setMethod · 0.45
fromMethod · 0.45
valuesMethod · 0.45
pushMethod · 0.45

Tested by

no test coverage detected
