feat(packagejson): move logic to find files from Trivy

pkg/nodejs/packagejson/parse.go

@@ -3,6 +3,7 @@ package packagejson
 import (
 	"encoding/json"
 	"io"
+	"strings"
 
 	"github.com/aquasecurity/go-dep-parser/pkg/types"
 	"github.com/aquasecurity/go-dep-parser/pkg/utils"
@@ -71,6 +72,27 @@ func parseLicense(val interface{}) types.Licenses {
 			license = l.(string)
 		}
 	}
-	// NPM uses SPDX licenses and expressions - https://docs.npmjs.com/cli/v10/configuring-npm/package-json#license
-	return types.LicensesFromString(license, types.NameLicenseType)
+
+	// If the license is missing, it may be stored in the `LICENSE` file.
+	if license == "" {
+		return types.LicensesFromString("LICENSE", types.LicenseTypeFile)
+	}
+
+	// The license field can refer to a file:
+	// https://docs.npmjs.com/cli/v9/configuring-npm/package-json#license
+	var licenseFileName string
+	if strings.HasPrefix(license, "LicenseRef-") {
+		// LicenseRef-<filename>
+		licenseFileName = strings.Split(license, "-")[1]
+	} else if strings.HasPrefix(license, "SEE LICENSE IN ") {
+		// SEE LICENSE IN <filename>
+		parts := strings.Split(license, " ")
+		licenseFileName = parts[len(parts)-1]
+	}
+
+	if licenseFileName != "" {
+		return types.LicensesFromString(licenseFileName, types.LicenseTypeFile)
+	}
+
+	return types.LicensesFromString(license, types.LicenseTypeName)
 }

pkg/nodejs/packagejson/parse_test.go

@@ -2,7 +2,6 @@ package packagejson_test
 
 import (
 	"os"
-	"path"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -34,7 +33,7 @@ func TestParse(t *testing.T) {
 					Version: "5.0.2",
 					Licenses: types.Licenses{
 						{
-							Type:  types.NameLicenseType,
+							Type:  types.LicenseTypeName,
 							Value: "MIT",
 						},
 					},
@@ -65,7 +64,7 @@ func TestParse(t *testing.T) {
 					Version: "4.1.2",
 					Licenses: types.Licenses{
 						{
-							Type:  types.NameLicenseType,
+							Type:  types.LicenseTypeName,
 							Value: "ISC",
 						},
 					},
@@ -84,6 +83,46 @@ func TestParse(t *testing.T) {
 				Library: types.Library{
 					ID:   "",
 					Name: "angular",
+					Licenses: types.Licenses{
+						{
+							Type:  types.LicenseTypeFile,
+							Value: "LICENSE",
+						},
+					},
+				},
+			},
+		},
+		{
+			name:      "happy path - licenseRef is used",
+			inputFile: "testdata/license-ref.json",
+			want: packagejson.Package{
+				Library: types.Library{
+					ID:      "[email protected]",
+					Name:    "package-b",
+					Version: "0.0.1",
+					Licenses: types.Licenses{
+						{
+							Type:  types.LicenseTypeFile,
+							Value: "LICENSE.txt",
+						},
+					},
+				},
+			},
+		},
+		{
+			name:      "happy path - 'SEE LICENSE IN` is used",
+			inputFile: "testdata/see-license.json",
+			want: packagejson.Package{
+				Library: types.Library{
+					ID:      "[email protected]",
+					Name:    "package-c",
+					Version: "0.0.1",
+					Licenses: types.Licenses{
+						{
+							Type:  types.LicenseTypeFile,
+							Value: "LICENSE.md",
+						},
+					},
 				},
 			},
 		},
@@ -104,7 +143,7 @@ func TestParse(t *testing.T) {
 				Library: types.Library{
 					Licenses: types.Licenses{
 						{
-							Type:  types.NameLicenseType,
+							Type:  types.LicenseTypeName,
 							Value: "MIT",
 						},
 					},
@@ -114,7 +153,7 @@ func TestParse(t *testing.T) {
 	}
 
 	for _, v := range vectors {
-		t.Run(path.Base(v.name), func(t *testing.T) {
+		t.Run(v.name, func(t *testing.T) {
 			f, err := os.Open(v.inputFile)
 			require.NoError(t, err)
 			defer f.Close()

pkg/nodejs/packagejson/testdata/license-ref.json

@@ -0,0 +1,5 @@
+{
+  "name": "package-b",
+  "version": "0.0.1",
+  "license": "LicenseRef-LICENSE.txt"
+}

pkg/nodejs/packagejson/testdata/see-license.json

@@ -0,0 +1,5 @@
+{
+  "name": "package-c",
+  "version": "0.0.1",
+  "license": "SEE LICENSE IN LICENSE.md"
+}