Support curation npm tree calc by package-lock only

go.mod

@@ -95,4 +95,6 @@ require (
 
 // replace github.com/jfrog/build-info-go => github.com/jfrog/build-info-go v1.8.9-0.20230905120411-62d1bdd4eb38
 
+replace github.com/jfrog/build-info-go => github.com/asafambar/build-info-go v1.8.9-0.20230912212926-cf07082371c0
+
 // replace github.com/jfrog/gofrog => github.com/jfrog/gofrog v1.2.6-0.20230418122323-2bf299dd6d27

go.sum

@@ -60,6 +60,8 @@ github.com/andybalholm/brotli v1.0.1/go.mod h1:loMXtMfwqflxFJPmdbJO0a3KNoPuLBgiu
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
 github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
+github.com/asafambar/build-info-go v1.8.9-0.20230912212926-cf07082371c0 h1:9zBIe6NHZ8pedSPyRAtQrzC856bztt7M9ndWFZnRNBg=
+github.com/asafambar/build-info-go v1.8.9-0.20230912212926-cf07082371c0/go.mod h1:ujJ8XQZMdT2tMkLSMJNyDd1pCY+duwHdjV+9or9FLIg=
 github.com/bradleyjkemp/cupaloy/v2 v2.8.0 h1:any4BmKE+jGIaMpnU8YgH/I2LPiLBufr6oMMlVBbn9M=
 github.com/buger/jsonparser v1.1.1 h1:2PnMjfWD7wBILjqQbt530v576A/cAbQvEW9gGIpYMUs=
 github.com/buger/jsonparser v1.1.1/go.mod h1:6RYKKt7H4d4+iWqouImQ9R2FZql3VbhNgx27UK13J/0=
@@ -194,8 +196,6 @@ github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOl
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
 github.com/jedib0t/go-pretty/v6 v6.4.7 h1:lwiTJr1DEkAgzljsUsORmWsVn5MQjt1BPJdPCtJ6KXE=
 github.com/jedib0t/go-pretty/v6 v6.4.7/go.mod h1:Ndk3ase2CkQbXLLNf5QDHoYb6J9WtVfmHZu9n8rk2xs=
-github.com/jfrog/build-info-go v1.9.10 h1:uXnDLVxpqxoAMpXcki00QaBB+M2BoGMMpHODPkmmYOY=
-github.com/jfrog/build-info-go v1.9.10/go.mod h1:ujJ8XQZMdT2tMkLSMJNyDd1pCY+duwHdjV+9or9FLIg=
 github.com/jfrog/gofrog v1.3.0 h1:o4zgsBZE4QyDbz2M7D4K6fXPTBJht+8lE87mS9bw7Gk=
 github.com/jfrog/gofrog v1.3.0/go.mod h1:IFMc+V/yf7rA5WZ74CSbXe+Lgf0iApEQLxRZVzKRUR0=
 github.com/jfrog/jfrog-client-go v1.32.1 h1:RQmuPSLsF5222vZJzwkgHSZMMJF83ExS7SwIvh4P+H8=

xray/commands/audit/sca/npm/npm.go

@@ -5,6 +5,7 @@ import (
 	buildinfo "github.com/jfrog/build-info-go/entities"
 	"github.com/jfrog/jfrog-cli-core/v2/utils/coreutils"
 	"github.com/jfrog/jfrog-cli-core/v2/xray/commands/audit/sca"
+	xrayutils "github.com/jfrog/jfrog-cli-core/v2/xray/utils"
 	"github.com/jfrog/jfrog-client-go/utils/log"
 	xrayUtils "github.com/jfrog/jfrog-client-go/xray/services/utils"
 	"golang.org/x/exp/slices"
@@ -15,7 +16,7 @@ const (
 	ignoreScriptsFlag        = "--ignore-scripts"
 )
 
-func BuildDependencyTree(npmArgs []string) (dependencyTrees []*xrayUtils.GraphNode, uniqueDeps []string, err error) {
+func BuildDependencyTree(params *xrayutils.AuditBasicParams) (dependencyTrees []*xrayUtils.GraphNode, uniqueDeps []string, err error) {
 	currentDir, err := coreutils.GetWorkingDirectory()
 	if err != nil {
 		return
@@ -28,10 +29,18 @@ func BuildDependencyTree(npmArgs []string) (dependencyTrees []*xrayUtils.GraphNo
 	if err != nil {
 		return
 	}
-	npmArgs = addIgnoreScriptsFlag(npmArgs)
-
+	treeDepsParam := biutils.NpmTreeDepListParam{
+		Args: addIgnoreScriptsFlag([]string{}),
+	}
+	if params != nil {
+		treeDepsParam = biutils.NpmTreeDepListParam{
+			Args:                 addIgnoreScriptsFlag(params.Args()),
+			IgnoreNodeModules:    params.NpmIgnoreNodeModules(),
+			OverWritePackageLock: params.NpmOverwritePackageLock(),
+		}
+	}
 	// Calculate npm dependencies
-	dependenciesMap, err := biutils.CalculateDependenciesMap(npmExecutablePath, currentDir, packageInfo.BuildInfoModuleId(), npmArgs, log.Logger)
+	dependenciesMap, err := biutils.CalculateDependenciesMap(npmExecutablePath, currentDir, packageInfo.BuildInfoModuleId(), treeDepsParam, log.Logger)
 	if err != nil {
 		log.Info("Used npm version:", npmVersion.GetVersion())
 		return

xray/commands/audit/sca/npm/npm_test.go

@@ -115,6 +115,6 @@ func TestIgnoreScripts(t *testing.T) {
 
 	// The package.json file contain a postinstall script running an "exit 1" command.
 	// Without the "--ignore-scripts" flag, the test will fail.
-	_, _, err := BuildDependencyTree([]string{})
+	_, _, err := BuildDependencyTree(nil)
 	assert.NoError(t, err)
 }

xray/commands/audit/scarunner.go

@@ -142,7 +142,7 @@ func GetTechDependencyTree(params *xrayutils.AuditBasicParams, tech coreutils.Te
 	case coreutils.Maven, coreutils.Gradle:
 		fullDependencyTrees, uniqueDeps, err = java.BuildDependencyTree(params, tech)
 	case coreutils.Npm:
-		fullDependencyTrees, uniqueDeps, err = npm.BuildDependencyTree(params.Args())
+		fullDependencyTrees, uniqueDeps, err = npm.BuildDependencyTree(params)
 	case coreutils.Yarn:
 		fullDependencyTrees, uniqueDeps, err = yarn.BuildDependencyTree()
 	case coreutils.Go:

xray/utils/auditbasicparams.go

@@ -18,6 +18,8 @@ type AuditBasicParams struct {
 	args                    []string
 	depsRepo                string
 	ignoreConfigFile        bool
+	npmIgnoreNodeModules    bool
+	npmOverWritePackageLock bool
 }
 
 func (abp *AuditBasicParams) DirectDependencies() []string {
@@ -60,6 +62,14 @@ func (abp *AuditBasicParams) UseWrapper() bool {
 	return abp.useWrapper
 }
 
+func (abp *AuditBasicParams) NpmIgnoreNodeModules() bool {
+	return abp.npmIgnoreNodeModules
+}
+
+func (abp *AuditBasicParams) NpmOverwritePackageLock() bool {
+	return abp.npmOverWritePackageLock
+}
+
 func (abp *AuditBasicParams) SetUseWrapper(useWrapper bool) *AuditBasicParams {
 	abp.useWrapper = useWrapper
 	return abp
@@ -131,3 +141,13 @@ func (abp *AuditBasicParams) SetIgnoreConfigFile(ignoreConfigFile bool) *AuditBa
 	abp.ignoreConfigFile = ignoreConfigFile
 	return abp
 }
+
+func (abp *AuditBasicParams) SetNpmIgnoreNodeModules(ignoreNpmNodeModules bool) *AuditBasicParams {
+	abp.npmIgnoreNodeModules = ignoreNpmNodeModules
+	return abp
+}
+
+func (abp *AuditBasicParams) SetNpmOverwritePackageLock(overwritePackageLock bool) *AuditBasicParams {
+	abp.npmOverWritePackageLock = overwritePackageLock
+	return abp
+}