[BUG] Generated bom fails to include package luxon

[tomsontom]

Describe the bug

If luxon is used in the application. The plugin fails include it in the output.

To Reproduce

Setup

git clone https://github.com/CycloneDX/cyclonedx-webpack-plugin.git
cd cyclonedx-webpack-plugin
npm install
cd tests/integration/webpack5-angular13
npm install --save luxon
npm install --save-dev @types/luxon

Use luxon

Change app.component.ts to look like this:

import { Component } from '@angular/core';
import { DateTime } from 'luxon'; 

console.log(DateTime.now());

@Component({
  selector: 'app-root',
  templateUrl: './app.component.html',
  styleUrls: ['./app.component.css']
})
export class AppComponent {
  title = '@cyclonedx-weboack-plugin-tests/example-webpack5-angular13';
}

Run build

npm run build

Expected behavior

I would expect that dist/.bom/bom.json to contain luxon

Screenshots or output-paste

luxon not contained

Environment

• @cyclonedx/webpack-plugin version: current main-branch
• webpack version: 5.76.1
• Node version: 18.16.0
• OS: mac osx

Additional context

The reason luxon is not contained in the output is that "node_modules/luxon/src" contains a filed named "package.json" with the following content

{
  "type": "module",
  "version": "3.4.4"
}

See https://github.com/moment/luxon/blob/3125686af82d9a25c7267a1cf1eb838a3d41144f/src/package.json#L1 and so cyclone is unable to find a name and skips luxon in the output.

A possible fix would be to make

cyclonedx-webpack-plugin/src/_helpers.ts

Line 28 in ac87cd7

export function getPackageDescription (path: string): PackageDescription | undefined {

smarter and check if there's a name and version and search on if none is in the loaded package.json

[jkowalleck]

see

• Missing "luxon" in BOM file #778
• [BUG]: package normalization might cause crashes #745

[jkowalleck]

A possible fix would be to make [getPackageDescription] smarter and check if there's a name and version and search on if none is in the loaded package.json

nope. not intended for now. see #778 (comment)

A fix would be, if "luxon" added a (proper) name to the package they defined in luxon/src/package.json

[jkowalleck]

💁
the example from the provided To Reproduce section caused the following SBOM files:
bom.from-example.zip

[jkowalleck]

possible solution: if component has no name, then add it anyway with a name like component at [relative path to package.json].

[jkowalleck]

@tomsontom could you pullrequest/help shape a setup for regression tests?
something similar to https://github.com/CycloneDX/cyclonedx-webpack-plugin/tree/master/tests/integration/regression-issue745

[tomsontom]

I'll take a look next week

[jkowalleck]

should be fixed by #1284