Merge pull request #199 from sw360/193-keyerror-version-when-processing-package-lockjson-with-npm-workspaces

Keyerror version when processing package lockjson with npm workspaces

Author: tngraf

ChangeLog.md

@@ -8,6 +8,7 @@
 ## NEXT
 
 * `bom show` now also shows the group, if it exists.
+* Improve dependency detection in `getdependencies javascript`.
 * Fix issue in `project prerequisites` when reading an empty project.
 
 ## 2.10.0

capycli/dependencies/javascript.py

@@ -105,8 +105,9 @@ def get_dependency_lockversion3(self, data: Dict[str, Any], sbom: Bom) -> Bom:
                 if "dev" in dep:
                     isdev = dep["dev"]
 
+                version = dep.get("version", "")
                 if isdev:
-                    # LOG.debug("Ignoring dev dependency: " + key + "," + dep["version"])
+                    print_yellow("Ignoring dev dependency: " + key + "," + dep["version"])
                     continue
 
                 modified_key = ""
@@ -115,11 +116,14 @@ def get_dependency_lockversion3(self, data: Dict[str, Any], sbom: Bom) -> Bom:
                 else:
                     modified_key = key
 
-                LOG.debug("Checking dependency: " + modified_key + "," + dep["version"])
-                purl = PackageURL("npm", "", modified_key, dep["version"], "", "")
+                if dep.get("link", ""):
+                    print_yellow("Ignoring linked dependency: " + modified_key + "," + version)
+                    continue
+                LOG.debug("Checking dependency: " + modified_key + "," + version)
+                purl = PackageURL("npm", "", modified_key, version, "", "")
                 cxcomp = Component(
                     name=modified_key.strip(),
-                    version=dep["version"].strip(),
+                    version=version.strip(),
                     purl=purl,
                     bom_ref=purl.to_string())