🐛 read package.json from root path (#6181)

chris-rock · Bajusz15 · web-flow · commit 335f974365de · 2025-11-19T10:45:19.000+01:00
* 🐛 also read root path of the node package, this allows us to work with unresolved packages as well

* add tests

---------

Co-authored-by: Máté Bajusz &lt;mate@mondoo.com&gt;
diff --git a/providers/os/resources/npm.go b/providers/os/resources/npm.go
@@ -73,13 +73,39 @@ func collectNpmPackagesInPaths(runtime *plugin.Runtime, fs afero.Fs, paths []str
 	var transitivePackageList []*languages.Package
 	evidenceFiles := []string{}
 
+	handler := func(nodeModulesPath string) {
+		// Not found is an expected error and we handle that properly
+		bom, err := collectNpmPackages(runtime, fs, nodeModulesPath)
+		if err != nil {
+			return
+		}
+
+		root := bom.Root()
+		if root != nil {
+			directPackageList = append(directPackageList, root)
+		}
+		transitive := bom.Transitive()
+		if transitive != nil {
+			transitivePackageList = append(transitivePackageList, transitive...)
+		}
+	}
+
 	log.Debug().Msg("searching for npm packages in default locations")
 	err := fsutil.WalkGlob(fs, paths, func(fs afero.Fs, walkPath string) error {
 		afs := &afero.Afero{Fs: fs}
 
+		// check root directory
+		handler(walkPath)
+
+		// if we have a lock file, we do not need to check for node_modules directory
+		if hasLockfile(runtime, fs, walkPath) {
+			return nil
+		}
+
 		// we walk through the directories and check if there is a node_modules directory
 		log.Debug().Str("path", walkPath).Msg("found npm package")
 		nodeModulesPath := filepath.Join(walkPath, "node_modules")
+
 		files, err := afs.ReadDir(nodeModulesPath)
 		if err != nil {
 			// we ignore the error, it is expected that there is no node_modules directory
@@ -94,21 +120,7 @@ func collectNpmPackagesInPaths(runtime *plugin.Runtime, fs afero.Fs, paths []str
 			}
 
 			log.Debug().Str("path", p).Msg("checking for package-lock.json or package.json file")
-
-			// Not found is an expected error and we handle that properly
-			bom, err := collectNpmPackages(runtime, fs, filepath.Join(nodeModulesPath, p))
-			if err != nil {
-				continue
-			}
-
-			root := bom.Root()
-			if root != nil {
-				directPackageList = append(directPackageList, root)
-			}
-			transitive := bom.Transitive()
-			if transitive != nil {
-				transitivePackageList = append(transitivePackageList, transitive...)
-			}
+			handler(filepath.Join(nodeModulesPath, p))
 		}
 		return nil
 	})
@@ -118,6 +130,34 @@ func collectNpmPackagesInPaths(runtime *plugin.Runtime, fs afero.Fs, paths []str
 	return directPackageList, transitivePackageList, evidenceFiles, nil
 }
 
+// hasLockfile checks for the lock files
+func hasLockfile(runtime *plugin.Runtime, fs afero.Fs, path string) bool {
+	// specific path was provided
+	afs := &afero.Afero{Fs: fs}
+	isDir, err := afs.IsDir(path)
+	if err != nil {
+		return false
+	}
+
+	searchPaths := []string{}
+	if isDir {
+		// check if there is a package-lock.json or package.json file
+		searchPaths = append(searchPaths, filepath.Join(path, "/package-lock.json"))
+	} else if strings.HasSuffix(path, "package-lock.json") {
+		searchPaths = append(searchPaths, path)
+	}
+
+	// filter out non-existing files using the new slice package
+	filteredSearchPath := []string{}
+	for i := range searchPaths {
+		exists, _ := afs.Exists(searchPaths[i])
+		if exists {
+			filteredSearchPath = append(filteredSearchPath, searchPaths[i])
+		}
+	}
+	return len(filteredSearchPath) > 0
+}
+
 func collectNpmPackages(runtime *plugin.Runtime, fs afero.Fs, path string) (languages.Bom, error) {
 	// specific path was provided
 	afs := &afero.Afero{Fs: fs}
diff --git a/providers/os/resources/npm_test.go b/providers/os/resources/npm_test.go
@@ -14,6 +14,7 @@ import (
 	"go.mondoo.com/cnquery/v12/providers-sdk/v1/inventory"
 	"go.mondoo.com/cnquery/v12/providers-sdk/v1/plugin"
 	"go.mondoo.com/cnquery/v12/providers/os/connection/fs"
+	"go.mondoo.com/cnquery/v12/providers/os/resources/languages"
 	"go.mondoo.com/cnquery/v12/types"
 	"go.mondoo.com/cnquery/v12/utils/syncx"
 )
@@ -96,3 +97,223 @@ func (p *providerCallbacks) GetRecording(req *plugin.DataReq) (*plugin.ResourceD
 func (p *providerCallbacks) Collect(req *plugin.DataRes) error {
 	return nil
 }
+
+func TestCollectNpmPackagesInPaths(t *testing.T) {
+	tests := []struct {
+		name     string
+		setup    func(*testing.T, afero.Fs) string
+		validate func(*testing.T, []*languages.Package, []*languages.Package, []string)
+	}{
+		{
+			name: "root package.json, no lock file, no node_modules",
+			setup: func(t *testing.T, mockFS afero.Fs) string {
+				// Create a test project directory with package.json at root (no lock file, no node_modules)
+				testProjectPath := "/app"
+				err := mockFS.MkdirAll(testProjectPath, 0o755)
+				require.NoError(t, err)
+
+				// Create a simple package.json at root
+				rootPackageJSON := `{
+					"name": "test-app",
+					"version": "1.0.0",
+					"dependencies": {
+						"lodash": "^4.17.21"
+					}
+				}`
+				err = afero.WriteFile(mockFS, filepath.Join(testProjectPath, "package.json"), []byte(rootPackageJSON), 0o644)
+				require.NoError(t, err)
+				return testProjectPath
+			},
+			validate: func(t *testing.T, direct, transitive []*languages.Package, evidenceFiles []string) {
+				require.Empty(t, evidenceFiles)
+				require.Greater(t, len(direct), 0, "should find at least the root package")
+
+				foundRoot := false
+				for _, pkg := range direct {
+					if pkg.Name == "test-app" {
+						foundRoot = true
+						require.Equal(t, "1.0.0", pkg.Version)
+						break
+					}
+				}
+				require.True(t, foundRoot, "should find root package 'test-app'")
+			},
+		},
+		{
+			name: "with lock file",
+			setup: func(t *testing.T, mockFS afero.Fs) string {
+				// Create a test project with package-lock.json at root
+				testProjectPath := "/app"
+				err := mockFS.MkdirAll(testProjectPath, 0o755)
+				require.NoError(t, err)
+
+				// Create package.json at root
+				rootPackageJSON := `{
+					"name": "test-app",
+					"version": "1.0.0"
+				}`
+				err = afero.WriteFile(mockFS, filepath.Join(testProjectPath, "package.json"), []byte(rootPackageJSON), 0o644)
+				require.NoError(t, err)
+
+				// Create package-lock.json at root (this should cause node_modules to be skipped)
+				packageLockJSON := `{
+					"name": "test-app",
+					"version": "1.0.0",
+					"lockfileVersion": 2
+				}`
+				err = afero.WriteFile(mockFS, filepath.Join(testProjectPath, "package-lock.json"), []byte(packageLockJSON), 0o644)
+				require.NoError(t, err)
+
+				// Create node_modules directory with a package (should be skipped due to lock file)
+				err = mockFS.MkdirAll(filepath.Join(testProjectPath, "node_modules", "some-package"), 0o755)
+				require.NoError(t, err)
+				nodeModulesPackageJSON := `{
+					"name": "some-package",
+					"version": "2.0.0"
+				}`
+				err = afero.WriteFile(mockFS, filepath.Join(testProjectPath, "node_modules", "some-package", "package.json"), []byte(nodeModulesPackageJSON), 0o644)
+				require.NoError(t, err)
+				return testProjectPath
+			},
+			validate: func(t *testing.T, direct, transitive []*languages.Package, evidenceFiles []string) {
+				require.Empty(t, evidenceFiles)
+				require.Greater(t, len(direct), 0, "should find at least the root package")
+
+				// Should NOT find the node_modules package (because lock file exists)
+				foundNodeModulesPackage := false
+				for _, pkg := range direct {
+					if pkg.Name == "some-package" {
+						foundNodeModulesPackage = true
+						break
+					}
+				}
+				require.False(t, foundNodeModulesPackage, "should not find node_modules package when lock file exists")
+			},
+		},
+		{
+			name: "root and node_modules, no lock file",
+			setup: func(t *testing.T, mockFS afero.Fs) string {
+				// Create a test project with both root package.json and node_modules
+				testProjectPath := "/app"
+				err := mockFS.MkdirAll(testProjectPath, 0o755)
+				require.NoError(t, err)
+
+				// Create package.json at root (no lock file)
+				rootPackageJSON := `{
+					"name": "test-app",
+					"version": "1.0.0"
+				}`
+				err = afero.WriteFile(mockFS, filepath.Join(testProjectPath, "package.json"), []byte(rootPackageJSON), 0o644)
+				require.NoError(t, err)
+
+				// Create node_modules directory with a package (should be checked since no lock file)
+				err = mockFS.MkdirAll(filepath.Join(testProjectPath, "node_modules", "lodash"), 0o755)
+				require.NoError(t, err)
+
+				// Read test data for a real package
+				yoPkg, err := os.ReadFile(filepath.Join("packages", "testdata", "yo_package.json"))
+				require.NoError(t, err)
+				err = afero.WriteFile(mockFS, filepath.Join(testProjectPath, "node_modules", "lodash", "package.json"), yoPkg, 0o644)
+				require.NoError(t, err)
+				return testProjectPath
+			},
+			validate: func(t *testing.T, direct, transitive []*languages.Package, evidenceFiles []string) {
+				require.Empty(t, evidenceFiles)
+				// Should find packages from both root and node_modules
+				require.Greater(t, len(direct)+len(transitive), 0, "should find packages from root and/or node_modules")
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			mockFS := afero.NewMemMapFs()
+			testProjectPath := tt.setup(t, mockFS)
+
+			conn, err := fs.NewFileSystemConnectionWithFs(0, &inventory.Config{}, &inventory.Asset{}, "", nil, mockFS)
+			require.NoError(t, err)
+
+			r := &plugin.Runtime{
+				Resources:  &syncx.Map[plugin.Resource]{},
+				Connection: conn,
+				Callback:   &providerCallbacks{},
+			}
+
+			direct, transitive, evidenceFiles, err := collectNpmPackagesInPaths(r, conn.FileSystem(), []string{testProjectPath})
+			require.NoError(t, err)
+
+			tt.validate(t, direct, transitive, evidenceFiles)
+		})
+	}
+}
+
+// TestCollectNpmPackagesInPaths_filtering tests the filtering logic for non-existent paths
+func TestCollectNpmPackagesInPaths_skipsNoneExistentPaths(t *testing.T) {
+	mockFS := afero.NewMemMapFs()
+
+	// Create a valid path with package.json
+	validPath := "/app1"
+	err := mockFS.MkdirAll(validPath, 0o755)
+	require.NoError(t, err)
+
+	rootPackageJSON := `{
+		"name": "test-app-1",
+		"version": "1.0.0"
+	}`
+	err = afero.WriteFile(mockFS, filepath.Join(validPath, "package.json"), []byte(rootPackageJSON), 0o644)
+	require.NoError(t, err)
+
+	// Create another valid path with package.json
+	validPath2 := "/app2"
+	err = mockFS.MkdirAll(validPath2, 0o755)
+	require.NoError(t, err)
+
+	rootPackageJSON2 := `{
+		"name": "test-app-2",
+		"version": "2.0.0"
+	}`
+	err = afero.WriteFile(mockFS, filepath.Join(validPath2, "package.json"), []byte(rootPackageJSON2), 0o644)
+	require.NoError(t, err)
+
+	conn, err := fs.NewFileSystemConnectionWithFs(0, &inventory.Config{}, &inventory.Asset{}, "", nil, mockFS)
+	require.NoError(t, err)
+
+	r := &plugin.Runtime{
+		Resources:  &syncx.Map[plugin.Resource]{},
+		Connection: conn,
+		Callback:   &providerCallbacks{},
+	}
+
+	// Test with multiple paths: some exist, some don't
+	// This tests the filtering logic in collectNpmPackages and hasLockfile
+	paths := []string{
+		validPath,            // exists
+		"/nonexistent/path1", // doesn't exist
+		validPath2,           // exists
+		"/nonexistent/path2", // doesn't exist
+		"/another/missing",   // doesn't exist
+	}
+
+	direct, _, evidenceFiles, err := collectNpmPackagesInPaths(r, conn.FileSystem(), paths)
+	require.NoError(t, err)
+	require.Empty(t, evidenceFiles)
+
+	// Should find packages from existing paths only
+	require.Greater(t, len(direct), 0, "should find packages from existing paths")
+
+	// Verify we found both valid packages
+	foundApp1 := false
+	foundApp2 := false
+	for _, pkg := range direct {
+		if pkg.Name == "test-app-1" {
+			foundApp1 = true
+			require.Equal(t, "1.0.0", pkg.Version)
+		}
+		if pkg.Name == "test-app-2" {
+			foundApp2 = true
+			require.Equal(t, "2.0.0", pkg.Version)
+		}
+	}
+	require.True(t, foundApp1, "should find test-app-1 from valid path")
+	require.True(t, foundApp2, "should find test-app-2 from valid path")
+}
