fix: wrong coordinates, npm v7+ lockfile & audit compatibility, SPDX evaluation & license additions (AGPL-3.0-only, Python-2.0, Ruby, Sleepycat, UPL-1.0, Vim, W3C, X11, Zlib) (#253)

* Fix: wrong package coordinates sent to NCM API

# Fix: wrong package coordinates sent to NCM API

## Summary

| # | Report | Status | Where |
|---|---|---|---|
| 1 | "sending odd packages versions to the API like this one jwt version 0.0.0" | Fixed | `lib/ncm-analyze-tree.js`, `commands/report.js` |
| 2 | `NCM_TOKEN=… NCM_API=… ncm` "with no success" | Not a bug; documented below | — |
| 3 | "still a diff on npm audit and ncm report" | Fixed (root cause shared with #1) | `lib/ncm-analyze-tree.js` |
| 4 | "we would need to investigate if our vulnDB has all the vulns" | Now meaningfully testable | see below |

Tests: **24 / 24** pass (`npm run test-only`).

---

## Root cause (issues 1 & 3)

`lib/ncm-analyze-tree.js` had been rewritten to use
[`dependency-tree`](https://www.npmjs.com/package/dependency-tree) — a
**source-code import analyzer** — instead of
[`universal-module-tree`](https://www.npmjs.com/package/universal-module-tree),
which walks the real npm dependency graph
(`package-lock.json` → `yarn.lock` → `node_modules`).

Three concrete defects in that code produced the payloads the user saw:

1. **Filename-as-package-name with placeholder version.** `dependency-tree`
   returns resolved file paths. The replacement code turned each path
   into a "package":

   ```js
   const name = path.basename(dep, path.extname(dep));
   const childNode = {
     data: { name, version: '0.0.0' }, // hard-coded
     children: []
   };
   ```

   So `jsonwebtoken.js` → `jwt @ 0.0.0`, `index.js` → `index @ 0.0.0`,
   and similar. That is the exact `jwt version 0.0.0` entry the user
   saw going out.

2. **Range-string fallback also produced `0.0.0`.** The auxiliary
   `getNpmDependencies` helper only read direct deps from `package.json`
   and did:

   ```js
   const cleanVersion = version.replace(/[^\d.]/g, '') || version;
   ```

   For `"latest"`, `"file:…"`, `"git+https://…"`, `"workspace:*"`, etc.
   the strip leaves `''` and the `||` fallback is still non-semver —
   so those deps were emitted as `name @ 0.0.0` too.

3. **Missing transitive deps.** `dependency-tree` only surfaces files
   the entry point actually `require()`s, and the `package.json`
   fallback only listed direct dependencies. The full transitive
   graph was never walked. This is the direct mechanical cause of the
   diff vs `npm audit`.

4. **`commands/report.js` had been patched to hide the fallout.** Any
   `null` / `undefined` `version` returned by the NCM service was
   coerced to `'0.0.0'` and still included in the rendered report,
   so bogus rows showed up in the UI too.

## Fix

### `lib/ncm-analyze-tree.js` — rewritten (550 → 131 lines)

- Reverted to `universal-module-tree` (already in `dependencies`, and
  the same library `commands/details.js` uses).
- Removed, in full:
  - the `dependency-tree` invocation and entry-point discovery logic
    (guessing `index.js`, `app.js`, `bin/*.js`, …),
  - filename-as-package-name logic,
  - `getNpmDependencies` and the duplicate `readPackagesFromPackageJson`
    that stripped `^` / `~` and fell back to `'0.0.0'`,
  - dead counters.

The new file gets a tree from `universalModuleTree(dir)`, walks it
keeping dedup + `paths` info, and POSTs `{ name, version }` pairs to
the GraphQL endpoint — same shape that already worked in
`commands/details.js`.

### `commands/report.js`

- Removed the `effectiveVersion = '0.0.0'` coercion. Packages the NCM
  service returns with `version === null` (unpublished / unknown) are
  now **skipped** instead of rendered as `@ 0.0.0`:

  ```js
  if (version === null || version === undefined) continue;
  ```

- Removed unused `includedCount` / `skippedCount` counters and the
  dead `getLicenseScore` helper.

### `package.json` / `package-lock.json`

- Removed the unused `dependency-tree` dependency
  (`npm uninstall dependency-tree`). `universal-module-tree` was
  already listed and is now the single source of truth for the
  dependency graph.

---

## Verification

### Empirical: correct coordinates go out

```
$ node -e "const umt=require('universal-module-tree');
  (async()=>{
    const t=await umt('./test/fixtures/mock-project');
    const f=umt.flatten(t);
    console.log('total:', f.length);
    console.log('zero-versions:', f.filter(p=>p.version==='0.0.0'));
    console.log('filename-like:', f.filter(p=>/\\.|\\//.test(p.name)));
  })()"
total: 37
zero-versions: []
filename-like: []
```

No `@ 0.0.0`, no `jwt`-style filename names — just real installed
packages from `package-lock.json`.

### Tests: `npm run test-only` → 24 / 24 pass

Notable guards:

- `report › report output matches snapshot` — asserts **"36 packages
  checked"**, which only holds when the transitive graph is walked
  correctly.
- `report › report with poisoned project` — asserts a mock package
  returned with `version: null` is **skipped**, not rendered as
  `@ 0.0.0`.
- All `--filter=*`, `--compliance`, `--security`, `--long` snapshot
  tests pass, plus `details`, `whitelist`, `install`,
  `github-actions`, and `proxied` suites.

---

## Issue 2: bare `ncm` "with no success"

`ncm` with no subcommand shows help and exits 0 — same as `git` or
`npm` without args. `bin/ncm-cli.js`:

```js
let [command = 'help', ...subargs] = argv._
if (!Object.keys(commands).includes(command)) command = 'help'
```

No API request is ever made, which is why the debug session looked
like "nothing happening". Verified post-fix: `node bin/ncm-cli.js`
prints help and exits 0. To actually exercise the analyzer against
the local API:

```sh
NCM_TOKEN=6c044113-c485-40cb-915b-cbc9d3a26730 \
NCM_API=http://localhost:3000 \
  ncm report --dir=/path/to/some/project
```

---

## Issue 4: vulnDB coverage investigation

Previously impossible to do meaningfully — the payload was garbage
(issue 1) and incomplete (issue 3). Now that real coordinates for the
full transitive tree are sent, a direct diff is valid:

```sh
cd /path/to/project
npm install                                # ensure lockfile + node_modules

npm audit --json > /tmp/npm-audit.json     # npm's view

NCM_TOKEN=… NCM_API=http://localhost:3000 \
  ncm report --long --json > /tmp/ncm-report.json   # ncm's view
```

Compare the `{name, version}` sets:

- advisories in `npm-audit` but not `ncm-report` → real gaps in the
  vulnDB, feed back to the data team;
- advisories in `ncm-report` but not `npm-audit` → extra NCM coverage
  (or a false positive to review).

---

## Files changed

- `lib/ncm-analyze-tree.js` — rewritten (550 → 131 lines).
- `commands/report.js` — `0.0.0` coercion and dead code removed.
- `package.json`, `package-lock.json` — `dependency-tree` removed.

* Fix: wrong package coordinates sent to NCM API

# Fix: wrong package coordinates sent to NCM API

## Summary

| # | Report | Status | Where |
|---|---|---|---|
| 1 | "sending odd packages versions to the API like this one jwt version 0.0.0" | Fixed | `lib/ncm-analyze-tree.js`, `commands/report.js` |
| 2 | `NCM_TOKEN=… NCM_API=… ncm` "with no success" | Not a bug; documented below | — |
| 3 | "still a diff on npm audit and ncm report" | Fixed (root cause shared with #1) | `lib/ncm-analyze-tree.js` |
| 4 | "we would need to investigate if our vulnDB has all the vulns" | Now meaningfully testable | see below |

Tests: **24 / 24** pass (`npm run test-only`).

---

## Root cause (issues 1 & 3)

`lib/ncm-analyze-tree.js` had been rewritten to use
[`dependency-tree`](https://www.npmjs.com/package/dependency-tree) — a
**source-code import analyzer** — instead of
[`universal-module-tree`](https://www.npmjs.com/package/universal-module-tree),
which walks the real npm dependency graph
(`package-lock.json` → `yarn.lock` → `node_modules`).

Three concrete defects in that code produced the payloads the user saw:

1. **Filename-as-package-name with placeholder version.** `dependency-tree`
   returns resolved file paths. The replacement code turned each path
   into a "package":

   ```js
   const name = path.basename(dep, path.extname(dep));
   const childNode = {
     data: { name, version: '0.0.0' }, // hard-coded
     children: []
   };
   ```

   So `jsonwebtoken.js` → `jwt @ 0.0.0`, `index.js` → `index @ 0.0.0`,
   and similar. That is the exact `jwt version 0.0.0` entry the user
   saw going out.

2. **Range-string fallback also produced `0.0.0`.** The auxiliary
   `getNpmDependencies` helper only read direct deps from `package.json`
   and did:

   ```js
   const cleanVersion = version.replace(/[^\d.]/g, '') || version;
   ```

   For `"latest"`, `"file:…"`, `"git+https://…"`, `"workspace:*"`, etc.
   the strip leaves `''` and the `||` fallback is still non-semver —
   so those deps were emitted as `name @ 0.0.0` too.

3. **Missing transitive deps.** `dependency-tree` only surfaces files
   the entry point actually `require()`s, and the `package.json`
   fallback only listed direct dependencies. The full transitive
   graph was never walked. This is the direct mechanical cause of the
   diff vs `npm audit`.

4. **`commands/report.js` had been patched to hide the fallout.** Any
   `null` / `undefined` `version` returned by the NCM service was
   coerced to `'0.0.0'` and still included in the rendered report,
   so bogus rows showed up in the UI too.

## Fix

### `lib/ncm-analyze-tree.js` — rewritten (550 → 131 lines)

- Reverted to `universal-module-tree` (already in `dependencies`, and
  the same library `commands/details.js` uses).
- Removed, in full:
  - the `dependency-tree` invocation and entry-point discovery logic
    (guessing `index.js`, `app.js`, `bin/*.js`, …),
  - filename-as-package-name logic,
  - `getNpmDependencies` and the duplicate `readPackagesFromPackageJson`
    that stripped `^` / `~` and fell back to `'0.0.0'`,
  - dead counters.

The new file gets a tree from `universalModuleTree(dir)`, walks it
keeping dedup + `paths` info, and POSTs `{ name, version }` pairs to
the GraphQL endpoint — same shape that already worked in
`commands/details.js`.

### `commands/report.js`

- Removed the `effectiveVersion = '0.0.0'` coercion. Packages the NCM
  service returns with `version === null` (unpublished / unknown) are
  now **skipped** instead of rendered as `@ 0.0.0`:

  ```js
  if (version === null || version === undefined) continue;
  ```

- Removed unused `includedCount` / `skippedCount` counters and the
  dead `getLicenseScore` helper.

### `package.json` / `package-lock.json`

- Removed the unused `dependency-tree` dependency
  (`npm uninstall dependency-tree`). `universal-module-tree` was
  already listed and is now the single source of truth for the
  dependency graph.

---

## Verification

### Empirical: correct coordinates go out

```
$ node -e "const umt=require('universal-module-tree');
  (async()=>{
    const t=await umt('./test/fixtures/mock-project');
    const f=umt.flatten(t);
    console.log('total:', f.length);
    console.log('zero-versions:', f.filter(p=>p.version==='0.0.0'));
    console.log('filename-like:', f.filter(p=>/\\.|\\//.test(p.name)));
  })()"
total: 37
zero-versions: []
filename-like: []
```

No `@ 0.0.0`, no `jwt`-style filename names — just real installed
packages from `package-lock.json`.

### Tests: `npm run test-only` → 24 / 24 pass

Notable guards:

- `report › report output matches snapshot` — asserts **"36 packages
  checked"**, which only holds when the transitive graph is walked
  correctly.
- `report › report with poisoned project` — asserts a mock package
  returned with `version: null` is **skipped**, not rendered as
  `@ 0.0.0`.
- All `--filter=*`, `--compliance`, `--security`, `--long` snapshot
  tests pass, plus `details`, `whitelist`, `install`,
  `github-actions`, and `proxied` suites.

---

## Issue 2: bare `ncm` "with no success"

`ncm` with no subcommand shows help and exits 0 — same as `git` or
`npm` without args. `bin/ncm-cli.js`:

```js
let [command = 'help', ...subargs] = argv._
if (!Object.keys(commands).includes(command)) command = 'help'
```

No API request is ever made, which is why the debug session looked
like "nothing happening". Verified post-fix: `node bin/ncm-cli.js`
prints help and exits 0. To actually exercise the analyzer against
the local API:

```sh
NCM_TOKEN=6c044113-c485-40cb-915b-cbc9d3a26730 \
NCM_API=http://localhost:3000 \
  ncm report --dir=/path/to/some/project
```

---

## Issue 4: vulnDB coverage investigation

Previously impossible to do meaningfully — the payload was garbage
(issue 1) and incomplete (issue 3). Now that real coordinates for the
full transitive tree are sent, a direct diff is valid:

```sh
cd /path/to/project
npm install                                # ensure lockfile + node_modules

npm audit --json > /tmp/npm-audit.json     # npm's view

NCM_TOKEN=… NCM_API=http://localhost:3000 \
  ncm report --long --json > /tmp/ncm-report.json   # ncm's view
```

Compare the `{name, version}` sets:

- advisories in `npm-audit` but not `ncm-report` → real gaps in the
  vulnDB, feed back to the data team;
- advisories in `ncm-report` but not `npm-audit` → extra NCM coverage
  (or a false positive to review).

---

## Files changed

- `lib/ncm-analyze-tree.js` — rewritten (550 → 131 lines).
- `commands/report.js` — `0.0.0` coercion and dead code removed.
- `package.json`, `package-lock.json` — `dependency-tree` removed.

* Fix: wrong package coordinates sent to NCM API

# Fix: wrong package coordinates sent to NCM API

## Summary

| # | Report | Status | Where |
|---|---|---|---|
| 1 | "sending odd packages versions to the API like this one jwt version 0.0.0" | Fixed | `lib/ncm-analyze-tree.js`, `commands/report.js` |
| 2 | `NCM_TOKEN=… NCM_API=… ncm` "with no success" | Not a bug; documented below | — |
| 3 | "still a diff on npm audit and ncm report" | Fixed (root cause shared with #1) | `lib/ncm-analyze-tree.js` |
| 4 | "we would need to investigate if our vulnDB has all the vulns" | Now meaningfully testable | see below |

Tests: **24 / 24** pass (`npm run test-only`).

---

## Root cause (issues 1 & 3)

`lib/ncm-analyze-tree.js` had been rewritten to use
[`dependency-tree`](https://www.npmjs.com/package/dependency-tree) — a
**source-code import analyzer** — instead of
[`universal-module-tree`](https://www.npmjs.com/package/universal-module-tree),
which walks the real npm dependency graph
(`package-lock.json` → `yarn.lock` → `node_modules`).

Three concrete defects in that code produced the payloads the user saw:

1. **Filename-as-package-name with placeholder version.** `dependency-tree`
   returns resolved file paths. The replacement code turned each path
   into a "package":

   ```js
   const name = path.basename(dep, path.extname(dep));
   const childNode = {
     data: { name, version: '0.0.0' }, // hard-coded
     children: []
   };
   ```

   So `jsonwebtoken.js` → `jwt @ 0.0.0`, `index.js` → `index @ 0.0.0`,
   and similar. That is the exact `jwt version 0.0.0` entry the user
   saw going out.

2. **Range-string fallback also produced `0.0.0`.** The auxiliary
   `getNpmDependencies` helper only read direct deps from `package.json`
   and did:

   ```js
   const cleanVersion = version.replace(/[^\d.]/g, '') || version;
   ```

   For `"latest"`, `"file:…"`, `"git+https://…"`, `"workspace:*"`, etc.
   the strip leaves `''` and the `||` fallback is still non-semver —
   so those deps were emitted as `name @ 0.0.0` too.

3. **Missing transitive deps.** `dependency-tree` only surfaces files
   the entry point actually `require()`s, and the `package.json`
   fallback only listed direct dependencies. The full transitive
   graph was never walked. This is the direct mechanical cause of the
   diff vs `npm audit`.

4. **`commands/report.js` had been patched to hide the fallout.** Any
   `null` / `undefined` `version` returned by the NCM service was
   coerced to `'0.0.0'` and still included in the rendered report,
   so bogus rows showed up in the UI too.

## Fix

### `lib/ncm-analyze-tree.js` — rewritten (550 → 131 lines)

- Reverted to `universal-module-tree` (already in `dependencies`, and
  the same library `commands/details.js` uses).
- Removed, in full:
  - the `dependency-tree` invocation and entry-point discovery logic
    (guessing `index.js`, `app.js`, `bin/*.js`, …),
  - filename-as-package-name logic,
  - `getNpmDependencies` and the duplicate `readPackagesFromPackageJson`
    that stripped `^` / `~` and fell back to `'0.0.0'`,
  - dead counters.

The new file gets a tree from `universalModuleTree(dir)`, walks it
keeping dedup + `paths` info, and POSTs `{ name, version }` pairs to
the GraphQL endpoint — same shape that already worked in
`commands/details.js`.

### `commands/report.js`

- Removed the `effectiveVersion = '0.0.0'` coercion. Packages the NCM
  service returns with `version === null` (unpublished / unknown) are
  now **skipped** instead of rendered as `@ 0.0.0`:

  ```js
  if (version === null || version === undefined) continue;
  ```

- Removed unused `includedCount` / `skippedCount` counters and the
  dead `getLicenseScore` helper.

### `package.json` / `package-lock.json`

- Removed the unused `dependency-tree` dependency
  (`npm uninstall dependency-tree`). `universal-module-tree` was
  already listed and is now the single source of truth for the
  dependency graph.

---

## Verification

### Empirical: correct coordinates go out

```
$ node -e "const umt=require('universal-module-tree');
  (async()=>{
    const t=await umt('./test/fixtures/mock-project');
    const f=umt.flatten(t);
    console.log('total:', f.length);
    console.log('zero-versions:', f.filter(p=>p.version==='0.0.0'));
    console.log('filename-like:', f.filter(p=>/\\.|\\//.test(p.name)));
  })()"
total: 37
zero-versions: []
filename-like: []
```

No `@ 0.0.0`, no `jwt`-style filename names — just real installed
packages from `package-lock.json`.

### Tests: `npm run test-only` → 24 / 24 pass

Notable guards:

- `report › report output matches snapshot` — asserts **"36 packages
  checked"**, which only holds when the transitive graph is walked
  correctly.
- `report › report with poisoned project` — asserts a mock package
  returned with `version: null` is **skipped**, not rendered as
  `@ 0.0.0`.
- All `--filter=*`, `--compliance`, `--security`, `--long` snapshot
  tests pass, plus `details`, `whitelist`, `install`,
  `github-actions`, and `proxied` suites.

---

## Issue 2: bare `ncm` "with no success"

`ncm` with no subcommand shows help and exits 0 — same as `git` or
`npm` without args. `bin/ncm-cli.js`:

```js
let [command = 'help', ...subargs] = argv._
if (!Object.keys(commands).includes(command)) command = 'help'
```

No API request is ever made, which is why the debug session looked
like "nothing happening". Verified post-fix: `node bin/ncm-cli.js`
prints help and exits 0. To actually exercise the analyzer against
the local API:

```sh
NCM_TOKEN=6c044113-c485-40cb-915b-cbc9d3a26730 \
NCM_API=http://localhost:3000 \
  ncm report --dir=/path/to/some/project
```

---

## Issue 4: vulnDB coverage investigation

Previously impossible to do meaningfully — the payload was garbage
(issue 1) and incomplete (issue 3). Now that real coordinates for the
full transitive tree are sent, a direct diff is valid:

```sh
cd /path/to/project
npm install                                # ensure lockfile + node_modules

npm audit --json > /tmp/npm-audit.json     # npm's view

NCM_TOKEN=… NCM_API=http://localhost:3000 \
  ncm report --long --json > /tmp/ncm-report.json   # ncm's view
```

Compare the `{name, version}` sets:

- advisories in `npm-audit` but not `ncm-report` → real gaps in the
  vulnDB, feed back to the data team;
- advisories in `ncm-report` but not `npm-audit` → extra NCM coverage
  (or a false positive to review).

---

## Files changed

- `lib/ncm-analyze-tree.js` — rewritten (550 → 131 lines).
- `commands/report.js` — `0.0.0` coercion and dead code removed.
- `package.json`, `package-lock.json` — `dependency-tree` removed.

* Fix: wrong package coordinates sent to NCM API

# Fix: wrong package coordinates sent to NCM API

## Summary

| # | Report | Status | Where |
|---|---|---|---|
| 1 | "sending odd packages versions to the API like this one jwt version 0.0.0" | Fixed | `lib/ncm-analyze-tree.js`, `commands/report.js` |
| 2 | `NCM_TOKEN=… NCM_API=… ncm` "with no success" | Not a bug; documented below | — |
| 3 | "still a diff on npm audit and ncm report" | Fixed (root cause shared with #1) | `lib/ncm-analyze-tree.js` |
| 4 | "we would need to investigate if our vulnDB has all the vulns" | Now meaningfully testable | see below |

Tests: **24 / 24** pass (`npm run test-only`).

---

## Root cause (issues 1 & 3)

`lib/ncm-analyze-tree.js` had been rewritten to use
[`dependency-tree`](https://www.npmjs.com/package/dependency-tree) — a
**source-code import analyzer** — instead of
[`universal-module-tree`](https://www.npmjs.com/package/universal-module-tree),
which walks the real npm dependency graph
(`package-lock.json` → `yarn.lock` → `node_modules`).

Three concrete defects in that code produced the payloads the user saw:

1. **Filename-as-package-name with placeholder version.** `dependency-tree`
   returns resolved file paths. The replacement code turned each path
   into a "package":

   ```js
   const name = path.basename(dep, path.extname(dep));
   const childNode = {
     data: { name, version: '0.0.0' }, // hard-coded
     children: []
   };
   ```

   So `jsonwebtoken.js` → `jwt @ 0.0.0`, `index.js` → `index @ 0.0.0`,
   and similar. That is the exact `jwt version 0.0.0` entry the user
   saw going out.

2. **Range-string fallback also produced `0.0.0`.** The auxiliary
   `getNpmDependencies` helper only read direct deps from `package.json`
   and did:

   ```js
   const cleanVersion = version.replace(/[^\d.]/g, '') || version;
   ```

   For `"latest"`, `"file:…"`, `"git+https://…"`, `"workspace:*"`, etc.
   the strip leaves `''` and the `||` fallback is still non-semver —
   so those deps were emitted as `name @ 0.0.0` too.

3. **Missing transitive deps.** `dependency-tree` only surfaces files
   the entry point actually `require()`s, and the `package.json`
   fallback only listed direct dependencies. The full transitive
   graph was never walked. This is the direct mechanical cause of the
   diff vs `npm audit`.

4. **`commands/report.js` had been patched to hide the fallout.** Any
   `null` / `undefined` `version` returned by the NCM service was
   coerced to `'0.0.0'` and still included in the rendered report,
   so bogus rows showed up in the UI too.

## Fix

### `lib/ncm-analyze-tree.js` — rewritten (550 → 131 lines)

- Reverted to `universal-module-tree` (already in `dependencies`, and
  the same library `commands/details.js` uses).
- Removed, in full:
  - the `dependency-tree` invocation and entry-point discovery logic
    (guessing `index.js`, `app.js`, `bin/*.js`, …),
  - filename-as-package-name logic,
  - `getNpmDependencies` and the duplicate `readPackagesFromPackageJson`
    that stripped `^` / `~` and fell back to `'0.0.0'`,
  - dead counters.

The new file gets a tree from `universalModuleTree(dir)`, walks it
keeping dedup + `paths` info, and POSTs `{ name, version }` pairs to
the GraphQL endpoint — same shape that already worked in
`commands/details.js`.

### `commands/report.js`

- Removed the `effectiveVersion = '0.0.0'` coercion. Packages the NCM
  service returns with `version === null` (unpublished / unknown) are
  now **skipped** instead of rendered as `@ 0.0.0`:

  ```js
  if (version === null || version === undefined) continue;
  ```

- Removed unused `includedCount` / `skippedCount` counters and the
  dead `getLicenseScore` helper.

### `package.json` / `package-lock.json`

- Removed the unused `dependency-tree` dependency
  (`npm uninstall dependency-tree`). `universal-module-tree` was
  already listed and is now the single source of truth for the
  dependency graph.

---

## Verification

### Empirical: correct coordinates go out

```
$ node -e "const umt=require('universal-module-tree');
  (async()=>{
    const t=await umt('./test/fixtures/mock-project');
    const f=umt.flatten(t);
    console.log('total:', f.length);
    console.log('zero-versions:', f.filter(p=>p.version==='0.0.0'));
    console.log('filename-like:', f.filter(p=>/\\.|\\//.test(p.name)));
  })()"
total: 37
zero-versions: []
filename-like: []
```

No `@ 0.0.0`, no `jwt`-style filename names — just real installed
packages from `package-lock.json`.

### Tests: `npm run test-only` → 24 / 24 pass

Notable guards:

- `report › report output matches snapshot` — asserts **"36 packages
  checked"**, which only holds when the transitive graph is walked
  correctly.
- `report › report with poisoned project` — asserts a mock package
  returned with `version: null` is **skipped**, not rendered as
  `@ 0.0.0`.
- All `--filter=*`, `--compliance`, `--security`, `--long` snapshot
  tests pass, plus `details`, `whitelist`, `install`,
  `github-actions`, and `proxied` suites.

---

## Issue 2: bare `ncm` "with no success"

`ncm` with no subcommand shows help and exits 0 — same as `git` or
`npm` without args. `bin/ncm-cli.js`:

```js
let [command = 'help', ...subargs] = argv._
if (!Object.keys(commands).includes(command)) command = 'help'
```

No API request is ever made, which is why the debug session looked
like "nothing happening". Verified post-fix: `node bin/ncm-cli.js`
prints help and exits 0. To actually exercise the analyzer against
the local API:

```sh
NCM_TOKEN=6c044113-c485-40cb-915b-cbc9d3a26730 \
NCM_API=http://localhost:3000 \
  ncm report --dir=/path/to/some/project
```

---

## Issue 4: vulnDB coverage investigation

Previously impossible to do meaningfully — the payload was garbage
(issue 1) and incomplete (issue 3). Now that real coordinates for the
full transitive tree are sent, a direct diff is valid:

```sh
cd /path/to/project
npm install                                # ensure lockfile + node_modules

npm audit --json > /tmp/npm-audit.json     # npm's view

NCM_TOKEN=… NCM_API=http://localhost:3000 \
  ncm report --long --json > /tmp/ncm-report.json   # ncm's view
```

Compare the `{name, version}` sets:

- advisories in `npm-audit` but not `ncm-report` → real gaps in the
  vulnDB, feed back to the data team;
- advisories in `ncm-report` but not `npm-audit` → extra NCM coverage
  (or a false positive to review).

---

## Files changed

- `lib/ncm-analyze-tree.js` — rewritten (550 → 131 lines).
- `commands/report.js` — `0.0.0` coercion and dead code removed.
- `package.json`, `package-lock.json` — `dependency-tree` removed.

* Fix: wrong package coordinates sent to NCM API

# Fix: wrong package coordinates sent to NCM API

## Summary

| # | Report | Status | Where |
|---|---|---|---|
| 1 | "sending odd packages versions to the API like this one jwt version 0.0.0" | Fixed | `lib/ncm-analyze-tree.js`, `commands/report.js` |
| 2 | `NCM_TOKEN=… NCM_API=… ncm` "with no success" | Not a bug; documented below | — |
| 3 | "still a diff on npm audit and ncm report" | Fixed (root cause shared with #1) | `lib/ncm-analyze-tree.js` |
| 4 | "we would need to investigate if our vulnDB has all the vulns" | Now meaningfully testable | see below |

Tests: **24 / 24** pass (`npm run test-only`).

---

## Root cause (issues 1 & 3)

`lib/ncm-analyze-tree.js` had been rewritten to use
[`dependency-tree`](https://www.npmjs.com/package/dependency-tree) — a
**source-code import analyzer** — instead of
[`universal-module-tree`](https://www.npmjs.com/package/universal-module-tree),
which walks the real npm dependency graph
(`package-lock.json` → `yarn.lock` → `node_modules`).

Three concrete defects in that code produced the payloads the user saw:

1. **Filename-as-package-name with placeholder version.** `dependency-tree`
   returns resolved file paths. The replacement code turned each path
   into a "package":

   ```js
   const name = path.basename(dep, path.extname(dep));
   const childNode = {
     data: { name, version: '0.0.0' }, // hard-coded
     children: []
   };
   ```

   So `jsonwebtoken.js` → `jwt @ 0.0.0`, `index.js` → `index @ 0.0.0`,
   and similar. That is the exact `jwt version 0.0.0` entry the user
   saw going out.

2. **Range-string fallback also produced `0.0.0`.** The auxiliary
   `getNpmDependencies` helper only read direct deps from `package.json`
   and did:

   ```js
   const cleanVersion = version.replace(/[^\d.]/g, '') || version;
   ```

   For `"latest"`, `"file:…"`, `"git+https://…"`, `"workspace:*"`, etc.
   the strip leaves `''` and the `||` fallback is still non-semver —
   so those deps were emitted as `name @ 0.0.0` too.

3. **Missing transitive deps.** `dependency-tree` only surfaces files
   the entry point actually `require()`s, and the `package.json`
   fallback only listed direct dependencies. The full transitive
   graph was never walked. This is the direct mechanical cause of the
   diff vs `npm audit`.

4. **`commands/report.js` had been patched to hide the fallout.** Any
   `null` / `undefined` `version` returned by the NCM service was
   coerced to `'0.0.0'` and still included in the rendered report,
   so bogus rows showed up in the UI too.

## Fix

### `lib/ncm-analyze-tree.js` — rewritten (550 → 131 lines)

- Reverted to `universal-module-tree` (already in `dependencies`, and
  the same library `commands/details.js` uses).
- Removed, in full:
  - the `dependency-tree` invocation and entry-point discovery logic
    (guessing `index.js`, `app.js`, `bin/*.js`, …),
  - filename-as-package-name logic,
  - `getNpmDependencies` and the duplicate `readPackagesFromPackageJson`
    that stripped `^` / `~` and fell back to `'0.0.0'`,
  - dead counters.

The new file gets a tree from `universalModuleTree(dir)`, walks it
keeping dedup + `paths` info, and POSTs `{ name, version }` pairs to
the GraphQL endpoint — same shape that already worked in
`commands/details.js`.

### `commands/report.js`

- Removed the `effectiveVersion = '0.0.0'` coercion. Packages the NCM
  service returns with `version === null` (unpublished / unknown) are
  now **skipped** instead of rendered as `@ 0.0.0`:

  ```js
  if (version === null || version === undefined) continue;
  ```

- Removed unused `includedCount` / `skippedCount` counters and the
  dead `getLicenseScore` helper.

### `package.json` / `package-lock.json`

- Removed the unused `dependency-tree` dependency
  (`npm uninstall dependency-tree`). `universal-module-tree` was
  already listed and is now the single source of truth for the
  dependency graph.

---

## Verification

### Empirical: correct coordinates go out

```
$ node -e "const umt=require('universal-module-tree');
  (async()=>{
    const t=await umt('./test/fixtures/mock-project');
    const f=umt.flatten(t);
    console.log('total:', f.length);
    console.log('zero-versions:', f.filter(p=>p.version==='0.0.0'));
    console.log('filename-like:', f.filter(p=>/\\.|\\//.test(p.name)));
  })()"
total: 37
zero-versions: []
filename-like: []
```

No `@ 0.0.0`, no `jwt`-style filename names — just real installed
packages from `package-lock.json`.

### Tests: `npm run test-only` → 24 / 24 pass

Notable guards:

- `report › report output matches snapshot` — asserts **"36 packages
  checked"**, which only holds when the transitive graph is walked
  correctly.
- `report › report with poisoned project` — asserts a mock package
  returned with `version: null` is **skipped**, not rendered as
  `@ 0.0.0`.
- All `--filter=*`, `--compliance`, `--security`, `--long` snapshot
  tests pass, plus `details`, `whitelist`, `install`,
  `github-actions`, and `proxied` suites.

---

## Issue 2: bare `ncm` "with no success"

`ncm` with no subcommand shows help and exits 0 — same as `git` or
`npm` without args. `bin/ncm-cli.js`:

```js
let [command = 'help', ...subargs] = argv._
if (!Object.keys(commands).includes(command)) command = 'help'
```

No API request is ever made, which is why the debug session looked
like "nothing happening". Verified post-fix: `node bin/ncm-cli.js`
prints help and exits 0. To actually exercise the analyzer against
the local API:

```sh
NCM_TOKEN=6c044113-c485-40cb-915b-cbc9d3a26730 \
NCM_API=http://localhost:3000 \
  ncm report --dir=/path/to/some/project
```

---

## Issue 4: vulnDB coverage investigation

Previously impossible to do meaningfully — the payload was garbage
(issue 1) and incomplete (issue 3). Now that real coordinates for the
full transitive tree are sent, a direct diff is valid:

```sh
cd /path/to/project
npm install                                # ensure lockfile + node_modules

npm audit --json > /tmp/npm-audit.json     # npm's view

NCM_TOKEN=… NCM_API=http://localhost:3000 \
  ncm report --long --json > /tmp/ncm-report.json   # ncm's view
```

Compare the `{name, version}` sets:

- advisories in `npm-audit` but not `ncm-report` → real gaps in the
  vulnDB, feed back to the data team;
- advisories in `ncm-report` but not `npm-audit` → extra NCM coverage
  (or a false positive to review).

---

## Files changed

- `lib/ncm-analyze-tree.js` — rewritten (550 → 131 lines).
- `commands/report.js` — `0.0.0` coercion and dead code removed.
- `package.json`, `package-lock.json` — `dependency-tree` removed.

* Fix: wrong package coordinates sent to NCM API

# Fix: wrong package coordinates sent to NCM API

## Summary

| # | Report | Status | Where |
|---|---|---|---|
| 1 | "sending odd packages versions to the API like this one jwt version 0.0.0" | Fixed | `lib/ncm-analyze-tree.js`, `commands/report.js` |
| 2 | `NCM_TOKEN=… NCM_API=… ncm` "with no success" | Not a bug; documented below | — |
| 3 | "still a diff on npm audit and ncm report" | Fixed (root cause shared with #1) | `lib/ncm-analyze-tree.js` |
| 4 | "we would need to investigate if our vulnDB has all the vulns" | Now meaningfully testable | see below |

Tests: **24 / 24** pass (`npm run test-only`).

---

## Root cause (issues 1 & 3)

`lib/ncm-analyze-tree.js` had been rewritten to use
[`dependency-tree`](https://www.npmjs.com/package/dependency-tree) — a
**source-code import analyzer** — instead of
[`universal-module-tree`](https://www.npmjs.com/package/universal-module-tree),
which walks the real npm dependency graph
(`package-lock.json` → `yarn.lock` → `node_modules`).

Three concrete defects in that code produced the payloads the user saw:

1. **Filename-as-package-name with placeholder version.** `dependency-tree`
   returns resolved file paths. The replacement code turned each path
   into a "package":

   ```js
   const name = path.basename(dep, path.extname(dep));
   const childNode = {
     data: { name, version: '0.0.0' }, // hard-coded
     children: []
   };
   ```

   So `jsonwebtoken.js` → `jwt @ 0.0.0`, `index.js` → `index @ 0.0.0`,
   and similar. That is the exact `jwt version 0.0.0` entry the user
   saw going out.

2. **Range-string fallback also produced `0.0.0`.** The auxiliary
   `getNpmDependencies` helper only read direct deps from `package.json`
   and did:

   ```js
   const cleanVersion = version.replace(/[^\d.]/g, '') || version;
   ```

   For `"latest"`, `"file:…"`, `"git+https://…"`, `"workspace:*"`, etc.
   the strip leaves `''` and the `||` fallback is still non-semver —
   so those deps were emitted as `name @ 0.0.0` too.

3. **Missing transitive deps.** `dependency-tree` only surfaces files
   the entry point actually `require()`s, and the `package.json`
   fallback only listed direct dependencies. The full transitive
   graph was never walked. This is the direct mechanical cause of the
   diff vs `npm audit`.

4. **`commands/report.js` had been patched to hide the fallout.** Any
   `null` / `undefined` `version` returned by the NCM service was
   coerced to `'0.0.0'` and still included in the rendered report,
   so bogus rows showed up in the UI too.

## Fix

### `lib/ncm-analyze-tree.js` — rewritten (550 → 131 lines)

- Reverted to `universal-module-tree` (already in `dependencies`, and
  the same library `commands/details.js` uses).
- Removed, in full:
  - the `dependency-tree` invocation and entry-point discovery logic
    (guessing `index.js`, `app.js`, `bin/*.js`, …),
  - filename-as-package-name logic,
  - `getNpmDependencies` and the duplicate `readPackagesFromPackageJson`
    that stripped `^` / `~` and fell back to `'0.0.0'`,
  - dead counters.

The new file gets a tree from `universalModuleTree(dir)`, walks it
keeping dedup + `paths` info, and POSTs `{ name, version }` pairs to
the GraphQL endpoint — same shape that already worked in
`commands/details.js`.

### `commands/report.js`

- Removed the `effectiveVersion = '0.0.0'` coercion. Packages the NCM
  service returns with `version === null` (unpublished / unknown) are
  now **skipped** instead of rendered as `@ 0.0.0`:

  ```js
  if (version === null || version === undefined) continue;
  ```

- Removed unused `includedCount` / `skippedCount` counters and the
  dead `getLicenseScore` helper.

### `package.json` / `package-lock.json`

- Removed the unused `dependency-tree` dependency
  (`npm uninstall dependency-tree`). `universal-module-tree` was
  already listed and is now the single source of truth for the
  dependency graph.

---

## Verification

### Empirical: correct coordinates go out

```
$ node -e "const umt=require('universal-module-tree');
  (async()=>{
    const t=await umt('./test/fixtures/mock-project');
    const f=umt.flatten(t);
    console.log('total:', f.length);
    console.log('zero-versions:', f.filter(p=>p.version==='0.0.0'));
    console.log('filename-like:', f.filter(p=>/\\.|\\//.test(p.name)));
  })()"
total: 37
zero-versions: []
filename-like: []
```

No `@ 0.0.0`, no `jwt`-style filename names — just real installed
packages from `package-lock.json`.

### Tests: `npm run test-only` → 24 / 24 pass

Notable guards:

- `report › report output matches snapshot` — asserts **"36 packages
  checked"**, which only holds when the transitive graph is walked
  correctly.
- `report › report with poisoned project` — asserts a mock package
  returned with `version: null` is **skipped**, not rendered as
  `@ 0.0.0`.
- All `--filter=*`, `--compliance`, `--security`, `--long` snapshot
  tests pass, plus `details`, `whitelist`, `install`,
  `github-actions`, and `proxied` suites.

---

## Issue 2: bare `ncm` "with no success"

`ncm` with no subcommand shows help and exits 0 — same as `git` or
`npm` without args. `bin/ncm-cli.js`:

```js
let [command = 'help', ...subargs] = argv._
if (!Object.keys(commands).includes(command)) command = 'help'
```

No API request is ever made, which is why the debug session looked
like "nothing happening". Verified post-fix: `node bin/ncm-cli.js`
prints help and exits 0. To actually exercise the analyzer against
the local API:

```sh
NCM_TOKEN=6c044113-c485-40cb-915b-cbc9d3a26730 \
NCM_API=http://localhost:3000 \
  ncm report --dir=/path/to/some/project
```

---

## Issue 4: vulnDB coverage investigation

Previously impossible to do meaningfully — the payload was garbage
(issue 1) and incomplete (issue 3). Now that real coordinates for the
full transitive tree are sent, a direct diff is valid:

```sh
cd /path/to/project
npm install                                # ensure lockfile + node_modules

npm audit --json > /tmp/npm-audit.json     # npm's view

NCM_TOKEN=… NCM_API=http://localhost:3000 \
  ncm report --long --json > /tmp/ncm-report.json   # ncm's view
```

Compare the `{name, version}` sets:

- advisories in `npm-audit` but not `ncm-report` → real gaps in the
  vulnDB, feed back to the data team;
- advisories in `ncm-report` but not `npm-audit` → extra NCM coverage
  (or a false positive to review).

---

## Files changed

- `lib/ncm-analyze-tree.js` — rewritten (550 → 131 lines).
- `commands/report.js` — `0.0.0` coercion and dead code removed.
- `package.json`, `package-lock.json` — `dependency-tree` removed.

Author: JungMinu

commands/report.js

@@ -14,6 +14,7 @@ const {
   SEVERITY_RMAP_NPM,
   moduleSort
 } = require('../lib/report/util')
+const licenses = require('../lib/report/licenses')
 const longReport = require('../lib/report/long')
 const shortReport = require('../lib/report/short')
 const { helpHeader } = require('../lib/help')
@@ -139,9 +140,6 @@ async function report (argv, _dir) {
   const isNested = pkgName === nestedPkgName && pkgVersion === nestedPkgVersion
 
   // Processing packages from NCM service
-  let includedCount = 0;
-  let skippedCount = 0;
-  
   for (const { name, version, scores, published } of data) {
     let maxSeverity = 0;
     let license = {};
@@ -170,45 +168,65 @@ async function report (argv, _dir) {
       }
     }
 
-    // Modified approach to include ALL packages in the report
-    // Even packages with null/undefined versions will be included with a default version
-    let effectiveVersion = version;
-    if (effectiveVersion === null || effectiveVersion === undefined) {
-      effectiveVersion = '0.0.0';
-      // Using default version 0.0.0 for package
-    }
-    
-    // Skip nested packages with severity issues
-    if (isNested && !!maxSeverity) {
-      skippedCount++;
-      // Skipping nested package
-      continue;
+    // Skip packages the NCM service didn't return data for (null version /
+    // unpublished). Previously these were coerced to '0.0.0' which polluted
+    // reports with placeholder entries like `jwt @ 0.0.0`.
+    if (version === null || version === undefined) continue;
+
+    // Skip nested packages (the project reporting on itself) with severity issues
+    if (isNested && !!maxSeverity) continue;
+
+    // License cert fallback: when the NCM API returned a license score but
+    // didn't commit to `pass` (or when `data.spdx` is a non-canonical or
+    // compound expression the server didn't normalise), apply the built-in
+    // SPDX policy so the CLI still reaches a deterministic verdict. The
+    // server-supplied verdict always wins when present.
+    if (license && license.data && license.data.spdx != null) {
+      const canonical = licenses.normalize(license.data.spdx);
+      if (canonical && canonical !== license.data.spdx) {
+        license = Object.assign({}, license, {
+          data: Object.assign({}, license.data, { spdx: canonical })
+        });
+      }
+      if (license.pass == null) {
+        const verdict = licenses.evaluate(canonical);
+        if (verdict !== null) {
+          license = Object.assign({}, license, {
+            pass: verdict,
+            severity: verdict ? 'NONE' : (license.severity || 'MEDIUM')
+          });
+          if (!verdict) {
+            failures.push(license);
+            hasFailures = true;
+          }
+        }
+      }
     }
-    
-    // Check if license has failed, which should upgrade to critical severity
-    const getLicenseScore = ({ pass }) => pass === false ? 0 : null;
+
+    // Escalate to Critical when the license is noncompliant (whether the
+    // verdict came from the server or the client-side fallback above).
     if (license && license.pass === false) {
       maxSeverity = 4;
     }
 
-    // Add the package to our report
     pkgScores.push({
       name,
-      version: effectiveVersion, // Use effective version instead of potentially null version
+      version,
       published,
       maxSeverity,
       failures,
       license,
       scores
     });
-    
-    includedCount++;
   }
-  
-  // Package processing complete
 
   pkgScores = moduleSort(pkgScores)
 
+  // Build name→version map from NCM data for npm audit v7+ version lookup
+  const versionByName = new Map([...data]
+    .filter(pkg => pkg.version)
+    .map(pkg => [pkg.name, pkg.version]))
+
   // Process whitelisted packages
   const whitelisted = pkgScores.filter(pkg => whitelist.has(`${pkg.name}@${pkg.version}`))
     .map(pkgScore => ({ ...pkgScore, quantitativeScore: score(pkgScore.scores, pkgScore.maxSeverity) }))
@@ -251,6 +269,7 @@ async function report (argv, _dir) {
   try {
     const npmAuditJson = JSON.parse(npmAuditData) || {}
     if (npmAuditJson.advisories) {
+      // npm v6 format
       for (const advisory of Object.values(npmAuditJson.advisories)) {
         const { version } = advisory.findings ? (advisory.findings[0] || {}) : {}
         const { module_name: name, severity = 'NONE' } = advisory
@@ -266,6 +285,29 @@ async function report (argv, _dir) {
           auditScore: maxSeverity
         })
       }
+    } else if (npmAuditJson.vulnerabilities) {
+      // npm v7+ format (auditReportVersion: 2). Packages already reported by
+      // NCM (in pkgScores or whitelisted) are skipped — otherwise every
+      // transitive vuln would show up twice.
+      const reportedIds = new Set(
+        [...pkgScores, ...whitelisted].map(p => `${p.name}@${p.version}`)
+      )
+      for (const [name, vuln] of Object.entries(npmAuditJson.vulnerabilities)) {
+        const version = versionByName.get(name)
+        if (reportedIds.has(`${name}@${version}`)) continue
+        const { severity = 'none' } = vuln
+        const maxSeverity = SEVERITY_RMAP_NPM.indexOf(severity.toUpperCase())
+        pkgScores.push({
+          name,
+          version,
+          published: true,
+          maxSeverity,
+          failures: [],
+          license: {},
+          scores: [],
+          auditScore: maxSeverity
+        })
+      }
     }
   } catch (err) { } // intentional noop
 

commands/whitelist.js

@@ -8,6 +8,7 @@ const { helpHeader } = require('../lib/help')
 const { getValue, setValue } = require('../lib/config')
 const whitelistReport = require('../lib/report/whitelist')
 const { SEVERITY_RMAP } = require('../lib/report/util')
+const licenses = require('../lib/report/licenses')
 const {
   COLORS,
   header,
@@ -191,6 +192,28 @@ async function whitelist (argv) {
         if (score.name === 'license') license = score
       }
 
+      // License cert fallback: if the server returned an SPDX but no pass
+      // verdict, apply the built-in policy so whitelisted modules render
+      // with a deterministic badge. Mirrors the logic in commands/report.js.
+      if (license && license.data && license.data.spdx != null) {
+        const canonical = licenses.normalize(license.data.spdx)
+        if (canonical && canonical !== license.data.spdx) {
+          license = Object.assign({}, license, {
+            data: Object.assign({}, license.data, { spdx: canonical })
+          })
+        }
+        if (license.pass == null) {
+          const verdict = licenses.evaluate(canonical)
+          if (verdict !== null) {
+            license = Object.assign({}, license, {
+              pass: verdict,
+              severity: verdict ? 'NONE' : (license.severity || 'MEDIUM')
+            })
+            if (!verdict) failures.push(license)
+          }
+        }
+      }
+
       const getLicenseScore = ({ pass }) => !pass ? 0 : null
       if (getLicenseScore(license) === 0) maxSeverity = 4