anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems
Apache License 2.0

Missing dependency relationships between direct dependencies and transient dependencies in NPM packages #3109

Open duranjesus opened 2 months ago

duranjesus commented 2 months ago

What happened: Generating an SBOM in SPDX format for a filesystem containing a Node.js (npm) project, the dependency relationships between direct dependencies and transient dependencies are non-existent. In other words, the DEPENDENCY_OF classification is not present in the relationships portion of the SBOM.

Note: This is only evident for NPM packages. The correct dependency relationships are being generated for Python (Poetry) projects.

What is being generated by Syft:

Note: I'm grabbing specific items from the relationships list in order to compare it to the expected result below.

"relationships": [
    {
        "spdxElementId": "SPDXRef-Package-npm-tiny-package-4fae87ebfc4badf1",
        "relatedSpdxElement": "SPDXRef-File-package-lock.json-fd71c2238fc07657",
        "relationshipType": "OTHER",
        "comment": "evident-by: indicates the package's existence is evident by the given file"
    },
    {
        "spdxElementId": "SPDXRef-Package-npm-express-e6213bae4cd38c7c",
        "relatedSpdxElement": "SPDXRef-File-package-lock.json-fd71c2238fc07657",
        "relationshipType": "OTHER",
        "comment": "evident-by: indicates the package's existence is evident by the given file"
    },
    {
        "spdxElementId": "SPDXRef-Package-npm-accepts-317fb941ea652a28",
        "relatedSpdxElement": "SPDXRef-File-package-lock.json-fd71c2238fc07657",
        "relationshipType": "OTHER",
        "comment": "evident-by: indicates the package's existence is evident by the given file"
    },
    {
        "spdxElementId": "SPDXRef-Package-npm-array-flatten-cfb05003ba72ba14",
        "relatedSpdxElement": "SPDXRef-File-package-lock.json-fd71c2238fc07657",
        "relationshipType": "OTHER",
        "comment": "evident-by: indicates the package's existence is evident by the given file"
    }
]

What you expected to happen:

"relationships": [
    {
        "spdxElementId": "SPDXRef-DOCUMENT",
        "relatedSpdxElement": "SPDXRef-1-tiny-package-1.0.0",
        "relationshipType": "DESCRIBES"
    },
    {
        "spdxElementId": "SPDXRef-2-express-4.19.2",
        "relatedSpdxElement": "SPDXRef-1-tiny-package-1.0.0",
        "relationshipType": "DEPENDENCY_OF"
    },
    {
        "spdxElementId": "SPDXRef-3-accepts-1.3.8",
        "relatedSpdxElement": "SPDXRef-2-express-4.19.2",
        "relationshipType": "DEPENDENCY_OF"
    },
    {
        "spdxElementId": "SPDXRef-7-array-flatten-1.1.1",
        "relatedSpdxElement": "SPDXRef-2-express-4.19.2",
        "relationshipType": "DEPENDENCY_OF"
    },

Steps to reproduce the issue:

Anything else we need to know?:

Environment:

Application:    syft
Version:        1.10.0
BuildDate:      2024-07-30T16:02:52Z
GitCommit:      Homebrew
GitDescription: [not provided]
Platform:       darwin/arm64
GoVersion:      go1.22.5
Compiler:       gc

macOS Ventura 13.6

spiffcs commented 2 months ago

👋 Thanks for the issue @duranjesus. I reproduced this and agree that both the syft.json and SPDX format outputs should be more expressive. Currently we illustrate one direction on the graph with the CONTAINS relationship (tiny-package ---> *). We do not go the extra distance and do the opposite edge of DEPENDENCY_OF, where * ---> tiny-package.

I've put this in our work for someone to pick up to enhance both documents. Until then I hope the CONTAINS relationship can get you partially there when trying to describe how these packages are linked.

spiffcs commented 2 months ago

We talked about this on our live stream - https://www.youtube.com/watch?v=m0wG_LQUhPo

Short version: for this cataloger we're going to move away from CONTAINS and add in the bidirectional graph, adding these relationships in the way @duranjesus describes:

Relationship | Description | Example
-- | -- | --
DEPENDS_ON | Is to be used when SPDXRef-A depends on SPDXRef-B. | Package A depends on the presence of package B in order to build and run
DEPENDENCY_OF | Is to be used when SPDXRef-A is dependency of SPDXRef-B. |

cc @wagoodman if this is a breaking change and if we should keep the contains relationship and just tack on the newer dependencies when cataloging node packages
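The bidirectional graph described above (the expected DEPENDENCY_OF edges in the issue body and the DEPENDS_ON / DEPENDENCY_OF pair spiffcs proposes), as an added example that is not syft's code: it derives both edge types from a lockfileVersion 3 package-lock.json, resolving each dependency the way npm's nested node_modules layout does. The lockfile is constructed for this example (with an extra nested negotiator copy to show the resolution rule), and the simplified SPDXRef ids are an assumption, not syft's id scheme.

```python
import json
from typing import List, Tuple

# Constructed package-lock.json (lockfileVersion 3) for the "tiny-package"
# project from the issue. The nested negotiator entry is added so the
# resolver has a hoisted copy (0.6.2) and a nested copy (0.6.3) to pick from.
LOCK = json.loads("""{
  "name": "tiny-package", "version": "1.0.0", "lockfileVersion": 3,
  "packages": {
    "": {"name": "tiny-package", "version": "1.0.0",
         "dependencies": {"express": "^4.19.2"}},
    "node_modules/express": {"version": "4.19.2",
         "dependencies": {"accepts": "~1.3.8", "array-flatten": "1.1.1"}},
    "node_modules/accepts": {"version": "1.3.8",
         "dependencies": {"negotiator": "0.6.3"}},
    "node_modules/accepts/node_modules/negotiator": {"version": "0.6.3"},
    "node_modules/negotiator": {"version": "0.6.2"},
    "node_modules/array-flatten": {"version": "1.1.1"}
  }
}""")


def spdx_id(path: str, pkg: dict) -> str:
    """Hypothetical readable SPDX id: name-version taken from the lock entry."""
    name = pkg.get("name") or path.rsplit("node_modules/", 1)[-1]
    return f"SPDXRef-{name}-{pkg['version']}"


def resolve(packages: dict, from_path: str, dep: str) -> str:
    """Return the lockfile entry that satisfies `dep` for the package at
    `from_path`: the nearest nested node_modules copy wins, then we walk up
    one directory level at a time until the hoisted top-level copy."""
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{dep}" if base else f"node_modules/{dep}"
        if candidate in packages:
            return candidate
        if not base:
            raise KeyError(f"{dep} (needed by {from_path or 'root'}) not in lockfile")
        # drop the last "/node_modules/<name>" segment; "" once we hit the root
        base = base.rsplit("/node_modules/", 1)[0] if "/node_modules/" in base else ""


def relationships(lock: dict) -> List[Tuple[str, str, str]]:
    """Emit (spdxElementId, relatedSpdxElement, relationshipType) triples:
    a DEPENDS_ON edge per resolved dependency plus its DEPENDENCY_OF reverse."""
    packages = lock["packages"]
    edges = []
    for path, pkg in packages.items():
        for dep in pkg.get("dependencies", {}):
            target = resolve(packages, path, dep)
            a, b = spdx_id(path, pkg), spdx_id(target, packages[target])
            edges.append((a, b, "DEPENDS_ON"))
            edges.append((b, a, "DEPENDENCY_OF"))
    return edges
```

Comparing the DEPENDENCY_OF triples this produces against the relationships section of a syft SPDX document is a quick check for whether a given syft version emits the graph the issue asks for.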