Open mgmgithubtest opened 3 years ago
ArchiveAnalyzer checks whether a file is "accepted" before extracting it: https://github.com/jeremylong/DependencyCheck/blob/2893c211442164b8a0576c6cd0229efd338603a3/core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java#L557-L559
AbstractNpmAnalyzer rejects files which are inside node_modules: https://github.com/jeremylong/DependencyCheck/blob/ab37c71265eac343a37dc3b749cfc22064be11a0/core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractNpmAnalyzer.java#L121-L129
```
DEBUG - Skipping analysis of node/bower module: /tmp/dctempb0929a55-0472-455e-977b-3b613287217f/check861646302956416460tmp/1/node_modules/ee-first/package.json 2021-03-01 17:52:29,382 org.owasp.dependencycheck.analyzer.AbstractNpmAnalyzer:127
```
Later, NodePackageAnalyzer tries to access files inside node_modules: https://github.com/jeremylong/DependencyCheck/blob/ab37c71265eac343a37dc3b749cfc22064be11a0/core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java#L341-L342
but these files are missing:
```
WARN - Unable to find node module: /tmp/dctempb0929a55-0472-455e-977b-3b613287217f/check861646302956416460tmp/1/node_modules/ee-first/package.json 2021-03-01 17:52:30,473 org.owasp.dependencycheck.analyzer.NodePackageAnalyzer:378
```
which will result in the gathering of weaker evidence instead of the normal call to gatherEvidence in AbstractNpmAnalyzer.
Therefore, the search results between a folder and the same folder as a zip will diverge.
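As an added illustration (not code from DependencyCheck or from the reporter), the following Python model reproduces the three steps described in the report: an accept filter that rejects node_modules paths, applied while an archive is extracted, and a later lookup that expects node_modules/<dep>/package.json to exist. The sample file tree, the version 1.1.1 and the "full"/"weak" evidence labels are constructed, and the function names are assumptions rather than the project's API; the model is generalized so any dependency listed in a package.json is checked, not only ee-first.

```python
import io
import json
import zipfile
from pathlib import PurePosixPath

# Constructed sample project (not from the issue): a root package.json that
# depends on "ee-first", plus the installed module under node_modules.
SAMPLE_FILES = {
    "app/package.json": json.dumps(
        {"name": "app", "dependencies": {"ee-first": "1.1.1"}}),
    "app/node_modules/ee-first/package.json": json.dumps(
        {"name": "ee-first", "version": "1.1.1"}),
}

def npm_accepts(path: str) -> bool:
    """Model of the AbstractNpmAnalyzer accept check: skip anything under node_modules."""
    return "node_modules" not in PurePosixPath(path).parts

def extract_archive(zip_bytes: bytes, accept) -> dict:
    """Model of ArchiveAnalyzer: only entries that an analyzer accepts get extracted."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {n: zf.read(n).decode() for n in zf.namelist() if accept(n)}

def resolve_dependencies(files: dict) -> dict:
    """Model of NodePackageAnalyzer: for each dependency of an accepted package.json look
    for node_modules/<dep>/package.json; "full" if found, "weak" if only fallback evidence."""
    evidence = {}
    for path, content in files.items():
        p = PurePosixPath(path)
        if p.name != "package.json" or not npm_accepts(path):
            continue
        for dep in json.loads(content).get("dependencies", {}):
            module = str(p.parent / "node_modules" / dep / "package.json")
            evidence[dep] = "full" if module in files else "weak"
    return evidence

def build_zip(files: dict) -> bytes:
    # Pack the sample tree into an in-memory zip, as if the folder had been zipped.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()

def scan_folder(files=SAMPLE_FILES) -> dict:
    """Directory scan: every file is on disk, so the node_modules lookup succeeds."""
    return resolve_dependencies(files)

def scan_zip(files=SAMPLE_FILES) -> dict:
    """Zip scan: the accept filter runs at extraction, so node_modules never lands on disk."""
    return resolve_dependencies(extract_archive(build_zip(files), npm_accepts))
```

Running scan_folder() and scan_zip() on the same sample tree yields "full" evidence for the folder and only "weak" evidence for the zip, which is the divergence the report describes.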
I see your point. However, the node package analyzer is being planned for deprecation. Some of its functionality will get pulled into other analyzers.