feat: detect simplified repositories from `package.json` like structures

[lal12]

The package https://github.com/vercel/ms / https://www.npmjs.com/package/ms specifies "repository": "vercel/ms".
The npm website and cli utility interprets this as a relative url to github.

The SBOM includes the vcs_url as vercel/ms. So I wonder if https://github.com should be prepended in such cases? Maybe with an option to specify a default URL to prepend?

[jkowalleck]

@lal12 you are right, there is missing a feature to do the needed repository transformations.

As the original request was a bug report in https://github.com/CycloneDX/cyclonedx-webpack-plugin/
I will implement an interim fix there ASAP.

---

justification / case / context

current implementation simply applies the "repository", and does not do the simplified-repository-rules that package managers know about.

• read https://docs.npmjs.com/cli/v9/configuring-npm/package-json/
• see https://docs.npmjs.com/cli/v9/configuring-npm/package-json
  especially:

For GitHub, GitHub gist, Bitbucket, or GitLab repositories you can use the same shortcut syntax you use for npm install:

{
  "repository": "npm/npm", // -> https://github.com/npm/npm
  "repository": "github:user/repo", // -> https://github.com/npm/npm
  "repository": "gist:3816096", // -> https://gist.github.com/3816096
  "repository": "gist:user/3816096", // -> https://gist.github.com/user/3816096
  "repository": "bitbucket:user/repo", // -> https://bitbucket.org/user/repo
  "repository": "gitlab:user/repo", // -> https://gitlab.com/user/repo
}

read https://github.com/npm/normalize-package-data

[jkowalleck]

@lal12 are you willing to contribute the missing feature based on #517 (comment)?

if so, then please follow the guidelines: https://github.com/CycloneDX/cyclonedx-javascript-library/blob/main/CONTRIBUTING.md
current implementation can be found here:

cyclonedx-javascript-library/src/factories/fromNodePackageJson.node.ts

Lines 62 to 65 in 2488ec6

	} else {
	url = repository
	comment = 'as detected from PackageJson property "repository"'
	}

PS: there is not no actual need for action. I will implement a fix in the downstream implementations that do the needed normalization.
See #517 (comment)

[jkowalleck]

The solution will not be to implement the needed normalization here,
but to enrich the documentations, and make downstream users aware, that they should to needed normalization.
Therefore, the docs will be enhanced, and a new release will make users aware of it.