Exclude devDependencies from package-lock.json parsing

cmd/syft/internal/test/integration/node_packages_test.go

@@ -25,7 +25,7 @@ func TestNpmPackageLockDirectory(t *testing.T) {
 	}
 
 	// ensure that integration test commonTestCases stay in sync with the available catalogers
-	const expectedPackageCount = 6
+	const expectedPackageCount = 2
 	if foundPackages.Size() != expectedPackageCount {
 		t.Errorf("found the wrong set of npm package-lock.json packages (expected: %d, actual: %d)", expectedPackageCount, foundPackages.Size())
 	}

syft/pkg/cataloger/javascript/parse_package_lock.go

@@ -29,6 +29,7 @@ type lockDependency struct {
 	Version   string `json:"version"`
 	Resolved  string `json:"resolved"`
 	Integrity string `json:"integrity"`
+	Dev       bool   `json:"dev"`
 }
 
 type lockPackage struct {
@@ -37,6 +38,7 @@ type lockPackage struct {
 	Resolved  string             `json:"resolved"`
 	Integrity string             `json:"integrity"`
 	License   packageLockLicense `json:"license"`
+	Dev       bool               `json:"dev"`
 }
 
 // packageLockLicense
@@ -74,6 +76,11 @@ func (a genericPackageLockAdapter) parsePackageLock(_ context.Context, resolver
 
 	if lock.LockfileVersion == 1 {
 		for name, pkgMeta := range lock.Dependencies {
+			// skip packages that are only present as a dev dependency
+			if pkgMeta.Dev {
+				continue
+			}
+
 			pkgs = append(pkgs, newPackageLockV1Package(a.cfg, resolver, reader.Location, name, pkgMeta))
 		}
 	}
@@ -87,6 +94,11 @@ func (a genericPackageLockAdapter) parsePackageLock(_ context.Context, resolver
 				name = pkgMeta.Name
 			}
 
+			// skip packages that are only present as a dev dependency
+			if pkgMeta.Dev {
+				continue
+			}
+
 			// handles alias names
 			if pkgMeta.Name != "" {
 				name = pkgMeta.Name

syft/pkg/cataloger/javascript/test-fixtures/pkg-lock/package-lock-2.json

@@ -9,6 +9,9 @@
             "version": "6.14.6",
             "dependencies": {
                 "@types/react": "^18.0.9"
+            },
+            "devDependencies": {
+                "async": "^3.2.4"
             }
         },
         "node_modules/@types/prop-types": {
@@ -39,6 +42,12 @@
             "resolved": "https://registry.npmjs.org/csstype/-/csstype-3.1.0.tgz",
             "integrity": "sha1-TdysNxjXh8+d8NG30VAzklyPKfI=",
             "license": "MIT"
+        },
+        "node_modules/async": {
+            "version": "3.2.4",
+            "resolved": "https://registry.npmjs.org/async/-/async-3.2.4.tgz",
+            "integrity": "sha512-iAB+JbDEGXhyIUavoDl9WP/Jj106Kz9DEn1DPgYw5ruDn0e3Wgi3sKFm55sASdGBNOQB8F59d9qQ7deqrHA8wQ==",
+            "dev": true
         }
     },
     "dependencies": {
@@ -66,6 +75,12 @@
             "version": "3.1.0",
             "resolved": "https://registry.npmjs.org/csstype/-/csstype-3.1.0.tgz",
             "integrity": "sha1-TdysNxjXh8+d8NG30VAzklyPKfI="
+        },
+        "async": {
+            "version": "3.2.4",
+            "resolved": "https://registry.npmjs.org/async/-/async-3.2.4.tgz",
+            "integrity": "sha512-iAB+JbDEGXhyIUavoDl9WP/Jj106Kz9DEn1DPgYw5ruDn0e3Wgi3sKFm55sASdGBNOQB8F59d9qQ7deqrHA8wQ==",
+            "dev": true
         }
     }
 }

syft/pkg/cataloger/javascript/test-fixtures/pkg-lock/package-lock-3.json

@@ -9,6 +9,9 @@
       "version": "1.0.0",
       "dependencies": {
         "@types/react": "^18.0.9"
+      },
+      "devDependencies": {
+        "async": "^3.2.4"
       }
     },
     "node_modules/@types/prop-types": {
@@ -35,6 +38,12 @@
       "version": "3.1.1",
       "resolved": "https://registry.npmjs.org/csstype/-/csstype-3.1.1.tgz",
       "integrity": "sha512-DJR/VvkAvSZW9bTouZue2sSxDwdTN92uHjqeKVm+0dAqdfNykRzQ95tay8aXMBAAPpUiq4Qcug2L7neoRh2Egw=="
+    },
+    "node_modules/async": {
+      "version": "3.2.4",
+      "resolved": "https://registry.npmjs.org/async/-/async-3.2.4.tgz",
+      "integrity": "sha512-iAB+JbDEGXhyIUavoDl9WP/Jj106Kz9DEn1DPgYw5ruDn0e3Wgi3sKFm55sASdGBNOQB8F59d9qQ7deqrHA8wQ==",
+      "dev": true
     }
   }
 }