ZERO npm dependencies discovered if any npm dependency has an array as a license

[Mikcl]

Please provide a set of steps on how to reproduce the issue

1. Create a package.json with the following a package that has a deprecated license:

pause stream for example has 3 million weekly downloads, and a depreacted license it seems.

{
  "name": "tmp",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {
    "pause-stream": "0.0.11"
  }
}

2. generate the package-lock.json via npm install --package-lock-only

You will see something like the following in the package-lock.json (note the deprecated license evaluated):

requires": true,
  "packages": {
    "": {
      "name": "tmp",
      "version": "1.0.0",
      "license": "ISC",
      "dependencies": {
        "pause-stream": "0.0.11"
      }
    },
    "node_modules/pause-stream": {
      "version": "0.0.11",
      ....
      "license": [
        "MIT",
        "Apache2"
      ],
      "dependencies": {
        "through": "~2.3"
      }
    },
    ....

3. run syft . in the same directory.

What happened:

✔ Indexed .
 ✔ Cataloged packages      [0 packages]
No packages discovered

This happens even when there are numerous packages in the dependencies. i.e ZERO packages are discovered. Not pause-stream, nor its dependencies, or any other packages specified in package.json/package-lock.json prior to running syft.

What you expected to happen:

I would expect syft to find all the packages regardless of whether the licencse section is deprecated or not (possibly even if it is invalid?)

https://docs.npmjs.com/cli/v9/configuring-npm/package-json#license

Anything else we need to know?:

This is particualrly high importance as this would mean syft misses all of the npm dependencies if only one is "misformatted". No error is raised, only a warning when running in verbose mode.

WARN cataloger failed cataloger=javascript-lock-cataloger error=failed to parse package-lock.json file: json: cannot unmarshal array into Go struct field lockPackage.Packages.license of type string location=/home/[...redacted...]/package-lock.json

Happended for lockfileVersion: 2 however believe it occurs for version 1 and perhaps 3. Additioanlly there are likely many similar ways to cause 0 packages to be discovered. (make the unmarhalling step fail).

Environment:

• Output of syft version: 0.62.1 (same with latest)
• OS (e.g: cat /etc/os-release or similar):

[Mikcl]

Updated the title to reflect that its not just "deprecated" syntax but modern sytax can also be effected.

syft expects the license to always be a string but it could (valid) be evaulated as an array.