This repository has been archived by the owner on Jan 13, 2025. It is now read-only.

NPM - No support for package-lock v2 files #231

Open
amithkk opened this issue Oct 3, 2021 · 0 comments
Labels
bug Something isn't working

Comments

amithkk (Contributor) commented Oct 3, 2021

Summary

As of February 2021, npm 7 is generally available. By default, npm 7 uses v2 lockfiles (which are backwards compatible but have a slightly different structure).

However, attempting to generate SBOMs with a package-lock generated by npm 7 causes a crash in spdx-sbom-generator. This has been attempted with node-red.

Background

Provide context to the issue - provide steps to reproduce the behavior, such as:

  1. Download spdx-sbom-generator version 0.0.15
  2. Clone repository https://github.com/node-red/node-red
  3. Install dependencies with npm i
  4. Run ./spdx-sbom-generator
  5. Observe the following error:
INFO[2021-10-03T16:10:31+05:30] Starting to generate SPDX ...
INFO[2021-10-03T16:10:31+05:30] Running generator for Module Manager: `npm` with output `bom-npm.spdx` 
INFO[2021-10-03T16:10:34+05:30] Current Language Version 7.24.1
panic: interface conversion: interface {} is string, not map[string]interface {}

goroutine 1 [running]:
github.com/spdx/spdx-sbom-generator/pkg/modules/npm.appendDependencies(0xc11bc0, 0xc000cd3c50, 0xc00220fe00)
        <PATH-REDACTED>/spdx-sbom-generator/pkg/modules/npm/handler.go:372 +0x285
github.com/spdx/spdx-sbom-generator/pkg/modules/npm.appendNestedDependencies(0xc000a0f6e0, 0x14c6d80)
        <PATH-REDACTED>/spdx-sbom-generator/pkg/modules/npm/handler.go:359 +0x2ce
github.com/spdx/spdx-sbom-generator/pkg/modules/npm.(*npm).buildDependencies(0xc00006e1e0, 0xc000028110, 0xa, 0xc000a0f6e0, 0xc000134428, 0xb6352b, 0xc0032d1b80, 0x1a, 0x1)
        <PATH-REDACTED>/spdx-sbom-generator/pkg/modules/npm/handler.go:209 +0x505
github.com/spdx/spdx-sbom-generator/pkg/modules/npm.(*npm).ListModulesWithDeps(0xc00006e1e0, 0xc000028110, 0xa, 0x0, 0x0, 0x1, 0x1, 0xccf860)
        <PATH-REDACTED>/spdx-sbom-generator/pkg/modules/npm/handler.go:185 +0x20e
github.com/spdx/spdx-sbom-generator/pkg/modules.(*Manager).Run(0xc000514040, 0x4, 0xd05a7f)
        <PATH-REDACTED>/spdx-sbom-generator/pkg/modules/modules.go:99 +0x15e
github.com/spdx/spdx-sbom-generator/pkg/handler.(*spdxHandler).Run(0xc000594180, 0xb, 0xc000028110)
        <PATH-REDACTED>/spdx-sbom-generator/pkg/handler/spdx.go:85 +0x35b
main.generate(0x14759c0, 0xc000332060, 0x0, 0x2)
        <PATH-REDACTED>/spdx-sbom-generator/cmd/generator/generator.go:118 +0x446
github.com/spf13/cobra.(*Command).execute(0x14759c0, 0xc00003e090, 0x2, 0x3, 0x14759c0, 0xc00003e090)
        <PATH-REDACTED>/spdx-sbom-generator/vendor/github.com/spf13/cobra/command.go:856 +0x2c2
github.com/spf13/cobra.(*Command).ExecuteC(0x14759c0, 0x44bd01, 0x0, 0x0)
        <PATH-REDACTED>/spdx-sbom-generator/vendor/github.com/spf13/cobra/command.go:960 +0x375
github.com/spf13/cobra.(*Command).Execute(...)
        <PATH-REDACTED>/spdx-sbom-generator/vendor/github.com/spf13/cobra/command.go:897
main.main()
        <PATH-REDACTED>/spdx-sbom-generator/cmd/generator/generator.go:39 +0x68

Expected behavior

The SBOM is generated

Repository

Which repository causes this error?

  • node-red
    (Any environment where npm v7 is installed)

Acceptance Criteria

The "done" criteria when this feature or problem is resolved. Such as:

When v2 lockfiles generated by NPM v7 can be used to generate SBOMs

References

Here is an example:
package-lock.json
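
The panic text in the trace, `interface conversion: interface {} is string, not map[string]interface {}`, is the Go runtime's message for an unchecked type assertion `x.(map[string]interface{})` that met a string. The following is an added example, not spdx-sbom-generator's code and not a reconstruction of its `handler.go`: a small parser that reads both the v1 layout (nested `dependencies` objects with `requires` maps) and the v2/v3 layout (a flat `packages` map keyed by install path, where each package's `dependencies` values are version-range strings rather than objects) and uses the checked `v, ok :=` form so a mismatched shape becomes an error instead of a crash. The two lockfiles are constructed samples, not taken from node-red, and the names `ParseLock`, `walk`, `asObject` and `Package` are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Package is the normalised record built from either lockfile layout.
type Package struct {
	Name, Version, Resolved, Integrity string
	Requires                           []string // names of direct dependencies
}

// Constructed samples, not taken from node-red: the same two packages in the v1 layout (nested
// "dependencies" objects) and in v2 ("packages" keyed by install path, whose "dependencies" values are strings).
const lockV1 = `{"name":"demo","version":"1.0.0","lockfileVersion":1,"dependencies":{
 "a":{"version":"1.2.3","resolved":"https://r.example/a.tgz","integrity":"sha512-AAAA","requires":{"b":"^2.0.0"},
      "dependencies":{"b":{"version":"2.0.1","resolved":"https://r.example/b.tgz","integrity":"sha512-BBBB"}}}}}`
const lockV2 = `{"name":"demo","version":"1.0.0","lockfileVersion":2,"packages":{
 "":{"name":"demo","version":"1.0.0","dependencies":{"a":"^1.0.0"}},
 "node_modules/a":{"version":"1.2.3","resolved":"https://r.example/a.tgz","integrity":"sha512-AAAA","dependencies":{"b":"^2.0.0"}},
 "node_modules/a/node_modules/b":{"version":"2.0.1","resolved":"https://r.example/b.tgz","integrity":"sha512-BBBB"}},
 "dependencies":{"a":{"version":"1.2.3","requires":{"b":"^2.0.0"},"dependencies":{"b":{"version":"2.0.1"}}}}}`

// asObject is the checked form of an unchecked v.(map[string]interface{}): a string where an
// object was expected becomes an error rather than a panic.
func asObject(v interface{}, where string) (map[string]interface{}, error) {
	m, ok := v.(map[string]interface{})
	if !ok {
		return nil, fmt.Errorf("%s: expected object, got %T", where, v)
	}
	return m, nil
}

func str(m map[string]interface{}, key string) string { s, _ := m[key].(string); return s }

// walk records every entry of m; v1 recurses into nested "dependencies" objects, v2/v3 is flat and its "dependencies" values are ranges.
func walk(m map[string]interface{}, v2 bool, out *[]Package) error {
	for key, v := range m {
		if key == "" {
			continue // v2 entry for the root project itself
		}
		e, err := asObject(v, key)
		if err != nil {
			return err
		}
		name, depsKey := key, "requires"
		if v2 {
			depsKey = "dependencies"
			if i := strings.LastIndex(key, "node_modules/"); i >= 0 {
				name = key[i+len("node_modules/"):] // keeps @scope/name intact
			}
		}
		p := Package{Name: name, Version: str(e, "version"), Resolved: str(e, "resolved"), Integrity: str(e, "integrity")}
		if deps, ok := e[depsKey].(map[string]interface{}); ok {
			for d := range deps {
				p.Requires = append(p.Requires, d)
			}
			sort.Strings(p.Requires)
		}
		*out = append(*out, p)
		if nested, ok := e["dependencies"].(map[string]interface{}); ok && !v2 {
			if err := walk(nested, false, out); err != nil {
				return err
			}
		}
	}
	return nil
}

// ParseLock accepts lockfileVersion 1, 2 and 3 and returns packages sorted by name and version.
func ParseLock(data []byte) ([]Package, error) {
	var root map[string]interface{}
	if err := json.Unmarshal(data, &root); err != nil {
		return nil, err
	}
	ver, _ := root["lockfileVersion"].(float64)
	key := "dependencies" // v1 nested tree
	if ver >= 2 {
		key = "packages" // v2/v3 flat map; the v1-shaped "dependencies" copy v2 also carries is ignored
	}
	m, err := asObject(root[key], key) // a missing top-level map is reported as malformed
	if err != nil {
		return nil, err
	}
	var out []Package
	if err := walk(m, ver >= 2, &out); err != nil {
		return nil, err
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Name+"@"+out[i].Version < out[j].Name+"@"+out[j].Version })
	return out, nil
}

func main() {
	pkgs, err := ParseLock([]byte(lockV2))
	fmt.Println(pkgs, err)
}
```

Both samples yield the same two records (a 1.2.3 requiring b, and b 2.0.1), which is the property an SBOM generator needs regardless of which npm wrote the lockfile; a string where an object is expected surfaces as a returned error naming the offending key, which is what the trace above should have been instead of a panic.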
