Fossa-cli can't handle npm aliases

[mouchar]

We need to scan npm project containing transient aliased dependency. The relevant part of the yarn.lock file looks like this:

monaco-languageclient@^2.1.0:
  version "2.1.0"
  resolved "https://registry.yarnpkg.com/monaco-languageclient/-/monaco-languageclient-2.1.0.tgz#4c69eeafb31003c9a2a5a5a0481e8cdae4a1c591"
  integrity sha512-Ps+G97MH8p/T7dk7NqJnDgub6x2+SiAmFR6rjUyJ2qdSGUNgg310bPD521rEPUTNKGfP7VwBggFjcnoGGCi0vg==
  dependencies:
    glob-to-regexp "0.4.1"
    vscode "npm:@codingame/monaco-vscode-api@~1.67.20"
    vscode-jsonrpc "8.0.2"
    vscode-languageclient "8.0.2"
    vscode-languageserver-textdocument "1.0.5"
    vscode-uri "3.0.3"

Note the @codingame/monaco-vscode-api package is aliased to vscode according to NPM docs.

The output from fossa analyze -o /path/to/app/src contains the following element in projects[0].graph.deps array:

{
  "locations": [
    "https://registry.yarnpkg.com/@codingame/monaco-vscode-api/-/monaco-vscode-api-1.67.20.tgz"
  ],
  "name": "vscode",
  "tags": {},
  "type": "NodeJSType",
  "version": {
    "type": "EQUAL",
    "value": "1.67.20"
  }
}

This is obviously wrong (see the "name" attribute) and the dependency could not be parsed on fossa server:

The expected outcome from the fossa-cli should look like:

{
  "tags": {},
  "name": "@codingame/monaco-vscode-api",
  "type": "NodeJSType",
  "locations": [
    "https://registry.yarnpkg.com/@codingame/monaco-vscode-api/-/monaco-vscode-api-1.67.20.tgz"
  ],
  "version": {
    "type": "EQUAL",
    "value": "1.67.20"
  }
}

Checked with the latest fossa-cli 3.4.7.

[meghfossa]

Thank you for reporting this defect. I have been able to reproduce it and have added it as a work item in our internal backlog.

Reference: https://fossa.atlassian.net/browse/ANE-616

I or someone from the team will update this thread once the patch lands.