Incorrect value for the detected SBOM Component via manifest analysis

[spnzig]

Here is a SBOM component
{ "group": "", "name": "json5", "version": "2.1.1", "scope": "optional", "purl": "pkg:npm/[email protected]", "type": "library", "bom-ref": "pkg:npm/[email protected]", "evidence": { "identity": { "field": "purl", "confidence": 1, "methods": [ { "technique": "manifest-analysis", "confidence": 1, "value": "/path/gui/nodegui/package-lock.json" } ] } },

Value given in SBOM is "/path/gui/nodegui/package-lock.json".
'json5' is not mentioned directly anywhere in the file package-lock.json.

However, this library is present within
/path/gui/nodegui/node_modules/npm-normalize-package-bin/package-lock.json.

I understand cdxgen recursively scans and gives me an SBOM. But shouldn't the value then be set to /path/gui/nodegui/node_modules/npm-normalize-package-bin/package-lock.json?

[prabhu]

Any sample repo to reproduce this issue?

[spnzig]

It's a restricted access private git repo. But let me share the repo structure. Its a regular NPM folder structure with nodegui and node_modules folders. All the required npm packages are saved under the node_modules directory as subfolders.
The main package-lock.json file is under the nodegui folder, the corresponding sub folders under it /node_modules/npm-normalize-package-bin also has an additional package-lock.json with additional dependency information. CDXGEN is able to pick this up but the value reported is not correct.

When I grep for json5 I can see its occurrence in the below locations

1. path/gui/nodegui/node_modules/mime-db/db.json
2. path/gui/nodegui/node_modules/npm-normalize-package-bin/package-lock.json`  

> nodegui
       > node_modules
             > npm-normalize-package-bin
                      > package.json
                      > index.js
                      > package-lock.json
                      > README.md
             > cookie
             > cors
             > cookie-parser
             > .....
         > package-lock.json
         > package.json
         > .....
 

I invoked the cdxgen command to create the SBOM from the nodegui folder.
My intention of looking into the value field of the SBOM is to be able to track back to the file location where it is used/declared.