From f7aeaf3cc51c183053744a57c2aa808c512cdc58 Mon Sep 17 00:00:00 2001 From: ARRY7686 Date: Mon, 30 Sep 2024 02:14:18 +0530 Subject: [PATCH 1/4] changed devDependencies component.scope to excluded solving the issue 1151 --- src/builders.ts | 52 ++++++++++++++++++++++++++++++++----------------- 1 file changed, 34 insertions(+), 18 deletions(-) diff --git a/src/builders.ts b/src/builders.ts index c925094d..91f5f11f 100644 --- a/src/builders.ts +++ b/src/builders.ts @@ -418,6 +418,7 @@ export class BomBuilder { */ private readonly resolvedRE_ignore = /^(?:ignore|file):/i + // private makeComponent (data: any, type?: Enums.ComponentType | undefined): Models.Component | false | undefined { // older npm-ls versions (v6) hide properties behind a `_` const isOptional = (data.optional ?? data._optional) === true @@ -428,9 +429,24 @@ export class BomBuilder { // older npm-ls versions (v6) hide properties behind a `_` const isDev = (data.dev ?? data._development) === true - if (isDev && this.omitDependencyTypes.has('dev')) { - this.console.debug('DEBUG | omit dev component: %j %j', data.name, data._id) - return false + // if (isDev && this.omitDependencyTypes.has('dev')) { + // this.console.debug('DEBUG | omit dev component: %j %j', data.name, data._id) + // return false + // } + + // Initialize component with a default value + let component: Models.Component | undefined = undefined; + + // Modify the component's scope for devDependencies + if (isDev) { + // Set the scope of dev dependencies to 'Excluded' + component = this.componentBuilder.makeComponent(data, type); + if (component) { + component.scope = Enums.ComponentScope.Excluded; // This line ensures dev dependencies are marked as excluded + } + } else { + // Handle other component logic (omitted for brevity) + component = this.componentBuilder.makeComponent(data, type); } // attention: `data.devOptional` are not to be skipped with devs, since they are still required by optionals. 
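Review bot: In the `@@ -428,9 +429,24 @@` hunk the `Excluded` scope is set on a component that is never returned: it is assigned to the result of a new `this.componentBuilder.makeComponent(data, type)` call on the raw npm-ls node, while the method goes on to build `newComponent` from the normalized `_dataC` copy in the next hunk and returns that one, so the first component and its scope are discarded. At the same time the `this.omitDependencyTypes.has('dev')` early return is commented out rather than kept, which silently changes what a caller that asked to omit dev dependencies gets (they are now emitted instead of dropped); if that is the intent behind issue 1151 it belongs in the commit description, otherwise the gate should stay. I would drop the extra `makeComponent` call and apply the scope once, to the component that is actually returned, after the existing Optional branch: `} else if (isDev) { newComponent.scope = Enums.ComponentScope.Excluded }`, so a devOptional dependency still ends up Optional as the `isOptional || isDevOptional` branch decides today. The commented-out block should be deleted rather than left as dead text. `makeComponent` starts before this hunk and its body continues past it.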
@@ -453,48 +469,48 @@ export class BomBuilder { } // endregion fix normalizations - const component = this.componentBuilder.makeComponent( + const newComponent = this.componentBuilder.makeComponent( _dataC as normalizePackageData.Package, type ) - if (component === undefined) { + if (newComponent === undefined) { this.console.debug('DEBUG | skip broken component: %j %j', data.name, data._id) return undefined } - component.licenses.forEach(l => { + newComponent.licenses.forEach(l => { l.acknowledgement = Enums.LicenseAcknowledgement.Declared }) if (isOptional || isDevOptional) { - component.scope = Enums.ComponentScope.Optional + newComponent.scope = Enums.ComponentScope.Optional } // region properties if (isString(data.path)) { - component.properties.add( + newComponent.properties.add( new Models.Property(PropertyNames.PackageInstallPath, data.path as string) ) } if (isDev || isDevOptional) { - component.properties.add( + newComponent.properties.add( new Models.Property(PropertyNames.PackageDevelopment, PropertyValueBool.True) ) } if (data.extraneous === true) { - component.properties.add( + newComponent.properties.add( new Models.Property(PropertyNames.PackageExtraneous, PropertyValueBool.True) ) } if (data.private === true || _dataC.private === true) { - component.properties.add( + newComponent.properties.add( new Models.Property(PropertyNames.PackagePrivate, PropertyValueBool.True) ) } // older npm-ls versions (v6) hide properties behind a `_` if ((data.inBundle ?? data._inBundle) === true) { - component.properties.add( + newComponent.properties.add( new Models.Property(PropertyNames.PackageBundled, PropertyValueBool.True) ) } @@ -519,7 +535,7 @@ export class BomBuilder { } } } - component.externalReferences.add( + newComponent.externalReferences.add( new Models.ExternalReference( tryRemoveSecretsFromUrl(resolved), Enums.ExternalReferenceType.Distribution, 
@@ -533,16 +549,16 @@ export class BomBuilder { } // even private packages may have a PURL for identification - component.purl = this.makePurl(component) + newComponent.purl = this.makePurl(newComponent) /* eslint-disable @typescript-eslint/strict-boolean-expressions, @typescript-eslint/prefer-nullish-coalescing -- since empty-string handling is needed */ - component.bomRef.value = (isString(data._id) ? data._id : undefined) || - `${component.group || '-'}/${component.name}@${component.version || '-'}` + newComponent.bomRef.value = (isString(data._id) ? data._id : undefined) || + `${newComponent.group || '-'}/${newComponent.name}@${newComponent.version || '-'}` /* eslint-enable @typescript-eslint/strict-boolean-expressions, @typescript-eslint/prefer-nullish-coalescing */ - return component - } + return newComponent +} private makePurl (component: Models.Component): PackageURL | undefined { const purl = this.purlFactory.makeFromComponent(component, this.reproducible) From d7827017f1e5276cc5f7990ee1c3503e7912ca8d Mon Sep 17 00:00:00 2001 From: ARRY7686 Date: Tue, 1 Oct 2024 19:14:59 +0530 Subject: [PATCH 2/4] fixed the changes requested by the reviewer Signed-off-by: ARRY7686 aadigupta2007@yahoo.com --- src/builders.ts | 47 ++++++++++++++++++++--------------------------- 1 file changed, 20 insertions(+), 27 deletions(-) diff --git a/src/builders.ts b/src/builders.ts index 91f5f11f..e4faedbe 100644 --- a/src/builders.ts +++ b/src/builders.ts 
@@ -429,25 +429,18 @@ export class BomBuilder {
 // older npm-ls versions (v6) hide properties behind a `_`
 const isDev = (data.dev ?? data._development) === true
- // if (isDev && this.omitDependencyTypes.has('dev')) {
- // this.console.debug('DEBUG | omit dev component: %j %j', data.name, data._id)
- // return false
- // }
+
 // Initialize component with a default value
 let component: Models.Component | undefined = undefined;
+ // Handle other component logic (omitted for brevity)
+ component = this.componentBuilder.makeComponent(data, type);
+
 // Modify the component's scope for devDependencies
- if (isDev) {
- // Set the scope of dev dependencies to 'Excluded'
- component = this.componentBuilder.makeComponent(data, type);
- if (component) {
+ if (isDev && component) {
 component.scope = Enums.ComponentScope.Excluded; // This line ensures dev dependencies are marked as excluded
- }
- } else {
- // Handle other component logic (omitted for brevity)
- component = this.componentBuilder.makeComponent(data, type);
- }
+ }
 // attention: `data.devOptional` are not to be skipped with devs, since they are still required by optionals.
 const isDevOptional = data.devOptional === true
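Review bot: Moving the `makeComponent(data, type)` call ahead of the `isDev` check does not fix the underlying problem: `component` is reassigned from the normalized `_dataC` copy in the following hunk, so the `Excluded` scope assigned here is still thrown away and the returned component is built twice. The early call also runs on the un-normalized `data`, before the "fix normalizations" region that the rest of the method deliberately works from. The removed `this.omitDependencyTypes.has('dev')` gate still has no replacement in this version, so asking to omit dev dependencies no longer drops them. Remove the early call and set the scope once on the final component, e.g. `} else if (isDev) { component.scope = Enums.ComponentScope.Excluded }` after the Optional branch. `makeComponent` begins before this hunk and continues past it.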
@@ -469,48 +462,48 @@ export class BomBuilder { } // endregion fix normalizations - const newComponent = this.componentBuilder.makeComponent( + component = this.componentBuilder.makeComponent( _dataC as normalizePackageData.Package, type ) - if (newComponent === undefined) { + if (component === undefined) { this.console.debug('DEBUG | skip broken component: %j %j', data.name, data._id) return undefined } - newComponent.licenses.forEach(l => { + component.licenses.forEach(l => { l.acknowledgement = Enums.LicenseAcknowledgement.Declared }) if (isOptional || isDevOptional) { - newComponent.scope = Enums.ComponentScope.Optional + component.scope = Enums.ComponentScope.Optional } // region properties if (isString(data.path)) { - newComponent.properties.add( + component.properties.add( new Models.Property(PropertyNames.PackageInstallPath, data.path as string) ) } if (isDev || isDevOptional) { - newComponent.properties.add( + component.properties.add( new Models.Property(PropertyNames.PackageDevelopment, PropertyValueBool.True) ) } if (data.extraneous === true) { - newComponent.properties.add( + component.properties.add( new Models.Property(PropertyNames.PackageExtraneous, PropertyValueBool.True) ) } if (data.private === true || _dataC.private === true) { - newComponent.properties.add( + component.properties.add( new Models.Property(PropertyNames.PackagePrivate, PropertyValueBool.True) ) } // older npm-ls versions (v6) hide properties behind a `_` if ((data.inBundle ?? data._inBundle) === true) { - newComponent.properties.add( + component.properties.add( new Models.Property(PropertyNames.PackageBundled, PropertyValueBool.True) ) } @@ -535,7 +528,7 @@ export class BomBuilder { } } } - newComponent.externalReferences.add( + component.externalReferences.add( new Models.ExternalReference( tryRemoveSecretsFromUrl(resolved), Enums.ExternalReferenceType.Distribution, 
@@ -549,15 +542,15 @@ export class BomBuilder { } // even private packages may have a PURL for identification - newComponent.purl = this.makePurl(newComponent) + component.purl = this.makePurl(component) /* eslint-disable @typescript-eslint/strict-boolean-expressions, @typescript-eslint/prefer-nullish-coalescing -- since empty-string handling is needed */ - newComponent.bomRef.value = (isString(data._id) ? data._id : undefined) || - `${newComponent.group || '-'}/${newComponent.name}@${newComponent.version || '-'}` + component.bomRef.value = (isString(data._id) ? data._id : undefined) || + `${component.group || '-'}/${component.name}@${component.version || '-'}` /* eslint-enable @typescript-eslint/strict-boolean-expressions, @typescript-eslint/prefer-nullish-coalescing */ - return newComponent + return component } private makePurl (component: Models.Component): PackageURL | undefined { From 5e8b0225d90e11bb22f0fdd9516249227e3c77f1 Mon Sep 17 00:00:00 2001 From: ARRY7686 Date: Tue, 1 Oct 2024 19:14:59 +0530 Subject: [PATCH 3/4] fixed the changes requested by the reviewer Signed-off-by: ARRY7686 aadigupta2007@yahoo.com Signed-off-by: ARRY7686 --- src/builders.ts | 47 ++++++++++++++++++++--------------------------- 1 file changed, 20 insertions(+), 27 deletions(-) diff --git a/src/builders.ts b/src/builders.ts index 91f5f11f..e4faedbe 100644 --- a/src/builders.ts +++ b/src/builders.ts 
@@ -429,25 +429,18 @@ export class BomBuilder {
 // older npm-ls versions (v6) hide properties behind a `_`
 const isDev = (data.dev ?? data._development) === true
- // if (isDev && this.omitDependencyTypes.has('dev')) {
- // this.console.debug('DEBUG | omit dev component: %j %j', data.name, data._id)
- // return false
- // }
+
 // Initialize component with a default value
 let component: Models.Component | undefined = undefined;
+ // Handle other component logic (omitted for brevity)
+ component = this.componentBuilder.makeComponent(data, type);
+
 // Modify the component's scope for devDependencies
- if (isDev) {
- // Set the scope of dev dependencies to 'Excluded'
- component = this.componentBuilder.makeComponent(data, type);
- if (component) {
+ if (isDev && component) {
 component.scope = Enums.ComponentScope.Excluded; // This line ensures dev dependencies are marked as excluded
- }
- } else {
- // Handle other component logic (omitted for brevity)
- component = this.componentBuilder.makeComponent(data, type);
- }
+ }
 // attention: `data.devOptional` are not to be skipped with devs, since they are still required by optionals.
 const isDevOptional = data.devOptional === true
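Review bot: This patch is byte-for-byte the same change as [PATCH 2/4] (same blob ids `91f5f11f..e4faedbe`, identical hunks), so it adds nothing and should be squashed out of the series before merge. Its commit record also carries two Signed-off-by trailers, one without angle brackets around the address and one without any address; presumably a DCO check expects a single `Name <email>` trailer, so that is worth fixing in the same squash. Everything raised on patch 2 applies here unchanged.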
@@ -469,48 +462,48 @@ export class BomBuilder { } // endregion fix normalizations - const newComponent = this.componentBuilder.makeComponent( + component = this.componentBuilder.makeComponent( _dataC as normalizePackageData.Package, type ) - if (newComponent === undefined) { + if (component === undefined) { this.console.debug('DEBUG | skip broken component: %j %j', data.name, data._id) return undefined } - newComponent.licenses.forEach(l => { + component.licenses.forEach(l => { l.acknowledgement = Enums.LicenseAcknowledgement.Declared }) if (isOptional || isDevOptional) { - newComponent.scope = Enums.ComponentScope.Optional + component.scope = Enums.ComponentScope.Optional } // region properties if (isString(data.path)) { - newComponent.properties.add( + component.properties.add( new Models.Property(PropertyNames.PackageInstallPath, data.path as string) ) } if (isDev || isDevOptional) { - newComponent.properties.add( + component.properties.add( new Models.Property(PropertyNames.PackageDevelopment, PropertyValueBool.True) ) } if (data.extraneous === true) { - newComponent.properties.add( + component.properties.add( new Models.Property(PropertyNames.PackageExtraneous, PropertyValueBool.True) ) } if (data.private === true || _dataC.private === true) { - newComponent.properties.add( + component.properties.add( new Models.Property(PropertyNames.PackagePrivate, PropertyValueBool.True) ) } // older npm-ls versions (v6) hide properties behind a `_` if ((data.inBundle ?? data._inBundle) === true) { - newComponent.properties.add( + component.properties.add( new Models.Property(PropertyNames.PackageBundled, PropertyValueBool.True) ) } @@ -535,7 +528,7 @@ export class BomBuilder { } } } - newComponent.externalReferences.add( + component.externalReferences.add( new Models.ExternalReference( tryRemoveSecretsFromUrl(resolved), Enums.ExternalReferenceType.Distribution, 
@@ -549,15 +542,15 @@ export class BomBuilder { } // even private packages may have a PURL for identification - newComponent.purl = this.makePurl(newComponent) + component.purl = this.makePurl(component) /* eslint-disable @typescript-eslint/strict-boolean-expressions, @typescript-eslint/prefer-nullish-coalescing -- since empty-string handling is needed */ - newComponent.bomRef.value = (isString(data._id) ? data._id : undefined) || - `${newComponent.group || '-'}/${newComponent.name}@${newComponent.version || '-'}` + component.bomRef.value = (isString(data._id) ? data._id : undefined) || + `${component.group || '-'}/${component.name}@${component.version || '-'}` /* eslint-enable @typescript-eslint/strict-boolean-expressions, @typescript-eslint/prefer-nullish-coalescing */ - return newComponent + return component } private makePurl (component: Models.Component): PackageURL | undefined { From 21816970c9e2bec49614e41a8146174fd5a6c813 Mon Sep 17 00:00:00 2001 From: ARRY7686 Date: Tue, 1 Oct 2024 21:48:14 +0530 Subject: [PATCH 4/4] fix the issues again --- src/builders.ts | 21 +++++++++---------- .../local-dependencies_from-setup.snap.json | 10 ++++----- .../local-dependencies_from-setup.snap.xml | 10 ++++----- .../local-dependencies_from-setup.snap.json | 10 ++++----- .../local-dependencies_from-setup.snap.xml | 10 ++++----- 5 files changed, 30 insertions(+), 31 deletions(-) diff --git a/src/builders.ts b/src/builders.ts index e4faedbe..aaea028f 100644 --- a/src/builders.ts +++ b/src/builders.ts 
@@ -17,7 +17,9 @@ SPDX-License-Identifier: Apache-2.0
 Copyright (c) OWASP Foundation. All Rights Reserved.
 */
-import { type Builders, Enums, type Factories, Models, Utils } from '@cyclonedx/cyclonedx-library'
+import type { Builders, Factories } from '@cyclonedx/cyclonedx-library'
+import { Enums, Models, Utils } from '@cyclonedx/cyclonedx-library'
+import type { PackageJson } from '@cyclonedx/cyclonedx-library/dist.d/_helpers/packageJson'
 import { existsSync } from 'fs'
 import * as normalizePackageData from 'normalize-package-data'
 import { type PackageURL } from 'packageurl-js'
@@ -418,7 +420,6 @@ export class BomBuilder {
 */
 private readonly resolvedRE_ignore = /^(?:ignore|file):/i
- //
 private makeComponent (data: any, type?: Enums.ComponentType | undefined): Models.Component | false | undefined {
 // older npm-ls versions (v6) hide properties behind a `_`
 const isOptional = (data.optional ?? data._optional) === true
@@ -430,17 +431,15 @@ export class BomBuilder {
 // older npm-ls versions (v6) hide properties behind a `_`
 const isDev = (data.dev ?? data._development) === true
- // Initialize component with a default value
- let component: Models.Component | undefined = undefined;
+ let component: Models.Component | undefined
 // Handle other component logic (omitted for brevity)
- component = this.componentBuilder.makeComponent(data, type);
-
+ component = this.componentBuilder.makeComponent(data as PackageJson, type)
 // Modify the component's scope for devDependencies
- if (isDev && component) {
- component.scope = Enums.ComponentScope.Excluded; // This line ensures dev dependencies are marked as excluded
- }
+ if (isDev && component !== undefined) {
+ component.scope = Enums.ComponentScope.Excluded // This line ensures dev dependencies are marked as excluded
+ }
 // attention: `data.devOptional` are not to be skipped with devs, since they are still required by optionals.
 const isDevOptional = data.devOptional === true
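Review bot: `import type { PackageJson } from '@cyclonedx/cyclonedx-library/dist.d/_helpers/packageJson'` reaches into the library's build-output internals (`dist.d/_helpers`) rather than a public export, so any library release that reorganises its internals breaks this build, and the only reason it is needed is the `data as PackageJson` cast on an `any` value. That cast exists to feed the raw npm-ls node to `makeComponent` before the normalization region, and the component produced there is replaced in the next hunk (`component = this.componentBuilder.makeComponent(_dataC …)`), so the `Excluded` scope set here is lost anyway. Drop the deep import, the cast and the first `makeComponent` call, and set the scope on the normalized component after the existing Optional branch: `} else if (isDev) { component.scope = Enums.ComponentScope.Excluded }`. With that, `let component: Models.Component | undefined` followed by an immediate reassignment can return to the `const` that patch 1 removed. The `// Handle other component logic (omitted for brevity)` comment describes nothing in the file and should be deleted.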
@@ -462,7 +461,7 @@ export class BomBuilder { } // endregion fix normalizations - component = this.componentBuilder.makeComponent( + component = this.componentBuilder.makeComponent( _dataC as normalizePackageData.Package, type ) @@ -551,7 +550,7 @@ export class BomBuilder { /* eslint-enable @typescript-eslint/strict-boolean-expressions, @typescript-eslint/prefer-nullish-coalescing */ return component -} + } private makePurl (component: Models.Component): PackageURL | undefined { const purl = this.purlFactory.makeFromComponent(component, this.reproducible) diff --git a/tests/_data/sbom_demo-results/bare/local-dependencies_from-setup.snap.json b/tests/_data/sbom_demo-results/bare/local-dependencies_from-setup.snap.json index 72919e06..e938f815 100644 --- a/tests/_data/sbom_demo-results/bare/local-dependencies_from-setup.snap.json +++ b/tests/_data/sbom_demo-results/bare/local-dependencies_from-setup.snap.json @@ -144,9 +144,9 @@ }, { "type": "library", - "name": "my-local-b", + "name": "my-local-b-off", "version": "0.0.0", - "bom-ref": "my-local-b@0.0.0", + "bom-ref": "my-local-b-off@0.0.0", "description": "demo: my-local-b-off - a package with a different name than its dir", "licenses": [ { @@ -156,7 +156,7 @@ } } ], - "purl": "pkg:npm/my-local-b@0.0.0?vcs_url=git%2Bssh%3A//git%40github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project/packages/my-local-b", + "purl": "pkg:npm/my-local-b-off@0.0.0?vcs_url=git%2Bssh%3A//git%40github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project/packages/my-local-b", "externalReferences": [ { "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues", @@ -240,11 +240,11 @@ { "ref": "my-local-a@0.0.0", "dependsOn": [ - "my-local-b@0.0.0" + "my-local-b-off@0.0.0" ] }, { - "ref": "my-local-b@0.0.0" + "ref": "my-local-b-off@0.0.0" }, { "ref": "my-noname@0.0.0" 
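Review bot: The snapshot hunks in this commit rename the local package from `my-local-b` to `my-local-b-off` in name, bom-ref, purl and the dependency graph, which the stated purpose (dev-dependency scope) does not explain; a scope change should not alter component identity. Presumably this is a side effect of the extra `this.componentBuilder.makeComponent(data as PackageJson, type)` call on the raw node, or the fixtures were regenerated from an unrelated state, and either way it needs to be confirmed before the snapshots are accepted, since bom-ref and purl changes break consumers that key on them. The `@@ -462,7 +461,7 @@` hunk shows the returned component is still the one built from `_dataC`, which argues for removing the earlier call rather than updating the snapshots.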
diff --git a/tests/_data/sbom_demo-results/bare/local-dependencies_from-setup.snap.xml b/tests/_data/sbom_demo-results/bare/local-dependencies_from-setup.snap.xml index 1b89af22..d6a29402 100644 --- a/tests/_data/sbom_demo-results/bare/local-dependencies_from-setup.snap.xml +++ b/tests/_data/sbom_demo-results/bare/local-dependencies_from-setup.snap.xml @@ -105,8 +105,8 @@ true - - my-local-b + + my-local-b-off 0.0.0 demo: my-local-b-off - a package with a different name than its dir @@ -114,7 +114,7 @@ Apache-2.0 - pkg:npm/my-local-b@0.0.0?vcs_url=git%2Bssh%3A//git%40github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project/packages/my-local-b + pkg:npm/my-local-b-off@0.0.0?vcs_url=git%2Bssh%3A//git%40github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project/packages/my-local-b https://github.com/CycloneDX/cyclonedx-node-npm/issues @@ -170,9 +170,9 @@ - + - + \ No newline at end of file diff --git a/tests/_data/sbom_demo-results/flatten-components/local-dependencies_from-setup.snap.json b/tests/_data/sbom_demo-results/flatten-components/local-dependencies_from-setup.snap.json index 72919e06..e938f815 100644 --- a/tests/_data/sbom_demo-results/flatten-components/local-dependencies_from-setup.snap.json +++ b/tests/_data/sbom_demo-results/flatten-components/local-dependencies_from-setup.snap.json @@ -144,9 +144,9 @@ }, { "type": "library", - "name": "my-local-b", + "name": "my-local-b-off", "version": "0.0.0", - "bom-ref": "my-local-b@0.0.0", + "bom-ref": "my-local-b-off@0.0.0", "description": "demo: my-local-b-off - a package with a different name than its dir", "licenses": [ { 
@@ -156,7 +156,7 @@ } } ], - "purl": "pkg:npm/my-local-b@0.0.0?vcs_url=git%2Bssh%3A//git%40github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project/packages/my-local-b", + "purl": "pkg:npm/my-local-b-off@0.0.0?vcs_url=git%2Bssh%3A//git%40github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project/packages/my-local-b", "externalReferences": [ { "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues", @@ -240,11 +240,11 @@ { "ref": "my-local-a@0.0.0", "dependsOn": [ - "my-local-b@0.0.0" + "my-local-b-off@0.0.0" ] }, { - "ref": "my-local-b@0.0.0" + "ref": "my-local-b-off@0.0.0" }, { "ref": "my-noname@0.0.0" diff --git a/tests/_data/sbom_demo-results/flatten-components/local-dependencies_from-setup.snap.xml b/tests/_data/sbom_demo-results/flatten-components/local-dependencies_from-setup.snap.xml index 1b89af22..d6a29402 100644 --- a/tests/_data/sbom_demo-results/flatten-components/local-dependencies_from-setup.snap.xml +++ b/tests/_data/sbom_demo-results/flatten-components/local-dependencies_from-setup.snap.xml @@ -105,8 +105,8 @@ true - - my-local-b + + my-local-b-off 0.0.0 demo: my-local-b-off - a package with a different name than its dir @@ -114,7 +114,7 @@ Apache-2.0 - pkg:npm/my-local-b@0.0.0?vcs_url=git%2Bssh%3A//git%40github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project/packages/my-local-b + pkg:npm/my-local-b-off@0.0.0?vcs_url=git%2Bssh%3A//git%40github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project/packages/my-local-b https://github.com/CycloneDX/cyclonedx-node-npm/issues @@ -170,9 +170,9 @@ - + - + \ No newline at end of file