Missed dependencies due to incorrect extraneous attribute assigned by `read-installed`
When trying cyclonedx-bom both with and without the -d parameter in one of our internal big repos at my workplace, I found that this script missed many dependencies. This results in missing a lot of vulnerabilities when processing the BOM file with tools like OWASP Dependency-Track.
After some debugging, I found that the root cause is that some dependencies are marked as extraneous by read-installed, even though the dependency is not in devDependencies. Even when I run the script with the -d parameter, many devDependencies are also missed because their extraneous attribute is set to true.
This is problematic because this script relies on the extraneous attribute to include/exclude the package:
```javascript
createComponent(pkg, list, lockfile, isRootPkg = false) {
  // read-installed with default options marks devDependencies as extraneous
  // if a package is marked as extraneous, do not include it as a component
  if (pkg.extraneous) return;
  ...
}
```
I haven't investigated why read-installed incorrectly sets the extraneous attribute of some dependencies, but this library has actually not been maintained for 6 years. The repo is already archived with some unresolved issues. For the continuity of this project, I suggest finding another way to read installed dependencies.
As a workaround, can we add an option parameter to bypass `if (pkg.extraneous) return;`?
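One way to measure the gap described above is to cross-check the generated BOM against the lockfile, so that every package silently dropped as "extraneous" shows up as a concrete missing entry. This is an added example, not code from cyclonedx-bom; it assumes a lockfile v1-style nested `dependencies` tree and a CycloneDX JSON `components` array, both constructed inline here.

```javascript
// Walk a lockfile v1-style nested dependencies tree (name -> {version, dev, dependencies})
// and collect every installed package as "name@version".
// `includeDev` controls whether entries flagged `dev: true` are expected in the
// BOM, mirroring whether cyclonedx-bom was run with -d.
function expectedFromLockfile(lock, includeDev) {
  const out = new Set();
  const walk = (deps) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (meta.dev && !includeDev) continue;
      out.add(`${name}@${meta.version}`);
      walk(meta.dependencies); // nested (non-hoisted) dependencies
    }
  };
  walk(lock.dependencies);
  return out;
}

// Return the sorted list of lockfile packages that are absent from the BOM.
// A non-empty result means the SBOM under-reports the dependency tree, and
// any scanner fed with it (e.g. Dependency-Track) will miss those packages.
function missingComponents(lock, bom, includeDev) {
  const present = new Set((bom.components || []).map((c) => `${c.name}@${c.version}`));
  return [...expectedFromLockfile(lock, includeDev)]
    .filter((pkg) => !present.has(pkg))
    .sort();
}

// Constructed sample data (hypothetical versions, not from any real project).
const SAMPLE_LOCK = {
  dependencies: {
    express: { version: '4.18.2', dependencies: { 'body-parser': { version: '1.20.1' } } },
    lodash: { version: '4.17.21' },
    jest: { version: '29.0.0', dev: true },
  },
};
// BOM as cyclonedx-bom would emit it if body-parser and lodash had been
// wrongly marked extraneous and therefore skipped by createComponent.
const SAMPLE_BOM = {
  bomFormat: 'CycloneDX',
  components: [{ name: 'express', version: '4.18.2' }],
};

const gapsProd = missingComponents(SAMPLE_LOCK, SAMPLE_BOM, false);
const gapsWithDev = missingComponents(SAMPLE_LOCK, SAMPLE_BOM, true);
```

Run it against a real `package-lock.json` and `bom.json` to get the exact list of packages the BOM left out, which is the list a vulnerability scanner never sees.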
This issue is related to read-installed.
So #215 is blocking it.