Skip install in dependencies map calculation if requested

build/testdata/npm/noBuildProject/package.json

@@ -0,0 +1,17 @@
+{
+  "name": "npm_test2",
+  "version": "1.0.0",
+  "description": "",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "author": "",
+  "license": "ISC",
+  "dependencies": {
+    "lightweight": "^0.1.0",
+    "minimist": "^0.1.0",
+    "underscore": "^1.13.6",
+    "cors.js": "0.0.1-security"
+  }
+}

build/utils/npm.go

@@ -27,7 +27,7 @@ func CalculateNpmDependenciesList(executablePath, srcPath, moduleId string, npmP
 		log = &utils.NullLog{}
 	}
 	// Calculate npm dependency tree using 'npm ls...'.
-	dependenciesMap, err := CalculateDependenciesMap(executablePath, srcPath, moduleId, npmParams, log)
+	dependenciesMap, err := CalculateDependenciesMap(executablePath, srcPath, moduleId, npmParams, log, false)
 	if err != nil {
 		return nil, err
 	}
@@ -92,7 +92,7 @@ type dependencyInfo struct {
 
 // Run 'npm list ...' command and parse the returned result to create a dependencies map of.
 // The dependencies map looks like name:version -> entities.Dependency.
-func CalculateDependenciesMap(executablePath, srcPath, moduleId string, npmListParams NpmTreeDepListParam, log utils.Log) (map[string]*dependencyInfo, error) {
+func CalculateDependenciesMap(executablePath, srcPath, moduleId string, npmListParams NpmTreeDepListParam, log utils.Log, skipInstall bool) (map[string]*dependencyInfo, error) {
 	dependenciesMap := make(map[string]*dependencyInfo)
 	// These arguments must be added at the end of the command, to override their other values (if existed in nm.npmArgs).
 	npmVersion, err := GetNpmVersion(executablePath, log)
@@ -108,7 +108,7 @@ func CalculateDependenciesMap(executablePath, srcPath, moduleId string, npmListP
 	if nodeModulesExist && !npmListParams.IgnoreNodeModules {
 		data = runNpmLsWithNodeModules(executablePath, srcPath, npmListParams.Args, log)
 	} else {
-		data, err = runNpmLsWithoutNodeModules(executablePath, srcPath, npmListParams, log, npmVersion)
+		data, err = runNpmLsWithoutNodeModules(executablePath, srcPath, npmListParams, log, npmVersion, skipInstall)
 		if err != nil {
 			return nil, err
 		}
@@ -135,13 +135,14 @@ func runNpmLsWithNodeModules(executablePath, srcPath string, npmArgs []string, l
 	return
 }
 
-func runNpmLsWithoutNodeModules(executablePath, srcPath string, npmListParams NpmTreeDepListParam, log utils.Log, npmVersion *version.Version) ([]byte, error) {
-	isPackageLockExist, isDirExistsErr := utils.IsFileExists(filepath.Join(srcPath, "package-lock.json"), false)
-	if isDirExistsErr != nil {
-		return nil, isDirExistsErr
+func runNpmLsWithoutNodeModules(executablePath, srcPath string, npmListParams NpmTreeDepListParam, log utils.Log, npmVersion *version.Version, skipInstall bool) ([]byte, error) {
+	installRequired, err := isInstallRequired(srcPath, npmListParams, log, skipInstall)
+	if err != nil {
+		return nil, err
 	}
-	if !isPackageLockExist || (npmListParams.OverwritePackageLock && checkIfLockFileShouldBeUpdated(srcPath, log)) {
-		err := installPackageLock(executablePath, srcPath, npmListParams.InstallCommandArgs, npmListParams.Args, log, npmVersion)
+
+	if installRequired {
+		err = installPackageLock(executablePath, srcPath, npmListParams.InstallCommandArgs, npmListParams.Args, log, npmVersion)
 		if err != nil {
 			return nil, err
 		}
@@ -156,6 +157,34 @@ func runNpmLsWithoutNodeModules(executablePath, srcPath string, npmListParams Np
 	return data, nil
 }
 
+// This function determines whether a project installation is required by evaluating the following criteria:
+// 1) Checks if the "package-lock.json" file exists in the project directory.
+// 2) Verifies if an installation command was provided by the user.
+// 3) Checks if the lock file should be updated due to an override request.
+//
+// Conditions for triggering installation:
+// - If the user provided an installation command, installation is required.
+// - If the "package-lock.json" file is missing or an override request to update the lock file exists, installation is required, unless the user explicitly requested to skip the installation.
+//
+// If installation is required but skipped by the user's request, an error is returned.
+func isInstallRequired(srcPath string, npmListParams NpmTreeDepListParam, log utils.Log, skipInstall bool) (bool, error) {
+	isPackageLockExist, err := utils.IsFileExists(filepath.Join(srcPath, "package-lock.json"), false)
+	if err != nil {
+		return false, err
+	}
+
+	if len(npmListParams.InstallCommandArgs) > 0 {
+		return true, nil
+	}
+	if !isPackageLockExist || (npmListParams.OverwritePackageLock && checkIfLockFileShouldBeUpdated(srcPath, log)) {
+		if skipInstall {
+			return false, &utils.ErrProjectNotInstalled{UninstalledDir: srcPath}
+		}
+		return true, nil
+	}
+	return false, nil
+}
+
 func installPackageLock(executablePath, srcPath string, npmInstallCommandArgs, npmArgs []string, log utils.Log, npmVersion *version.Version) error {
 	if npmVersion.AtLeast("6.0.0") {
 		npmArgs = append(npmArgs, "--package-lock-only")

build/utils/npm_test.go

@@ -2,6 +2,7 @@ package utils
 
 import (
 	"encoding/json"
+	"errors"
 	"os"
 	"path/filepath"
 	"strings"
@@ -233,7 +234,7 @@ func TestDependencyWithNoIntegrity(t *testing.T) {
 	assert.Greaterf(t, len(dependencies), 0, "Error: dependencies are not found!")
 }
 
-// This test case verifies that CalculateNpmDependenciesList correctly handles the exclusion of 'node_modules'
+// This test case verifies that CalculateDependenciesMap correctly handles the exclusion of 'node_modules'
 // and updates 'package-lock.json' as required, based on the 'IgnoreNodeModules' and 'OverwritePackageLock' parameters.
 func TestDependencyPackageLockOnly(t *testing.T) {
 	npmVersion, _, err := GetNpmVersionAndExecPath(logger)
@@ -249,12 +250,25 @@ func TestDependencyPackageLockOnly(t *testing.T) {
 
 	// Calculate dependencies.
 	dependencies, err := CalculateDependenciesMap("npm", path, "jfrogtest",
-		NpmTreeDepListParam{Args: []string{}, IgnoreNodeModules: true, OverwritePackageLock: true}, logger)
+		NpmTreeDepListParam{Args: []string{}, IgnoreNodeModules: true, OverwritePackageLock: true}, logger, false)
 	assert.NoError(t, err)
 	var expectedRes = getExpectedRespForTestDependencyPackageLockOnly()
 	assert.Equal(t, expectedRes, dependencies)
 }
 
+func TestCalculateDependenciesMapWithProhibitedInstallation(t *testing.T) {
+	path, cleanup := tests.CreateTestProject(t, filepath.Join("..", "testdata", "npm", "noBuildProject"))
+	defer cleanup()
+
+	dependencies, err := CalculateDependenciesMap("npm", path, "jfrogtest",
+		NpmTreeDepListParam{Args: []string{}, IgnoreNodeModules: false, OverwritePackageLock: false}, logger, true)
+
+	assert.Nil(t, dependencies)
+	assert.Error(t, err)
+	var installForbiddenErr *utils.ErrProjectNotInstalled
+	assert.True(t, errors.As(err, &installForbiddenErr))
+}
+
 func getExpectedRespForTestDependencyPackageLockOnly() map[string]*dependencyInfo {
 	return map[string]*dependencyInfo{
 		"underscore:1.13.6": {

utils/error.go

@@ -1,6 +1,7 @@
 package utils
 
 import (
+	"fmt"
 	"strings"
 )
 
@@ -28,6 +29,14 @@ func NewForbiddenError() *ForbiddenError {
 	return &ForbiddenError{}
 }
 
+type ErrProjectNotInstalled struct {
+	UninstalledDir string
+}
+
+func (err *ErrProjectNotInstalled) Error() string {
+	return fmt.Sprintf("Directory '%s' is not installed. Skipping SCA scan in this directory...", err.UninstalledDir)
+}
+
 // IsForbiddenOutput checks whether the provided output includes a 403 Forbidden. The various package managers have their own forbidden output formats.
 func IsForbiddenOutput(tech PackageManager, cmdOutput string) bool {
 	switch tech {