Ingest npm data through github api

Signed-off-by: Tushar Goel <[email protected]>

Author: TG1999

vulnerabilities/importers/github.py

@@ -114,6 +114,7 @@
     "COMPOSER": "composer",
     "PIP": "pypi",
     "RUBYGEMS": "gem",
+    "NPM": "npm",
     # "GO": "golang",
 }
 
@@ -123,7 +124,7 @@
 
 # TODO: We will try to gather more info from GH API
 # Check https://github.com/nexB/vulnerablecode/issues/645
-# set of all possible values of first '%s' = {'MAVEN','COMPOSER', 'NUGET', 'RUBYGEMS', 'PYPI'}
+# set of all possible values of first '%s' = {'MAVEN','COMPOSER', 'NUGET', 'RUBYGEMS', 'PYPI', 'NPM'}
 # second '%s' is interesting, it will have the value '' for the first request,
 GRAPHQL_QUERY_TEMPLATE = """
 query{
@@ -208,7 +209,7 @@ def get_purl(pkg_type: str, github_name: str) -> Optional[PackageURL]:
         vendor, _, name = github_name.partition("/")
         return PackageURL(type=pkg_type, namespace=vendor, name=name)
 
-    if pkg_type in ("nuget", "pypi", "gem", "golang"):
+    if pkg_type in ("nuget", "pypi", "gem", "golang", "npm"):
         return PackageURL(type=pkg_type, name=github_name)
 
     logger.error(f"get_purl: Unknown package type {pkg_type}")

vulnerabilities/package_managers.py

@@ -266,7 +266,8 @@ class NpmVersionAPI(VersionAPI):
     package_type = "npm"
 
     def fetch(self, pkg):
-        url = f"https://registry.npmjs.org/{pkg}"
+        lower_pkg = pkg.lower()
+        url = f"https://registry.npmjs.org/{lower_pkg}"
         response = get_response(url=url, content_type="json")
         if not response:
             logger.error(f"Failed to fetch {url}")