add missing indirect dependencies from deps.dev

Signed-off-by: pxp928 <parth.psu@gmail.com>

internal/testing/testdata/testdata.go

@@ -1771,6 +1771,31 @@ var (
 				 "origin":"",
 				 "versionRange":"^3.0.0 || ^4.0.0"
 			  }
+		   },
+		   {
+			  "CurrentPackageInput":{
+				 "name":"react",
+				 "namespace":"",
+				 "qualifiers":null,
+				 "subpath":"",
+				 "type":"npm",
+				 "version":"17.0.0"
+			  },
+			  "DepPackageInput":{
+				 "name":"js-tokens",
+				 "namespace":"",
+				 "qualifiers":null,
+				 "subpath":"",
+				 "type":"npm",
+				 "version":"4.0.0"
+			  },
+			  "IsDependency":{
+				 "collector":"",
+				 "dependencyType":"INDIRECT",
+				 "justification":"dependency data collected via deps.dev",
+				 "origin":"",
+				 "versionRange":"^3.0.0 || ^4.0.0"
+			  }
 		   }
 		],
 		"Scorecard":null,

pkg/handler/collector/deps_dev/deps_dev.go

@@ -499,17 +499,34 @@ func (d *depsCollector) fetchDependencies(ctx context.Context, purl string, docC
 	component.DepPackages = append(component.DepPackages, dependencyNodes[1:]...)
 
 	for _, edge := range deps.Edges {
-		isDep := &model.IsDependencyInputSpec{
-			VersionRange:   edge.Requirement,
-			DependencyType: model.DependencyTypeDirect,
-			Justification:  "dependency data collected via deps.dev",
-		}
 		foundDepPackage := &IsDepPackage{
 			CurrentPackageInput: dependencyNodes[edge.FromNode].CurrentPackage,
 			DepPackageInput:     dependencyNodes[edge.ToNode].CurrentPackage,
-			IsDependency:        isDep,
+			IsDependency: &model.IsDependencyInputSpec{
+				VersionRange: edge.Requirement,
+				// direct dependency from to the to node. See issue: https://github.com/google/deps.dev/issues/12#issuecomment-1517103380
+				// for more details and example
+				DependencyType: model.DependencyTypeDirect,
+				Justification:  "dependency data collected via deps.dev",
+			},
 		}
 		component.IsDepPackages = append(component.IsDepPackages, foundDepPackage)
+
+		// if its not from the root node, it is an indirect dependency. See issue: https://github.com/google/deps.dev/issues/12#issuecomment-1517103380
+		// for more details and example
+		if edge.FromNode != 0 {
+			rootDepPackage := &IsDepPackage{
+				CurrentPackageInput: dependencyNodes[0].CurrentPackage,
+				DepPackageInput:     dependencyNodes[edge.ToNode].CurrentPackage,
+				IsDependency: &model.IsDependencyInputSpec{
+					VersionRange: edge.Requirement,
+					// note: this is marked as indirect
+					DependencyType: model.DependencyTypeIndirect,
+					Justification:  "dependency data collected via deps.dev",
+				},
+			}
+			component.IsDepPackages = append(component.IsDepPackages, rootDepPackage)
+		}
 	}
 
 	logger.Infof("obtained additional metadata for package: %s", purl)

pkg/ingestor/parser/deps_dev/deps_dev_test.go

@@ -95,6 +95,29 @@ func Test_depsDevParser_Parse(t *testing.T) {
 						Origin:         "",
 						Collector:      "",
 					},
+				}, {
+					Pkg: &model.PkgInputSpec{
+						Type:      "npm",
+						Namespace: ptrfrom.String(""),
+						Name:      "react",
+						Version:   ptrfrom.String("17.0.0"),
+						Subpath:   ptrfrom.String(""),
+					},
+					DepPkgMatchFlag: model.MatchFlags{Pkg: model.PkgMatchTypeSpecificVersion},
+					DepPkg: &model.PkgInputSpec{
+						Type:      "npm",
+						Namespace: ptrfrom.String(""),
+						Name:      "js-tokens",
+						Version:   ptrfrom.String("4.0.0"),
+						Subpath:   ptrfrom.String(""),
+					},
+					IsDependency: &model.IsDependencyInputSpec{
+						DependencyType: model.DependencyTypeIndirect,
+						VersionRange:   "^3.0.0 || ^4.0.0",
+						Justification:  "dependency data collected via deps.dev",
+						Origin:         "",
+						Collector:      "",
+					},
 				}, {
 					Pkg: &model.PkgInputSpec{
 						Type:      "npm",