Show what dep brought in a dep, also the path to it

src/Application/Application.ts

@@ -184,7 +184,7 @@ export class Application {
       this.spinner.maybeStop();
 
       logMessage('Attempting to audit results', DEBUG);
-      const failed = auditOSSIndex.auditResults(ossIndexResults);
+      const failed = auditOSSIndex.auditResults(ossIndexResults, this.results);
 
       logMessage('Results audited', DEBUG, { failureCode: failed });
       failed ? shutDownLoggerAndExit(1) : shutDownLoggerAndExit(0);

src/Audit/AuditOSSIndex.spec.ts

@@ -28,7 +28,7 @@ const oldWrite = process.stdout.write;
 
 const doAuditOSSIndex = (results: OssIndexServerResult[]): boolean => {
   process.stdout.write = write;
-  const auditResult = auditOSSIndex.auditResults(results);
+  const auditResult = auditOSSIndex.auditResults(results, []);
   process.stdout.write = oldWrite;
   return auditResult;
 };

src/Audit/AuditOSSIndex.ts

@@ -18,6 +18,7 @@ import { Formatter, getNumberOfVulnerablePackagesFromResults } from './Formatter
 import { JsonFormatter } from './Formatters/JsonFormatter';
 import { TextFormatter } from './Formatters/TextFormatter';
 import { XmlFormatter } from './Formatters/XmlFormatter';
+import { Coordinates } from '../Types/Coordinates';
 
 export class AuditOSSIndex {
   private formatter: Formatter;
@@ -32,12 +33,17 @@ export class AuditOSSIndex {
     }
   }
 
-  public auditResults(results: Array<OssIndexServerResult>): boolean {
+  public auditResults(results: Array<OssIndexServerResult>, supplemental: Array<Coordinates>): boolean {
     if (this.quiet) {
       results = results.filter((x) => {
         return x.vulnerabilities && x.vulnerabilities?.length > 0;
       });
     }
+    for (let i = 0; i < supplemental.length; i++) {
+      const index = results.findIndex((res) => res.coordinates == supplemental[i].toPurl());
+      results[index].requiredBy = Array.from(supplemental[i].requestedBy).join(', ');
+      results[index].realPath = supplemental[i].pathOnDisk;
+    }
 
     this.formatter.printAuditResults(results);
 

src/Audit/Formatters/TextFormatter.ts

@@ -40,6 +40,10 @@ export class TextFormatter implements Formatter {
         this.printVulnerability(i, total, x);
       } else {
         this.printLine(chalk.keyword('green')(`[${i + 1}/${total}] - ${x.toAuditLog()}`));
+        console.group();
+        this.printLine(chalk.keyword('green')(`Path: ${x.realPath}`));
+        this.printLine(chalk.keyword('green')(`Required By: ${x.requiredBy}`));
+        console.groupEnd();
       }
     });
 
@@ -85,6 +89,8 @@ export class TextFormatter implements Formatter {
     console.log(
       chalk.keyword(this.getColorFromMaxScore(maxScore)).bold(`[${i + 1}/${total}] - ${result.toAuditLog()}`),
     );
+    console.log(chalk.keyword(this.getColorFromMaxScore(maxScore)).bold(`Path: ${result.realPath}`));
+    console.log(chalk.keyword(this.getColorFromMaxScore(maxScore)).bold(`Required By: ${result.requiredBy}`));
     console.log();
     result.vulnerabilities &&
       printVuln(

src/Munchers/NpmList.ts

@@ -101,19 +101,39 @@ export class NpmList implements Muncher {
           return x.name == name[1] && x.version == pkg.version && x.group == name[0];
         })
       ) {
+        const foundIndex = list.findIndex((x) => x.name == name[1] && x.version == pkg.version && x.group == name[0]);
+        pkg._requiredBy.forEach((item: string) => {
+          list[foundIndex].requestedBy.add(item);
+        });
+
         return false;
       }
-      list.push(new Coordinates(name[1], pkg.version, name[0]));
+      const set = new Set<string>();
+      pkg._requiredBy.forEach((item: string) => {
+        set.add(item);
+      });
+      list.push(
+        new Coordinates(name[1], pkg.version, name[0], set, this.stripPwdAndNodeModulesFromRealPath(pkg.realPath)),
+      );
       return true;
     } else if (pkg.name) {
       if (
         list.find((x) => {
           return x.name == pkg.name && x.version == pkg.version && x.group == '';
         })
       ) {
+        const foundIndex = list.findIndex((x) => x.name == pkg.name && x.version == pkg.version && x.group == '');
+        pkg._requiredBy.forEach((item: string) => {
+          list[foundIndex].requestedBy.add(item);
+        });
+
         return false;
       }
-      list.push(new Coordinates(pkg.name, pkg.version, ''));
+      const set = new Set<string>();
+      pkg._requiredBy.forEach((item: string) => {
+        set.add(item);
+      });
+      list.push(new Coordinates(pkg.name, pkg.version, '', set, this.stripPwdAndNodeModulesFromRealPath(pkg.realPath)));
       return true;
     }
     return false;
@@ -136,4 +156,10 @@ export class NpmList implements Muncher {
     }
     return `${name}/${version}`;
   }
+
+  private stripPwdAndNodeModulesFromRealPath(realPath: string): string {
+    const cwd = process.cwd();
+
+    return realPath.substr(cwd.length);
+  }
 }

src/Types/Coordinates.ts

@@ -14,7 +14,13 @@
  * limitations under the License.
  */
 export class Coordinates {
-  constructor(readonly name: string, readonly version: string, readonly group?: string) {}
+  constructor(
+    readonly name: string,
+    readonly version: string,
+    readonly group?: string,
+    public requestedBy: Set<string> = new Set(),
+    public pathOnDisk: string = '',
+  ) {}
 
   public toPurl(ecosystem = 'npm'): string {
     if (this.group) {

src/Types/OssIndexServerResult.ts

@@ -18,6 +18,8 @@ export class OssIndexServerResult {
   readonly description?: string;
   readonly reference: string;
   readonly vulnerabilities?: Array<Vulnerability>;
+  public requiredBy = '';
+  public realPath = '';
 
   constructor(result: any) {
     this.coordinates = result.coordinates;