When JavaScript files are scanned, each file is matched to a component in order to identify the applicable license. In some cases a JavaScript file may be present in more than one component, which makes identifying the correct package more difficult.
Modifying the build to scan the package.json files associated with the components being scanned will produce better identification and more accurate license associations.
In cases where the package.json was not included in the scan and the JavaScript file exists in multiple components, the security vulnerabilities identified will still be valid, since those are associated directly with the JavaScript files that contain them.
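
A pre-scan check for the build change described above, as an added example that is not part of the original article or the scanner's own tooling: it lists the JavaScript files under a scan target that have no package.json in their own directory or any parent directory up to the scan root, which are the files the scanner would have to match without a manifest. The function names `unowned_js` and `demo_tree` and the sample tree are hypothetical, and treating the nearest ancestor manifest as the one describing a file is an assumption.

```shell
#!/bin/sh
# Added example (not from the scanner's documentation).
# unowned_js <scan-root>: print, relative to the scan root, every .js file
# that has no package.json in its directory or any ancestor up to the root.
unowned_js() {
    root=${1%/}
    find "$root" -type f -name '*.js' | sort | while IFS= read -r f; do
        dir=$(dirname "$f")
        owned=no
        # Walk upward from the file's directory, stopping at the scan root.
        while :; do
            if [ -f "$dir/package.json" ]; then
                owned=yes
                break
            fi
            [ "$dir" = "$root" ] && break
            dir=$(dirname "$dir")
        done
        [ "$owned" = yes ] || printf '%s\n' "${f#"$root"/}"
    done
}

# Constructed sample tree: the same file name appears once inside a package
# that ships its manifest and once as a vendored copy with no manifest.
demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/node_modules/lib-a/dist" "$t/vendor"
    printf '{"name":"lib-a","version":"1.0.0","license":"MIT"}\n' \
        > "$t/node_modules/lib-a/package.json"
    : > "$t/node_modules/lib-a/dist/lib.min.js"
    : > "$t/vendor/lib.min.js"
    printf '%s\n' "$t"
}
```

Run `unowned_js` against the directory handed to the scanner; an empty result means every JavaScript file in the target has a manifest alongside or above it.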