feat(nodejs): add v9 pnpm lock file support (#6617)

Author: DmitriyLewen

docs/docs/coverage/language/nodejs.md

@@ -13,12 +13,12 @@ The following scanners are supported.
 
 The following table provides an outline of the features Trivy offers.
 
-| Package manager | File              | Transitive dependencies | Dev dependencies  | [Dependency graph][dependency-graph] | Position |
-|:---------------:|-------------------|:-----------------------:|:-----------------:|:------------------------------------:|:--------:|
-|       npm       | package-lock.json |            ✓            | [Excluded](#npm)  |                  ✓                   |    ✓     |
-|      Yarn       | yarn.lock         |            ✓            | [Excluded](#yarn) |                  ✓                   |    ✓     |
-|      pnpm       | pnpm-lock.yaml    |            ✓            |     Excluded      |                  ✓                   |    -     |
-|       Bun       | yarn.lock         |            ✓            | [Excluded](#yarn) |                  ✓                   |    ✓     |
+| Package manager | File              | Transitive dependencies |         Dev dependencies          | [Dependency graph][dependency-graph] | Position |
+|:---------------:|-------------------|:-----------------------:|:---------------------------------:|:------------------------------------:|:--------:|
+|       npm       | package-lock.json |            ✓            |         [Excluded](#npm)          |                  ✓                   |    ✓     |
+|      Yarn       | yarn.lock         |            ✓            |         [Excluded](#yarn)         |                  ✓                   |    ✓     |
+|      pnpm       | pnpm-lock.yaml    |            ✓            | [Excluded](#lock-file-v9-version) |                  ✓                   |    -     |
+|       Bun       | yarn.lock         |            ✓            |         [Excluded](#yarn)         |                  ✓                   |    ✓     |
 
 In addition, Trivy scans installed packages with `package.json`.
 
@@ -55,8 +55,8 @@ By default, Trivy doesn't report development dependencies. Use the `--include-de
 ### pnpm
 Trivy parses `pnpm-lock.yaml`, then finds production dependencies and builds a [tree][dependency-graph] of dependencies with vulnerabilities.
 
-!!! note
-    Trivy currently only supports Lockfile [v6][pnpm-lockfile-v6] or earlier.
+#### lock file v9 version
+Trivy supports `Dev` field for `pnpm-lock.yaml` v9 or later. Use the `--include-dev-deps` flag to include the developer's dependencies in the result.
 
 ### Bun
 Trivy supports scanning `yarn.lock` files generated by [Bun](https://bun.sh/docs/install/lockfile#how-do-i-inspect-bun-s-lockfile). You can use the command `bun install -y` to generate a Yarn-compatible `yarn.lock`.

pkg/dependency/parser/nodejs/pnpm/parse.go

@@ -2,10 +2,12 @@ package pnpm
 
 import (
 	"fmt"
+	"sort"
 	"strconv"
 	"strings"
 
 	"github.com/samber/lo"
+	"golang.org/x/exp/maps"
 	"golang.org/x/xerrors"
 	"gopkg.in/yaml.v3"
 
@@ -34,6 +36,28 @@ type LockFile struct {
 	Dependencies    map[string]any         `yaml:"dependencies,omitempty"`
 	DevDependencies map[string]any         `yaml:"devDependencies,omitempty"`
 	Packages        map[string]PackageInfo `yaml:"packages,omitempty"`
+
+	// V9
+	Importers Importer            `yaml:"importers,omitempty"`
+	Snapshots map[string]Snapshot `yaml:"snapshots,omitempty"`
+}
+
+type Importer struct {
+	Root RootImporter `yaml:".,omitempty"`
+}
+
+type RootImporter struct {
+	Dependencies    map[string]ImporterDepVersion `yaml:"dependencies,omitempty"`
+	DevDependencies map[string]ImporterDepVersion `yaml:"devDependencies,omitempty"`
+}
+
+type ImporterDepVersion struct {
+	Version string `yaml:"version,omitempty"`
+}
+
+type Snapshot struct {
+	Dependencies         map[string]string `yaml:"dependencies,omitempty"`
+	OptionalDependencies map[string]string `yaml:"optionalDependencies,omitempty"`
 }
 
 type Parser struct {
@@ -57,8 +81,16 @@ func (p *Parser) Parse(r xio.ReadSeekerAt) ([]ftypes.Package, []ftypes.Dependenc
 		return nil, nil, nil
 	}
 
-	pkgs, deps := p.parse(lockVer, lockFile)
+	var pkgs []ftypes.Package
+	var deps []ftypes.Dependency
+	if lockVer >= 9 {
+		pkgs, deps = p.parseV9(lockFile)
+	} else {
+		pkgs, deps = p.parse(lockVer, lockFile)
+	}
 
+	sort.Sort(ftypes.Packages(pkgs))
+	sort.Sort(ftypes.Dependencies(deps))
 	return pkgs, deps, nil
 }
 
@@ -78,9 +110,11 @@ func (p *Parser) parse(lockVer float64, lockFile LockFile) ([]ftypes.Package, []
 		// cf. https://github.com/pnpm/spec/blob/274ff02de23376ad59773a9f25ecfedd03a41f64/lockfile/6.0.md#packagesdependencypathname
 		name := info.Name
 		version := info.Version
+		var ref string
 
 		if name == "" {
-			name, version = p.parsePackage(depPath, lockVer)
+			name, version, ref = p.parseDepPath(depPath, lockVer)
+			version = p.parseVersion(depPath, version, lockVer)
 		}
 		pkgID := packageID(name, version)
 
@@ -90,13 +124,15 @@ func (p *Parser) parse(lockVer float64, lockFile LockFile) ([]ftypes.Package, []
 		}
 
 		pkgs = append(pkgs, ftypes.Package{
-			ID:           pkgID,
-			Name:         name,
-			Version:      version,
-			Relationship: lo.Ternary(isDirectPkg(name, lockFile.Dependencies), ftypes.RelationshipDirect, ftypes.RelationshipIndirect),
+			ID:                 pkgID,
+			Name:               name,
+			Version:            version,
+			Relationship:       lo.Ternary(isDirectPkg(name, lockFile.Dependencies), ftypes.RelationshipDirect, ftypes.RelationshipIndirect),
+			ExternalReferences: toExternalRefs(ref),
 		})
 
 		if len(dependencies) > 0 {
+			sort.Strings(dependencies)
 			deps = append(deps, ftypes.Dependency{
 				ID:        pkgID,
 				DependsOn: dependencies,
@@ -107,6 +143,98 @@ func (p *Parser) parse(lockVer float64, lockFile LockFile) ([]ftypes.Package, []
 	return pkgs, deps
 }
 
+func (p *Parser) parseV9(lockFile LockFile) ([]ftypes.Package, []ftypes.Dependency) {
+	lockVer := 9.0
+	resolvedPkgs := make(map[string]ftypes.Package)
+	resolvedDeps := make(map[string]ftypes.Dependency)
+
+	// Check all snapshots and save with resolved versions
+	resolvedSnapshots := make(map[string][]string)
+	for depPath, snapshot := range lockFile.Snapshots {
+		name, version, _ := p.parseDepPath(depPath, lockVer)
+
+		var dependsOn []string
+		for depName, depVer := range lo.Assign(snapshot.OptionalDependencies, snapshot.Dependencies) {
+			depVer = p.trimPeerDeps(depVer, lockVer) // pnpm has already separated dep name. therefore, we only need to separate peer deps.
+			depVer = p.parseVersion(depPath, depVer, lockVer)
+			id := packageID(depName, depVer)
+			if _, ok := lockFile.Packages[id]; ok {
+				dependsOn = append(dependsOn, id)
+			}
+		}
+		if len(dependsOn) > 0 {
+			resolvedSnapshots[packageID(name, version)] = dependsOn
+		}
+
+	}
+
+	for depPath, pkgInfo := range lockFile.Packages {
+		name, ver, ref := p.parseDepPath(depPath, lockVer)
+		parsedVer := p.parseVersion(depPath, ver, lockVer)
+
+		if pkgInfo.Version != "" {
+			parsedVer = pkgInfo.Version
+		}
+
+		// By default, pkg is dev pkg.
+		// We will update `Dev` field later.
+		dev := true
+		relationship := ftypes.RelationshipIndirect
+		if dep, ok := lockFile.Importers.Root.DevDependencies[name]; ok && dep.Version == ver {
+			relationship = ftypes.RelationshipDirect
+		}
+		if dep, ok := lockFile.Importers.Root.Dependencies[name]; ok && dep.Version == ver {
+			relationship = ftypes.RelationshipDirect
+			dev = false // mark root direct deps to update `dev` field of their child deps.
+		}
+
+		id := packageID(name, parsedVer)
+		resolvedPkgs[id] = ftypes.Package{
+			ID:                 id,
+			Name:               name,
+			Version:            parsedVer,
+			Relationship:       relationship,
+			Dev:                dev,
+			ExternalReferences: toExternalRefs(ref),
+		}
+
+		// Save child deps
+		if dependsOn, ok := resolvedSnapshots[depPath]; ok {
+			sort.Strings(dependsOn)
+			resolvedDeps[id] = ftypes.Dependency{
+				ID:        id,
+				DependsOn: dependsOn, // Deps from dependsOn has been resolved when parsing snapshots
+			}
+		}
+	}
+
+	// Overwrite the `Dev` field for dev deps and their child dependencies.
+	for _, pkg := range resolvedPkgs {
+		if !pkg.Dev {
+			p.markRootPkgs(pkg.ID, resolvedPkgs, resolvedDeps)
+		}
+	}
+
+	return maps.Values(resolvedPkgs), maps.Values(resolvedDeps)
+}
+
+// markRootPkgs sets `Dev` to false for non dev dependency.
+func (p *Parser) markRootPkgs(id string, pkgs map[string]ftypes.Package, deps map[string]ftypes.Dependency) {
+	pkg, ok := pkgs[id]
+	if !ok {
+		return
+	}
+
+	pkg.Dev = false
+	pkgs[id] = pkg
+
+	// Update child deps
+	for _, depID := range deps[id].DependsOn {
+		p.markRootPkgs(depID, pkgs, deps)
+	}
+	return
+}
+
 func (p *Parser) parseLockfileVersion(lockFile LockFile) float64 {
 	switch v := lockFile.LockfileVersion.(type) {
 	// v5
@@ -127,55 +255,109 @@ func (p *Parser) parseLockfileVersion(lockFile LockFile) float64 {
 	}
 }
 
-// cf. https://github.com/pnpm/pnpm/blob/ce61f8d3c29eee46cee38d56ced45aea8a439a53/packages/dependency-path/src/index.ts#L112-L163
-func (p *Parser) parsePackage(depPath string, lockFileVersion float64) (string, string) {
-	// The version separator is different between v5 and v6+.
-	versionSep := "@"
-	if lockFileVersion < 6 {
-		versionSep = "/"
+func (p *Parser) parseDepPath(depPath string, lockVer float64) (string, string, string) {
+	dPath, nonDefaultRegistry := p.trimRegistry(depPath, lockVer)
+
+	var scope string
+	scope, dPath = p.separateScope(dPath)
+
+	var name string
+	name, dPath = p.separateName(dPath, lockVer)
+
+	// add scope to pkg name
+	if scope != "" {
+		name = fmt.Sprintf("%s/%s", scope, name)
 	}
-	return p.parseDepPath(depPath, versionSep)
+
+	ver := p.trimPeerDeps(dPath, lockVer)
+
+	return name, ver, lo.Ternary(nonDefaultRegistry, depPath, "")
 }
 
-func (p *Parser) parseDepPath(depPath, versionSep string) (string, string) {
-	// Skip registry
-	// e.g.
-	//    - "registry.npmjs.org/lodash/4.17.10" => "lodash/4.17.10"
-	//    - "registry.npmjs.org/@babel/generator/7.21.9" => "@babel/generator/7.21.9"
-	//    - "/lodash/4.17.10" => "lodash/4.17.10"
-	_, depPath, _ = strings.Cut(depPath, "/")
+// trimRegistry trims registry (or `/` prefix) for depPath.
+// It returns true if non-default registry has been trimmed.
+// e.g.
+//   - "registry.npmjs.org/lodash/4.17.10" => "lodash/4.17.10", false
+//   - "registry.npmjs.org/@babel/generator/7.21.9" => "@babel/generator/7.21.9", false
+//   - "private.npm.org/@babel/generator/7.21.9" => "@babel/generator/7.21.9", true
+//   - "/lodash/4.17.10" => "lodash/4.17.10", false
+//   - "/asap@2.0.6" => "asap@2.0.6", false
+func (p *Parser) trimRegistry(depPath string, lockVer float64) (string, bool) {
+	var nonDefaultRegistry bool
+	// lock file v9 doesn't use registry prefix
+	if lockVer < 9 {
+		var registry string
+		registry, depPath, _ = strings.Cut(depPath, "/")
+		if registry != "" && registry != "registry.npmjs.org" {
+			nonDefaultRegistry = true
+		}
+	}
+	return depPath, nonDefaultRegistry
+}
 
-	// Parse scope
-	// e.g.
-	//    - v5:  "@babel/generator/7.21.9" => {"babel", "generator/7.21.9"}
-	//    - v6+: "@babel/helper-annotate-as-pure@7.18.6" => "{"babel", "helper-annotate-as-pure@7.18.6"}
+// separateScope separates the scope (if set) from the rest of the depPath.
+// e.g.
+//   - v5:  "@babel/generator/7.21.9" => {"babel", "generator/7.21.9"}
+//   - v6+: "@babel/helper-annotate-as-pure@7.18.6" => "{"babel", "helper-annotate-as-pure@7.18.6"}
+func (p *Parser) separateScope(depPath string) (string, string) {
 	var scope string
 	if strings.HasPrefix(depPath, "@") {
 		scope, depPath, _ = strings.Cut(depPath, "/")
 	}
+	return scope, depPath
+}
 
-	// Parse package name
-	// e.g.
-	//    - v5:  "generator/7.21.9" => {"generator", "7.21.9"}
-	//    - v6+: "helper-annotate-as-pure@7.18.6" => {"helper-annotate-as-pure", "7.18.6"}
-	var name, version string
-	name, version, _ = strings.Cut(depPath, versionSep)
-	if scope != "" {
-		name = fmt.Sprintf("%s/%s", scope, name)
+// separateName separates pkg name and version.
+// e.g.
+//   - v5:  "generator/7.21.9" => {"generator", "7.21.9"}
+//   - v6+: "7.21.5(@babel/core@7.20.7)" => "7.21.5"
+//
+// for v9+ version can be filePath or link:
+//   - "package1@file:package1:"
+//   - "is-negative@https://codeload.github.com/zkochan/is-negative/tar.gz/2fa0531ab04e300a24ef4fd7fb3a280eccb7ccc5"
+//
+// Also version can contain peer deps:
+//   - "debug@4.3.4(supports-color@8.1.1)"
+func (p *Parser) separateName(depPath string, lockVer float64) (string, string) {
+	sep := "@"
+	if lockVer < 6 {
+		sep = "/"
+	}
+	name, version, _ := strings.Cut(depPath, sep)
+	return name, version
+}
+
+// Trim peer deps
+// e.g.
+//   - v5:  "7.21.5_@babel+core@7.21.8" => "7.21.5"
+//   - v6+: "7.21.5(@babel/core@7.20.7)" => "7.21.5"
+func (p *Parser) trimPeerDeps(depPath string, lockVer float64) string {
+	sep := "("
+	if lockVer < 6 {
+		sep = "_"
 	}
-	// Trim peer deps
-	// e.g.
-	//    - v5:  "7.21.5_@babel+core@7.21.8" => "7.21.5"
-	//    - v6+: "7.21.5(@babel/core@7.20.7)" => "7.21.5"
-	if idx := strings.IndexAny(version, "_("); idx != -1 {
-		version = version[:idx]
+	version, _, _ := strings.Cut(depPath, sep)
+	return version
+}
+
+// parseVersion parses version.
+// v9 can use filePath or link as version - we need to clear these versions.
+// e.g.
+//   - "package1@file:package1:"
+//   - "is-negative@https://codeload.github.com/zkochan/is-negative/tar.gz/2fa0531ab04e300a24ef4fd7fb3a280eccb7ccc5"
+//
+// Other versions should be semver valid.
+func (p *Parser) parseVersion(depPath, ver string, lockVer float64) string {
+	if lockVer < 9 && (strings.HasPrefix(ver, "file:") || strings.HasPrefix(ver, "http")) {
+		return ""
 	}
-	if _, err := semver.Parse(version); err != nil {
+	if _, err := semver.Parse(ver); err != nil {
 		p.logger.Debug("Skip non-semver package", log.String("pkg_path", depPath),
-			log.String("version", version), log.Err(err))
-		return "", ""
+			log.String("version", ver), log.Err(err))
+		return ""
 	}
-	return name, version
+
+	return ver
 }
 
 func isDirectPkg(name string, directDeps map[string]interface{}) bool {
@@ -186,3 +368,15 @@ func isDirectPkg(name string, directDeps map[string]interface{}) bool {
 func packageID(name, version string) string {
 	return dependency.ID(ftypes.Pnpm, name, version)
 }
+
+func toExternalRefs(ref string) []ftypes.ExternalRef {
+	if ref == "" {
+		return nil
+	}
+	return []ftypes.ExternalRef{
+		{
+			Type: ftypes.RefVCS,
+			URL:  ref,
+		},
+	}
+}