

Improve pnpm support
- Parse packages section from pnpm-lock.yaml to get transitive dependencies.
- Should add support for getting dependencies from pnpm-lock.yaml files that use workspaces.
  - This is because all dependencies should be listed under the packages section.

Closes anchore#1535

Signed-off-by: Shane Dell <shanedell100@gmail.com>
shanedell committed Apr 21, 2023
1 parent b2b332e commit 60cd03f
Showing 2 changed files with 24 additions and 1 deletion.
17 changes: 16 additions & 1 deletion syft/pkg/cataloger/javascript/parse_pnpm_lock.go
Expand Up @@ -3,6 +3,7 @@ package javascript
import (
"fmt"
"io"
"strings"

"gopkg.in/yaml.v3"

Expand All @@ -16,7 +17,8 @@ import (
var _ generic.Parser = parsePnpmLock

type pnpmLockYaml struct {
Dependencies map[string]string `json:"dependencies"`
Dependencies map[string]string `json:"dependencies"`
Packages map[string]interface{} `json:"packages"`
}

func parsePnpmLock(resolver source.FileResolver, _ *generic.Environment, reader source.LocationReadCloser) ([]pkg.Package, []artifact.Relationship, error) {
Expand All @@ -36,6 +38,19 @@ func parsePnpmLock(resolver source.FileResolver, _ *generic.Environment, reader
pkgs = append(pkgs, newPnpmPackage(resolver, reader.Location, name, version))
}

// parse packages from packages section of pnpm-lock.yaml
for nameVersion := range lockFile.Packages {
nameVersionSplit := strings.Split(strings.TrimPrefix(nameVersion, "/"), "/")

// last element in split array is version
version := nameVersionSplit[len(nameVersionSplit)-1]

// construct name from all array items other than last item (version)
name := strings.Join(nameVersionSplit[:len(nameVersionSplit)-1], "/")

pkgs = append(pkgs, newPnpmPackage(resolver, reader.Location, name, version))
}

pkg.Sort(pkgs)

return pkgs, nil, nil
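Review bot: Each direct dependency now ends up in pkgs twice, because the new `for nameVersion := range lockFile.Packages` loop re-derives the same name and version that the earlier `lockFile.Dependencies` loop already appended (the commit message itself notes that all dependencies are listed under packages), and nothing visible in newPnpmPackage or pkg.Sort dedups; either drop the first loop or keep a seen set of name/version pairs before appending. The version is also whatever follows the last `/` of the key, so a key with no `/` at all yields an empty name, and a key whose last segment carries a suffix after the version (a peer-dependency marker, if this lockfile format emits one — confirm) is passed through unchecked even though the lockfile is untrusted scan input; add `if len(nameVersionSplit) < 2 { continue }` before indexing and consider validating or trimming the version segment. Separately, the struct is decoded with yaml.v3 but the new field is tagged `json:"packages"`; as far as I know yaml.v3 ignores json tags and matches on the lowercased field name, so this works by coincidence — tag it `yaml:"packages"` (and `yaml:"dependencies"` for consistency). parsePnpmLock begins and ends outside the hunk.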
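--- a/syft/pkg/cataloger/javascript/parse_pnpm_lock_test.go
+++ b/syft/pkg/cataloger/javascript/parse_pnpm_lock_test.go
@@ -40,6 +40,14 @@ func TestParsePnpmLock(t *testing.T) {
 Language: pkg.JavaScript,
 Type: pkg.NpmPkg,
 },
+{
+Name: "@bcoe/v8-coverage",
+Version: "0.2.3",
+PURL: "pkg:npm/%40bcoe/v8-coverage@0.2.3",
+Locations: locationSet,
+Language: pkg.JavaScript,
+Type: pkg.NpmPkg,
+},
 }
 
 pkgtest.TestFileParser(t, fixture, parsePnpmLock, expectedPkgs, expectedRelationships)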
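Review bot: The only new expectation is the single transitive package `@bcoe/v8-coverage`, so the test does not pin what the new packages loop does for an entry that is also a direct dependency (where both loops would append the same package) or for a key without a version segment; a fixture entry for each would make the intended behaviour explicit. The fixture file is not part of the diff, so I cannot tell whether such entries already exist in it. TestParsePnpmLock begins and ends outside the hunk.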
