From 13485ca5e735ae4c5eea48729a44a941b36e8710 Mon Sep 17 00:00:00 2001 From: Shane Dell <32347414+Shanedell@users.noreply.github.com> Date: Fri, 21 Apr 2023 13:58:23 -0400 Subject: [PATCH] fix: Improve pnpm support (#1752) Signed-off-by: Shane Dell --- .../pkg/cataloger/javascript/parse_pnpm_lock.go | 17 ++++++++++++++++- .../javascript/parse_pnpm_lock_test.go | 8 ++++++++ 2 files changed, 24 insertions(+), 1 deletion(-) diff --git a/syft/pkg/cataloger/javascript/parse_pnpm_lock.go b/syft/pkg/cataloger/javascript/parse_pnpm_lock.go index 2ae6bce1a..071334b46 100644 --- a/syft/pkg/cataloger/javascript/parse_pnpm_lock.go +++ b/syft/pkg/cataloger/javascript/parse_pnpm_lock.go @@ -3,6 +3,7 @@ package javascript import ( "fmt" "io" + "strings" "gopkg.in/yaml.v3" @@ -16,7 +17,8 @@ import ( var _ generic.Parser = parsePnpmLock type pnpmLockYaml struct { - Dependencies map[string]string `json:"dependencies"` + Dependencies map[string]string `json:"dependencies"` + Packages map[string]interface{} `json:"packages"` } func parsePnpmLock(resolver source.FileResolver, _ *generic.Environment, reader source.LocationReadCloser) ([]pkg.Package, []artifact.Relationship, error) { @@ -36,6 +38,19 @@ func parsePnpmLock(resolver source.FileResolver, _ *generic.Environment, reader pkgs = append(pkgs, newPnpmPackage(resolver, reader.Location, name, version)) } + // parse packages from packages section of pnpm-lock.yaml + for nameVersion := range lockFile.Packages { + nameVersionSplit := strings.Split(strings.TrimPrefix(nameVersion, "/"), "/") + + // last element in split array is version + version := nameVersionSplit[len(nameVersionSplit)-1] + + // construct name from all array items other than last item (version) + name := strings.Join(nameVersionSplit[:len(nameVersionSplit)-1], "/") + + pkgs = append(pkgs, newPnpmPackage(resolver, reader.Location, name, version)) + } + pkg.Sort(pkgs) return pkgs, nil, nil 
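Review bot: The new `Packages` field in `pnpmLockYaml` (hunk `@@ -16,7 +17,8 @@`) is tagged `json:"packages"`, but the file imports `gopkg.in/yaml.v3`, which reads `yaml` struct tags and otherwise falls back to the lowercased field name. Decoding presumably works only through that fallback (the decode call is outside the hunk), and the existing `Dependencies` field has the same tag. I would tag the field `yaml:"packages"` and give `Dependencies` `yaml:"dependencies"`, so a later field rename cannot silently leave the map empty and drop packages from the catalog.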
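Review bot: The loop over `lockFile.Packages` (hunk `@@ -36,6 +38,19 @@`) assumes every key has the shape `/name/version`, yet the lockfile is scanned input and nothing validates that shape. A key with no `/` left after the prefix is trimmed gives an empty `name` and the whole key as `version`, and any suffix on the last segment goes straight into the version and PURL, so the SBOM entry may not match anything downstream. I would add `if name == "" || version == "" { continue }` before the `append`, and confirm the key formats that the supported pnpm lockfile versions actually emit. A package listed under both `dependencies` and `packages` also appears to be appended twice unless `newPnpmPackage` or a later step de-duplicates. `parsePnpmLock` starts and ends outside the hunk.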
diff --git a/syft/pkg/cataloger/javascript/parse_pnpm_lock_test.go b/syft/pkg/cataloger/javascript/parse_pnpm_lock_test.go index e4750f949..275cc0439 100644 --- a/syft/pkg/cataloger/javascript/parse_pnpm_lock_test.go +++ b/syft/pkg/cataloger/javascript/parse_pnpm_lock_test.go @@ -40,6 +40,14 @@ func TestParsePnpmLock(t *testing.T) { Language: pkg.JavaScript, Type: pkg.NpmPkg, }, + { + Name: "@bcoe/v8-coverage", + Version: "0.2.3", + PURL: "pkg:npm/%40bcoe/v8-coverage@0.2.3", + Locations: locationSet, + Language: pkg.JavaScript, + Type: pkg.NpmPkg, + }, } pkgtest.TestFileParser(t, fixture, parsePnpmLock, expectedPkgs, expectedRelationships)
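Review bot: The expectation added to `TestParsePnpmLock` covers only one well-formed scoped key from the `packages` section. Nothing exercises a key without a version segment, a key with extra text after the version, or a package present in both `dependencies` and `packages`. Fixture entries for those cases would pin down how the parser treats malformed or duplicated lockfile entries. The test function begins outside the hunk.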