feat: add support for pnpm (#1166)

2025-11-17 16:33:21 +01:00 · 2022-08-22 07:45:55 -07:00 · 2022-08-22 07:45:55 -07:00 · e9221ae25d
commit e9221ae25d
parent f3c3d3d98e
4 changed files with 168 additions and 0 deletions
--- a/syft/pkg/cataloger/javascript/cataloger.go
+++ b/syft/pkg/cataloger/javascript/cataloger.go
@ -29,6 +29,7 @@ func NewJavascriptLockCataloger() *common.GenericCataloger {
 	globParsers := map[string]common.ParserFn{
 		"**/package-lock.json": parsePackageLock,
 		"**/yarn.lock":         parseYarnLock,
+		"**/pnpm-lock.yaml":    parsePnpmLock,
 	}

 	return common.NewGenericCataloger(nil, globParsers, "javascript-lock-cataloger", addLicenses)
--- a/syft/pkg/cataloger/javascript/parse_pnpm_lock.go
+++ b/syft/pkg/cataloger/javascript/parse_pnpm_lock.go
@ -0,0 +1,43 @@
+package javascript
+
+import (
+	"fmt"
+	"io"
+
+	"github.com/anchore/syft/syft/artifact"
+	"github.com/anchore/syft/syft/pkg"
+	"github.com/anchore/syft/syft/pkg/cataloger/common"
+	"gopkg.in/yaml.v3"
+)
+
+// integrity check
+var _ common.ParserFn = parsePnpmLock
+
+type pnpmLockYaml struct {
+	Dependencies map[string]string `json:"dependencies"`
+}
+
+func parsePnpmLock(path string, reader io.Reader) ([]*pkg.Package, []artifact.Relationship, error) {
+	bytes, err := io.ReadAll(reader)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to load pnpm-lock.yaml file: %w", err)
+	}
+
+	var pkgs []*pkg.Package
+	var lockFile pnpmLockYaml
+
+	if err := yaml.Unmarshal(bytes, &lockFile); err != nil {
+		return nil, nil, fmt.Errorf("failed to parse pnpm-lock.yaml file: %w", err)
+	}
+
+	for name, version := range lockFile.Dependencies {
+		pkgs = append(pkgs, &pkg.Package{
+			Name:     name,
+			Version:  version,
+			Language: pkg.JavaScript,
+			Type:     pkg.NpmPkg,
+		})
+	}
+
+	return pkgs, nil, nil
+}
--- a/syft/pkg/cataloger/javascript/parse_pnpm_lock_test.go
+++ b/syft/pkg/cataloger/javascript/parse_pnpm_lock_test.go
@ -0,0 +1,52 @@
+package javascript
+
+import (
+	"os"
+	"testing"
+
+	"github.com/anchore/syft/syft/pkg"
+	"github.com/go-test/deep"
+)
+
+func fixtureP(str string) *string {
+	return &str
+}
+
+func TestParsePnpmLock(t *testing.T) {
+	expected := []*pkg.Package{
+		{
+			Name:     "nanoid",
+			Version:  "3.3.4",
+			Language: pkg.JavaScript,
+			Type:     pkg.NpmPkg,
+		},
+		{
+			Name:     "picocolors",
+			Version:  "1.0.0",
+			Language: pkg.JavaScript,
+			Type:     pkg.NpmPkg,
+		},
+		{
+			Name:     "source-map-js",
+			Version:  "1.0.2",
+			Language: pkg.JavaScript,
+			Type:     pkg.NpmPkg,
+		},
+	}
+
+	fixture, err := os.Open("test-fixtures/pnpm/pnpm-lock.yaml")
+	if err != nil {
+		t.Fatalf("failed to open fixture: %+v", err)
+	}
+
+	// TODO: no relationships are under test yet
+	actual, _, err := parsePnpmLock(fixture.Name(), fixture)
+	if err != nil {
+		t.Error(err)
+	}
+
+	differences := deep.Equal(expected, actual)
+	if differences != nil {
+		t.Errorf("returned package list differed from expectation: %+v", differences)
+	}
+}
--- a/syft/pkg/cataloger/javascript/test-fixtures/pnpm/pnpm-lock.yaml
+++ b/syft/pkg/cataloger/javascript/test-fixtures/pnpm/pnpm-lock.yaml
@ -0,0 +1,72 @@
+lockfileVersion: 5.4
+
+specifiers:
+  '@logux/eslint-config': ^47.2.0
+  '@size-limit/preset-small-lib': ^8.0.0
+  '@types/fs-extra': ^9.0.13
+  '@types/node': ^18.6.4
+  '@typescript-eslint/eslint-plugin': ^5.32.0
+  '@typescript-eslint/parser': ^5.32.0
+  c8: ^7.12.0
+  check-dts: ^0.6.7
+  clean-publish: ^4.0.1
+  concat-with-sourcemaps: ^1.1.0
+  eslint: ^8.21.0
+  eslint-config-standard: ^17.0.0
+  eslint-plugin-import: ^2.26.0
+  eslint-plugin-n: ^15.2.4
+  eslint-plugin-prefer-let: ^3.0.1
+  eslint-plugin-promise: ^6.0.0
+  fs-extra: ^10.1.0
+  nanodelay: ^1.0.8
+  nanoid: ^3.3.4
+  nanospy: ^0.5.0
+  picocolors: ^1.0.0
+  postcss-parser-tests: ^8.5.1
+  simple-git-hooks: ^2.8.0
+  size-limit: ^8.0.0
+  source-map-js: ^1.0.2
+  strip-ansi: ^6.0.1
+  ts-node: ^10.9.1
+  typescript: ^4.7.4
+  uvu: ^0.5.6
+
+dependencies:
+  nanoid: 3.3.4
+  picocolors: 1.0.0
+  source-map-js: 1.0.2
+
+devDependencies:
+  '@logux/eslint-config': 47.2.0_7hz3xvmviof7onfgk6hpedqcom
+  '@size-limit/preset-small-lib': 8.0.0_size-limit@8.0.0
+  '@types/fs-extra': 9.0.13
+  '@types/node': 18.6.4
+  '@typescript-eslint/eslint-plugin': 5.32.0_iosr3hrei2tubxveewluhu5lhy
+  '@typescript-eslint/parser': 5.32.0_qugx7qdu5zevzvxaiqyxfiwquq
+  c8: 7.12.0
+  check-dts: 0.6.7_typescript@4.7.4
+  clean-publish: 4.0.1
+  concat-with-sourcemaps: 1.1.0
+  eslint: 8.21.0
+  eslint-config-standard: 17.0.0_dfwa53o44x4e5xhsfv5mvfhk5a
+  eslint-plugin-import: 2.26.0_wuikv5nqgdfyng42xxm7lklfmi
+  eslint-plugin-n: 15.2.4_eslint@8.21.0
+  eslint-plugin-prefer-let: 3.0.1
+  eslint-plugin-promise: 6.0.0_eslint@8.21.0
+  fs-extra: 10.1.0
+  nanodelay: 1.0.8
+  nanospy: 0.5.0
+  postcss-parser-tests: 8.5.1
+  simple-git-hooks: 2.8.0
+  size-limit: 8.0.0
+  strip-ansi: 6.0.1
+  ts-node: 10.9.1_hn66opzbaneygq52jmwjxha6su
+  typescript: 4.7.4
+  uvu: 0.5.6
+
+packages:
+  /@bcoe/v8-coverage/0.2.3:
+    resolution: {integrity: sha512-0hYQ8SB4Db5zvZB4axdMHGwEaQjkZzFjQiN9LVYvIFB2nSUHW9tYpxWriPrWDASIxiaXax83REcLxuSdnGPZtw==}
+    dev: true
+
+  # removed other packages