fix(pnpm): add support for local directories

[DmitriyLewen]

Discussed in #6030

^{Originally posted by john-d8r February 1, 2024}

Description

When using local package (https://docs.npmjs.com/cli/v10/configuring-npm/package-json#local-paths) with pnpm (pnpm-lock.yaml), trivy is unable to detect the package names for them. Meanwhile for npm (package.json) it works fine

Desired Behavior

Trivy to populate package names for the local packages same as what's been reported for npm (package.lock.json)

{
          "ID": "package-a@1.0.0",
          "Name": "package-a",
          "Version": "1.0.0",
          "Licenses": [
            "ISC"
          ],
          "DependsOn": [
            "lodash@4.17.21"
          ],
          "Layer": {},
        },
        {
          "ID": "package-b@1.0.0",
          "Name": "package-b",
          "Version": "1.0.0",
          "Licenses": [
            "ISC"
          ],
          "DependsOn": [
            "react@18.2.0"
          ],
          "Layer": {},
          ]
        },

Actual Behavior

{
          "ID": "@",
          "Indirect": true,
          "DependsOn": [
            "react@18.2.0"
          ],
          "Layer": {}
        },
        {
          "ID": "@",
          "Indirect": true,
          "DependsOn": [
            "react@18.2.0"
          ],
          "Layer": {}
        },

Reproduction Steps

1. git clone https://github.com/john-d8r/trivy-test-pnpm-local.git
2. cd trivy-test-pnpm-local
3. trivy fs . -f json -o report.json --list-all-pkgs
4. notice the target `pnpm-lock.yaml` has two entries with no package name (local packages)
5. while `package-lock.json` target displays the local packages as expected

Target

Filesystem

Scanner

Vulnerability

Output Format

JSON

Mode

Standalone

Debug Output

2024-02-01T08:07:27.767+0530    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-02-01T08:07:27.768+0530    DEBUG   Ignore statuses {"statuses": null}
2024-02-01T08:07:27.778+0530    DEBUG   cache dir:  /home/john/.cache/trivy
2024-02-01T08:07:27.778+0530    DEBUG   DB update was skipped because the local DB is the latest
2024-02-01T08:07:27.778+0530    DEBUG   DB Schema: 2, UpdatedAt: 2024-02-01 00:17:06.315344565 +0000 UTC, NextUpdate: 2024-02-01 06:17:06.315344285 +0000 UTC, DownloadedAt: 2024-02-01 02:14:58.381178952 +0000 UTC
2024-02-01T08:07:27.778+0530    INFO    Vulnerability scanning is enabled
2024-02-01T08:07:27.778+0530    DEBUG   Vulnerability type:  [os library]
2024-02-01T08:07:27.778+0530    INFO    Secret scanning is enabled
2024-02-01T08:07:27.778+0530    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-02-01T08:07:27.778+0530    INFO    Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2024-02-01T08:07:27.778+0530    DEBUG   Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
2024-02-01T08:07:27.778+0530    DEBUG   No secret config detected: trivy-secret.yaml
2024-02-01T08:07:27.778+0530    DEBUG   The nuget packages directory couldn't be found. License search disabled
2024-02-01T08:07:27.778+0530    DEBUG   Walk the file tree rooted at '.' in parallel
2024-02-01T08:07:27.779+0530    DEBUG   Skip "" package. "" doesn't match semver: invalid semantic version
2024-02-01T08:07:27.779+0530    DEBUG   Skip "" package. "" doesn't match semver: invalid semantic version
2024-02-01T08:07:27.783+0530    INFO    To collect the license information of packages in "package-a/package-lock.json", "npm install" needs to be performed beforehand
2024-02-01T08:07:27.785+0530    DEBUG   OS is not detected.
2024-02-01T08:07:27.785+0530    DEBUG   Detected OS: unknown
2024-02-01T08:07:27.785+0530    INFO    Number of language-specific files: 4
2024-02-01T08:07:27.785+0530    INFO    Detecting npm vulnerabilities...
2024-02-01T08:07:27.785+0530    DEBUG   Detecting library vulnerabilities, type: npm, path: package-a/package-lock.json
2024-02-01T08:07:27.785+0530    DEBUG   Detecting library vulnerabilities, type: npm, path: package-b/package-lock.json
2024-02-01T08:07:27.785+0530    DEBUG   Detecting library vulnerabilities, type: npm, path: package-lock.json
2024-02-01T08:07:27.785+0530    INFO    Detecting pnpm vulnerabilities...
2024-02-01T08:07:27.785+0530    DEBUG   Detecting library vulnerabilities, type: pnpm, path: pnpm-lock.yaml

Operating System

Ubuntu

Version

Version: 0.48.3
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-02-01 00:17:06.315344565 +0000 UTC
  NextUpdate: 2024-02-01 06:17:06.315344285 +0000 UTC
  DownloadedAt: 2024-02-01 02:14:58.381178952 +0000 UTC

Checklist

• Run trivy image --reset
• Read the troubleshooting