pnpm workspace tree (#1417)

* Retain pnpm workspace packages tree

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

* Support for file and workspace links

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

* Support for overrides

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

* Types

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

---------

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

.github/workflows/npm-release.yml

@@ -74,8 +74,7 @@ jobs:
         chmod +x nydus-static/*
         mv nydus-static/* /usr/local/bin/
         rm -rf nydus-static-v2.2.4-linux-amd64.tgz nydus-static
-    - name: Set up QEMU
-      uses: docker/setup-qemu-action@v3
+    - run: docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@v3
     - name: Log in to the Container registry

.vscode/settings.json

@@ -4,5 +4,6 @@
     "quickfix.biome": "explicit",
     "source.organizeImports.biome": "explicit"
   },
-  "editor.defaultFormatter": "biomejs.biome"
+  "editor.defaultFormatter": "biomejs.biome",
+  "deno.enable": false
 }

bin/cdxgen.js

@@ -5,7 +5,7 @@ import fs from "node:fs";
 import { tmpdir } from "node:os";
 import { basename, dirname, join, resolve } from "node:path";
 import process from "node:process";
-import { URL, fileURLToPath } from "node:url";
+import { URL } from "node:url";
 import { findUpSync } from "find-up";
 import globalAgent from "global-agent";
 import { load as _load } from "js-yaml";

bin/verify.js

@@ -1,9 +1,9 @@
 #!/usr/bin/env node
 
 import fs from "node:fs";
-import { dirname, join } from "node:path";
+import { join } from "node:path";
 import process from "node:process";
-import { URL, fileURLToPath } from "node:url";
+import { URL } from "node:url";
 import jws from "jws";
 import yargs from "yargs";
 import { hideBin } from "yargs/helpers";

biome.json

@@ -1,5 +1,5 @@
 {
-  "$schema": "https://biomejs.dev/schemas/1.8.1/schema.json",
+  "$schema": "https://biomejs.dev/schemas/1.9.3/schema.json",
   "organizeImports": {
     "enabled": true
   },

ci/Dockerfile

@@ -143,7 +143,6 @@ RUN set -e; \
     && sudo ./linux-install.sh \
     && curl -L --output /usr/local/bin/bazel https://github.com/bazelbuild/bazelisk/releases/latest/download/bazelisk-linux-${GOBIN_VERSION} \
     && chmod +x /usr/local/bin/bazel \
-    && bazel --version \
     && useradd -ms /bin/bash cyclonedx \
     && npm install --unsafe-perm -g node-gyp @microsoft/rush --omit=dev \
     && npx node-gyp install \
@@ -155,7 +154,7 @@ RUN set -e; \
     && gem install bundler \
     && gem --version \
     && bundler --version \
-    && cd /opt/cdxgen && corepack enable && corepack pnpm install --prod --package-import-method copy \
+    && cd /opt/cdxgen && corepack enable && corepack pnpm install --prod --package-import-method copy && corepack pnpm cache delete \
     && mkdir -p /opt/cdxgen-node-cache \
     && chown -R cyclonedx:cyclonedx /opt/cdxgen /opt/cdxgen-node-cache \
     && chmod a-w -R /opt \

ci/Dockerfile-ppc64

@@ -106,7 +106,7 @@ RUN set -e; \
     && gem --version \
     && bundler --version
 COPY . /opt/cdxgen
-RUN cd /opt/cdxgen && corepack enable && corepack pnpm install --prod --package-import-method copy \
+RUN cd /opt/cdxgen && corepack enable && corepack pnpm install --prod --package-import-method copy && corepack pnpm cache delete \
     && chown -R cyclonedx:cyclonedx /opt/cdxgen \
     && chmod a-w -R /opt \
     && rm -rf /root/.cache /var/cache/yum /root/.cargo \

deno.json

@@ -3,9 +3,7 @@
   "version": "10.10.5",
   "exports": "./lib/cli/index.js",
   "compilerOptions": {
-    "allowJs": true,
     "lib": ["deno.window"],
-    "exclude": ["*.test.js", "./types/**/*"],
     "strict": true
   },
   "include": ["*.js", "data/", "bin/", "lib/**"],
@@ -52,8 +50,8 @@
   "imports": {
     "@appthreat/atom": "npm:@appthreat/atom@2.0.21",
     "@appthreat/cdx-proto": "npm:@appthreat/cdx-proto@1.0.1",
-    "@babel/parser": "npm:@babel/parser@^7.24.8",
-    "@babel/traverse": "npm:@babel/traverse@^7.24.8",
+    "@babel/parser": "npm:@babel/parser@^7.25.8",
+    "@babel/traverse": "npm:@babel/traverse@^7.25.7",
     "@npmcli/arborist": "npm:@npmcli/arborist@8.0.0",
     "ajv": "npm:ajv@^8.16.0",
     "ajv-formats": "npm:ajv-formats@^3.0.1",
@@ -62,7 +60,7 @@
     "find-up": "npm:find-up@7.0.0",
     "glob": "npm:glob@^11.0.0",
     "global-agent": "npm:global-agent@^3.0.0",
-    "got": "npm:got@14.4.2",
+    "got": "npm:got@^14.4.3",
     "iconv-lite": "npm:iconv-lite@^0.6.3",
     "js-yaml": "npm:js-yaml@^4.1.0",
     "jws": "npm:jws@^4.0.0",

docs/PROJECT_TYPES.md

@@ -13,7 +13,7 @@ _Note: there are multiple project types / aliases that will produce the same out
 
 | Language/Platform         | Project Types                                                                                                                                                    | Package Formats                                                                                                                       | Supported Evidence                                                                                    | Supports Transitives |
 | ------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | -------------------- |
-| Node.js                   | `npm`, `pnpm`, `nodejs`, `js`, `javascript`, `typescript`, `ts`, `tsx`                                                                                           | `npm-shrinkwrap.json`, `package-lock.json`, `pnpm-lock.yaml`, `yarn.lock`, `rush.js`, `bower.json`, `.min.js`                         | Yes, except for `.min.js`                                                                             | ✅                   |
+| Node.js                   | `npm`, `pnpm`, `nodejs`, `js`, `javascript`, `typescript`, `ts`, `tsx`, `yarn`, `rush`                                                                           | `npm-shrinkwrap.json`, `package-lock.json`, `pnpm-lock.yaml`, `yarn.lock`, `rush.js`, `bower.json`, `.min.js`                         | Yes, except for `.min.js`                                                                             | ✅                   |
 | Java (Default)            | `java`, `groovy`, `kotlin`, `scala`, `jvm`, `gradle`, `mvn`, `maven`, `sbt`                                                                                      | `pom.xml` [1], `build.gradle`, `.kts`, `sbt`, `bazel`                                                                                 | Yes, unless `pom.xml` is manually parsed due to unavailability of maven or errors)                    | ✅                   |
 | Java (Specific version)   | `java8`, `java11`, `java17`, `java21`, `java22`, `java23`                                                                                                        | `pom.xml` [1], `build.gradle`, `.kts`, `sbt`, `bazel`                                                                                 | Yes, unless `pom.xml` is manually parsed due to unavailability of maven or errors)                    | ✅                   |
 | Android                   | `android`, `apk`, `aab`                                                                                                                                          | `apk`, `aab`                                                                                                                          | -                                                                                                     | -                    |

lib/cli/index.js

@@ -16,7 +16,7 @@ import {
 import { platform as _platform, homedir, tmpdir } from "node:os";
 import { basename, dirname, join, resolve, sep } from "node:path";
 import process from "node:process";
-import { URL, fileURLToPath } from "node:url";
+import { URL } from "node:url";
 import got from "got";
 import { PackageURL } from "packageurl-js";
 import { parse } from "ssri";
@@ -27,7 +27,6 @@ import {
   getOriginUrl,
   gitTreeHashes,
   listFiles,
-  runSwiftCommand,
 } from "../helpers/envcontext.js";
 import {
   CARGO_CMD,
@@ -161,7 +160,6 @@ import { collectOSCryptoLibs } from "../helpers/cbomutils.js";
 import {
   executeOsQuery,
   getBinaryBom,
-  getCargoAuditableInfo,
   getDotnetSlices,
   getOSPackages,
 } from "../managers/binary.js";
@@ -2310,17 +2308,44 @@ export async function createNodejsBom(path, options) {
       options,
     );
   }
-  if (pnpmLockFiles?.length) {
+  if (
+    pnpmLockFiles?.length &&
+    isPackageManagerAllowed("pnpm", ["npm", "yarn", "rush"], options)
+  ) {
     manifestFiles = manifestFiles.concat(pnpmLockFiles);
     for (const f of pnpmLockFiles) {
+      if (DEBUG_MODE) {
+        console.log(`Parsing ${f}`);
+      }
       const basePath = dirname(f);
       // Determine the parent component
       const packageJsonF = join(basePath, "package.json");
-      if (existsSync(packageJsonF)) {
-        const pcs = await parsePkgJson(packageJsonF, true);
-        if (pcs.length) {
-          parentComponent = pcs[0];
-          parentComponent.type = "application";
+      if (!Object.keys(parentComponent).length) {
+        if (existsSync(packageJsonF)) {
+          const pcs = await parsePkgJson(packageJsonF, true);
+          if (pcs.length) {
+            parentComponent = pcs[0];
+            parentComponent.type = "application";
+            ppurl = new PackageURL(
+              "npm",
+              options.projectGroup || parentComponent.group,
+              parentComponent.name,
+              options.projectVersion || parentComponent.version,
+              null,
+              null,
+            ).toString();
+            parentComponent["bom-ref"] = decodeURIComponent(ppurl);
+            parentComponent["purl"] = ppurl;
+          }
+        } else {
+          let dirName = dirname(f);
+          const tmpA = dirName.split(sep);
+          dirName = tmpA[tmpA.length - 1];
+          parentComponent = {
+            group: "",
+            name: dirName,
+            type: "application",
+          };
           ppurl = new PackageURL(
             "npm",
             options.projectGroup || parentComponent.group,
@@ -2332,32 +2357,16 @@ export async function createNodejsBom(path, options) {
           parentComponent["bom-ref"] = decodeURIComponent(ppurl);
           parentComponent["purl"] = ppurl;
         }
-      } else {
-        let dirName = dirname(f);
-        const tmpA = dirName.split(sep);
-        dirName = tmpA[tmpA.length - 1];
-        parentComponent = {
-          group: "",
-          name: dirName,
-          type: "application",
-        };
-        ppurl = new PackageURL(
-          "npm",
-          options.projectGroup || parentComponent.group,
-          options.projectName || parentComponent.name,
-          options.projectVersion || parentComponent.version,
-          null,
-          null,
-        ).toString();
-        parentComponent["bom-ref"] = decodeURIComponent(ppurl);
-        parentComponent["purl"] = ppurl;
       }
       // Parse the pnpm file
       const parsedList = await parsePnpmLock(f, parentComponent);
       const dlist = parsedList.pkgList;
       if (dlist?.length) {
         pkgList = pkgList.concat(dlist);
       }
+      if (parsedList?.parentSubComponents?.length) {
+        parentComponent.components = parsedList.parentSubComponents;
+      }
       if (parsedList.dependenciesList && parsedList.dependenciesList) {
         dependencies = mergeDependencies(
           dependencies,
@@ -2367,7 +2376,10 @@ export async function createNodejsBom(path, options) {
       }
     }
   }
-  if (pkgLockFiles?.length) {
+  if (
+    pkgLockFiles?.length &&
+    isPackageManagerAllowed("npm", ["pnpm", "yarn"], options)
+  ) {
     manifestFiles = manifestFiles.concat(pkgLockFiles);
     for (const f of pkgLockFiles) {
       if (DEBUG_MODE) {
@@ -2395,7 +2407,10 @@ export async function createNodejsBom(path, options) {
       }
     }
   }
-  if (existsSync(join(path, "rush.json"))) {
+  if (
+    existsSync(join(path, "rush.json")) &&
+    isPackageManagerAllowed("rush", ["npm", "yarn", "pnpm"], options)
+  ) {
     // Rush.js creates node_modules inside common/temp directory
     const nmDir = join(path, "common", "temp", "node_modules");
     // Do rush install if we don't have node_modules directory
@@ -2466,7 +2481,10 @@ export async function createNodejsBom(path, options) {
     );
     options.failOnError && process.exit(1);
   }
-  if (yarnLockFiles?.length) {
+  if (
+    yarnLockFiles?.length &&
+    isPackageManagerAllowed("yarn", ["npm", "pnpm"], options)
+  ) {
     manifestFiles = manifestFiles.concat(yarnLockFiles);
     for (const f of yarnLockFiles) {
       if (DEBUG_MODE) {
@@ -2483,7 +2501,7 @@ export async function createNodejsBom(path, options) {
           ppurl = new PackageURL(
             "npm",
             options.projectGroup || tmpParentComponent.group,
-            options.projectName || tmpParentComponent.name,
+            tmpParentComponent.name,
             options.projectVersion || tmpParentComponent.version,
             null,
             null,
@@ -2542,7 +2560,7 @@ export async function createNodejsBom(path, options) {
           const ppurl = new PackageURL(
             "npm",
             options.projectGroup || parentComponent.group,
-            options.projectName || parentComponent.name,
+            parentComponent.name,
             options.projectVersion || parentComponent.version,
             null,
             null,
@@ -2584,7 +2602,7 @@ export async function createNodejsBom(path, options) {
           ppurl = new PackageURL(
             "npm",
             options.projectGroup || parentComponent.group,
-            options.projectName || parentComponent.name,
+            parentComponent.name,
             options.projectVersion || parentComponent.version,
             null,
             null,
@@ -2634,7 +2652,6 @@ export function createPixiBom(path, options) {
   let dependencies = [];
   let pkgList = [];
   let formulationList = [];
-  let frozen = true;
   let parentComponent = createDefaultParentComponent(path, "pypi", options);
   let PixiLockData = {};
 
@@ -2689,7 +2706,6 @@ export function createPixiBom(path, options) {
   }
 
   pkgList = PixiLockData.pkgList;
-  frozen = PixiLockData.frozen;
   formulationList = PixiLockData.formulationList;
   dependencies = PixiLockData.dependencies;
 
@@ -5048,14 +5064,13 @@ export async function createCsharpBom(path, options) {
       const csProjData = readFileSync(f, { encoding: "utf-8" });
       const retMap = parseCsProjData(csProjData, f, {});
       if (retMap?.parentComponent?.properties) {
-        const parentProperties = retMap.parentComponent.properties;
         retMap.parentComponent.properties
           .filter(
             (p) =>
               p.name === "cdx:dotnet:target_framework" && p.value.trim().length,
           )
           .forEach((p) => {
-            const frameworkValues = p.value
+            p.value
               .split(";")
               .filter((v) => v.trim().length && !v.startsWith("$("))
               .forEach((v) => {