CM-55551 CLI SCA Scan Fails to Detect Indirect Dependencies Due to PNPM Lock File Handling (#360)

Author: morsa4406

cycode/cli/files_collector/sca/base_restore_dependencies.py

@@ -57,8 +57,14 @@ def get_manifest_file_path(self, document: Document) -> str:
 
     def try_restore_dependencies(self, document: Document) -> Optional[Document]:
         manifest_file_path = self.get_manifest_file_path(document)
-        restore_file_path = build_dep_tree_path(document.absolute_path, self.get_lock_file_name())
-        relative_restore_file_path = build_dep_tree_path(document.path, self.get_lock_file_name())
+        restore_file_paths = [
+            build_dep_tree_path(document.absolute_path, restore_file_path_item)
+            for restore_file_path_item in self.get_lock_file_names()
+        ]
+        restore_file_path = self.get_any_restore_file_already_exist(document, restore_file_paths)
+        relative_restore_file_path = build_dep_tree_path(
+            document.path, self.get_restored_lock_file_name(restore_file_path)
+        )
 
         if not self.verify_restore_file_already_exist(restore_file_path):
             output = execute_commands(
@@ -76,6 +82,16 @@ def try_restore_dependencies(self, document: Document) -> Optional[Document]:
     def get_working_directory(self, document: Document) -> Optional[str]:
         return os.path.dirname(document.absolute_path)
 
+    def get_restored_lock_file_name(self, restore_file_path: str) -> str:
+        return self.get_lock_file_name()
+
+    def get_any_restore_file_already_exist(self, document: Document, restore_file_paths: list[str]) -> str:
+        for restore_file_path in restore_file_paths:
+            if os.path.isfile(restore_file_path):
+                return restore_file_path
+
+        return build_dep_tree_path(document.absolute_path, self.get_lock_file_name())
+
     @staticmethod
     def verify_restore_file_already_exist(restore_file_path: str) -> bool:
         return os.path.isfile(restore_file_path)
@@ -91,3 +107,7 @@ def get_commands(self, manifest_file_path: str) -> list[list[str]]:
     @abstractmethod
     def get_lock_file_name(self) -> str:
         pass
+
+    @abstractmethod
+    def get_lock_file_names(self) -> list[str]:
+        pass

cycode/cli/files_collector/sca/go/restore_go_dependencies.py

@@ -43,3 +43,6 @@ def get_commands(self, manifest_file_path: str) -> list[list[str]]:
 
     def get_lock_file_name(self) -> str:
         return GO_RESTORE_FILE_NAME
+
+    def get_lock_file_names(self) -> str:
+        return [self.get_lock_file_name()]

cycode/cli/files_collector/sca/maven/restore_gradle_dependencies.py

@@ -41,6 +41,9 @@ def get_commands(self, manifest_file_path: str) -> list[list[str]]:
     def get_lock_file_name(self) -> str:
         return BUILD_GRADLE_DEP_TREE_FILE_NAME
 
+    def get_lock_file_names(self) -> str:
+        return [self.get_lock_file_name()]
+
     def get_working_directory(self, document: Document) -> Optional[str]:
         return get_path_from_context(self.ctx) if self.is_gradle_sub_projects() else None
 

cycode/cli/files_collector/sca/maven/restore_maven_dependencies.py

@@ -34,6 +34,9 @@ def get_commands(self, manifest_file_path: str) -> list[list[str]]:
     def get_lock_file_name(self) -> str:
         return join_paths('target', MAVEN_CYCLONE_DEP_TREE_FILE_NAME)
 
+    def get_lock_file_names(self) -> str:
+        return [self.get_lock_file_name()]
+
     def try_restore_dependencies(self, document: Document) -> Optional[Document]:
         manifest_file_path = self.get_manifest_file_path(document)
         if document.content is None:

cycode/cli/files_collector/sca/npm/restore_npm_dependencies.py

@@ -7,6 +7,7 @@
 
 NPM_PROJECT_FILE_EXTENSIONS = ['.json']
 NPM_LOCK_FILE_NAME = 'package-lock.json'
+NPM_LOCK_FILE_NAMES = [NPM_LOCK_FILE_NAME, 'yarn.lock', 'pnpm-lock.yaml', 'deno.lock']
 NPM_MANIFEST_FILE_NAME = 'package.json'
 
 
@@ -30,9 +31,15 @@ def get_commands(self, manifest_file_path: str) -> list[list[str]]:
             ]
         ]
 
+    def get_restored_lock_file_name(self, restore_file_path: str) -> str:
+        return os.path.basename(restore_file_path)
+
     def get_lock_file_name(self) -> str:
         return NPM_LOCK_FILE_NAME
 
+    def get_lock_file_names(self) -> str:
+        return NPM_LOCK_FILE_NAMES
+
     @staticmethod
     def prepare_manifest_file_path_for_command(manifest_file_path: str) -> str:
         return manifest_file_path.replace(os.sep + NPM_MANIFEST_FILE_NAME, '')

cycode/cli/files_collector/sca/nuget/restore_nuget_dependencies.py

@@ -19,3 +19,6 @@ def get_commands(self, manifest_file_path: str) -> list[list[str]]:
 
     def get_lock_file_name(self) -> str:
         return NUGET_LOCK_FILE_NAME
+
+    def get_lock_file_names(self) -> str:
+        return [self.get_lock_file_name()]

cycode/cli/files_collector/sca/ruby/restore_ruby_dependencies.py

@@ -14,3 +14,6 @@ def get_commands(self, manifest_file_path: str) -> list[list[str]]:
 
     def get_lock_file_name(self) -> str:
         return RUBY_LOCK_FILE_NAME
+
+    def get_lock_file_names(self) -> str:
+        return [self.get_lock_file_name()]

cycode/cli/files_collector/sca/sbt/restore_sbt_dependencies.py

@@ -14,3 +14,6 @@ def get_commands(self, manifest_file_path: str) -> list[list[str]]:
 
     def get_lock_file_name(self) -> str:
         return SBT_LOCK_FILE_NAME
+
+    def get_lock_file_names(self) -> str:
+        return [self.get_lock_file_name()]