CM-55551 CLI SCA Scan Fails to Detect Indirect Dependencies Due to PNPM Lock File Handling

Author: morsa4406

cycode/cli/files_collector/sca/base_restore_dependencies.py

@@ -55,12 +55,13 @@ def get_manifest_file_path(self, document: Document) -> str:
             join_paths(get_path_from_context(self.ctx), document.path) if self.ctx.obj.get('monitor') else document.path
         )
 
-    def try_restore_dependencies(self, document: Document) -> Optional[Document]: 
+    def try_restore_dependencies(self, document: Document) -> Optional[Document]:
         manifest_file_path = self.get_manifest_file_path(document)
-        restore_file_path = build_dep_tree_path(document.absolute_path, self.get_lock_file_name())
-        relative_restore_file_path = build_dep_tree_path(document.path, self.get_lock_file_name())
+        restore_file_paths = [build_dep_tree_path(document.absolute_path, restore_file_path_item) for restore_file_path_item in self.get_lock_file_names()]
+        restore_file_path = self.get_any_restore_file_already_exist(restore_file_paths)
+        relative_restore_file_path = build_dep_tree_path(document.path, self.get_restored_lock_file_name(restore_file_path))
 
-        if not self.verify_restore_file_already_exist(restore_file_path):
+        if self.verify_lockfile_missing(restore_file_path):
             output = execute_commands(
                 commands=self.get_commands(manifest_file_path),
                 timeout=self.command_timeout,
@@ -75,10 +76,21 @@ def try_restore_dependencies(self, document: Document) -> Optional[Document]:
 
     def get_working_directory(self, document: Document) -> Optional[str]:
         return os.path.dirname(document.absolute_path)
+    
+    def get_restored_lock_file_name(self, restore_file_path: str) -> str:
+        return self.get_lock_file_name()
+    
+    @staticmethod
+    def get_any_restore_file_already_exist(restore_file_paths: list[str]) -> Optional[str]:
+        for restore_file_path in restore_file_paths:
+            if os.path.isfile(restore_file_path):
+                return restore_file_path
+        
+        return None
 
     @staticmethod
-    def verify_restore_file_already_exist(restore_file_path: str) -> bool:
-        return os.path.isfile(restore_file_path)
+    def verify_lockfile_missing(restore_file_path: Optional[str]) -> bool:
+        return restore_file_path is None
 
     @abstractmethod
     def is_project(self, document: Document) -> bool:
@@ -91,3 +103,7 @@ def get_commands(self, manifest_file_path: str) -> list[list[str]]:
     @abstractmethod
     def get_lock_file_name(self) -> str:
         pass
+    
+    @abstractmethod
+    def get_lock_file_names(self) -> list[str]:
+        pass

cycode/cli/files_collector/sca/go/restore_go_dependencies.py

@@ -43,3 +43,6 @@ def get_commands(self, manifest_file_path: str) -> list[list[str]]:
 
     def get_lock_file_name(self) -> str:
         return GO_RESTORE_FILE_NAME
+    
+    def get_lock_file_names(self) -> str:
+        return [self.get_lock_file_name()]

cycode/cli/files_collector/sca/maven/restore_gradle_dependencies.py

@@ -40,6 +40,9 @@ def get_commands(self, manifest_file_path: str) -> list[list[str]]:
 
     def get_lock_file_name(self) -> str:
         return BUILD_GRADLE_DEP_TREE_FILE_NAME
+    
+    def get_lock_file_names(self) -> str:
+        return [self.get_lock_file_name()]
 
     def get_working_directory(self, document: Document) -> Optional[str]:
         return get_path_from_context(self.ctx) if self.is_gradle_sub_projects() else None

cycode/cli/files_collector/sca/maven/restore_maven_dependencies.py

@@ -33,6 +33,9 @@ def get_commands(self, manifest_file_path: str) -> list[list[str]]:
 
     def get_lock_file_name(self) -> str:
         return join_paths('target', MAVEN_CYCLONE_DEP_TREE_FILE_NAME)
+    
+    def get_lock_file_names(self) -> str:
+        return [self.get_lock_file_name()]
 
     def try_restore_dependencies(self, document: Document) -> Optional[Document]:
         manifest_file_path = self.get_manifest_file_path(document)

cycode/cli/files_collector/sca/npm/restore_npm_dependencies.py

@@ -7,6 +7,12 @@
 
 NPM_PROJECT_FILE_EXTENSIONS = ['.json']
 NPM_LOCK_FILE_NAME = 'package-lock.json'
+NPM_LOCK_FILE_NAMES = [
+    NPM_LOCK_FILE_NAME,
+    'yarn.lock',
+    'pnpm-lock.yaml',
+    'deno.lock'
+]
 NPM_MANIFEST_FILE_NAME = 'package.json'
 
 
@@ -29,9 +35,15 @@ def get_commands(self, manifest_file_path: str) -> list[list[str]]:
                 '--no-audit',
             ]
         ]
+        
+    def get_restored_lock_file_name(self, restore_file_path: str) -> str:
+        return NPM_LOCK_FILE_NAME if restore_file_path is None else  os.path.basename(restore_file_path)
 
     def get_lock_file_name(self) -> str:
         return NPM_LOCK_FILE_NAME
+    
+    def get_lock_file_names(self) -> str:
+        return NPM_LOCK_FILE_NAMES
 
     @staticmethod
     def prepare_manifest_file_path_for_command(manifest_file_path: str) -> str:

cycode/cli/files_collector/sca/nuget/restore_nuget_dependencies.py

@@ -19,3 +19,6 @@ def get_commands(self, manifest_file_path: str) -> list[list[str]]:
 
     def get_lock_file_name(self) -> str:
         return NUGET_LOCK_FILE_NAME
+    
+    def get_lock_file_names(self) -> str:
+        return [self.get_lock_file_name()]

cycode/cli/files_collector/sca/ruby/restore_ruby_dependencies.py

@@ -14,3 +14,6 @@ def get_commands(self, manifest_file_path: str) -> list[list[str]]:
 
     def get_lock_file_name(self) -> str:
         return RUBY_LOCK_FILE_NAME
+    
+    def get_lock_file_names(self) -> str:
+        return [self.get_lock_file_name()]

cycode/cli/files_collector/sca/sbt/restore_sbt_dependencies.py

@@ -14,3 +14,6 @@ def get_commands(self, manifest_file_path: str) -> list[list[str]]:
 
     def get_lock_file_name(self) -> str:
         return SBT_LOCK_FILE_NAME
+    
+    def get_lock_file_names(self) -> str:
+        return [self.get_lock_file_name()]