feat: add pnpm lockfile support for container scanning (#734)

* feat: add pnpm lockfile support for container scanning

Add support for scanning Node.js applications that use pnpm as their
package manager. This enables vulnerability detection in container
images that contain pnpm-lock.yaml files.

Implementation changes:
- Add pnpm-lock.yaml to the list of extracted node app files so the
  extractor picks up pnpm lockfiles from container images
- Introduce detectLockFile() helper function that finds lockfiles in a
  directory with priority order: npm > yarn > pnpm. This consolidates
  the lockfile detection logic and makes it easier to extend
- Refactor findManifestLockPairsInSameDirectory() and
  findManifestNodeModulesFilesInSameDirectory() to use the new
  detectLockFile() helper
- Add PnpmLockV5, PnpmLockV6, and PnpmLockV9 cases to buildDepGraph()
  which calls lockFileParser.parsePnpmProject() to generate dependency
  graphs from pnpm lockfiles
- Update shouldBuildDepTree() to include pnpm lockfile versions,
  indicating they can be parsed directly without dep tree conversion

Test changes:
- Add unit tests for detectLockFile() covering all lockfile types,
  null case, and priority ordering when multiple lockfiles exist
- Add pnpm v5 test case to getLockFileVersion tests
- Update shouldBuildDepTree tests to verify pnpm versions return false
  (they don't need dep tree conversion)
- Update extractContent test to verify pnpm-lock.yaml files are
  extracted alongside package.json, package-lock.json, and yarn.lock
- Add integration test for scanning container images with pnpm v6 and
  v9 lockfiles, verifying the dep graph is correctly generated with
  pkgManager.name set to "pnpm"
- Add test fixtures: pnpmlockv6.tar and pnpmlockv9.tar containing
  Alpine-based images with pnpm projects

CN-552

* fix: pr suggestions, more unit tests

Author: parker-snyk

lib/analyzer/applications/node.ts

@@ -215,6 +215,33 @@ async function depGraphFromManifestFiles(
   return scanResults;
 }
 
+export interface LockFileInfo {
+  path: string;
+  type: lockFileParser.LockfileType;
+}
+
+export function detectLockFile(
+  directoryPath: string,
+  filesInDirectory: Set<string>,
+): LockFileInfo | null {
+  const lockFiles: Array<{
+    filename: string;
+    type: lockFileParser.LockfileType;
+  }> = [
+    { filename: "package-lock.json", type: lockFileParser.LockfileType.npm },
+    { filename: "yarn.lock", type: lockFileParser.LockfileType.yarn },
+    { filename: "pnpm-lock.yaml", type: lockFileParser.LockfileType.pnpm },
+  ];
+
+  for (const { filename, type } of lockFiles) {
+    const lockPath = path.join(directoryPath, filename);
+    if (filesInDirectory.has(lockPath)) {
+      return { path: lockPath, type };
+    }
+  }
+  return null;
+}
+
 function findManifestLockPairsInSameDirectory(
   fileNamesGroupedByDirectory: FilesByDirMap,
 ): ManifestLockPathPair[] {
@@ -231,26 +258,21 @@ function findManifestLockPairsInSameDirectory(
     }
 
     const expectedManifest = path.join(directoryPath, "package.json");
-    const expectedNpmLockFile = path.join(directoryPath, "package-lock.json");
-    const expectedYarnLockFile = path.join(directoryPath, "yarn.lock");
-
-    const hasManifestFile = filesInDirectory.has(expectedManifest);
-    const hasLockFile =
-      filesInDirectory.has(expectedNpmLockFile) ||
-      filesInDirectory.has(expectedYarnLockFile);
+    if (!filesInDirectory.has(expectedManifest)) {
+      continue;
+    }
 
-    if (hasManifestFile && hasLockFile) {
-      manifestLockPathPairs.push({
-        manifest: expectedManifest,
-        // TODO: correlate filtering action with expected lockfile types
-        lock: filesInDirectory.has(expectedNpmLockFile)
-          ? expectedNpmLockFile
-          : expectedYarnLockFile,
-        lockType: filesInDirectory.has(expectedNpmLockFile)
-          ? lockFileParser.LockfileType.npm
-          : lockFileParser.LockfileType.yarn,
-      });
+    // TODO: correlate filtering action with expected lockfile types
+    const lockFile = detectLockFile(directoryPath, filesInDirectory);
+    if (!lockFile) {
+      continue;
     }
+
+    manifestLockPathPairs.push({
+      manifest: expectedManifest,
+      lock: lockFile.path,
+      lockType: lockFile.type,
+    });
   }
 
   return manifestLockPathPairs;
@@ -269,13 +291,9 @@ function findManifestNodeModulesFilesInSameDirectory(
     }
 
     const expectedManifest = path.join(directoryPath, "package.json");
-    const expectedNpmLockFile = path.join(directoryPath, "package-lock.json");
-    const expectedYarnLockFile = path.join(directoryPath, "yarn.lock");
-
     const hasManifestFile = filesInDirectory.has(expectedManifest);
     const hasLockFile =
-      filesInDirectory.has(expectedNpmLockFile) ||
-      filesInDirectory.has(expectedYarnLockFile);
+      detectLockFile(directoryPath, filesInDirectory) !== null;
 
     if (hasManifestFile && hasLockFile) {
       continue;
@@ -347,6 +365,21 @@ async function buildDepGraph(
           strictOutOfSync: shouldBeStrictForManifestAndLockfileOutOfSync,
         },
       );
+    case NodeLockfileVersion.PnpmLockV5:
+    case NodeLockfileVersion.PnpmLockV6:
+    case NodeLockfileVersion.PnpmLockV9:
+      return await lockFileParser.parsePnpmProject(
+        manifestFileContents,
+        lockFileContents,
+        {
+          includeDevDeps: shouldIncludeDevDependencies,
+          includeOptionalDeps: true,
+          includePeerDeps: false,
+          pruneWithinTopLevelDeps: true,
+          strictOutOfSync: shouldBeStrictForManifestAndLockfileOutOfSync,
+        },
+        lockfileVersion,
+      );
   }
   throw new Error(
     "Failed to build dep graph from current project, unknown lockfile version : " +
@@ -401,6 +434,9 @@ export function shouldBuildDepTree(lockfileVersion: NodeLockfileVersion) {
     lockfileVersion === NodeLockfileVersion.YarnLockV1 ||
     lockfileVersion === NodeLockfileVersion.YarnLockV2 ||
     lockfileVersion === NodeLockfileVersion.NpmLockV2 ||
-    lockfileVersion === NodeLockfileVersion.NpmLockV3
+    lockfileVersion === NodeLockfileVersion.NpmLockV3 ||
+    lockfileVersion === NodeLockfileVersion.PnpmLockV5 ||
+    lockfileVersion === NodeLockfileVersion.PnpmLockV6 ||
+    lockfileVersion === NodeLockfileVersion.PnpmLockV9
   );
 }

lib/inputs/node/static.ts

@@ -2,7 +2,12 @@ import { basename } from "path";
 import { ExtractAction } from "../../extractor/types";
 import { streamToString } from "../../stream-utils";
 
-const nodeAppFiles = ["package.json", "package-lock.json", "yarn.lock"];
+const nodeAppFiles = [
+  "package.json",
+  "package-lock.json",
+  "yarn.lock",
+  "pnpm-lock.yaml",
+];
 const deletedAppFiles = nodeAppFiles.map((file) => ".wh." + file);
 
 const nodeJsTsAppFileSuffixes = [