feat: add support for pnpm (#182)

* feat: add support for pnpm

Signed-off-by: Ruben Romero Montes <[email protected]>

* feat: add support for pnpm

Signed-off-by: Ruben Romero Montes <[email protected]>

* chore: use invokeCommand instead of execSync

* feat: fix tests

Signed-off-by: Ruben Romero Montes <[email protected]>

---------

Signed-off-by: Ruben Romero Montes <[email protected]>
Co-authored-by: Noah Santschi-Cooney <[email protected]>

Author: ruromero

.eslintrc.json

@@ -1,28 +1,28 @@
 {
-    "root": true,
-	"extends": [
-		"eslint:recommended",
-		"plugin:editorconfig/all"
-	],
-	"parserOptions": {
-		"ecmaVersion": 2022,
-		"sourceType": "module"
-	},
-	"env": {
-		"node": true,
-		"mocha": true,
-		"es6": true
-	},
-	"plugins": [
-		"editorconfig"
-    ],
-    "rules": {
-        "curly": "warn",
-        "eqeqeq": "warn",
-        "no-throw-literal": "warn",
-		"sort-imports":"warn"
-    },
-	"ignorePatterns": [
-		"integration"
-	]
-}
+  "root": true,
+  "extends": [
+    "eslint:recommended",
+    "plugin:editorconfig/all"
+  ],
+  "parserOptions": {
+    "ecmaVersion": 2022,
+    "sourceType": "module"
+  },
+  "env": {
+    "node": true,
+    "mocha": true,
+    "es6": true
+  },
+  "plugins": [
+    "editorconfig"
+  ],
+  "rules": {
+    "curly": "warn",
+    "eqeqeq": "warn",
+    "no-throw-literal": "warn",
+    "sort-imports": "warn"
+  },
+  "ignorePatterns": [
+    "integration"
+  ]
+}

.github/workflows/pr.yml

@@ -51,6 +51,9 @@ jobs:
         with:
           go-version: '1.20.1'
 
+      - name: Install pnpm
+        run: npm install -g pnpm
+
       - name: Setup Gradle
         uses: gradle/actions/setup-gradle@v4
 

README.md

@@ -152,6 +152,7 @@ $ exhort-javascript-api component /path/to/pom.xml
 <ul>
 <li><a href="https://www.java.com/">Java</a> - <a href="https://maven.apache.org/">Maven</a></li>
 <li><a href="https://www.javascript.com/">JavaScript</a> - <a href="https://www.npmjs.com/">Npm</a></li>
+<li><a href="https://www.javascript.com/">JavaScript</a> - <a href="https://pnpm.io/">pnpm</a></li>
 <li><a href="https://go.dev/">Golang</a> - <a href="https://go.dev/blog/using-go-modules/">Go Modules</a></li>
 <li><a href="https://www.python.org/">Python</a> - <a href="https://pypi.org/project/pip/">pip Installer</a></li>
 <li><a href="https://gradle.org/">Gradle (Groovy and Kotlin DSL)</a> - <a href="https://gradle.org/install/">Gradle Installation</a></li>
@@ -298,6 +299,7 @@ import fs from 'node:fs'
 let options = {
   'EXHORT_MVN_PATH': '/path/to/my/mvn',
   'EXHORT_NPM_PATH': '/path/to/npm',
+  'EXHORT_PNPM_PATH': '/path/to/pnpm',
   'EXHORT_GO_PATH': '/path/to/go',
   //python - python3, pip3 take precedence if python version > 3 installed
   'EXHORT_PYTHON3_PATH' : '/path/to/python3',
@@ -343,6 +345,11 @@ following keys for setting custom paths for the said executables.
 <td>EXHORT_NPM_PATH</td>
 </tr>
 <tr>
+<td><a href="https://pnpm.io/">PNPM</a></td>
+<td><em>pnpm</em></td>
+<td>EXHORT_PNPM_PATH</td>
+</tr>
+<tr>
 <td><a href="https://go.dev/blog/using-go-modules/">Go Modules</a></td>
 <td><em>go</em></td>
 <td>EXHORT_GO_PATH</td>

src/provider.js

@@ -1,19 +1,21 @@
+import path from 'node:path'
+
 import golangGomodulesProvider from './providers/golang_gomodules.js'
 import Java_gradle_groovy from "./providers/java_gradle_groovy.js";
 import Java_gradle_kotlin from "./providers/java_gradle_kotlin.js";
 import Java_maven from "./providers/java_maven.js";
-import javascriptNpmProvider from './providers/javascript_npm.js'
-import path from 'node:path'
 import pythonPipProvider from './providers/python_pip.js'
+import Javascript_npm from './providers/javascript_npm.js';
+import Javascript_pnpm from './providers/javascript_pnpm.js';
 
 /** @typedef {{ecosystem: string, contentType: string, content: string}} Provided */
-/** @typedef {{isSupported: function(string): boolean, validateLockFile: function(): void, provideComponent: function(string, {}): Provided, provideStack: function(string, {}): Provided}} Provider */
+/** @typedef {{isSupported: function(string): boolean, validateLockFile: function(string): void, provideComponent: function(string, {}): Provided, provideStack: function(string, {}): Provided}} Provider */
 
 /**
  * MUST include all providers here.
  * @type {[Provider]}
  */
-export const availableProviders = [new Java_maven(), new Java_gradle_groovy(), new Java_gradle_kotlin(), javascriptNpmProvider, golangGomodulesProvider, pythonPipProvider]
+export const availableProviders = [new Java_maven(), new Java_gradle_groovy(), new Java_gradle_kotlin(), new Javascript_npm(), new Javascript_pnpm(), golangGomodulesProvider, pythonPipProvider]
 
 /**
  * Match a provider from a list or providers based on file type.
@@ -26,15 +28,14 @@ export const availableProviders = [new Java_maven(), new Java_gradle_groovy(), n
  * @throws {Error} when the manifest is not supported and no provider was matched
  */
 export function match(manifest, providers) {
-	let manifestPath = path.parse(manifest)
-	let provider = providers.find(prov => prov.isSupported(manifestPath.base))
-	if (!provider) {
+	const manifestPath = path.parse(manifest)
+	const supported = providers.filter(prov => prov.isSupported(manifestPath.base))
+	if (supported.length === 0) {
 		throw new Error(`${manifestPath.base} is not supported`)
 	}
-
-	if (provider) {
-		provider.validateLockFile(manifestPath.dir);
+	const provider = supported.find(prov => prov.validateLockFile(manifestPath.dir))
+	if(!provider) {
+		throw new Error(`${manifestPath.base} requires a lock file. Use your preferred package manager to generate the lock file.`);
 	}
-
 	return provider
 }

src/providers/base_java.js

@@ -1,4 +1,5 @@
 import { PackageURL } from 'packageurl-js'
+
 import { invokeCommand } from "../tools.js"
 
 
@@ -44,7 +45,7 @@ export default class Base_Java {
 				let matchedScope = target.match(/:compile|:provided|:runtime|:test|:system|:import/g)
 				let matchedScopeSrc = src.match(/:compile|:provided|:runtime|:test|:system|:import/g)
 				// only add dependency to sbom if it's not with test scope or if it's root
-				if ((matchedScope && matchedScope[0] !== ":test" && (matchedScopeSrc && matchedScopeSrc[0] !== ":test")) || (srcDepth == 0 && matchedScope && matchedScope[0] !== ":test")) {
+				if ((matchedScope && matchedScope[0] !== ":test" && (matchedScopeSrc && matchedScopeSrc[0] !== ":test")) || (srcDepth === 0 && matchedScope && matchedScope[0] !== ":test")) {
 					sbom.addDependency(sbom.purlToComponent(from), to)
 				}
 			} else {

src/providers/base_javascript.js

@@ -0,0 +1,212 @@
+import fs from 'node:fs'
+import os from "node:os";
+import path from 'node:path'
+import { PackageURL } from 'packageurl-js'
+
+import { getCustomPath, invokeCommand } from "../tools.js";
+import Sbom from '../sbom.js'
+
+/** @typedef {import('../provider.js').Provider} */
+
+/** @typedef {import('../provider.js').Provided} Provided */
+
+const ecosystem = 'npm'
+const defaultVersion = 'v0.0.0'
+
+export default class Base_javascript {
+
+	// Resolved cmd to use
+	#cmd;
+
+	/**
+   * @returns {string} the name of the lock file name for the specific implementation
+   */
+	_lockFileName() {
+		throw new TypeError("_lockFileName must be implemented");
+	}
+
+	/**
+   * @returns {string} the command name to use for the specific JS package manager
+   */
+	_cmdName() {
+		throw new TypeError("_cmdName must be implemented");
+	}
+
+	/**
+   * @returns {Array<string>}
+   */
+	_listCmdArgs() {
+		throw new TypeError("_listCmdArgs must be implemented");
+	}
+
+	/**
+   * @returns {Array<string>}
+   */
+	_updateLockFileCmdArgs() {
+		throw new TypeError("_updateLockFileCmdArgs must be implemented");
+	}
+
+	/**
+   * @param {string} manifestName - the subject manifest name-type
+   * @returns {boolean} - return true if `pom.xml` is the manifest name-type
+   */
+	isSupported(manifestName) {
+		return 'package.json' === manifestName;
+	}
+
+	/**
+   * Checks if a required lock file exists in the same path as the manifest
+   *
+   * @param {string} manifestDir - The base directory where the manifest is located
+   * @returns {boolean} - True if the lock file exists
+   */
+	validateLockFile(manifestDir) {
+		const lock = path.join(manifestDir, this._lockFileName());
+		return fs.existsSync(lock);
+	}
+
+	/**
+   * Provide content and content type for maven-maven stack analysis.
+   * @param {string} manifest - the manifest path or name
+   * @param {{}} [opts={}] - optional various options to pass along the application
+   * @returns {Provided}
+   */
+	provideStack(manifest, opts = {}) {
+		return {
+			ecosystem,
+			content: this.#getSBOM(manifest, opts, true),
+			contentType: 'application/vnd.cyclonedx+json'
+		}
+	}
+
+	/**
+   * Provide content and content type for maven-maven component analysis.
+   * @param {string} manifest - path to pom.xml for component report
+   * @param {{}} [opts={}] - optional various options to pass along the application
+   * @returns {Provided}
+   */
+	provideComponent(manifest, opts = {}) {
+		return {
+			ecosystem,
+			content: this.#getSBOM(manifest, opts, false),
+			contentType: 'application/vnd.cyclonedx+json'
+		}
+	}
+
+	/**
+   * Utility function for creating Purl String
+   * @param name the name of the artifact, can include a namespace(group) or not - namespace/artifactName.
+   * @param version the version of the artifact
+   * @returns {PackageURL|null} PackageUrl Object ready to be used in SBOM
+   */
+	#toPurl(name, version) {
+		let parts = name.split("/");
+		var purlNs, purlName;
+		if (parts.length === 2) {
+			purlNs = parts[0];
+			purlName = parts[1];
+		} else {
+			purlName = parts[0];
+		}
+		return new PackageURL('npm', purlNs, purlName, version, undefined, undefined);
+	}
+
+	_buildDependencyTree(includeTransitive, manifest) {
+		this.#version();
+		let manifestDir = path.dirname(manifest)
+		this.#createLockFile(manifestDir);
+
+		let npmOutput = this.#executeListCmd(includeTransitive, manifestDir);
+		return JSON.parse(npmOutput);
+	}
+
+	/**
+   * Create SBOM json string for npm Package.
+   * @param {string} manifest - path for package.json
+   * @param {{}} [opts={}] - optional various options to pass along the application
+   * @returns {string} the SBOM json content
+   * @private
+   */
+	#getSBOM(manifest, opts = {}, includeTransitive) {
+		this.#cmd = getCustomPath(this._cmdName(), opts);
+		const depsObject = this._buildDependencyTree(includeTransitive, manifest, opts);
+		let rootName = depsObject["name"]
+		let rootVersion = depsObject["version"]
+		if (!rootVersion) {
+			rootVersion = defaultVersion
+		}
+		let mainComponent = this.#toPurl(rootName, rootVersion);
+
+		let sbom = new Sbom();
+		sbom.addRoot(mainComponent)
+
+		let dependencies = depsObject["dependencies"] || {};
+		this.#addAllDependencies(sbom, sbom.getRoot(), dependencies)
+		let packageJson = fs.readFileSync(manifest).toString()
+		let packageJsonObject = JSON.parse(packageJson);
+		if (packageJsonObject.exhortignore !== undefined) {
+			let ignoredDeps = Array.from(packageJsonObject.exhortignore);
+			sbom.filterIgnoredDeps(ignoredDeps)
+		}
+		return sbom.getAsJsonString(opts)
+	}
+
+	/**
+   * This function recursively build the Sbom from the JSON that npm listing returns
+   * @param sbom this is the sbom object
+   * @param from this is the current component in bom (Should start with root/main component of SBOM) for which we want to add all its dependencies.
+   * @param dependencies the current dependency list (initially it's the list of the root component)
+   * @private
+   */
+	#addAllDependencies(sbom, from, dependencies) {
+		Object.entries(dependencies)
+			.filter(entry => entry[1].version !== undefined)
+			.forEach(entry => {
+				let [name, artifact] = entry;
+				let purl = this.#toPurl(name, artifact.version);
+				sbom.addDependency(from, purl)
+				let transitiveDeps = artifact.dependencies
+				if (transitiveDeps !== undefined) {
+					this.#addAllDependencies(sbom, sbom.purlToComponent(purl), transitiveDeps)
+				}
+			});
+	}
+
+	#executeListCmd(includeTransitive, manifestDir) {
+		const listArgs = this._listCmdArgs(includeTransitive, manifestDir);
+		return this.#invokeCommand(listArgs);
+	}
+
+	#version() {
+		this.#invokeCommand(['--version'], { stdio: 'ignore' });
+	}
+
+	#createLockFile(manifestDir) {
+		// in windows os, --prefix flag doesn't work, it behaves really weird , instead of installing the package.json fromm the prefix folder,
+		// it's installing package.json (placed in current working directory of process) into prefix directory, so
+		let originalDir = process.cwd()
+		if (os.platform() === 'win32') {
+			process.chdir(manifestDir)
+		}
+		const args = this._updateLockFileCmdArgs(manifestDir);
+		try {
+			this.#invokeCommand(args);
+		} finally {
+			if (os.platform() === 'win32') {
+				process.chdir(originalDir)
+			}
+		}
+	}
+
+	#invokeCommand(args, opts = {}) {
+		try {
+			return invokeCommand(this.#cmd, args, opts);
+		} catch (error) {
+			if (error.code === 'ENOENT') {
+				throw new Error(`${this.#cmd} is not accessible`);
+			}
+			throw new Error(`failed to execute ${this.#cmd} ${args}`, { cause: error })
+		}
+	}
+}
+

src/providers/golang_gomodules.js

@@ -32,7 +32,7 @@ function isSupported(manifestName) {
 /**
  * @param {string} manifestDir - the directory where the manifest lies
  */
-function validateLockFile() {}
+function validateLockFile() { return true; }
 
 /**
  * Provide content and content type for maven-maven stack analysis.

src/providers/java_gradle.js

@@ -113,7 +113,7 @@ export default class Java_gradle extends Base_java {
 	/**
 	 * @param {string} manifestDir - the directory where the manifest lies
  	 */
-	validateLockFile() {}
+	validateLockFile() { return true; }
 
 	/**
 	 * Provide content and content type for stack analysis.
@@ -131,10 +131,6 @@ export default class Java_gradle extends Base_java {
 		}
 	}
 
-	testMeNow() {
-		return {hello: "there"}
-	}
-
 	/**
 	 * Provide content and content type for maven-maven component analysis.
 	 * @param {string} manifest - path to pom.xml for component report