feat(nodejs): add license parser to pnpm analyser

[oscarbc96]

Description

pnpm-lock.yaml files do not contain dependency license information.
This PR parses */node_modules/<package_name>/package.json files alongside pnpm-lock.json and identify licenses.

Related Issues

• Close pnpm license support #7076
• Node.js license support #3718

Checklist

• I've read the guidelines for contributing to this repository.
• I've followed the conventions in the PR title.
• I've added tests that prove my fix is effective or that my feature works.
• I've updated the documentation with the relevant information (if needed).
• I've added usage information (if the PR introduces new options)
• I've included a "before" and "after" example to the description (if the PR is a user interface change).

[CLAassistant]

All committers have signed the CLA.

[knqyf263]

You can reference this page to pass tests. Please feel free to ask if you need assistance.

[knqyf263]

Thanks for your contribution. LGTM.
One comment: I want as few test files as possible so we can easily maintain tests in the future. Can you please provide a minimum file structure that meets the case you want to test?

[oscarbc96]

Thanks for your feedback! The tests are already consolidated into a minimal structure. The happy path test requires only two dependencies: ms, which has no additional dependencies, and @babel/parser, which has several indirect dependencies. This allows us to comprehensively test that everything is working correctly.

Due to the nature of these dependencies, it might appear that we have several test data files. However, to keep things simple, everything except the package.json file has been removed. This ensures that we maintain the necessary coverage while adhering to the minimal file structure.

[knqyf263]

I still feel like @babel/parser has too many dependencies. We don't need to use an actual package for unit tests. You can add it to integration tests.

[oscarbc96]

You're right. After giving it a second thought, I removed @babel/parser since testing the detection of indirect dependencies should be handled by the pnpm parser. The pnpm parser already has tests for these dependencies.

[knqyf263]

@DmitriyLewen Could you also take a look?

[DmitriyLewen]

Hello @oscarbc96
Thanks for your work!

Add comments. Take a look please.

[DmitriyLewen]

all package.json files don't use version range.
We don't need comparer to match version from package.json and pnpm-lock.yaml files.

[DmitriyLewen]

similar case.
package.json file contain license name.
We don't need to use licenceClassifier.

[DmitriyLewen]

do we need this link?

We skip this link in Required function.

[oscarbc96]

Nope, it's not necessary actually.

[DmitriyLewen]

remove it please.

[DmitriyLewen]

LGTM

cc. @knqyf263

[knqyf263]

I think we should update an integration test similar to npm (adding node_modules so licenses will be detected).

The test case is here.

trivy/integration/repo_test.go

Lines 105 to 112 in acbec05

	{
	name: "pnpm",
	args: args{
	scanner: types.VulnerabilityScanner,
	input: "testdata/fixtures/repo/pnpm",
	},
	golden: "testdata/pnpm.json.golden",
	},

You can update the golden file with mage test:updateGolden.

[DmitriyLewen]

You don't need to create a new gold file.

You need to update testdata/pnpm.json.golden file.

[oscarbc96]

I'm not sure if I'm doing this right; the testdata/pnpm.json.golden file is not updating. 🤔
I'm running mage test:updateGolden. @DmitriyLewen Can you help me figure out what might be wrong?

[DmitriyLewen]

Sorry, i missed that list-all-pkgs flag is not used for pnpm testcase.
I added flag and updated golden file in 602b4d9

[oscarbc96]

Thank you!

[knqyf263]

Thanks for your great contribution!