aquasecurity · knqyf263 · Sep 2, 2024 · Aug 26, 2024 · Aug 26, 2024
@@ -37,15 +37,11 @@ type LockFile struct {
 	Packages        map[string]PackageInfo `yaml:"packages,omitempty"`
 
 	// V9
-	Importers Importer            `yaml:"importers,omitempty"`
+	Importers map[string]Importer `yaml:"importers,omitempty"`
 	Snapshots map[string]Snapshot `yaml:"snapshots,omitempty"`
 }
 
 type Importer struct {
-	Root RootImporter `yaml:".,omitempty"`
-}
-
-type RootImporter struct {
 	Dependencies    map[string]ImporterDepVersion `yaml:"dependencies,omitempty"`
 	DevDependencies map[string]ImporterDepVersion `yaml:"devDependencies,omitempty"`
 }
@@ -167,6 +163,18 @@ func (p *Parser) parseV9(lockFile LockFile) ([]ftypes.Package, []ftypes.Dependen
 
 	}
 
+	// Parse `Importers` to find all direct dependencies
+	devDeps := make(map[string]string)
+	deps := make(map[string]string)
+	for _, importer := range lockFile.Importers {
+		for n, v := range importer.DevDependencies {
+			devDeps[n] = v.Version
+		}
+		for n, v := range importer.Dependencies {
+			deps[n] = v.Version
+		}
+	}
+
 	for depPath, pkgInfo := range lockFile.Packages {
 		name, ver, ref := p.parseDepPath(depPath, lockVer)
 		parsedVer := p.parseVersion(depPath, ver, lockVer)
@@ -179,10 +187,10 @@ func (p *Parser) parseV9(lockFile LockFile) ([]ftypes.Package, []ftypes.Dependen
 		// We will update `Dev` field later.
 		dev := true
 		relationship := ftypes.RelationshipIndirect
-		if dep, ok := lockFile.Importers.Root.DevDependencies[name]; ok && dep.Version == ver {
+		if v, ok := devDeps[name]; ok && p.trimPeerDeps(v, lockVer) == ver {
 			relationship = ftypes.RelationshipDirect
 		}
-		if dep, ok := lockFile.Importers.Root.Dependencies[name]; ok && p.trimPeerDeps(dep.Version, lockVer) == ver {
+		if v, ok := deps[name]; ok && p.trimPeerDeps(v, lockVer) == ver {
 			relationship = ftypes.RelationshipDirect
 			dev = false // mark root direct deps to update `dev` field of their child deps.
 		}

@@ -59,12 +59,6 @@ func TestParse(t *testing.T) {
 			want:     pnpmV9,
 			wantDeps: pnpmV9Deps,
 		},
-		{
-			name:     "v9",
-			file:     "testdata/pnpm-lock_v9.yaml",
-			want:     pnpmV9,
-			wantDeps: pnpmV9Deps,
-		},
 		{
 			name:     "v9 with cyclic dependencies import",
 			file:     "testdata/pnpm-lock_v9_cyclic_import.yaml",

@@ -752,6 +752,13 @@ var (
 			Version:      "0.4.0",
 			Relationship: ftypes.RelationshipIndirect,
 		},
+		{
+			ID:           "[email protected]",
+			Name:         "await-sleep",
+			Version:      "0.0.1",
+			Dev:          true,
+			Relationship: ftypes.RelationshipDirect,
+		},
 		{
 			ID:           "[email protected]",
 			Name:         "debug",
@@ -843,6 +850,12 @@ var (
 			Version:      "8.1.0",
 			Relationship: ftypes.RelationshipDirect,
 		},
+		{
+			ID:           "[email protected]",
+			Name:         "sleep-utils",
+			Version:      "1.0.3",
+			Relationship: ftypes.RelationshipDirect,
+		},
 		{
 			ID:           "[email protected]",
 			Name:         "statuses",

@@ -40,6 +40,17 @@ importers:
         specifier: 2.0.0
         version: 2.0.0
 
+  subdir:
+    dependencies:
+      sleep-utils:
+        specifier: 1.0.3
+        version: 1.0.3
+
+    devDependencies:
+      await-sleep:
+        specifier: ^0.0.1
+        version: 0.0.1
+
 packages:
 
   '@babel/[email protected]':
@@ -52,6 +63,9 @@ packages:
   [email protected]:
     resolution: {integrity: sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==}
 
+  [email protected]:
+    resolution: {integrity: sha512-H3X3eAxwGpeNIk/yvFOs8g7500Q1YvzrxjSC9TNgLGtjrMFxPwhDdcT34QNs2iGWpZ+5WKkMJdjDoYs+Sw+TaA==}
+
   [email protected]:
     resolution: {integrity: sha512-PRWFHuSU3eDtQJPvnNY7Jcket1j0t5OuOsFzPPzsekD52Zl8qUfFIPEiswXqIvHWGVHOgX+7G/vCNNhehwxfkQ==}
     engines: {node: '>=6.0'}
@@ -117,6 +131,9 @@ packages:
   [email protected]:
     resolution: {integrity: sha512-W04AqnILOL/sPRXziNicCjSNRruLAuIHEOVBazepu0545DDNGYHz7ar9ZgZ1fMU8/MA4mVxp5rkBWRi6OXIy3Q==}
 
+  [email protected]:
+    resolution: {integrity: sha512-uJW7WDHISE1zJIdvoIewcdmis3pBvJhM30rni2gH7fHhV1NkTWLKw3J6CPRFdg3h+rFChFHzAgbkCKUErd4s8Q==}
+
   [email protected]:
     resolution: {integrity: sha512-zhSCtt8v2NDrRlPQpCNtw/heZLtfUDqxBM1udqikb/Hbk52LK4nQSwr10u77iopCW5LsyHpuXS0GnEc48mLeew==}
     engines: {node: '>= 0.6'}
@@ -134,6 +151,8 @@ snapshots:
 
   [email protected]: {}
 
+  [email protected]: {}
+
   [email protected]([email protected]):
     dependencies:
       ms: 2.0.0
@@ -186,6 +205,8 @@ snapshots:
     optionalDependencies:
       asap: 2.0.6
 
+  [email protected]: {}
+
   [email protected]: {}
 
   [email protected]: {}