PNPM Lockfile v9 support #6503

willem-delbare · 2024-04-16T18:24:58Z

willem-delbare
Apr 16, 2024

Description

When running trivy on the new PNPM v9 lockfiles, Trivy detects incorrect versions

Desired Behavior

Correctly parse the new (slightly altered) lockfile format

Actual Behavior

Mixes versions of different packages

Reproduction Steps

lockfile version 8: (pnpm-lock.yaml)

lockfileVersion: '6.0'

settings:
  autoInstallPeers: true
  excludeLinksFromLockfile: false

dependencies:
  lodash:
    specifier: ^4.17.21
    version: 4.17.21

devDependencies:
  '@types/lodash':
    specifier: ^4.17.0
    version: 4.17.0

packages:

  /@types/[email protected]:
    resolution: {integrity: sha512-t7dhREVv6dbNj0q17X12j7yDG4bD/DHYX7o5/DbDxobP0HnGPgpRz2Ej77aL7TZT3DSw13fqUTj8J4mMnqa7WA==}
    dev: true

  /[email protected]:
    resolution: {integrity: sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==}
    dev: false

When scanning above file, no issues are found (correct behavior)

Lockfile version 9: (pnpm-lock.yaml)

lockfileVersion: '9.0'

settings:
  autoInstallPeers: true
  excludeLinksFromLockfile: false

importers:

  .:
    dependencies:
      lodash:
        specifier: ^4.17.21
        version: 4.17.21
    devDependencies:
      '@types/lodash':
        specifier: ^4.17.0
        version: 4.17.0

packages:

  '@types/[email protected]':
    resolution: {integrity: sha512-t7dhREVv6dbNj0q17X12j7yDG4bD/DHYX7o5/DbDxobP0HnGPgpRz2Ej77aL7TZT3DSw13fqUTj8J4mMnqa7WA==}

  [email protected]:
    resolution: {integrity: sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==}

snapshots:

  '@types/[email protected]': {}

  [email protected]: {}

Result: Trivy finds critical CVE-2019-10744 in lodash because it believes lodash 4.17.0 is installed (it is not)

Target

Filesystem

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

NA

Operating System

Windows+Linux

Version

0.50.1

Checklist

Run trivy image --reset
Read the troubleshooting

knqyf263 · 2024-04-17T03:39:20Z

knqyf263
Apr 17, 2024
Maintainer

The format looks much different. It's not a bug but a new feature.
@DmitriyLewen We may want to mention which version Trivy supports in our docs?

0 replies

DmitriyLewen · 2024-04-17T08:42:20Z

DmitriyLewen
Apr 17, 2024
Maintainer

Created #6510 to update documentation.
I also created #6509 about adding v9 support.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

PNPM Lockfile v9 support #6503

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 2 comments

{{title}}

{{title}}

Select a reply

PNPM Lockfile v9 support #6503

willem-delbare Apr 16, 2024

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Target

Scanner

Output Format

Mode

Debug Output

Operating System

Version

Checklist

Replies: 2 comments

knqyf263 Apr 17, 2024 Maintainer

DmitriyLewen Apr 17, 2024 Maintainer

willem-delbare
Apr 16, 2024

knqyf263
Apr 17, 2024
Maintainer

DmitriyLewen
Apr 17, 2024
Maintainer