bug(pnpm): Trivy incorrect marks Dev packages

[DmitriyLewen]

Description

Trivy non-deterministic marks Dev package for pnpm-lock.json files:

➜ trivy -q fs -f json --list-all-pkgs ./pnpm-lock.yaml --include-dev-deps | jq ' .Results[].Packages[] | select(.ID=="unrs-resolver@1.9.2")'
{
  "ID": "unrs-resolver@1.9.2",
  "Name": "unrs-resolver",
  "Identifier": {
    "PURL": "pkg:npm/unrs-resolver@1.9.2",
    "UID": "cf90da27ce156ff"
  },
  "Version": "1.9.2",
  "Dev": true,
  "Indirect": true,
  "Relationship": "indirect",
...
}
➜ trivy -q fs -f json --list-all-pkgs ./pnpm-lock.yaml --include-dev-deps | jq ' .Results[].Packages[] | select(.ID=="unrs-resolver@1.9.2")'
{
  "ID": "unrs-resolver@1.9.2",
  "Name": "unrs-resolver",
  "Identifier": {
    "PURL": "pkg:npm/unrs-resolver@1.9.2",
    "UID": "5b2d4bd73247bc76"
  },
  "Version": "1.9.2",
  "Indirect": true,
  "Relationship": "indirect",
...
}

Discussed in #9247

[amitverse]

Hi, I'm interested in this issue. Can i take it?

[knqyf263]

Yes, sure, but we haven't had time to investigate the cause of the bug yet. Could you first leave a comment here on how we should approach fixing it?

[amitverse]

Root Cause

There are some snapshots in the lockfile which has an optionalDependency of different version. And these optionalDependencies are not listed under one parent instead listed separately as shown below-

While parsing these dependencies, the parser loops over the snapshots and stores the dependencies in an array of string. If the length of array is more than 0 then assigning this array to the map of dependency of the snapshot.

In case of dependencies listed separately, parser is overwriting the previous set of dependency with new one.

trivy/pkg/dependency/parser/nodejs/pnpm/parse.go

Line 162 in ea6663a

resolvedSnapshots[packageID(name, version)] = dependsOn

Later, the parser use a DFS call to mark all the child dependencies.

trivy/pkg/dependency/parser/nodejs/pnpm/parse.go

Line 231 in ea6663a

func (p *Parser) markRootPkgs(id string, pkgs map[string]ftypes.Package, deps map[string]ftypes.Dependency, visited set.Set[string]) {

Since parser is adding only one set of dependencies, so the DFS calls are processing the last encountered set of dependencies only which is causing inconsistency in result.

Possible Fix

Instead of storing only last set of encountered dependencies, it should store all the sets to process all the dependencies.