PNPM scanning is broken

[kikar]

Description

Trivy does not find any vulnerabilities or SBOMs in pnpm-lock.yaml files at all

Desired Behavior

Trivy should find at least some vulnerabilities or dependencies

Actual Behavior

Trivy finds none

Reproduction Steps

1. Clone monorepo https://github.com/kikar/pnpm-turbo-docker-monorepo
2. Run trivy
3. TRIVY_DEBUG=true trivy fs -f json --scanners vuln pnpm-lock.yaml

Target

Filesystem

Scanner

Vulnerability

Output Format

JSON

Mode

Standalone

Debug Output

TRIVY_DEBUG=true trivy fs -f json --scanners vuln ./pnpm-lock.yaml

2023-06-04T12:01:31.713+0300	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-06-04T12:01:31.726+0300	DEBUG	cache dir:  /Users/bait/Library/Caches/trivy
2023-06-04T12:01:31.726+0300	DEBUG	DB update was skipped because the local DB is the latest
2023-06-04T12:01:31.726+0300	DEBUG	DB Schema: 2, UpdatedAt: 2023-06-04 06:08:25.823259834 +0000 UTC, NextUpdate: 2023-06-04 12:08:25.823259334 +0000 UTC, DownloadedAt: 2023-06-04 08:08:40.52256 +0000 UTC
2023-06-04T12:01:31.726+0300	INFO	Vulnerability scanning is enabled
2023-06-04T12:01:31.726+0300	DEBUG	Vulnerability type:  [os library]
2023-06-04T12:01:31.726+0300	DEBUG	Walk the file tree rooted at 'pnpm-lock.yaml' in parallel
2023-06-04T12:01:31.733+0300	DEBUG	Analysis error: unable to parse pnpm-lock.yaml: failed to parse pnpm-lock.yaml: failed to parse pnpm-lock.yaml: decode error: yaml: unmarshal errors:
  line 8: cannot unmarshal !!map into string
…
  line 171: cannot unmarshal !!map into string
2023-06-04T12:01:31.742+0300	DEBUG	OS is not detected.
2023-06-04T12:01:31.742+0300	DEBUG	Detected OS: unknown
2023-06-04T12:01:31.742+0300	INFO	Number of language-specific files: 0
{
  "SchemaVersion": 2,
  "ArtifactName": "pnpm-lock.yaml",
  "ArtifactType": "filesystem",
  "Metadata": {
    "ImageConfig": {
      "architecture": "",
      "created": "0001-01-01T00:00:00Z",
      "os": "",
      "rootfs": {
        "type": "",
        "diff_ids": null
      },
      "config": {}
    }
  }
}

### Operating System

macOS Ventura 13.4

### Version

```bash
Version: 0.42.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-06-04 06:08:25.823259834 +0000 UTC
  NextUpdate: 2023-06-04 12:08:25.823259334 +0000 UTC
  DownloadedAt: 2023-06-04 08:08:40.52256 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-05-30 01:02:47.138577833 +0000 UTC
  NextUpdate: 2023-06-02 01:02:47.138577333 +0000 UTC
  DownloadedAt: 2023-05-30 07:51:07.568171 +0000 UTC
Policy Bundle:
  Digest: sha256:030345bff4845bae1c89450da85681bc25c0c40d2144a0d9db5254674d155298
  DownloadedAt: 2023-05-30 07:31:18.843201 +0000 UTC

Checklist

• Run trivy --reset
• Read the troubleshooting

[knqyf263]

@DmitriyLewen is on vacation. @nikpivkin @afdesk Can you please take a look?

[knqyf263]

If you confirm the bug, I'd include the fix in v0.42.1.

[afdesk]

yes, sure.

[nikpivkin]

This is a bug. I reproduce this only when there are dev dependencies. The structure of some fields has changed in the lock file v6. A fix was released for version and dependencies fields, but the case with devDependencies was not handled. I'll fix it.

[knqyf263]

@nikpivkin Once you confirm the bug and create an issue, please close the discussion. We'll keep discussing it in the issue.
#4559

[afdesk]

@knqyf263 sorry, my fault. i had to close it

[knqyf263]

No big deal. it is a new workflow.