fix(nodejs): use the default ID format to match licenses in pnpm packages. (#9661)

pkg/fanal/analyzer/language/nodejs/pnpm/pnpm.go

@@ -11,6 +11,7 @@ import (
 
 	"golang.org/x/xerrors"
 
+	"github.com/aquasecurity/trivy/pkg/dependency"
 	"github.com/aquasecurity/trivy/pkg/dependency/parser/nodejs/packagejson"
 	"github.com/aquasecurity/trivy/pkg/dependency/parser/nodejs/pnpm"
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
@@ -65,8 +66,11 @@ func (a pnpmAnalyzer) PostAnalyze(ctx context.Context, input analyzer.PostAnalys
 		}
 
 		// Fill licenses
-		for i, lib := range app.Packages {
-			if l, ok := licenses[lib.ID]; ok {
+		for i, pkg := range app.Packages {
+			// We use snapshots for pnpm package IDs.
+			// But to match licenses, we need to use the ID-building logic as for `package.json` files.
+			id := dependency.ID(types.NodePkg, pkg.Name, pkg.Version)
+			if l, ok := licenses[id]; ok {
 				app.Packages[i].Licenses = l
 			}
 		}

pkg/fanal/analyzer/language/nodejs/pnpm/pnpm_test.go

@@ -39,6 +39,27 @@ func Test_pnpmPkgLibraryAnalyzer_Analyze(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "V9 with node_modules",
+			dir:  "testdata/happy-v9",
+			want: &analyzer.AnalysisResult{
+				Applications: []types.Application{
+					{
+						Type:     types.Pnpm,
+						FilePath: "pnpm-lock.yaml",
+						Packages: types.Packages{
+							{
+								ID:           "vue-router@4.5.1(vue@3.5.22)",
+								Name:         "vue-router",
+								Version:      "4.5.1",
+								Licenses:     []string{"MIT"},
+								Relationship: types.RelationshipDirect,
+							},
+						},
+					},
+				},
+			},
+		},
 		{
 			name: "without node_modules",
 			dir:  "testdata/no-node_modules",

pkg/fanal/analyzer/language/nodejs/pnpm/testdata/happy-v9/node_modules/vue-router/package.json

@@ -0,0 +1,24 @@
+{
+  "name": "vue-router",
+  "version": "4.5.1",
+  "main": "index.js",
+  "unpkg": "dist/vue-router.global.js",
+  "jsdelivr": "dist/vue-router.global.js",
+  "module": "dist/vue-router.mjs",
+  "types": "dist/vue-router.d.ts",
+  "sideEffects": false,
+  "author": {
+    "name": "Eduardo San Martin Morote",
+    "email": "posva13@gmail.com"
+  },
+  "funding": "https://github.com/sponsors/posva",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/vuejs/router.git"
+  },
+  "bugs": {
+    "url": "https://github.com/vuejs/router/issues"
+  },
+  "homepage": "https://github.com/vuejs/router#readme"
+}

pkg/fanal/analyzer/language/nodejs/pnpm/testdata/happy-v9/pnpm-lock.yaml

@@ -0,0 +1,24 @@
+lockfileVersion: '9.0'
+
+settings:
+  autoInstallPeers: true
+  excludeLinksFromLockfile: false
+
+importers:
+
+  .:
+    dependencies:
+      vue-router:
+        specifier: ^4.5.1
+        version: 4.5.1(vue@3.5.22)
+
+packages:
+
+  vue-router@4.5.1:
+    resolution: {integrity: sha512-ogAF3P97NPm8fJsE4by9dwSYtDwXIY1nFY9T6DyQnGHd1E2Da94w9JIolpe42LJGIl0DwOHBi8TcRPlPGwbTtw==}
+    peerDependencies:
+      vue: ^3.2.0
+
+snapshots:
+
+  vue-router@4.5.1(vue@3.5.22): {}