CM-55551 CLI SCA Scan Fails to Detect Indirect Dependencies Due to PNPM Lock File Handling

Author: morsa4406

cycode/cli/files_collector/sca/base_restore_dependencies.py

@@ -14,10 +14,10 @@ def build_dep_tree_path(path: str, generated_file_name: str) -> str:
 
 
 def execute_commands(
-    commands: list[list[str]],
-    timeout: int,
-    output_file_path: Optional[str] = None,
-    working_directory: Optional[str] = None,
+        commands: list[list[str]],
+        timeout: int,
+        output_file_path: Optional[str] = None,
+        working_directory: Optional[str] = None,
 ) -> Optional[str]:
     try:
         outputs = []
@@ -40,7 +40,7 @@ def execute_commands(
 
 class BaseRestoreDependencies(ABC):
     def __init__(
-        self, ctx: typer.Context, is_git_diff: bool, command_timeout: int, create_output_file_manually: bool = False
+            self, ctx: typer.Context, is_git_diff: bool, command_timeout: int, create_output_file_manually: bool = False
     ) -> None:
         self.ctx = ctx
         self.is_git_diff = is_git_diff
@@ -57,9 +57,11 @@ def get_manifest_file_path(self, document: Document) -> str:
 
     def try_restore_dependencies(self, document: Document) -> Optional[Document]:
         manifest_file_path = self.get_manifest_file_path(document)
-        restore_file_paths = [build_dep_tree_path(document.absolute_path, restore_file_path_item) for restore_file_path_item in self.get_lock_file_names()]
+        restore_file_paths = [build_dep_tree_path(document.absolute_path, restore_file_path_item) for
+                              restore_file_path_item in self.get_lock_file_names()]
         restore_file_path = self.get_any_restore_file_already_exist(restore_file_paths)
-        relative_restore_file_path = build_dep_tree_path(document.path, self.get_restored_lock_file_name(restore_file_path))
+        relative_restore_file_path = build_dep_tree_path(document.path,
+                                                         self.get_restored_lock_file_name(restore_file_path))
 
         if self.verify_lockfile_missing(restore_file_path):
             output = execute_commands(
@@ -76,16 +78,16 @@ def try_restore_dependencies(self, document: Document) -> Optional[Document]:
 
     def get_working_directory(self, document: Document) -> Optional[str]:
         return os.path.dirname(document.absolute_path)
-    
+
     def get_restored_lock_file_name(self, restore_file_path: str) -> str:
         return self.get_lock_file_name()
-    
+
     @staticmethod
     def get_any_restore_file_already_exist(restore_file_paths: list[str]) -> Optional[str]:
         for restore_file_path in restore_file_paths:
             if os.path.isfile(restore_file_path):
                 return restore_file_path
-        
+
         return None
 
     @staticmethod
@@ -103,7 +105,7 @@ def get_commands(self, manifest_file_path: str) -> list[list[str]]:
     @abstractmethod
     def get_lock_file_name(self) -> str:
         pass
-    
+
     @abstractmethod
     def get_lock_file_names(self) -> list[str]:
         pass

cycode/cli/files_collector/sca/go/restore_go_dependencies.py

@@ -43,6 +43,6 @@ def get_commands(self, manifest_file_path: str) -> list[list[str]]:
 
     def get_lock_file_name(self) -> str:
         return GO_RESTORE_FILE_NAME
-    
+
     def get_lock_file_names(self) -> str:
         return [self.get_lock_file_name()]

cycode/cli/files_collector/sca/maven/restore_gradle_dependencies.py

@@ -40,7 +40,7 @@ def get_commands(self, manifest_file_path: str) -> list[list[str]]:
 
     def get_lock_file_name(self) -> str:
         return BUILD_GRADLE_DEP_TREE_FILE_NAME
-    
+
     def get_lock_file_names(self) -> str:
         return [self.get_lock_file_name()]
 

cycode/cli/files_collector/sca/maven/restore_maven_dependencies.py

@@ -33,7 +33,7 @@ def get_commands(self, manifest_file_path: str) -> list[list[str]]:
 
     def get_lock_file_name(self) -> str:
         return join_paths('target', MAVEN_CYCLONE_DEP_TREE_FILE_NAME)
-    
+
     def get_lock_file_names(self) -> str:
         return [self.get_lock_file_name()]
 

cycode/cli/files_collector/sca/npm/restore_npm_dependencies.py

@@ -35,13 +35,13 @@ def get_commands(self, manifest_file_path: str) -> list[list[str]]:
                 '--no-audit',
             ]
         ]
-        
+
     def get_restored_lock_file_name(self, restore_file_path: str) -> str:
         return NPM_LOCK_FILE_NAME if restore_file_path is None else  os.path.basename(restore_file_path)
 
     def get_lock_file_name(self) -> str:
         return NPM_LOCK_FILE_NAME
-    
+
     def get_lock_file_names(self) -> str:
         return NPM_LOCK_FILE_NAMES
 

cycode/cli/files_collector/sca/nuget/restore_nuget_dependencies.py

@@ -19,6 +19,6 @@ def get_commands(self, manifest_file_path: str) -> list[list[str]]:
 
     def get_lock_file_name(self) -> str:
         return NUGET_LOCK_FILE_NAME
-    
+
     def get_lock_file_names(self) -> str:
         return [self.get_lock_file_name()]

cycode/cli/files_collector/sca/ruby/restore_ruby_dependencies.py

@@ -14,6 +14,6 @@ def get_commands(self, manifest_file_path: str) -> list[list[str]]:
 
     def get_lock_file_name(self) -> str:
         return RUBY_LOCK_FILE_NAME
-    
+
     def get_lock_file_names(self) -> str:
         return [self.get_lock_file_name()]

cycode/cli/files_collector/sca/sbt/restore_sbt_dependencies.py

@@ -14,6 +14,6 @@ def get_commands(self, manifest_file_path: str) -> list[list[str]]:
 
     def get_lock_file_name(self) -> str:
         return SBT_LOCK_FILE_NAME
-    
+
     def get_lock_file_names(self) -> str:
         return [self.get_lock_file_name()]