CM-55551 CLI SCA Scan Fails to Detect Indirect Dependencies Due to PNPM Lock File Handling

morsa4406 · morsa4406 · commit bb936975f477 · 2025-11-23T16:15:58.000+02:00
diff --git a/cycode/cli/files_collector/sca/base_restore_dependencies.py b/cycode/cli/files_collector/sca/base_restore_dependencies.py
@@ -14,10 +14,10 @@ def build_dep_tree_path(path: str, generated_file_name: str) -> str:
 
 
 def execute_commands(
-        commands: list[list[str]],
-        timeout: int,
-        output_file_path: Optional[str] = None,
-        working_directory: Optional[str] = None,
+    commands: list[list[str]],
+    timeout: int,
+    output_file_path: Optional[str] = None,
+    working_directory: Optional[str] = None,
 ) -> Optional[str]:
     try:
         outputs = []
@@ -40,7 +40,7 @@ def execute_commands(
 
 class BaseRestoreDependencies(ABC):
     def __init__(
-            self, ctx: typer.Context, is_git_diff: bool, command_timeout: int, create_output_file_manually: bool = False
+        self, ctx: typer.Context, is_git_diff: bool, command_timeout: int, create_output_file_manually: bool = False
     ) -> None:
         self.ctx = ctx
         self.is_git_diff = is_git_diff
@@ -57,11 +57,14 @@ def get_manifest_file_path(self, document: Document) -> str:
 
     def try_restore_dependencies(self, document: Document) -> Optional[Document]:
         manifest_file_path = self.get_manifest_file_path(document)
-        restore_file_paths = [build_dep_tree_path(document.absolute_path, restore_file_path_item) for
-                              restore_file_path_item in self.get_lock_file_names()]
+        restore_file_paths = [
+            build_dep_tree_path(document.absolute_path, restore_file_path_item)
+            for restore_file_path_item in self.get_lock_file_names()
+        ]
         restore_file_path = self.get_any_restore_file_already_exist(restore_file_paths)
-        relative_restore_file_path = build_dep_tree_path(document.path,
-                                                         self.get_restored_lock_file_name(restore_file_path))
+        relative_restore_file_path = build_dep_tree_path(
+            document.path, self.get_restored_lock_file_name(restore_file_path)
+        )
 
         if self.verify_lockfile_missing(restore_file_path):
             output = execute_commands(
diff --git a/cycode/cli/files_collector/sca/npm/restore_npm_dependencies.py b/cycode/cli/files_collector/sca/npm/restore_npm_dependencies.py
@@ -7,12 +7,7 @@
 
 NPM_PROJECT_FILE_EXTENSIONS = ['.json']
 NPM_LOCK_FILE_NAME = 'package-lock.json'
-NPM_LOCK_FILE_NAMES = [
-    NPM_LOCK_FILE_NAME,
-    'yarn.lock',
-    'pnpm-lock.yaml',
-    'deno.lock'
-]
+NPM_LOCK_FILE_NAMES = [NPM_LOCK_FILE_NAME, 'yarn.lock', 'pnpm-lock.yaml', 'deno.lock']
 NPM_MANIFEST_FILE_NAME = 'package.json'
 
 
