Trivy marks all dependencies of subdirectories as 'dev dependency' for PNPM
Discussed in https://github.com/aquasecurity/trivy/discussions/7381
Originally posted by SemProvoost August 25, 2024
Description
Bug Summary: Trivy incorrectly identifies a package that is listed as a dependency in the package.json of a subdirectory (a workspace package) as a dev dependency.
Steps to reproduce
(Adding the steps to reproduce here so I can use markdown)
Project structure
```
/ (root directory)
├── package.json
├── pnpm-lock.yaml
├── pnpm-workspace.yaml
└── subdir/
    └── package.json
```
Root package.json content:
```json
{
  "dependencies": {
    "await-sleep": "^0.0.1"
  }
}
```
Subdir package.json content:
```json
{
  "dependencies": {
    "sleep-utils": "1.0.3"
  }
}
```
pnpm-workspace.yaml content:
```yaml
packages:
  - "subdir/**"
```
pnpm-lock.yaml content (the result of `pnpm i` in the root):
```yaml
lockfileVersion: '9.0'

settings:
  autoInstallPeers: true
  excludeLinksFromLockfile: false

importers:
  .:
    dependencies:
      await-sleep:
        specifier: ^0.0.1
        version: 0.0.1
  subdir:
    dependencies:
      sleep-utils:
        specifier: 1.0.3
        version: 1.0.3

packages:
  await-sleep@0.0.1:
    resolution: {integrity: sha512-H3X3eAxwGpeNIk/yvFOs8g7500Q1YvzrxjSC9TNgLGtjrMFxPwhDdcT34QNs2iGWpZ+5WKkMJdjDoYs+Sw+TaA==}
  sleep-utils@1.0.3:
    resolution: {integrity: sha512-uJW7WDHISE1zJIdvoIewcdmis3pBvJhM30rni2gH7fHhV1NkTWLKw3J6CPRFdg3h+rFChFHzAgbkCKUErd4s8Q==}

snapshots:
  await-sleep@0.0.1: {}
  sleep-utils@1.0.3: {}
```
Running Trivy
Running Trivy on the root of the project (`trivy fs . -f json --include-dev-deps --list-all-pkgs`) results in:
```json
{
  "SchemaVersion": 2,
  "CreatedAt": "2024-08-25T14:59:48.762656+02:00",
  "ArtifactName": ".",
  "ArtifactType": "filesystem",
  "Metadata": {
    "ImageConfig": {
      "architecture": "",
      "created": "0001-01-01T00:00:00Z",
      "os": "",
      "rootfs": {
        "type": "",
        "diff_ids": null
      },
      "config": {}
    }
  },
  "Results": [
    {
      "Target": "pnpm-lock.yaml",
      "Class": "lang-pkgs",
      "Type": "pnpm",
      "Packages": [
        {
          "ID": "await-sleep@0.0.1",
          "Name": "await-sleep",
          "Identifier": {
            "PURL": "pkg:npm/await-sleep@0.0.1",
            "UID": "63283cc86327e55d"
          },
          "Version": "0.0.1",
          "Licenses": [
            "ISC"
          ],
          "Relationship": "direct",
          "Layer": {}
        },
        {
          "ID": "sleep-utils@1.0.3",
          "Name": "sleep-utils",
          "Identifier": {
            "PURL": "pkg:npm/sleep-utils@1.0.3",
            "UID": "c649275e081911ba"
          },
          "Version": "1.0.3",
          "Dev": true,
          "Licenses": [
            "MIT"
          ],
          "Indirect": true,
          "Relationship": "indirect",
          "Layer": {}
        }
      ]
    }
  ]
}
```
As you can see, the sleep-utils package is marked as `"Dev": true`, while it is not a dev dependency.
Desired Behavior
In my example, the sleep-utils package should not have been marked as a dev dependency.
Actual Behavior
In my example, the sleep-utils package has incorrectly been marked as a dev dependency.
Reproduction Steps
See 'Steps to reproduce' in the description as that field supports markdown. 😁
Target
None
Scanner
None
Output Format
JSON
Mode
None
Debug Output
Not relevant here 😁
Operating System
macOS Ventura 13.3.1
Version
0.54.1
Checklist
- [X] Run `trivy clean --all`
- [X] Read the troubleshooting
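The classification the report expects, as an added example that is not part of the original issue or of Trivy's own code: a tiny reader for the lockfile's `importers` section that treats every workspace importer (root and `subdir`) as a source of direct dependencies, marks a package as dev only when no importer lists it outside `devDependencies`, and then diffs that against the `Dev` flag in Trivy's JSON `Packages` list. The sample lockfile is constructed from the report, with an assumed `typescript` devDependency added under `subdir` so both classes appear; the scanner output fed in is likewise a constructed subset of the report's JSON. The dev flag matters because a scan without `--include-dev-deps` drops packages it believes are dev-only.

```python
# Constructed sample: the report's lockfile importers plus an assumed typescript devDependency.
LOCKFILE = """\
lockfileVersion: '9.0'
importers:
  .:
    dependencies:
      await-sleep:
        specifier: ^0.0.1
        version: 0.0.1
  subdir:
    dependencies:
      sleep-utils:
        specifier: 1.0.3
        version: 1.0.3
    devDependencies:
      typescript:
        specifier: ^5.0.0
        version: 5.5.4"""


def parse_lockfile(text):
    """Tiny indentation-based reader for pnpm-lock.yaml block mappings (not general YAML)."""
    root, stack = {}, []
    for raw in filter(str.strip, text.splitlines()):
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # leave deeper or sibling mappings
            stack.pop()
        parent = stack[-1][1] if stack else root
        key, value = key.strip("'\""), value.strip().strip("'\"")
        parent[key] = value or {}  # scalar leaf, or a new nested mapping
        if not value:
            stack.append((indent, parent[key]))
    return root


def classify_importers(lock):
    """name@version -> {'dev', 'importers'}; dev only if no importer lists it outside devDependencies."""
    seen = {}
    for importer, sections in lock.get("importers", {}).items():
        for section in ("dependencies", "devDependencies", "optionalDependencies"):
            for name, meta in sections.get(section, {}).items():
                entry = seen.setdefault(f"{name}@{meta['version']}", {"dev": True, "importers": []})
                entry["importers"].append(importer)
                entry["dev"] &= section == "devDependencies"
    return seen


def flag_mismatches(trivy_packages, classified):
    """IDs (from Trivy's Results[].Packages) whose Dev flag disagrees with the lockfile importers."""
    return sorted(p["ID"] for p in trivy_packages
                  if classified.get(p["ID"], {}).get("dev", False) != p.get("Dev", False))
```

Feeding the report's two `Packages` entries through `flag_mismatches` returns only `sleep-utils@1.0.3`, the package the lockfile lists as a direct dependency of the `subdir` importer.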