guacsec · ruromero · May 1, 2025 · Apr 30, 2025 · Apr 30, 2025 · Apr 30, 2025
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
@@ -29,6 +29,15 @@ jobs:
           node-version: ${{ matrix.node }}
           cache: npm
 
+      - name: Enable Corepack
+        run: corepack enable
+
+      - name: Prepare Yarn
+        run: corepack prepare yarn@4.9.1 --activate
+
+      - name: Prepare PNPM
+        run: corepack prepare pnpm@latest --activate
+
       - name: Setup Java 17
         uses: actions/setup-java@v4
         with:
@@ -51,9 +60,6 @@ jobs:
         with:
           go-version: '1.20.1'
 
-      - name: Install pnpm
-        run: npm install -g pnpm
-
       - name: Setup Gradle
         uses: gradle/actions/setup-gradle@v4
 

diff --git a/.github/workflows/stage.yml b/.github/workflows/stage.yml
@@ -46,6 +46,16 @@ jobs:
           cache: npm
           registry-url: 'https://npm.pkg.github.com'
 
+      - name: Enable Corepack
+        run: corepack enable
+
+      - name: Prepare Yarn
+        run: corepack prepare yarn@4.9.1 --activate
+
+      - name: Prepare PNPM
+        run: corepack prepare pnpm@latest --activate
+
+
       - name: Setup Java 17
         uses: actions/setup-java@v4
         with:

diff --git a/README.md b/README.md
@@ -153,6 +153,7 @@ $ exhort-javascript-api component /path/to/pom.xml
 <li><a href="https://www.java.com/">Java</a> - <a href="https://maven.apache.org/">Maven</a></li>
 <li><a href="https://www.javascript.com/">JavaScript</a> - <a href="https://www.npmjs.com/">Npm</a></li>
 <li><a href="https://www.javascript.com/">JavaScript</a> - <a href="https://pnpm.io/">pnpm</a></li>
+<li><a href="https://www.javascript.com/">JavaScript</a> - <a href="https://classic.yarnpkg.com/">Yarn Classic</a> /  <a href="https://yarnpkg.com/">Yarn Berry</a></li>
 <li><a href="https://go.dev/">Golang</a> - <a href="https://go.dev/blog/using-go-modules/">Go Modules</a></li>
 <li><a href="https://www.python.org/">Python</a> - <a href="https://pypi.org/project/pip/">pip Installer</a></li>
 <li><a href="https://gradle.org/">Gradle (Groovy and Kotlin DSL)</a> - <a href="https://gradle.org/install/">Gradle Installation</a></li>
@@ -179,7 +180,7 @@ Excluding a package from any analysis can be achieved by marking the package for
 </ul>
 <ul>
 <li>
-<em>Javascript NPM </em> users can add a root (key, value) pair with value of list of names (strings) to be ignored (without versions), and key called <b>exhortignore</b> in <em>package.json</em>,  example:
+<em>Javascript</em> users can add a root (key, value) pair with value of list of names (strings) to be ignored (without versions), and key called <b>exhortignore</b> in <em>package.json</em>,  example:
 
 ```json
 {
@@ -350,6 +351,11 @@ following keys for setting custom paths for the said executables.
 <td>EXHORT_PNPM_PATH</td>
 </tr>
 <tr>
+<td><a href="https://classic.yarnpkg.com/">Yarn Classic</a> / <a href="https://yarnpkg.com/">Yarn Berry</a></td>
+<td><em>yarn</em></td>
+<td>EXHORT_YARN_PATH</td>
+</tr>
+<tr>
 <td><a href="https://go.dev/blog/using-go-modules/">Go Modules</a></td>
 <td><em>go</em></td>
 <td>EXHORT_GO_PATH</td>

diff --git a/src/cyclone_dx_sbom.js b/src/cyclone_dx_sbom.js
@@ -8,7 +8,7 @@ import {PackageURL} from "packageurl-js";
  * @return {{"bom-ref": string, name, purl: string, type, version}}
  * @private
  */
-function getComponent(component,type) {
+function getComponent(component, type) {
 	let componentObject;
 	if(component instanceof PackageURL)
 	{
@@ -88,34 +88,41 @@ export default class CycloneDxSbom {
 	}
 
 	/**
-	 * @param {component} sourceRef current target Component ( Starting from root component by clients)
-	 * @param {PackageURL} targetRef current dependency to add to Dependencies list of component sourceRef
-	 * @return Sbom
+	 * Adds a dependency relationship between two components in the SBOM
+	 * @param {PackageURL} sourceRef - The source component (parent)
+	 * @param {PackageURL} targetRef - The target component (dependency)
+	 * @return {CycloneDxSbom} The updated SBOM
 	 */
 	addDependency(sourceRef, targetRef) {
-		let componentIndex = this.getComponentIndex(sourceRef);
-		if (componentIndex < 0) {
-			this.components.push(getComponent(sourceRef, "library"))
-		}
-		let dependencyIndex = this.getDependencyIndex(sourceRef.purl)
-		if (dependencyIndex < 0) {
-			this.dependencies.push(createDependency(sourceRef.purl))
-			dependencyIndex = this.getDependencyIndex(sourceRef.purl)
-		}
+		const sourcePurl = sourceRef.toString();
+		const targetPurl = targetRef.toString();
+
+		// Ensure both components exist in the components list
+		[sourceRef, targetRef].forEach((ref, index) => {
+			const purl = index === 0 ? sourcePurl : targetPurl;
+			if (this.getComponentIndex(purl) < 0) {
+				this.components.push(getComponent(ref, "library"));
+			}
+		});
 
-		//Only if the dependency doesn't exists on the dependency list of dependency, then add it to this list.
-		if (this.dependencies[dependencyIndex].dependsOn.findIndex(dep => dep === targetRef.toString()) === -1) {
-			this.dependencies[dependencyIndex].dependsOn.push(targetRef.toString())
+		// Ensure source dependency exists
+		let sourceDepIndex = this.getDependencyIndex(sourcePurl);
+		if (sourceDepIndex < 0) {
+			this.dependencies.push(createDependency(sourcePurl));
+			sourceDepIndex = this.dependencies.length - 1;
 		}
-		if (this.getDependencyIndex(targetRef.toString()) < 0) {
-			this.dependencies.push(createDependency(targetRef.toString()))
+
+		// Add target to source's dependencies if not already present
+		if (!this.dependencies[sourceDepIndex].dependsOn.includes(targetPurl)) {
+			this.dependencies[sourceDepIndex].dependsOn.push(targetPurl);
 		}
-		let newComponent = getComponent(targetRef, "library");
-		// Only if component doesn't exists in component list, add it to the list.
-		if (this.getComponentIndex(newComponent) < 0) {
-			this.components.push(newComponent)
+
+		// Ensure target dependency exists
+		if (this.getDependencyIndex(targetPurl) < 0) {
+			this.dependencies.push(createDependency(targetPurl));
 		}
-		return this
+
+		return this;
 	}
 
 	/** @param {{}} opts - various options, settings and configuration of application.
@@ -170,8 +177,7 @@ export default class CycloneDxSbom {
 	 * @private
 	 */
 	getComponentIndex(theComponent) {
-
-		return this.components.findIndex(component => component.purl === theComponent.purl)
+		return this.components.findIndex(component => component.purl === theComponent)
 	}
 
 	/** This method gets a PackageUrl, and returns a Component of CycloneDx Sbom
@@ -190,16 +196,18 @@ export default class CycloneDxSbom {
 	filterIgnoredDeps(deps) {
 		deps.forEach(dep => {
 			let index = this.components.findIndex(component => component.name === dep);
-			if (index >= 0) {
-				this.components.splice(index, 1)
+			if (index === -1) {
+				return;
 			}
+			const depPurl = this.components[index].purl;
+			this.components.splice(index, 1)
 			index = this.dependencies.findIndex(dependency => dependency.ref.includes(dep));
-			if (index >= 0) {
-				this.dependencies.splice(index, 1)
+			if (index === -1) {
+				return;
 			}
-
+			this.dependencies.splice(index, 1)
 			this.dependencies.forEach(dependency => {
-				let indexDependsOn = dependency.dependsOn.findIndex(theDep => theDep.includes(dep));
+				let indexDependsOn = dependency.dependsOn.findIndex(theDep => theDep.includes(depPurl));
 				if (indexDependsOn > -1) {
 					dependency.dependsOn.splice(indexDependsOn, 1)
 				}

diff --git a/src/index.js b/src/index.js
@@ -7,16 +7,13 @@ import fs from 'node:fs'
 import { getCustom } from "./tools.js";
 import.meta.dirname
 import * as url from 'url';
-// const packageJson = await import ('../package.json',{ with: { type: 'json' } })
 
 export default { AnalysisReport, componentAnalysis, stackAnalysis, validateToken }
 
 export const exhortDevDefaultUrl = 'https://exhort.stage.devshift.net';
 
-
 export const exhortDefaultUrl = "https://rhda.rhcloud.com";
 
-
 function logOptionsAndEnvironmentsVariables(alongsideText,valueToBePrinted) {
 	if (process.env["EXHORT_DEBUG"] === "true") {
 		console.log(`${alongsideText}: ${valueToBePrinted} ${EOL}`)

diff --git a/src/provider.js b/src/provider.js
@@ -1,12 +1,13 @@
 import path from 'node:path'

 import golangGomodulesProvider from './providers/golang_gomodules.js'
 import Java_gradle_groovy from "./providers/java_gradle_groovy.js";
 import Java_gradle_kotlin from "./providers/java_gradle_kotlin.js";
 import Java_maven from "./providers/java_maven.js";
 import pythonPipProvider from './providers/python_pip.js'
 import Javascript_npm from './providers/javascript_npm.js';
 import Javascript_pnpm from './providers/javascript_pnpm.js';
+import Javascript_yarn from './providers/javascript_yarn.js';
 
 /** @typedef {{ecosystem: string, contentType: string, content: string}} Provided */
 /** @typedef {{isSupported: function(string): boolean, validateLockFile: function(string): void, provideComponent: function(string, {}): Provided, provideStack: function(string, {}): Provided}} Provider */
@@ -15,7 +16,15 @@
  * MUST include all providers here.
  * @type {[Provider]}
  */
-export const availableProviders = [new Java_maven(), new Java_gradle_groovy(), new Java_gradle_kotlin(), new Javascript_npm(), new Javascript_pnpm(), golangGomodulesProvider, pythonPipProvider]
+export const availableProviders = [
+	new Java_maven(),
+	new Java_gradle_groovy(),
+	new Java_gradle_kotlin(),
+	new Javascript_npm(),
+	new Javascript_pnpm(),
+	new Javascript_yarn(),
+	golangGomodulesProvider,
+	pythonPipProvider]
 
 /**
  * Match a provider from a list or providers based on file type.

diff --git a/src/providers/base_java.js b/src/providers/base_java.js
@@ -46,7 +46,7 @@ export default class Base_Java {
 				let matchedScopeSrc = src.match(/:compile|:provided|:runtime|:test|:system|:import/g)
 				// only add dependency to sbom if it's not with test scope or if it's root
 				if ((matchedScope && matchedScope[0] !== ":test" && (matchedScopeSrc && matchedScopeSrc[0] !== ":test")) || (srcDepth === 0 && matchedScope && matchedScope[0] !== ":test")) {
-					sbom.addDependency(sbom.purlToComponent(from), to)
+					sbom.addDependency(from, to)
 				}
 			} else {
 				this.parseDependencyTree(lines[index - 1], this.#getDepth(lines[index - 1]), lines.slice(index), sbom)