fix(nodejs): use the default ID format to match licenses in pnpm packages. (#9661)

Author: DmitriyLewen

pkg/fanal/analyzer/language/nodejs/pnpm/pnpm.go

@@ -11,6 +11,7 @@ import (
 
 	"golang.org/x/xerrors"
 
+	"github.com/aquasecurity/trivy/pkg/dependency"
 	"github.com/aquasecurity/trivy/pkg/dependency/parser/nodejs/packagejson"
 	"github.com/aquasecurity/trivy/pkg/dependency/parser/nodejs/pnpm"
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
@@ -65,8 +66,11 @@ func (a pnpmAnalyzer) PostAnalyze(ctx context.Context, input analyzer.PostAnalys
 		}
 
 		// Fill licenses
-		for i, lib := range app.Packages {
-			if l, ok := licenses[lib.ID]; ok {
+		for i, pkg := range app.Packages {
+			// We use snapshots for pnpm package IDs.
+			// But to match licenses, we need to use the ID-building logic as for `package.json` files.
+			id := dependency.ID(types.NodePkg, pkg.Name, pkg.Version)
+			if l, ok := licenses[id]; ok {
 				app.Packages[i].Licenses = l
 			}
 		}

pkg/fanal/analyzer/language/nodejs/pnpm/pnpm_test.go

@@ -39,6 +39,27 @@ func Test_pnpmPkgLibraryAnalyzer_Analyze(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "V9 with node_modules",
+			dir:  "testdata/happy-v9",
+			want: &analyzer.AnalysisResult{
+				Applications: []types.Application{
+					{
+						Type:     types.Pnpm,
+						FilePath: "pnpm-lock.yaml",
+						Packages: types.Packages{
+							{
+								ID:           "[email protected]([email protected])",
+								Name:         "vue-router",
+								Version:      "4.5.1",
+								Licenses:     []string{"MIT"},
+								Relationship: types.RelationshipDirect,
+							},
+						},
+					},
+				},
+			},
+		},
 		{
 			name: "without node_modules",
 			dir:  "testdata/no-node_modules",