
bug(pnpm): Trivy doesn't detect licenses for packages when ID contains peer deps #9660

@DmitriyLewen

Description


To create unique IDs, we started using the snapshot instead of the Trivy ID — #9330.
But package.json files (from the node_modules directory) don’t have peer dependencies in the package name.
So we can’t match the pkg.ID with the peer dependencies and license.
e.g.:
found package:

```json
{
  "ID": "@vue/server-renderer@3.5.22([email protected])",
  "Name": "@vue/server-renderer",
  "Identifier": {
    "PURL": "pkg:npm/%40vue/server-renderer@3.5.22",
    "UID": "d42cdcee2561bb3d"
  },
  "Version": "3.5.22",
  "Indirect": true,
  "Relationship": "indirect",
  "DependsOn": [
    "@vue/[email protected]",
    "@vue/[email protected]",
    "[email protected]"
  ]
}
```

node_modules/@vue/server-renderer/package.json:

Solution

We use dependency.ID for package.json files:

```go
id = dependency.ID(ftypes.NodePkg, pkgJSON.Name, pkgJSON.Version)
```

So we need to use the same logic to match packages when finding licenses.

Discussed in #9658
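The matching problem described in this issue, as an added example that is not Trivy's own code: the pnpm lock ID carries a `(peer@version)` suffix, so keying the license lookup on the raw ID misses, while rebuilding the key from Name and Version (the `name@version` shape assumed here for `dependency.ID(ftypes.NodePkg, ...)`) matches. The `Package` struct, the `vue@3.5.22` peer entry and the `MIT` values are constructed for the example.

```go
package main

import "fmt"

// Package is a reduced view of the package record shown in the issue
// (assumed shape; the real Trivy struct carries more fields).
type Package struct {
	ID      string // pnpm lock ID, may end in a "(peer@version)" suffix
	Name    string
	Version string
}

// nodePkgID mimics dependency.ID(ftypes.NodePkg, name, version) for
// package.json files; "name@version" is assumed to be its output shape.
func nodePkgID(name, version string) string {
	return name + "@" + version
}

// lookupByRawID is the broken behaviour from the issue, kept for comparison:
// the pnpm ID with peer deps never equals a package.json-derived key.
func lookupByRawID(pkg Package, licenses map[string]string) (string, bool) {
	lic, ok := licenses[pkg.ID]
	return lic, ok
}

// findLicense rebuilds the package.json-style key from Name and Version,
// so packages with and without peer dependencies in their ID both match.
func findLicense(pkg Package, licenses map[string]string) (string, bool) {
	lic, ok := licenses[nodePkgID(pkg.Name, pkg.Version)]
	return lic, ok
}

func main() {
	// Constructed sample: licenses read from node_modules/<name>/package.json.
	licenses := map[string]string{
		nodePkgID("@vue/server-renderer", "3.5.22"): "MIT",
		nodePkgID("vue", "3.5.22"):                  "MIT",
	}
	pkgs := []Package{
		{ID: "@vue/server-renderer@3.5.22(vue@3.5.22)", Name: "@vue/server-renderer", Version: "3.5.22"},
		{ID: "vue@3.5.22", Name: "vue", Version: "3.5.22"},
	}
	for _, p := range pkgs {
		_, rawOK := lookupByRawID(p, licenses)
		lic, ok := findLicense(p, licenses)
		fmt.Printf("%s: raw-ID match=%v, name+version match=%v, license=%q\n", p.ID, rawOK, ok, lic)
	}
}
```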

Labels: kind/bug (Categorizes issue or PR as related to a bug), scan/license (Issues relating to license scanning)