feat: add support for pnpm

syft/pkg/cataloger/javascript/cataloger.go

@@ -29,6 +29,7 @@ func NewJavascriptLockCataloger() *common.GenericCataloger {
 	globParsers := map[string]common.ParserFn{
 		"**/package-lock.json": parsePackageLock,
 		"**/yarn.lock":         parseYarnLock,
+		"**/pnpm-lock.yaml":    parsePnpmLock,
 	}
 
 	return common.NewGenericCataloger(nil, globParsers, "javascript-lock-cataloger", addLicenses)

syft/pkg/cataloger/javascript/parse_pnpm_lock.go

@@ -0,0 +1,43 @@
+package javascript
+
+import (
+	"fmt"
+	"io"
+
+	"github.com/anchore/syft/syft/artifact"
+	"github.com/anchore/syft/syft/pkg"
+	"github.com/anchore/syft/syft/pkg/cataloger/common"
+	"gopkg.in/yaml.v3"
+)
+
+// integrity check
+var _ common.ParserFn = parsePnpmLock
+
+type pnpmLockYaml struct {
+	Dependencies map[string]string `json:"dependencies"`
+}
+
+func parsePnpmLock(path string, reader io.Reader) ([]*pkg.Package, []artifact.Relationship, error) {
+	bytes, err := io.ReadAll(reader)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to load pnpm-lock.yaml file: %w", err)
+	}
+
+	var pkgs []*pkg.Package
+	var lockFile pnpmLockYaml
+
+	if err := yaml.Unmarshal(bytes, &lockFile); err != nil {
+		return nil, nil, fmt.Errorf("failed to parse pnpm-lock.yaml file: %w", err)
+	}
+
+	for name, version := range lockFile.Dependencies {
+		pkgs = append(pkgs, &pkg.Package{
+			Name:     name,
+			Version:  version,
+			Language: pkg.JavaScript,
+			Type:     pkg.NpmPkg,
+		})
+	}
+
+	return pkgs, nil, nil
+}

syft/pkg/cataloger/javascript/parse_pnpm_lock_test.go

@@ -0,0 +1,52 @@
+package javascript
+
+import (
+	"os"
+	"testing"
+
+	"github.com/anchore/syft/syft/pkg"
+	"github.com/go-test/deep"
+)
+
+func fixtureP(str string) *string {
+	return &str
+}
+
+func TestParsePnpmLock(t *testing.T) {
+	expected := []*pkg.Package{
+		{
+			Name:     "nanoid",
+			Version:  "3.3.4",
+			Language: pkg.JavaScript,
+			Type:     pkg.NpmPkg,
+		},
+		{
+			Name:     "picocolors",
+			Version:  "1.0.0",
+			Language: pkg.JavaScript,
+			Type:     pkg.NpmPkg,
+		},
+		{
+			Name:     "source-map-js",
+			Version:  "1.0.2",
+			Language: pkg.JavaScript,
+			Type:     pkg.NpmPkg,
+		},
+	}
+
+	fixture, err := os.Open("test-fixtures/pnpm/pnpm-lock.yaml")
+	if err != nil {
+		t.Fatalf("failed to open fixture: %+v", err)
+	}
+
+	// TODO: no relationships are under test yet
+	actual, _, err := parsePnpmLock(fixture.Name(), fixture)
+	if err != nil {
+		t.Error(err)
+	}
+
+	differences := deep.Equal(expected, actual)
+	if differences != nil {
+		t.Errorf("returned package list differed from expectation: %+v", differences)
+	}
+}