Add PNPM package manager support

[nartuk]

Implement PNPM build info collection with dependency parsing, lock file handling, and test coverage.

Related to feature request: RTECO-366

Required for:

• Add PNPM package manager support jfrog-cli-core#1519
• Add PNPM package manager support jfrog-cli-artifactory#362
• Add PNPM package manager support jfrog-cli#3342

Notes on NPM-Identical Patterns

The following patterns are intentionally kept identical to the NPM implementation for consistency:

1. filterPnpmArgsFlags loop structure (matches filterNpmArgsFlags)
2. Module type uses entities.Npm (no separate PNPM constant)
3. Scope detection logic in getScopes (mirrors NPM behavior)

These can be addressed in a future PR that updates both NPM and PNPM together if needed.

---

• All tests passed. If this feature is not already covered by the tests, I added new tests.
• All static analysis checks passed.
• This pull request is on the dev branch.
• I used gofmt for formatting the code before submitting the pull request.
• Appropriate label is added to the PR for auto generate release notes.

---

[github-actions]

All contributors have signed the CLA ✍️ ✅
_{Posted by the CLA Assistant Lite bot.}

[nartuk]

recheck

[nartuk]

recheck

[nartuk]

recheck

[nartuk]

recheck

[nartuk]

I have read the CLA Document and I hereby sign the CLA

[naveenku-jfrog]

CalculatePnpmDependenciesList func is doing lots of tasks, i.e., dependency map calculation, initializes the cache, manages checksum calculations, and handles warning/logging logic. Please refactor this.

[nartuk]

@naveenku-jfrog thanks for the feedback!

The structure of CalculatePnpmDependenciesList intentionally mirrors the existing CalculateNpmDependenciesList (https://github.com/jfrog/build-info-go/blob/main/build/utils/npm.go#L25-L87). Both follow the same pattern of dependency map calculation, cache initialization, checksum computation, and missing-dependency warnings.

I'd prefer to keep them consistent for now, so the two package manager implementations remain easy to compare and maintain side by side. If we want to refactor this pattern (e.g., extract shared helpers), I think it makes sense to do that as a separate change that covers both NPM and PNPM together.

Happy to open a follow-up issue for that. WDYT?

[github-actions]

📗 Scan Summary

• Frogbot scanned for vulnerabilities and found 2 issues

Scan Category	Status	Security Issues
Software Composition Analysis	ℹ️ Not Scanned	-
Contextual Analysis	✅ Done	-
Static Application Security Testing (SAST)	✅ Done	2 Issues Found 2 Low
Secrets	✅ Done	-
Infrastructure as Code (IaC)	✅ Done	Not Found

---

🐸 JFrog Frogbot

[github-actions]

timeI

at build/build.go (line 224)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity	Finding
Low	Using untrusted stored URLs in HTTP redirect

Full description

Vulnerability Details

Rule ID:	go-stored-redirect

Overview

Stored Open Redirect is a vulnerability where user-controlled input
that is stored in a persistent state, such as a database, is later used
to construct redirect URLs without proper validation or sanitization.
Attackers can exploit this vulnerability to redirect users to malicious
websites, phishing pages, or other harmful content.

Vulnerable example

func redirectToStoredURL(w http.ResponseWriter, r *http.Request) {
    storedURL, _ := ioutil.ReadFile("redirect.txt")
    http.Redirect(w, r, storedURL, http.StatusFound)
}

In this example, the redirectToStoredURL function reads a URL from a file
and redirects users to that URL without validating or sanitizing it. This
can be exploited by attackers to redirect users to malicious websites.

Remediation

To mitigate Stored Open Redirect vulnerabilities, always validate and
sanitize user-controlled input before storing it in a persistent state
and before using it to construct redirect URLs:

  func redirectToStoredURL(w http.ResponseWriter, r *http.Request) {
      storedURL, _ := ioutil.ReadFile("redirect.txt")
-     http.Redirect(w, r, storedURL, http.StatusFound)
+     // Validate the stored URL before redirecting users
+     if isValidRedirectURL(storedURL) {
+         http.Redirect(w, r, storedURL, http.StatusFound)
+     }
  }
+
+  func isValidRedirectURL(urlStr string) bool {
+      // Add additional validation logic if needed
+      return true
+  }

Code Flows

Vulnerable data flow analysis result

↘️ os.ReadFile(buildFile) (at build/build.go line 203)

↘️ content (at build/build.go line 203)

↘️ content (at build/build.go line 211)

↘️ json.Unmarshal(content, &buildInfo) (at build/build.go line 211)

↘️ buildInfo (at build/build.go line 215)

↘️ append(generatedBuildsInfo, buildInfo) (at build/build.go line 215)

↘️ generatedBuildsInfo (at build/build.go line 217)

↘️ return generatedBuildsInfo, nil (at build/build.go line 217)

↘️ ([]*entities.BuildInfo, error) (at build/build.go line 184)

↘️ b.getGeneratedBuildsInfo() (at build/build.go line 170)

↘️ generatedBuildsInfo (at build/build.go line 170)

↘️ generatedBuildsInfo (at build/build.go line 176)

↘️ buildInfos (at build/build.go line 222)

↘️ buildInfos (at build/build.go line 224)

↘️ buildInfos[i] (at build/build.go line 224)

↘️ buildInfos[i].Started (at build/build.go line 224)

↘️ time.Parse(entities.TimeFormat, buildInfos[i].Started) (at build/build.go line 224)

↘️ timeI (at build/build.go line 224)

---

🐸 JFrog Frogbot

[github-actions]

timeJ

at build/build.go (line 225)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity	Finding
Low	Using untrusted stored URLs in HTTP redirect

Full description

Vulnerability Details

Rule ID:	go-stored-redirect

Overview

Stored Open Redirect is a vulnerability where user-controlled input
that is stored in a persistent state, such as a database, is later used
to construct redirect URLs without proper validation or sanitization.
Attackers can exploit this vulnerability to redirect users to malicious
websites, phishing pages, or other harmful content.

Vulnerable example

func redirectToStoredURL(w http.ResponseWriter, r *http.Request) {
    storedURL, _ := ioutil.ReadFile("redirect.txt")
    http.Redirect(w, r, storedURL, http.StatusFound)
}

In this example, the redirectToStoredURL function reads a URL from a file
and redirects users to that URL without validating or sanitizing it. This
can be exploited by attackers to redirect users to malicious websites.

Remediation

To mitigate Stored Open Redirect vulnerabilities, always validate and
sanitize user-controlled input before storing it in a persistent state
and before using it to construct redirect URLs:

  func redirectToStoredURL(w http.ResponseWriter, r *http.Request) {
      storedURL, _ := ioutil.ReadFile("redirect.txt")
-     http.Redirect(w, r, storedURL, http.StatusFound)
+     // Validate the stored URL before redirecting users
+     if isValidRedirectURL(storedURL) {
+         http.Redirect(w, r, storedURL, http.StatusFound)
+     }
  }
+
+  func isValidRedirectURL(urlStr string) bool {
+      // Add additional validation logic if needed
+      return true
+  }

Code Flows

Vulnerable data flow analysis result

↘️ os.ReadFile(buildFile) (at build/build.go line 203)

↘️ content (at build/build.go line 203)

↘️ content (at build/build.go line 211)

↘️ json.Unmarshal(content, &buildInfo) (at build/build.go line 211)

↘️ buildInfo (at build/build.go line 215)

↘️ append(generatedBuildsInfo, buildInfo) (at build/build.go line 215)

↘️ generatedBuildsInfo (at build/build.go line 217)

↘️ return generatedBuildsInfo, nil (at build/build.go line 217)

↘️ ([]*entities.BuildInfo, error) (at build/build.go line 184)

↘️ b.getGeneratedBuildsInfo() (at build/build.go line 170)

↘️ generatedBuildsInfo (at build/build.go line 170)

↘️ generatedBuildsInfo (at build/build.go line 176)

↘️ buildInfos (at build/build.go line 222)

↘️ buildInfos (at build/build.go line 225)

↘️ buildInfos[j] (at build/build.go line 225)

↘️ buildInfos[j].Started (at build/build.go line 225)

↘️ time.Parse(entities.TimeFormat, buildInfos[j].Started) (at build/build.go line 225)

↘️ timeJ (at build/build.go line 225)

---

🐸 JFrog Frogbot

[naveenku-jfrog]

1. Please try to reduce the complexities of functions.
2. Try to declare all hardcoded strings as CONST only.
3. Please fix the Frogbot failures.

[nartuk]

@naveenku-jfrog thank you for the review!

1. It's a duplicate of the existing CalculateNpmDependenciesList. I think it's better to refactor both of them simultaneously in a separate PR. More details in the comment: Add PNPM package manager support #368 (comment)
2. Done ✅
3. Both Frogbot issues (first and second) aren't related to my contribution - it's already existing issues in the codebase.