fix: ensure absolute paths can be provided on Windows (#354)

* test: add cases for absolute file paths

* fix: explicitly check for absolute paths on Windows

Author: G-Rath

__snapshots__/main_test.snap

@@ -660,6 +660,101 @@ testdata/locks-one/yarn.lock: found 1 package
   Using db npm (%% vulnerabilities, including withdrawn - last updated %%)
 
 
+---
+
+[TestRun_Lockfile_AbsolutePath/#00 - 1]
+Loaded the following OSV databases:
+  npm (%% vulnerabilities, including withdrawn - last updated %%)
+
+<rootdir>/testdata/locks-one/yarn.lock: found 1 package
+  Using db npm (%% vulnerabilities, including withdrawn - last updated %%)
+
+  no known vulnerabilities found
+
+---
+
+[TestRun_Lockfile_AbsolutePath/#00 - 2]
+
+---
+
+[TestRun_Lockfile_AbsolutePath/#01 - 1]
+Loaded the following OSV databases:
+  RubyGems (%% vulnerabilities, including withdrawn - last updated %%)
+  Packagist (%% vulnerabilities, including withdrawn - last updated %%)
+  npm (%% vulnerabilities, including withdrawn - last updated %%)
+
+<rootdir>/testdata/locks-many/Gemfile.lock: found 1 package
+  Using db RubyGems (%% vulnerabilities, including withdrawn - last updated %%)
+
+  no known vulnerabilities found
+
+<rootdir>/testdata/locks-many/composer.lock: found 1 package
+  Using db Packagist (%% vulnerabilities, including withdrawn - last updated %%)
+
+  no known vulnerabilities found
+
+<rootdir>/testdata/locks-many/yarn.lock: found 1 package
+  Using db npm (%% vulnerabilities, including withdrawn - last updated %%)
+
+  no known vulnerabilities found
+
+---
+
+[TestRun_Lockfile_AbsolutePath/#01 - 2]
+
+---
+
+[TestRun_Lockfile_AbsolutePath/#02 - 1]
+Loaded the following OSV databases:
+
+<rootdir>/testdata/locks-empty/Gemfile.lock: found 0 packages
+
+  no known vulnerabilities found
+
+<rootdir>/testdata/locks-empty/composer.lock: found 0 packages
+
+  no known vulnerabilities found
+
+<rootdir>/testdata/locks-empty/yarn.lock: found 0 packages
+
+  no known vulnerabilities found
+
+---
+
+[TestRun_Lockfile_AbsolutePath/#02 - 2]
+
+---
+
+[TestRun_Lockfile_AbsolutePath/#03 - 1]
+Loaded the following OSV databases:
+  npm (%% vulnerabilities, including withdrawn - last updated %%)
+
+<rootdir>/testdata/locks-insecure/my-package-lock.json: found 1 package
+  Using db npm (%% vulnerabilities, including withdrawn - last updated %%)
+
+  [email protected] is affected by the following vulnerabilities:
+    GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html (https://github.com/advisories/GHSA-whgm-jr23-g3j9)
+
+  1 known vulnerability found in <rootdir>/testdata/locks-insecure/my-package-lock.json
+
+---
+
+[TestRun_Lockfile_AbsolutePath/#03 - 2]
+
+---
+
+[TestRun_Lockfile_AbsolutePath/#04 - 1]
+{"results":[{"filePath":"<rootdir>/testdata/locks-one/yarn.lock","parsedAs":"yarn.lock","packages":[{"name":"balanced-match","version":"1.0.2","ecosystem":"npm","compareAs":"npm","vulnerabilities":[],"ignored":[]}]}]}
+---
+
+[TestRun_Lockfile_AbsolutePath/#04 - 2]
+Loaded the following OSV databases:
+  npm (%% vulnerabilities, including withdrawn - last updated %%)
+
+<rootdir>/testdata/locks-one/yarn.lock: found 1 package
+  Using db npm (%% vulnerabilities, including withdrawn - last updated %%)
+
+
 ---
 
 [TestRun_ParseAsGlobal/#00 - 1]

main.go

@@ -6,6 +6,7 @@ import (
 	"io"
 	"os"
 	"path/filepath"
+	"runtime"
 	"slices"
 	"strings"
 
@@ -405,6 +406,10 @@ func (files lockfileAndConfigOrErrs) adjustExtraDatabases(
 }
 
 func parseLockfilePathWithParseAs(lockfilePathWithParseAs string) (string, string) {
+	if runtime.GOOS == "windows" && filepath.IsAbs(lockfilePathWithParseAs) {
+		return "", lockfilePathWithParseAs
+	}
+
 	if !strings.Contains(lockfilePathWithParseAs, ":") {
 		return "", lockfilePathWithParseAs
 	}

main_test.go

@@ -231,6 +231,53 @@ func TestRun_Lockfile(t *testing.T) {
 	}
 }
 
+func TestRun_Lockfile_AbsolutePath(t *testing.T) {
+	t.Parallel()
+
+	testdataDir, err := filepath.Abs("./testdata")
+
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	tests := []cliTestCase{
+		{
+			name: "",
+			args: []string{filepath.Join(testdataDir, "locks-one")},
+			exit: 0,
+		},
+		{
+			name: "",
+			args: []string{filepath.Join(testdataDir, "locks-many")},
+			exit: 0,
+		},
+		{
+			name: "",
+			args: []string{filepath.Join(testdataDir, "locks-empty")},
+			exit: 0,
+		},
+		// parse-as + known vulnerability exits with error code 1
+		{
+			name: "",
+			args: []string{"--parse-as", "package-lock.json", filepath.Join(testdataDir, "locks-insecure/my-package-lock.json")},
+			exit: 1,
+		},
+		// json results in non-json output going to stderr
+		{
+			name: "",
+			args: []string{"--json", filepath.Join(testdataDir, "locks-one")},
+			exit: 0,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			testCli(t, tt)
+		})
+	}
+}
+
 func TestRun_DBs(t *testing.T) {
 	t.Parallel()