feat(yarn2): Somewhat handle patched packages

Locators of patched packages, e.g. [1], start with "$MODULE-ID@patch:",
instead of with "$MODULE-ID@npm". This locator format is new in Yarn
version 3 or 4, and handling for it hasn't yet been implemented in ORT.

The implementation may run into one of the following types of issues:

1. The identifier ORT assigns to the package contains a colon in one of
   its components, which make a `require()` check fail.
2. The filtering of dependencies done within `resolvedDependencies()`
   accidentally filter out the package based on
   `PackageInfo.moduleName`, which returns a wrong value.

Adjust the `PackageInfo.moduleName` logic such that it treats packages
as if they weren't patched. This can be improved in a following change.

Fixes: #10949

Note: Yarn4 does not create a `node_modules` directory anymore by
      default. As `getChildModuleDirs()` does rely on that directory,
      it is necessary to configure `nodeLinker: node-modules` in the
      `.yarnrc.yml`, as done in the added test project.

[1]: `resolve@patch:resolve@npm%3A1.22.8#optional!builtin<compat/resolve>::version=1.22.8&hash=c3c19d`

Signed-off-by: Frank Viernau <[email protected]>

Author: fviernau

plugins/package-managers/node/src/funTest/assets/projects/synthetic/yarn2/dependency-with-patch-expected-output.yml

@@ -0,0 +1,212 @@
+---
+project:
+  id: "Yarn2::yarn 4 project with patched dependency:0.14.0"
+  definition_file_path: "<REPLACE_DEFINITION_FILE_PATH>"
+  declared_licenses: []
+  declared_licenses_processed: {}
+  vcs:
+    type: ""
+    url: ""
+    revision: ""
+    path: ""
+  vcs_processed:
+    type: "Git"
+    url: "<REPLACE_URL_PROCESSED>"
+    revision: "<REPLACE_REVISION>"
+    path: "<REPLACE_PATH>"
+  homepage_url: ""
+  scopes:
+  - name: "dependencies"
+    dependencies:
+    - id: "NPM::resolve:1.22.8"
+      dependencies:
+      - id: "NPM::is-core-module:2.16.1"
+        dependencies:
+        - id: "NPM::hasown:2.0.2"
+          dependencies:
+          - id: "NPM::function-bind:1.1.2"
+      - id: "NPM::path-parse:1.0.7"
+      - id: "NPM::supports-preserve-symlinks-flag:1.0.0"
+packages:
+- id: "NPM::function-bind:1.1.2"
+  purl: "pkg:npm/[email protected]"
+  authors:
+  - "Raynos"
+  declared_licenses:
+  - "MIT"
+  declared_licenses_processed:
+    spdx_expression: "MIT"
+  description: "Implementation of Function.prototype.bind"
+  homepage_url: "https://github.com/Raynos/function-bind"
+  binary_artifact:
+    url: ""
+    hash:
+      value: ""
+      algorithm: ""
+  source_artifact:
+    url: "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz"
+    hash:
+      value: "2c02d864d97f3ea6c8830c464cbd11ab6eab7a1c"
+      algorithm: "SHA-1"
+  vcs:
+    type: "Git"
+    url: "https://github.com/Raynos/function-bind.git"
+    revision: "40197beb5f4cf89dd005f0b268256c1e4716ea81"
+    path: ""
+  vcs_processed:
+    type: "Git"
+    url: "https://github.com/Raynos/function-bind.git"
+    revision: "40197beb5f4cf89dd005f0b268256c1e4716ea81"
+    path: ""
+- id: "NPM::hasown:2.0.2"
+  purl: "pkg:npm/[email protected]"
+  authors:
+  - "Jordan Harband"
+  declared_licenses:
+  - "MIT"
+  declared_licenses_processed:
+    spdx_expression: "MIT"
+  description: "A robust, ES3 compatible, \"has own property\" predicate."
+  homepage_url: "https://github.com/inspect-js/hasOwn#readme"
+  binary_artifact:
+    url: ""
+    hash:
+      value: ""
+      algorithm: ""
+  source_artifact:
+    url: "https://registry.npmjs.org/hasown/-/hasown-2.0.2.tgz"
+    hash:
+      value: "003eaf91be7adc372e84ec59dc37252cedb80003"
+      algorithm: "SHA-1"
+  vcs:
+    type: "Git"
+    url: "git+https://github.com/inspect-js/hasOwn.git"
+    revision: "d00d35005baf16a33d691a13f8ad627f35040742"
+    path: ""
+  vcs_processed:
+    type: "Git"
+    url: "https://github.com/inspect-js/hasOwn.git"
+    revision: "d00d35005baf16a33d691a13f8ad627f35040742"
+    path: ""
+- id: "NPM::is-core-module:2.16.1"
+  purl: "pkg:npm/[email protected]"
+  authors:
+  - "Jordan Harband"
+  declared_licenses:
+  - "MIT"
+  declared_licenses_processed:
+    spdx_expression: "MIT"
+  description: "Is this specifier a node.js core module?"
+  homepage_url: "https://github.com/inspect-js/is-core-module"
+  binary_artifact:
+    url: ""
+    hash:
+      value: ""
+      algorithm: ""
+  source_artifact:
+    url: "https://registry.npmjs.org/is-core-module/-/is-core-module-2.16.1.tgz"
+    hash:
+      value: "2a98801a849f43e2add644fbb6bc6229b19a4ef4"
+      algorithm: "SHA-1"
+  vcs:
+    type: "Git"
+    url: "git+https://github.com/inspect-js/is-core-module.git"
+    revision: "7c4284853357b2fcd49d42010d5a2b8a8420905f"
+    path: ""
+  vcs_processed:
+    type: "Git"
+    url: "https://github.com/inspect-js/is-core-module.git"
+    revision: "7c4284853357b2fcd49d42010d5a2b8a8420905f"
+    path: ""
+- id: "NPM::path-parse:1.0.7"
+  purl: "pkg:npm/[email protected]"
+  authors:
+  - "Javier Blanco <http://jbgutierrez.info>"
+  declared_licenses:
+  - "MIT"
+  declared_licenses_processed:
+    spdx_expression: "MIT"
+  description: "Node.js path.parse() ponyfill"
+  homepage_url: "https://github.com/jbgutierrez/path-parse#readme"
+  binary_artifact:
+    url: ""
+    hash:
+      value: ""
+      algorithm: ""
+  source_artifact:
+    url: "https://registry.npmjs.org/path-parse/-/path-parse-1.0.7.tgz"
+    hash:
+      value: "fbc114b60ca42b30d9daf5858e4bd68bbedb6735"
+      algorithm: "SHA-1"
+  vcs:
+    type: "Git"
+    url: "https://github.com/jbgutierrez/path-parse.git"
+    revision: "9f1db2802ffbc572e6b447f66126697e33b0055e"
+    path: ""
+  vcs_processed:
+    type: "Git"
+    url: "https://github.com/jbgutierrez/path-parse.git"
+    revision: "9f1db2802ffbc572e6b447f66126697e33b0055e"
+    path: ""
+- id: "NPM::resolve:1.22.8"
+  purl: "pkg:npm/[email protected]"
+  authors:
+  - "James Halliday"
+  declared_licenses:
+  - "MIT"
+  declared_licenses_processed:
+    spdx_expression: "MIT"
+  description: "resolve like require.resolve() on behalf of files asynchronously and\
+    \ synchronously"
+  homepage_url: "https://github.com/browserify/resolve#readme"
+  binary_artifact:
+    url: ""
+    hash:
+      value: ""
+      algorithm: ""
+  source_artifact:
+    url: "https://registry.npmjs.org/resolve/-/resolve-1.22.8.tgz"
+    hash:
+      value: "b6c87a9f2aa06dfab52e3d70ac8cde321fa5a48d"
+      algorithm: "SHA-1"
+  vcs:
+    type: "Git"
+    url: "git://github.com/browserify/resolve.git"
+    revision: "b8298720c6ece9d3b7231ea90bd920f266a449a8"
+    path: ""
+  vcs_processed:
+    type: "Git"
+    url: "https://github.com/browserify/resolve.git"
+    revision: "b8298720c6ece9d3b7231ea90bd920f266a449a8"
+    path: ""
+- id: "NPM::supports-preserve-symlinks-flag:1.0.0"
+  purl: "pkg:npm/[email protected]"
+  authors:
+  - "Jordan Harband"
+  declared_licenses:
+  - "MIT"
+  declared_licenses_processed:
+    spdx_expression: "MIT"
+  description: "Determine if the current node version supports the `--preserve-symlinks`\
+    \ flag."
+  homepage_url: "https://github.com/inspect-js/node-supports-preserve-symlinks-flag#readme"
+  binary_artifact:
+    url: ""
+    hash:
+      value: ""
+      algorithm: ""
+  source_artifact:
+    url: "https://registry.npmjs.org/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz"
+    hash:
+      value: "6eda4bd344a3c94aea376d4cc31bc77311039e09"
+      algorithm: "SHA-1"
+  vcs:
+    type: "Git"
+    url: "git+https://github.com/inspect-js/node-supports-preserve-symlinks-flag.git"
+    revision: "1f7cac19c0c298cf40b3f2f3c735477ad579ac61"
+    path: ""
+  vcs_processed:
+    type: "Git"
+    url: "https://github.com/inspect-js/node-supports-preserve-symlinks-flag.git"
+    revision: "1f7cac19c0c298cf40b3f2f3c735477ad579ac61"
+    path: ""

plugins/package-managers/node/src/funTest/assets/projects/synthetic/yarn2/dependency-with-patch/.yarnrc.yml

@@ -0,0 +1 @@
+nodeLinker: node-modules

plugins/package-managers/node/src/funTest/assets/projects/synthetic/yarn2/dependency-with-patch/package.json

@@ -0,0 +1,8 @@
+{
+  "name": "yarn 4 project with patched dependency",
+  "version": "0.14.0",
+  "packageManager": "[email protected]+sha512.955259c0370ab8c06d013faa7d5e7addb6914251029695675f54e04c917ea6b092c379ba8d3521556d90b3874e5037759467072f01d2295341ead43cc259f14b",
+  "dependencies": {
+    "resolve": "1.22.8"
+  }
+}

plugins/package-managers/node/src/funTest/assets/projects/synthetic/yarn2/dependency-with-patch/yarn.lock

@@ -0,0 +1,79 @@
+# This file is generated by running "yarn install" inside your project.
+# Manual changes might be lost - proceed with caution!
+
+__metadata:
+  version: 8
+  cacheKey: 10c0
+
+"function-bind@npm:^1.1.2":
+  version: 1.1.2
+  resolution: "function-bind@npm:1.1.2"
+  checksum: d8680ee1e5fcd4c197e4ac33b2b4dce03c71f4d91717292785703db200f5c21f977c568d28061226f9b5900cbcd2c84463646134fd5337e7925e0942bc3f46d5
+  languageName: node
+  linkType: hard
+
+"hasown@npm:^2.0.2":
+  version: 2.0.2
+  resolution: "hasown@npm:2.0.2"
+  dependencies:
+    function-bind: "npm:^1.1.2"
+  checksum: 3769d434703b8ac66b209a4cca0737519925bbdb61dd887f93a16372b14694c63ff4e797686d87c90f08168e81082248b9b028bad60d4da9e0d1148766f56eb9
+  languageName: node
+  linkType: hard
+
+"is-core-module@npm:^2.13.0":
+  version: 2.16.1
+  resolution: "is-core-module@npm:2.16.1"
+  dependencies:
+    hasown: "npm:^2.0.2"
+  checksum: 898443c14780a577e807618aaae2b6f745c8538eca5c7bc11388a3f2dc6de82b9902bcc7eb74f07be672b11bbe82dd6a6edded44a00cb3d8f933d0459905eedd
+  languageName: node
+  linkType: hard
+
+"path-parse@npm:^1.0.7":
+  version: 1.0.7
+  resolution: "path-parse@npm:1.0.7"
+  checksum: 11ce261f9d294cc7a58d6a574b7f1b935842355ec66fba3c3fd79e0f036462eaf07d0aa95bb74ff432f9afef97ce1926c720988c6a7451d8a584930ae7de86e1
+  languageName: node
+  linkType: hard
+
+"resolve@npm:1.22.8":
+  version: 1.22.8
+  resolution: "resolve@npm:1.22.8"
+  dependencies:
+    is-core-module: "npm:^2.13.0"
+    path-parse: "npm:^1.0.7"
+    supports-preserve-symlinks-flag: "npm:^1.0.0"
+  bin:
+    resolve: bin/resolve
+  checksum: 07e179f4375e1fd072cfb72ad66d78547f86e6196c4014b31cb0b8bb1db5f7ca871f922d08da0fbc05b94e9fd42206f819648fa3b5b873ebbc8e1dc68fec433a
+  languageName: node
+  linkType: hard
+
+"resolve@patch:resolve@npm%3A1.22.8#optional!builtin<compat/resolve>":
+  version: 1.22.8
+  resolution: "resolve@patch:resolve@npm%3A1.22.8#optional!builtin<compat/resolve>::version=1.22.8&hash=c3c19d"
+  dependencies:
+    is-core-module: "npm:^2.13.0"
+    path-parse: "npm:^1.0.7"
+    supports-preserve-symlinks-flag: "npm:^1.0.0"
+  bin:
+    resolve: bin/resolve
+  checksum: 0446f024439cd2e50c6c8fa8ba77eaa8370b4180f401a96abf3d1ebc770ac51c1955e12764cde449fde3fff480a61f84388e3505ecdbab778f4bef5f8212c729
+  languageName: node
+  linkType: hard
+
+"supports-preserve-symlinks-flag@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "supports-preserve-symlinks-flag@npm:1.0.0"
+  checksum: 6c4032340701a9950865f7ae8ef38578d8d7053f5e10518076e6554a9381fa91bd9c6850193695c141f32b21f979c985db07265a758867bac95de05f7d8aeb39
+  languageName: node
+  linkType: hard
+
+"yarn 4 project with patched dependency@workspace:.":
+  version: 0.0.0-use.local
+  resolution: "yarn 4 project with patched dependency@workspace:."
+  dependencies:
+    resolve: "npm:1.22.8"
+  languageName: unknown
+  linkType: soft

plugins/package-managers/node/src/funTest/kotlin/yarn2/Yarn2FunTest.kt

@@ -61,4 +61,15 @@ class Yarn2FunTest : StringSpec({
 
         result.toYaml() should matchExpectedResult(expectedResultFile, definitionFile)
     }
+
+    "Resolve dependencies for a Yarn 4 project with a dependency with a patch" {
+        val definitionFile = getAssetFile("projects/synthetic/yarn2/dependency-with-patch/package.json")
+        val expectedResultFile = getAssetFile("projects/synthetic/yarn2/dependency-with-patch-expected-output.yml")
+
+        val result = Yarn2Factory
+            .create(corepackEnabled = true)
+            .resolveSingleProject(definitionFile, resolveScopes = true)
+
+        result.toYaml() should matchExpectedResult(expectedResultFile, definitionFile)
+    }
 })

plugins/package-managers/node/src/main/kotlin/yarn2/Yarn2DependencyHandler.kt

@@ -83,7 +83,13 @@ internal class Yarn2DependencyHandler(
 
 internal val PackageInfo.isProject: Boolean get() = value.substringAfterLast("@").startsWith("workspace:")
 
-internal val PackageInfo.moduleName: String get() = value.substringBeforeLast("@")
+internal val PackageInfo.moduleName: String get() {
+    val firstComponent = value.substringBefore(":")
+    // TODO: Handle patched packages different than non-patched ones.
+    // Patch packages have locators as e.g. the following, where the first component ends with "@patch".
+    // resolve@patch:resolve@npm%3A1.22.8#optional!builtin<compat/resolve>::version=1.22.8&hash=c3c19d
+    return firstComponent.substringBeforeLast("@")
+}
 
 internal val PackageInfo.moduleId: String get() = buildString {
     append(moduleName)

plugins/package-managers/node/src/test/kotlin/NodePackageManagerDetectionTest.kt

@@ -276,6 +276,7 @@ class NodePackageManagerDetectionTest : WordSpec({
             val filteredFiles = NodePackageManagerDetection(definitionFiles).filterApplicable(YARN2)
 
             filteredFiles.map { it.relativeTo(projectDir).invariantSeparatorsPath } should containExactlyInAnyOrder(
+                "yarn2/dependency-with-patch/package.json",
                 "yarn2/project-with-lockfile/package.json",
                 "yarn2/workspaces/package.json"
             )