feat: add support for yarn package manager

Author: soul2zimate

README.md

@@ -42,7 +42,7 @@ vulnerability report.
 **Prerequisites**
 
 - For Maven projects, analyzing a `pom.xml` file, you must have the `mvn` binary in your IDE's `PATH` environment.
-- For Node projects, analyzing a `package.json` file, you must have one of the corresponding package manager `npm` or `pnpm`, `node` binaries in your IDE's `PATH`
+- For Node projects, analyzing a `package.json` file, you must have one of the corresponding package manager `npm`, `pnpm` or `yarn`, `node` binaries in your IDE's `PATH`
   environment.
 - For Golang projects, analyzing a `go.mod` file, you must have the `go` binary in your IDE's `PATH` environment.
 - For Python projects, analyzing a `requirements.txt` file, you must have the `python3` and `pip3` binaries in your
@@ -86,9 +86,9 @@ according to your preferences.
   executables.
 
 - **Node** :
-  <br >Set the full path of the Node executable, which allows Exhort to locate and run one of the corresponding `npm` or `pnpm` command to resolve
+  <br >Set the full path of the Node executable, which allows Exhort to locate and run one of the corresponding `npm`, `pnpm` or `yarn` command to resolve
   dependencies for Node projects.
-  <br >Path of the directory containing the `node` executable is required by one of the corresponding `npm` or `pnpm` executable.
+  <br >Path of the directory containing the `node` executable is required by one of the corresponding `npm`, `pnpm` or `yarn` executable.
   <br >If the paths are not provided, your IDE's `PATH` environment will be used to locate the executables.
 
 - **Golang** :

src/main/java/org/jboss/tools/intellij/componentanalysis/yarn/YarnCAAnnotator.java

@@ -0,0 +1,103 @@
+/*******************************************************************************
+ * Copyright (c) 2025 Red Hat, Inc.
+ * Distributed under license by Red Hat, Inc. All rights reserved.
+ * This program is made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v20.html
+ *
+ * Contributors:
+ * Red Hat, Inc. - initial API and implementation
+ ******************************************************************************/
+
+package org.jboss.tools.intellij.componentanalysis.yarn;
+
+import com.intellij.json.psi.JsonArray;
+import com.intellij.json.psi.JsonObject;
+import com.intellij.json.psi.JsonProperty;
+import com.intellij.json.psi.JsonStringLiteral;
+import com.intellij.json.psi.JsonValue;
+import com.intellij.psi.PsiElement;
+import com.intellij.psi.PsiFile;
+import com.redhat.exhort.api.v4.DependencyReport;
+import org.jboss.tools.intellij.componentanalysis.CAAnnotator;
+import org.jboss.tools.intellij.componentanalysis.CAIntentionAction;
+import org.jboss.tools.intellij.componentanalysis.CAUpdateManifestIntentionAction;
+import org.jboss.tools.intellij.componentanalysis.Dependency;
+import org.jboss.tools.intellij.componentanalysis.VulnerabilitySource;
+
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.stream.Collectors;
+
+public class YarnCAAnnotator extends CAAnnotator {
+
+    @Override
+    protected String getInspectionShortName() {
+        return YarnCAInspection.SHORT_NAME;
+    }
+
+    @Override
+    protected Map<Dependency, List<PsiElement>> getDependencies(PsiFile file) {
+        if ("package.json".equals(file.getName())) {
+            Set<String> ignored = Arrays.stream(file.getChildren())
+                    .filter(e -> e instanceof JsonObject)
+                    .flatMap(e -> Arrays.stream(e.getChildren()))
+                    .filter(e -> e instanceof JsonProperty && "exhortignore".equals(((JsonProperty) e).getName()))
+                    .flatMap(e -> Arrays.stream(e.getChildren()))
+                    .filter(e -> e instanceof JsonArray)
+                    .flatMap(e -> Arrays.stream(e.getChildren()))
+                    .filter(c -> c instanceof JsonStringLiteral)
+                    .map(c -> ((JsonStringLiteral) c).getValue())
+                    .collect(Collectors.toSet());
+
+            Map<Dependency, List<PsiElement>> resultMap = new HashMap<>();
+            Arrays.stream(file.getChildren())
+                    .filter(e -> e instanceof JsonObject)
+                    .flatMap(e -> Arrays.stream(e.getChildren()))
+                    .filter(e -> e instanceof JsonProperty && "dependencies".equals(((JsonProperty) e).getName()))
+                    .flatMap(e -> Arrays.stream(e.getChildren()))
+                    .filter(e -> e instanceof JsonObject)
+                    .flatMap(e -> Arrays.stream(e.getChildren()))
+                    .filter(c -> c instanceof JsonProperty && !ignored.contains(((JsonProperty) c).getName()))
+                    .forEach(c -> {
+                        String name = ((JsonProperty) c).getName();
+                        int index = name.lastIndexOf("/");
+                        String namespace = null;
+                        if (index > 0) {
+                            namespace = name.substring(0, index);
+                            name = name.substring(index + 1);
+                        } else if (index == 0) {
+                            name = name.substring(index + 1);
+                        }
+                        JsonValue value = ((JsonProperty) c).getValue();
+                        String version = value instanceof JsonStringLiteral
+                                ? ((JsonStringLiteral) value).getValue()
+                                : null;
+                        Dependency dp = new Dependency("yarn", namespace, name, version);
+                        resultMap.computeIfAbsent(dp, k -> new LinkedList<>()).add(c);
+                    });
+            return resultMap;
+        }
+        return Collections.emptyMap();
+    }
+
+    @Override
+    protected CAIntentionAction createQuickFix(PsiElement element, VulnerabilitySource source, DependencyReport report) {
+        return new YarnCAIntentionAction(element, source, report);
+    }
+
+    @Override
+    protected CAUpdateManifestIntentionAction patchManifest(PsiElement element, DependencyReport report) {
+        return null;
+    }
+
+    @Override
+    protected boolean isQuickFixApplicable(PsiElement element) {
+        return element instanceof JsonProperty && ((JsonProperty) element).getValue() instanceof JsonStringLiteral;
+    }
+}

src/main/java/org/jboss/tools/intellij/componentanalysis/yarn/YarnCAInspection.java

@@ -0,0 +1,47 @@
+/*******************************************************************************
+ * Copyright (c) 2025 Red Hat, Inc.
+ * Distributed under license by Red Hat, Inc. All rights reserved.
+ * This program is made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v20.html
+ *
+ * Contributors:
+ * Red Hat, Inc. - initial API and implementation
+ ******************************************************************************/
+
+package org.jboss.tools.intellij.componentanalysis.yarn;
+
+import com.intellij.codeHighlighting.HighlightDisplayLevel;
+import com.intellij.codeInspection.LocalInspectionTool;
+import org.jetbrains.annotations.Nls;
+import org.jetbrains.annotations.NonNls;
+import org.jetbrains.annotations.NotNull;
+
+public class YarnCAInspection extends LocalInspectionTool {
+
+    @NonNls
+    public static final String SHORT_NAME = "YarnCAInspection";
+
+    @Override
+    @NotNull
+    public String getGroupDisplayName() {
+        return "Imports and dependencies";
+    }
+
+    @Override
+    public @Nls(capitalization = Nls.Capitalization.Sentence) String @NotNull [] getGroupPath() {
+        return new String[]{"JavaScript and TypeScript"};
+    }
+
+    @Override
+    @NotNull
+    public String getShortName() {
+        return SHORT_NAME;
+    }
+
+    @Override
+    @NotNull
+    public HighlightDisplayLevel getDefaultLevel() {
+        return HighlightDisplayLevel.ERROR;
+    }
+}

src/main/java/org/jboss/tools/intellij/componentanalysis/yarn/YarnCAIntentionAction.java

@@ -0,0 +1,51 @@
+/*******************************************************************************
+ * Copyright (c) 2025 Red Hat, Inc.
+ * Distributed under license by Red Hat, Inc. All rights reserved.
+ * This program is made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v20.html
+ *
+ * Contributors:
+ * Red Hat, Inc. - initial API and implementation
+ ******************************************************************************/
+
+package org.jboss.tools.intellij.componentanalysis.yarn;
+
+import com.intellij.codeInsight.intention.FileModifier;
+import com.intellij.json.psi.JsonElementGenerator;
+import com.intellij.json.psi.JsonProperty;
+import com.intellij.json.psi.JsonStringLiteral;
+import com.intellij.openapi.editor.Editor;
+import com.intellij.openapi.project.Project;
+import com.intellij.psi.PsiElement;
+import com.intellij.psi.PsiFile;
+import com.redhat.exhort.api.v4.DependencyReport;
+import org.jboss.tools.intellij.componentanalysis.CAIntentionAction;
+import org.jboss.tools.intellij.componentanalysis.VulnerabilitySource;
+import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
+
+public final class YarnCAIntentionAction extends CAIntentionAction {
+    YarnCAIntentionAction(PsiElement element, VulnerabilitySource source, DependencyReport report) {
+        super(element, source, report);
+    }
+
+    @Override
+    protected void updateVersion(@NotNull Project project, Editor editor, PsiFile file, String version) {
+        JsonStringLiteral value = (JsonStringLiteral) ((JsonProperty) element).getValue();
+        if (value != null) {
+            JsonStringLiteral newValue = new JsonElementGenerator(project).createStringLiteral(version);
+            value.replace(newValue);
+        }
+    }
+
+    @Override
+    protected @Nullable FileModifier createCAIntentionActionInCopy(PsiElement element) {
+        return new YarnCAIntentionAction(element, this.source, this.report);
+    }
+
+    @Override
+    public boolean isAvailable(@NotNull Project project, Editor editor, PsiFile file) {
+        return file != null && "package.json".equals(file.getName());
+    }
+}

src/main/java/org/jboss/tools/intellij/exhort/ApiService.java

@@ -149,6 +149,11 @@ private void setRequestProperties(final String manifestName) {
         } else {
             System.clearProperty("EXHORT_NPM_PATH");
         }
+        if (settings.yarnPath != null && !settings.yarnPath.isBlank()) {
+            System.setProperty("EXHORT_YARN_PATH", settings.yarnPath);
+        } else {
+            System.clearProperty("EXHORT_YARN_PATH");
+        }
         if (settings.nodePath != null && !settings.nodePath.isBlank()) {
             System.setProperty("NODE_HOME", settings.nodePath);
         } else {

src/main/java/org/jboss/tools/intellij/settings/ApiSettingsComponent.java

@@ -16,13 +16,12 @@
 import com.intellij.openapi.ui.TextFieldWithBrowseButton;
 import com.intellij.ui.components.JBCheckBox;
 import com.intellij.ui.components.JBLabel;
-import com.intellij.ui.components.JBRadioButton;
 import com.intellij.ui.components.JBTextField;
 import com.intellij.util.ui.FormBuilder;
 import org.jetbrains.annotations.NotNull;
 
-import javax.swing.*;
-import java.awt.*;
+import javax.swing.JComponent;
+import javax.swing.JPanel;
 
 public class ApiSettingsComponent {
 
@@ -34,6 +33,8 @@ public class ApiSettingsComponent {
             + "<br>Specifies absolute path of <b>npm</b> executable.</html>";
     private final static String pnpmPathLabel = "<html>Pnpm > Executable: <b>Path</b>"
             + "<br>Specifies absolute path of <b>pnpm</b> executable.</html>";
+    private final static String yarnPathLabel = "<html>Yarn > Executable: <b>Path</b>"
+            + "<br>Specifies absolute path of <b>yarn</b> executable.</html>";
     private final static String nodePathLabel = "<html>Node > Directory: <b>Path</b>"
             + "<br>Specifies absolute path of the <i>directory</i> containing <b>node</b> executable.</html>";
     private final static String goPathLabel = "<html>Go > Executable: <b>Path</b>"
@@ -75,6 +76,7 @@ public class ApiSettingsComponent {
     private final TextFieldWithBrowseButton javaPathText;
     private final TextFieldWithBrowseButton npmPathText;
     private final TextFieldWithBrowseButton pnpmPathText;
+    private final TextFieldWithBrowseButton yarnPathText;
     private final TextFieldWithBrowseButton nodePathText;
     private final TextFieldWithBrowseButton goPathText;
     private final JBCheckBox goMatchManifestVersionsCheck;
@@ -133,6 +135,15 @@ public ApiSettingsComponent() {
                 TextComponentAccessor.TEXT_FIELD_WHOLE_TEXT
         );
 
+        yarnPathText = new TextFieldWithBrowseButton();
+        yarnPathText.addBrowseFolderListener(
+                null,
+                null,
+                null,
+                FileChooserDescriptorFactory.createSingleFileDescriptor(),
+                TextComponentAccessor.TEXT_FIELD_WHOLE_TEXT
+        );
+
         nodePathText = new TextFieldWithBrowseButton();
         nodePathText.addBrowseFolderListener(
                 null,
@@ -253,6 +264,8 @@ public ApiSettingsComponent() {
                 .addVerticalGap(10)
                 .addLabeledComponent(new JBLabel(pnpmPathLabel), pnpmPathText, 1, true)
                 .addVerticalGap(10)
+                .addLabeledComponent(new JBLabel(yarnPathLabel), yarnPathText, 1, true)
+                .addVerticalGap(10)
                 .addLabeledComponent(new JBLabel(nodePathLabel), nodePathText, 1, true)
                 .addSeparator(10)
                 .addVerticalGap(10)
@@ -339,6 +352,14 @@ public void setPnpmPathText(@NotNull String text) {
         pnpmPathText.setText(text);
     }
 
+    public String getYarnPathText() {
+        return yarnPathText.getText();
+    }
+
+    public void setYarnPathText(@NotNull String text) {
+        yarnPathText.setText(text);
+    }
+
     @NotNull
     public String getNodePathText() {
         return nodePathText.getText();

src/main/java/org/jboss/tools/intellij/settings/ApiSettingsConfigurable.java

@@ -14,7 +14,7 @@
 import com.intellij.openapi.util.NlsContexts;
 import org.jetbrains.annotations.Nullable;
 
-import javax.swing.*;
+import javax.swing.JComponent;
 
 public class ApiSettingsConfigurable implements com.intellij.openapi.options.Configurable {
 
@@ -43,6 +43,7 @@ public boolean isModified() {
         modified |= !settingsComponent.getJavaPathText().equals(settings.javaPath);
         modified |= !settingsComponent.getNpmPathText().equals(settings.npmPath);
         modified |= !settingsComponent.getPnpmPathText().equals(settings.pnpmPath);
+        modified |= !settingsComponent.getYarnPathText().equals(settings.yarnPath);
         modified |= !settingsComponent.getNodePathText().equals(settings.nodePath);
         modified |= !settingsComponent.getGoPathText().equals(settings.goPath);
         modified |= settingsComponent.getGoMatchManifestVersionsCheck() != settings.goMatchManifestVersions;
@@ -70,6 +71,7 @@ public void apply() {
         settings.javaPath = settingsComponent.getJavaPathText();
         settings.npmPath = settingsComponent.getNpmPathText();
         settings.pnpmPath = settingsComponent.getPnpmPathText();
+        settings.yarnPath = settingsComponent.getYarnPathText();
         settings.nodePath = settingsComponent.getNodePathText();
         settings.goPath = settingsComponent.getGoPathText();
         settings.goMatchManifestVersions = settingsComponent.getGoMatchManifestVersionsCheck();
@@ -96,6 +98,7 @@ public void reset() {
         settingsComponent.setJavaPathText(settings.javaPath != null ? settings.javaPath : "");
         settingsComponent.setNpmPathText(settings.npmPath != null ? settings.npmPath : "");
         settingsComponent.setPnpmPathText(settings.pnpmPath != null ? settings.pnpmPath : "");
+        settingsComponent.setYarnPathText(settings.yarnPath != null ? settings.yarnPath : "");
         settingsComponent.setNodePathText(settings.nodePath != null ? settings.nodePath : "");
         settingsComponent.setGoPathText(settings.goPath != null ? settings.goPath : "");
         settingsComponent.setGoMatchManifestVersionsCheck(settings.goMatchManifestVersions);

src/main/java/org/jboss/tools/intellij/settings/ApiSettingsState.java

@@ -40,6 +40,7 @@ public final class ApiSettingsState implements PersistentStateComponent<ApiSetti
 
     public String npmPath;
     public String pnpmPath;
+    public String yarnPath;
     public String nodePath;
 
     public String goPath;

src/main/resources/META-INF/plugin.xml

@@ -21,7 +21,7 @@
 <p>
     <b>IMPORTANT:</b>
     <br>Currently, Dependency Analytics only supports projects that use Maven (<code>mvn</code>), and Node
-    (<code>npm</code> or <code>pnpm</code>), Golang (<code>go mod</code>) and Python (<code>pip</code>) ecosystems, and base images in
+    (<code>npm</code>, <code>pnpm</code> or <code>yarn</code>), Golang (<code>go mod</code>) and Python (<code>pip</code>) ecosystems, and base images in
     <code>Dockerfile</code>.
     <br>In future releases, Red Hat plans to support other programming languages.
 <p>
@@ -33,7 +33,7 @@
     <li>For Maven projects, analyzing a <code>pom.xml</code> file, you must have the <code>mvn</code> binary in your
         IDE's <code>PATH</code> environment.
     </li>
-    <li>For Node projects, analyzing a <code>package.json</code> file, you must have one of the corresponding package manager <code>npm</code> or <code>pnpm</code> and
+    <li>For Node projects, analyzing a <code>package.json</code> file, you must have one of the corresponding package manager <code>npm</code>, <code>pnpm</code> or <code>yarn</code> and
         <code>node</code> binaries in your IDE's <code>PATH</code> environment.
     </li>
     <li>For Golang projects, analyzing a <code>go.mod</code> file, you must have the <code>go</code> binary in your
@@ -99,9 +99,9 @@
     </li>
     <li>
         <b>Node</b>:
-        <br>Set the full path of the Node executable, which allows Exhort to locate and execute one of the corresponding <code>npm</code> or <code>pnpm</code> command
+        <br>Set the full path of the Node executable, which allows Exhort to locate and execute one of the corresponding <code>npm</code>, <code>pnpm</code> or <code>yarn</code> command
         to resolve dependencies for Node projects.
-        <br>Path of the directory containing the <code>node</code> executable is required by one of the corresponding package manager <code>npm</code> or <code>pnpm</code>
+        <br>Path of the directory containing the <code>node</code> executable is required by one of the corresponding package manager <code>npm</code>, <code>pnpm</code> or <code>yarn</code>
         executable.
         <br>If the paths are not provided, your IDE's <code>PATH</code> environment will be used to locate the
         executables.
@@ -459,6 +459,13 @@
         <externalAnnotator language="JSON"
                            implementationClass="org.jboss.tools.intellij.componentanalysis.pnpm.PnpmCAAnnotator"/>
 
+        <localInspection language="JSON" shortName="YarnCAInspection"
+                         displayName="Red Hat Dependency Analytics component analysis"
+                         groupPath="JavaScript and TypeScript" groupName="Imports and dependencies"
+                         enabledByDefault="true" level="ERROR"
+                         implementationClass="org.jboss.tools.intellij.componentanalysis.yarn.YarnCAInspection"/>
+        <externalAnnotator language="JSON"
+                           implementationClass="org.jboss.tools.intellij.componentanalysis.yarn.YarnCAAnnotator"/>
         <fileType name="rhda-requirements"
                   language="rhda-requirements"
                   fileNames="requirements.txt"