feat: Add support for pnpm package manager (#180)

* feat: add support for pnpm package manager

* chore: resolving dependencies from local maven repository

Author: soul2zimate

README.md

@@ -42,7 +42,7 @@ vulnerability report.
 **Prerequisites**
 
 - For Maven projects, analyzing a `pom.xml` file, you must have the `mvn` binary in your IDE's `PATH` environment.
-- For Node projects, analyzing a `package.json` file, you must have the `npm` and `node` binaries in your IDE's `PATH`
+- For Node projects, analyzing a `package.json` file, you must have one of the corresponding package manager `npm` or `pnpm`, `node` binaries in your IDE's `PATH`
   environment.
 - For Golang projects, analyzing a `go.mod` file, you must have the `go` binary in your IDE's `PATH` environment.
 - For Python projects, analyzing a `requirements.txt` file, you must have the `python3` and `pip3` binaries in your
@@ -86,9 +86,9 @@ according to your preferences.
   executables.
 
 - **Node** :
-  <br >Set the full path of the Node executable, which allows Exhort to locate and run the `npm` command to resolve
+  <br >Set the full path of the Node executable, which allows Exhort to locate and run one of the corresponding `npm` or `pnpm` command to resolve
   dependencies for Node projects.
-  <br >Path of the directory containing the `node` executable is required by the `npm` executable.
+  <br >Path of the directory containing the `node` executable is required by one of the corresponding `npm` or `pnpm` executable.
   <br >If the paths are not provided, your IDE's `PATH` environment will be used to locate the executables.
 
 - **Golang** :

build.gradle

@@ -25,6 +25,7 @@ repositories {
             password = exhortRepoToken
         }
     }
+    mavenLocal()
 }
 
 // Include the generated files in the source set

src/main/java/org/jboss/tools/intellij/componentanalysis/pnpm/PnpmCAAnnotator.java

@@ -0,0 +1,103 @@
+/*******************************************************************************
+ * Copyright (c) 2025 Red Hat, Inc.
+ * Distributed under license by Red Hat, Inc. All rights reserved.
+ * This program is made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v20.html
+ *
+ * Contributors:
+ * Red Hat, Inc. - initial API and implementation
+ ******************************************************************************/
+
+package org.jboss.tools.intellij.componentanalysis.pnpm;
+
+import com.intellij.json.psi.JsonArray;
+import com.intellij.json.psi.JsonObject;
+import com.intellij.json.psi.JsonProperty;
+import com.intellij.json.psi.JsonStringLiteral;
+import com.intellij.json.psi.JsonValue;
+import com.intellij.psi.PsiElement;
+import com.intellij.psi.PsiFile;
+import com.redhat.exhort.api.v4.DependencyReport;
+import org.jboss.tools.intellij.componentanalysis.CAAnnotator;
+import org.jboss.tools.intellij.componentanalysis.CAIntentionAction;
+import org.jboss.tools.intellij.componentanalysis.CAUpdateManifestIntentionAction;
+import org.jboss.tools.intellij.componentanalysis.Dependency;
+import org.jboss.tools.intellij.componentanalysis.VulnerabilitySource;
+
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.stream.Collectors;
+
+public class PnpmCAAnnotator extends CAAnnotator {
+
+    @Override
+    protected String getInspectionShortName() {
+        return PnpmCAInspection.SHORT_NAME;
+    }
+
+    @Override
+    protected Map<Dependency, List<PsiElement>> getDependencies(PsiFile file) {
+        if ("package.json".equals(file.getName())) {
+            Set<String> ignored = Arrays.stream(file.getChildren())
+                    .filter(e -> e instanceof JsonObject)
+                    .flatMap(e -> Arrays.stream(e.getChildren()))
+                    .filter(e -> e instanceof JsonProperty && "exhortignore".equals(((JsonProperty) e).getName()))
+                    .flatMap(e -> Arrays.stream(e.getChildren()))
+                    .filter(e -> e instanceof JsonArray)
+                    .flatMap(e -> Arrays.stream(e.getChildren()))
+                    .filter(c -> c instanceof JsonStringLiteral)
+                    .map(c -> ((JsonStringLiteral) c).getValue())
+                    .collect(Collectors.toSet());
+
+            Map<Dependency, List<PsiElement>> resultMap = new HashMap<>();
+            Arrays.stream(file.getChildren())
+                    .filter(e -> e instanceof JsonObject)
+                    .flatMap(e -> Arrays.stream(e.getChildren()))
+                    .filter(e -> e instanceof JsonProperty && "dependencies".equals(((JsonProperty) e).getName()))
+                    .flatMap(e -> Arrays.stream(e.getChildren()))
+                    .filter(e -> e instanceof JsonObject)
+                    .flatMap(e -> Arrays.stream(e.getChildren()))
+                    .filter(c -> c instanceof JsonProperty && !ignored.contains(((JsonProperty) c).getName()))
+                    .forEach(c -> {
+                        String name = ((JsonProperty) c).getName();
+                        int index = name.lastIndexOf("/");
+                        String namespace = null;
+                        if (index > 0) {
+                            namespace = name.substring(0, index);
+                            name = name.substring(index + 1);
+                        } else if (index == 0) {
+                            name = name.substring(index + 1);
+                        }
+                        JsonValue value = ((JsonProperty) c).getValue();
+                        String version = value instanceof JsonStringLiteral
+                                ? ((JsonStringLiteral) value).getValue()
+                                : null;
+                        Dependency dp = new Dependency("npm", namespace, name, version);
+                        resultMap.computeIfAbsent(dp, k -> new LinkedList<>()).add(c);
+                    });
+            return resultMap;
+        }
+        return Collections.emptyMap();
+    }
+
+    @Override
+    protected CAIntentionAction createQuickFix(PsiElement element, VulnerabilitySource source, DependencyReport report) {
+        return new PnpmCAIntentionAction(element, source, report);
+    }
+
+    @Override
+    protected CAUpdateManifestIntentionAction patchManifest(PsiElement element, DependencyReport report) {
+        return null;
+    }
+
+    @Override
+    protected boolean isQuickFixApplicable(PsiElement element) {
+        return element instanceof JsonProperty && ((JsonProperty) element).getValue() instanceof JsonStringLiteral;
+    }
+}

src/main/java/org/jboss/tools/intellij/componentanalysis/pnpm/PnpmCAInspection.java

@@ -0,0 +1,47 @@
+/*******************************************************************************
+ * Copyright (c) 2025 Red Hat, Inc.
+ * Distributed under license by Red Hat, Inc. All rights reserved.
+ * This program is made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v20.html
+ *
+ * Contributors:
+ * Red Hat, Inc. - initial API and implementation
+ ******************************************************************************/
+
+package org.jboss.tools.intellij.componentanalysis.pnpm;
+
+import com.intellij.codeHighlighting.HighlightDisplayLevel;
+import com.intellij.codeInspection.LocalInspectionTool;
+import org.jetbrains.annotations.Nls;
+import org.jetbrains.annotations.NonNls;
+import org.jetbrains.annotations.NotNull;
+
+public class PnpmCAInspection extends LocalInspectionTool {
+
+    @NonNls
+    public static final String SHORT_NAME = "PnpmCAInspection";
+
+    @Override
+    @NotNull
+    public String getGroupDisplayName() {
+        return "Imports and dependencies";
+    }
+
+    @Override
+    public @Nls(capitalization = Nls.Capitalization.Sentence) String @NotNull [] getGroupPath() {
+        return new String[]{"JavaScript and TypeScript"};
+    }
+
+    @Override
+    @NotNull
+    public String getShortName() {
+        return SHORT_NAME;
+    }
+
+    @Override
+    @NotNull
+    public HighlightDisplayLevel getDefaultLevel() {
+        return HighlightDisplayLevel.ERROR;
+    }
+}

src/main/java/org/jboss/tools/intellij/componentanalysis/pnpm/PnpmCAIntentionAction.java

@@ -0,0 +1,51 @@
+/*******************************************************************************
+ * Copyright (c) 2025 Red Hat, Inc.
+ * Distributed under license by Red Hat, Inc. All rights reserved.
+ * This program is made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v20.html
+ *
+ * Contributors:
+ * Red Hat, Inc. - initial API and implementation
+ ******************************************************************************/
+
+package org.jboss.tools.intellij.componentanalysis.pnpm;
+
+import com.intellij.codeInsight.intention.FileModifier;
+import com.intellij.json.psi.JsonElementGenerator;
+import com.intellij.json.psi.JsonProperty;
+import com.intellij.json.psi.JsonStringLiteral;
+import com.intellij.openapi.editor.Editor;
+import com.intellij.openapi.project.Project;
+import com.intellij.psi.PsiElement;
+import com.intellij.psi.PsiFile;
+import com.redhat.exhort.api.v4.DependencyReport;
+import org.jboss.tools.intellij.componentanalysis.CAIntentionAction;
+import org.jboss.tools.intellij.componentanalysis.VulnerabilitySource;
+import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
+
+public final class PnpmCAIntentionAction extends CAIntentionAction {
+    PnpmCAIntentionAction(PsiElement element, VulnerabilitySource source, DependencyReport report) {
+        super(element, source, report);
+    }
+
+    @Override
+    protected void updateVersion(@NotNull Project project, Editor editor, PsiFile file, String version) {
+        JsonStringLiteral value = (JsonStringLiteral) ((JsonProperty) element).getValue();
+        if (value != null) {
+            JsonStringLiteral newValue = new JsonElementGenerator(project).createStringLiteral(version);
+            value.replace(newValue);
+        }
+    }
+
+    @Override
+    protected @Nullable FileModifier createCAIntentionActionInCopy(PsiElement element) {
+        return new PnpmCAIntentionAction(element, this.source, this.report);
+    }
+
+    @Override
+    public boolean isAvailable(@NotNull Project project, Editor editor, PsiFile file) {
+        return file != null && "package.json".equals(file.getName());
+    }
+}

src/main/java/org/jboss/tools/intellij/exhort/ApiService.java

@@ -154,6 +154,11 @@ private void setRequestProperties(final String manifestName) {
         } else {
             System.clearProperty("NODE_HOME");
         }
+        if (settings.pnpmPath != null && !settings.pnpmPath.isBlank()) {
+            System.setProperty("EXHORT_PNPM_PATH", settings.pnpmPath);
+        } else {
+            System.clearProperty("EXHORT_PNPM_PATH");
+        }
         if (settings.goPath != null && !settings.goPath.isBlank()) {
             System.setProperty("EXHORT_GO_PATH", settings.goPath);
         } else {

src/main/java/org/jboss/tools/intellij/settings/ApiSettingsComponent.java

@@ -32,6 +32,8 @@ public class ApiSettingsComponent {
             + "<br>Specifies absolute path of Java installation directory.</html>";
     private final static String npmPathLabel = "<html>Npm > Executable: <b>Path</b>"
             + "<br>Specifies absolute path of <b>npm</b> executable.</html>";
+    private final static String pnpmPathLabel = "<html>Pnpm > Executable: <b>Path</b>"
+            + "<br>Specifies absolute path of <b>pnpm</b> executable.</html>";
     private final static String nodePathLabel = "<html>Node > Directory: <b>Path</b>"
             + "<br>Specifies absolute path of the <i>directory</i> containing <b>node</b> executable.</html>";
     private final static String goPathLabel = "<html>Go > Executable: <b>Path</b>"
@@ -72,6 +74,7 @@ public class ApiSettingsComponent {
     private final TextFieldWithBrowseButton mvnPathText;
     private final TextFieldWithBrowseButton javaPathText;
     private final TextFieldWithBrowseButton npmPathText;
+    private final TextFieldWithBrowseButton pnpmPathText;
     private final TextFieldWithBrowseButton nodePathText;
     private final TextFieldWithBrowseButton goPathText;
     private final JBCheckBox goMatchManifestVersionsCheck;
@@ -121,6 +124,15 @@ public ApiSettingsComponent() {
                 TextComponentAccessor.TEXT_FIELD_WHOLE_TEXT
         );
 
+        pnpmPathText = new TextFieldWithBrowseButton();
+        pnpmPathText.addBrowseFolderListener(
+                null,
+                null,
+                null,
+                FileChooserDescriptorFactory.createSingleFileDescriptor(),
+                TextComponentAccessor.TEXT_FIELD_WHOLE_TEXT
+        );
+
         nodePathText = new TextFieldWithBrowseButton();
         nodePathText.addBrowseFolderListener(
                 null,
@@ -239,6 +251,8 @@ public ApiSettingsComponent() {
                 .addVerticalGap(10)
                 .addLabeledComponent(new JBLabel(npmPathLabel), npmPathText, 1, true)
                 .addVerticalGap(10)
+                .addLabeledComponent(new JBLabel(pnpmPathLabel), pnpmPathText, 1, true)
+                .addVerticalGap(10)
                 .addLabeledComponent(new JBLabel(nodePathLabel), nodePathText, 1, true)
                 .addSeparator(10)
                 .addVerticalGap(10)
@@ -316,6 +330,15 @@ public void setNpmPathText(@NotNull String text) {
         npmPathText.setText(text);
     }
 
+    @NotNull
+    public String getPnpmPathText() {
+        return pnpmPathText.getText();
+    }
+
+    public void setPnpmPathText(@NotNull String text) {
+        pnpmPathText.setText(text);
+    }
+
     @NotNull
     public String getNodePathText() {
         return nodePathText.getText();

src/main/java/org/jboss/tools/intellij/settings/ApiSettingsConfigurable.java

@@ -42,6 +42,7 @@ public boolean isModified() {
         boolean modified = !settingsComponent.getMvnPathText().equals(settings.mvnPath);
         modified |= !settingsComponent.getJavaPathText().equals(settings.javaPath);
         modified |= !settingsComponent.getNpmPathText().equals(settings.npmPath);
+        modified |= !settingsComponent.getPnpmPathText().equals(settings.pnpmPath);
         modified |= !settingsComponent.getNodePathText().equals(settings.nodePath);
         modified |= !settingsComponent.getGoPathText().equals(settings.goPath);
         modified |= settingsComponent.getGoMatchManifestVersionsCheck() != settings.goMatchManifestVersions;
@@ -68,6 +69,7 @@ public void apply() {
         settings.mvnPath = settingsComponent.getMvnPathText();
         settings.javaPath = settingsComponent.getJavaPathText();
         settings.npmPath = settingsComponent.getNpmPathText();
+        settings.pnpmPath = settingsComponent.getPnpmPathText();
         settings.nodePath = settingsComponent.getNodePathText();
         settings.goPath = settingsComponent.getGoPathText();
         settings.goMatchManifestVersions = settingsComponent.getGoMatchManifestVersionsCheck();
@@ -93,6 +95,7 @@ public void reset() {
         settingsComponent.setMvnPathText(settings.mvnPath != null ? settings.mvnPath : "");
         settingsComponent.setJavaPathText(settings.javaPath != null ? settings.javaPath : "");
         settingsComponent.setNpmPathText(settings.npmPath != null ? settings.npmPath : "");
+        settingsComponent.setPnpmPathText(settings.pnpmPath != null ? settings.pnpmPath : "");
         settingsComponent.setNodePathText(settings.nodePath != null ? settings.nodePath : "");
         settingsComponent.setGoPathText(settings.goPath != null ? settings.goPath : "");
         settingsComponent.setGoMatchManifestVersionsCheck(settings.goMatchManifestVersions);

src/main/java/org/jboss/tools/intellij/settings/ApiSettingsState.java

@@ -39,6 +39,7 @@ public final class ApiSettingsState implements PersistentStateComponent<ApiSetti
     public String javaPath;
 
     public String npmPath;
+    public String pnpmPath;
     public String nodePath;
 
     public String goPath;

src/main/resources/META-INF/plugin.xml

@@ -21,7 +21,7 @@
 <p>
     <b>IMPORTANT:</b>
     <br>Currently, Dependency Analytics only supports projects that use Maven (<code>mvn</code>), and Node
-    (<code>npm</code>), Golang (<code>go mod</code>) and Python (<code>pip</code>) ecosystems, and base images in
+    (<code>npm</code> or <code>pnpm</code>), Golang (<code>go mod</code>) and Python (<code>pip</code>) ecosystems, and base images in
     <code>Dockerfile</code>.
     <br>In future releases, Red Hat plans to support other programming languages.
 <p>
@@ -33,7 +33,7 @@
     <li>For Maven projects, analyzing a <code>pom.xml</code> file, you must have the <code>mvn</code> binary in your
         IDE's <code>PATH</code> environment.
     </li>
-    <li>For Node projects, analyzing a <code>package.json</code> file, you must have the <code>npm</code> and
+    <li>For Node projects, analyzing a <code>package.json</code> file, you must have one of the corresponding package manager <code>npm</code> or <code>pnpm</code> and
         <code>node</code> binaries in your IDE's <code>PATH</code> environment.
     </li>
     <li>For Golang projects, analyzing a <code>go.mod</code> file, you must have the <code>go</code> binary in your
@@ -99,9 +99,9 @@
     </li>
     <li>
         <b>Node</b>:
-        <br>Set the full path of the Node executable, which allows Exhort to locate and execute <code>npm</code> command
+        <br>Set the full path of the Node executable, which allows Exhort to locate and execute one of the corresponding <code>npm</code> or <code>pnpm</code> command
         to resolve dependencies for Node projects.
-        <br>Path of the directory containing the <code>node</code> executable is required by the <code>npm</code>
+        <br>Path of the directory containing the <code>node</code> executable is required by one of the corresponding package manager <code>npm</code> or <code>pnpm</code>
         executable.
         <br>If the paths are not provided, your IDE's <code>PATH</code> environment will be used to locate the
         executables.
@@ -451,6 +451,14 @@
         <externalAnnotator language="JSON"
                            implementationClass="org.jboss.tools.intellij.componentanalysis.npm.NpmCAAnnotator"/>
 
+        <localInspection language="JSON" shortName="PnpmCAInspection"
+                         displayName="Red Hat Dependency Analytics component analysis"
+                         groupPath="JavaScript and TypeScript" groupName="Imports and dependencies"
+                         enabledByDefault="true" level="ERROR"
+                         implementationClass="org.jboss.tools.intellij.componentanalysis.pnpm.PnpmCAInspection"/>
+        <externalAnnotator language="JSON"
+                           implementationClass="org.jboss.tools.intellij.componentanalysis.pnpm.PnpmCAAnnotator"/>
+
         <fileType name="rhda-requirements"
                   language="rhda-requirements"
                   fileNames="requirements.txt"