fix(nodejs): use project dir when searching for workspaces for Yarn.lock files (aquasecurity#6102)

Author: DmitriyLewen

pkg/fanal/analyzer/language/nodejs/yarn/testdata/project-with-workspace-in-subdir/foo/bar/generators/package.json

@@ -0,0 +1,7 @@
+{
+    "name": "@test/bar-generators",
+    "version": "0.0.1",
+    "dependencies": {
+        "hoek": "6.1.3"
+    }
+}

pkg/fanal/analyzer/language/nodejs/yarn/testdata/project-with-workspace-in-subdir/foo/package.json

@@ -0,0 +1,10 @@
+{
+    "name": "@test/foo",
+    "version": "1.0.0",
+    "repository": "ssh://[email protected]/test.git/foo",
+    "workspaces": [
+        "bar/*"
+    ],
+    "main": "index.js",
+    "license": "MIT"
+}

pkg/fanal/analyzer/language/nodejs/yarn/testdata/project-with-workspace-in-subdir/foo/yarn.lock

@@ -0,0 +1,8 @@
+# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+# yarn lockfile v1
+
+
+[email protected]:
+  version "6.1.3"
+  resolved "https://registry.yarnpkg.com/hoek/-/hoek-6.1.3.tgz#73b7d33952e01fe27a38b0457294b79dd8da242c"
+  integrity sha512-YXXAAhmF9zpQbC7LEcREFtXfGq5K1fmd+4PHkBq8NUqmzW3G+Dq10bI/i0KucLRwss3YYFQ0fSfoxBZYiGUqtQ==

pkg/fanal/analyzer/language/nodejs/yarn/yarn.go

@@ -268,7 +268,7 @@ func (a yarnAnalyzer) parsePackageJsonDependencies(fsys fs.FS, filePath string)
 	devDependencies := rootPkg.DevDependencies
 
 	if len(rootPkg.Workspaces) > 0 {
-		pkgs, err := a.traverseWorkspaces(fsys, rootPkg.Workspaces)
+		pkgs, err := a.traverseWorkspaces(fsys, path.Dir(filePath), rootPkg.Workspaces)
 		if err != nil {
 			return nil, nil, xerrors.Errorf("traverse workspaces error: %w", err)
 		}
@@ -281,7 +281,7 @@ func (a yarnAnalyzer) parsePackageJsonDependencies(fsys fs.FS, filePath string)
 	return dependencies, devDependencies, nil
 }
 
-func (a yarnAnalyzer) traverseWorkspaces(fsys fs.FS, workspaces []string) ([]packagejson.Package, error) {
+func (a yarnAnalyzer) traverseWorkspaces(fsys fs.FS, dir string, workspaces []string) ([]packagejson.Package, error) {
 	var pkgs []packagejson.Package
 
 	required := func(path string, _ fs.DirEntry) bool {
@@ -298,6 +298,9 @@ func (a yarnAnalyzer) traverseWorkspaces(fsys fs.FS, workspaces []string) ([]pac
 	}
 
 	for _, workspace := range workspaces {
+		// We need to add the path to the `package.json` file
+		// to properly get the pattern to search in `fs`
+		workspace = path.Join(dir, workspace)
 		matches, err := fs.Glob(fsys, workspace)
 		if err != nil {
 			return nil, err

pkg/fanal/analyzer/language/nodejs/yarn/yarn_test.go

@@ -127,6 +127,31 @@ func Test_yarnLibraryAnalyzer_Analyze(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "Project with workspace placed in sub dir",
+			dir:  "testdata/project-with-workspace-in-subdir",
+			want: &analyzer.AnalysisResult{
+				Applications: []types.Application{
+					{
+						Type:     types.Yarn,
+						FilePath: "foo/yarn.lock",
+						Libraries: types.Packages{
+							{
+								ID:      "[email protected]",
+								Name:    "hoek",
+								Version: "6.1.3",
+								Locations: []types.Location{
+									{
+										StartLine: 5,
+										EndLine:   8,
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
 		{
 			name: "no package.json",
 			dir:  "testdata/no-packagejson",