refactor(pnpm): Make Pnpm separate from Npm

Stop inheriting from `Npm` and rely entirely on the output of `pnpm`
commands to figure out the necessary information. For example, do not
re-construct the dependency from the file structure within
`node_modules`, but rely on `pnpm list` instead. This reduces
complexity and makes the implementation easy to understand, maintain or
change.

From the diff of the expected result files it becomes aparent that this
change contains the following fixes:

1. project-with-lockfile: `htmlparser2` now dependends on
   `domutils 1.7.0` instead of `domutils 1.5.1`, which is inline with
   the dependency tree output by `pnpm list`
2. workspaces: The cyclic reference from the workspace root project to
   itself is now included.
3. babel: A lot of changes in the dependency tree which thereby aligns
   with the output of `pnpm list`. Comparing the new behavior with the
   one from `NPM` for the babel project show that the differences
   become very small. These differences can be explained either by
   the two package managers indeed behaving differently or by a bug in
   ORT's `NPM` implementation. The latter seems likely and should be
   investigated. For example, by re-writing `Npm` to obtain all
   information solely from `npm` CLI output.

Also note that it is good to drop the `--shamefully-hoist` command line
option, because it is not needed and its use is discouraged. Omitting
it may also reduce the amount of warnings.

Signed-off-by: Frank Viernau <[email protected]>

plugins/package-managers/node/src/funTest/assets/projects/synthetic/pnpm/project-with-lockfile-expected-output.yml

@@ -47,7 +47,7 @@ project:
         - id: "NPM::domhandler:2.4.2"
           dependencies:
           - id: "NPM::domelementtype:1.3.1"
-        - id: "NPM::domutils:1.5.1"
+        - id: "NPM::domutils:1.7.0"
           dependencies:
           - id: "NPM::dom-serializer:0.1.1"
             dependencies:
@@ -477,6 +477,36 @@ packages:
     url: "https://github.com/FB55/domutils.git"
     revision: "7d4bd16cd36ffce62362ef91616806ea27e30d95"
     path: ""
+- id: "NPM::domutils:1.7.0"
+  purl: "pkg:npm/[email protected]"
+  authors:
+  - "Felix Boehm"
+  declared_licenses:
+  - "BSD-2-Clause"
+  declared_licenses_processed:
+    spdx_expression: "BSD-2-Clause"
+  description: "utilities for working with htmlparser2's dom"
+  homepage_url: "https://github.com/FB55/domutils#readme"
+  binary_artifact:
+    url: ""
+    hash:
+      value: ""
+      algorithm: ""
+  source_artifact:
+    url: "https://registry.npmjs.org/domutils/-/domutils-1.7.0.tgz"
+    hash:
+      value: "56ea341e834e06e6748af7a1cb25da67ea9f8c2a"
+      algorithm: "SHA-1"
+  vcs:
+    type: "Git"
+    url: "git://github.com/FB55/domutils.git"
+    revision: "34f193ca17d11a98d9310b1965efe5f73d32d79f"
+    path: ""
+  vcs_processed:
+    type: "Git"
+    url: "https://github.com/FB55/domutils.git"
+    revision: "34f193ca17d11a98d9310b1965efe5f73d32d79f"
+    path: ""
 - id: "NPM::eachr:3.3.0"
   purl: "pkg:npm/[email protected]"
   authors:

plugins/package-managers/node/src/funTest/assets/projects/synthetic/pnpm/workspaces-expected-output.yml

@@ -89,6 +89,14 @@ analyzer:
         - id: "NPM::json-stable-stringify:1.0.1"
           dependencies:
           - id: "NPM::jsonify:0.0.0"
+        - id: "PNPM::pnpm-workspaces:1.0.1"
+          linkage: "PROJECT_DYNAMIC"
+          dependencies:
+          - id: "NPM::json-stable-stringify:1.0.1"
+            dependencies:
+            - id: "NPM::jsonify:0.0.0"
+          - id: "PNPM::pnpm-workspaces:1.0.1"
+            linkage: "PROJECT_DYNAMIC"
     - id: "PNPM::testing-pnpm-package-a:1.0.2"
       definition_file_path: "plugins/package-managers/node/src/funTest/assets/projects/synthetic/pnpm/workspaces/src/packages/package-a/package.json"
       authors:

plugins/package-managers/node/src/main/kotlin/Npm.kt

@@ -603,7 +603,7 @@ internal fun parsePackage(
     return module
 }
 
-private fun parseProject(packageJsonFile: File, analysisRoot: File, managerName: String): Project {
+internal fun parseProject(packageJsonFile: File, analysisRoot: File, managerName: String): Project {
     Npm.logger.debug { "Parsing project info from '$packageJsonFile'." }
 
     val packageJson = parsePackageJson(packageJsonFile)

plugins/package-managers/node/src/main/kotlin/pnpm/ModuleInfo.kt

@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2024 The ORT Project Authors (see <https://github.com/oss-review-toolkit/ort/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.ossreviewtoolkit.plugins.packagemanagers.node.pnpm
+
+import kotlinx.serialization.Serializable
+import kotlinx.serialization.json.Json
+
+private val JSON = Json { ignoreUnknownKeys = true }
+
+internal fun parsePnpmList(json: String): List<ModuleInfo> = JSON.decodeFromString(json)
+
+@Serializable
+internal data class ModuleInfo(
+    val name: String,
+    val version: String,
+    val path: String,
+    val private: Boolean,
+    val dependencies: Map<String, Dependency> = emptyMap(),
+    val devDependencies: Map<String, Dependency> = emptyMap(),
+    val optionalDependencies: Map<String, Dependency> = emptyMap()
+) {
+    @Serializable
+    data class Dependency(
+        val from: String,
+        val version: String,
+        val resolved: String? = null,
+        val path: String,
+        val dependencies: Map<String, Dependency> = emptyMap(),
+        val optionalDependencies: Map<String, Dependency> = emptyMap()
+    )
+}

plugins/package-managers/node/src/main/kotlin/pnpm/Pnpm.kt

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2019 The ORT Project Authors (see <https://github.com/oss-review-toolkit/ort/blob/main/NOTICE>)
+ * Copyright (C) 2024 The ORT Project Authors (see <https://github.com/oss-review-toolkit/ort/blob/main/NOTICE>)
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -21,14 +21,24 @@ package org.ossreviewtoolkit.plugins.packagemanagers.node.pnpm
 
 import java.io.File
 
+import org.apache.logging.log4j.kotlin.logger
+
 import org.ossreviewtoolkit.analyzer.AbstractPackageManagerFactory
+import org.ossreviewtoolkit.analyzer.PackageManager
+import org.ossreviewtoolkit.analyzer.PackageManagerResult
+import org.ossreviewtoolkit.model.DependencyGraph
+import org.ossreviewtoolkit.model.ProjectAnalyzerResult
 import org.ossreviewtoolkit.model.config.AnalyzerConfiguration
 import org.ossreviewtoolkit.model.config.RepositoryConfiguration
-import org.ossreviewtoolkit.plugins.packagemanagers.node.Npm
+import org.ossreviewtoolkit.model.utils.DependencyGraphBuilder
+import org.ossreviewtoolkit.plugins.packagemanagers.node.PackageJson
+import org.ossreviewtoolkit.plugins.packagemanagers.node.parsePackageJson
+import org.ossreviewtoolkit.plugins.packagemanagers.node.parseProject
 import org.ossreviewtoolkit.plugins.packagemanagers.node.utils.NodePackageManager
 import org.ossreviewtoolkit.plugins.packagemanagers.node.utils.NpmDetection
+import org.ossreviewtoolkit.utils.common.CommandLineTool
 import org.ossreviewtoolkit.utils.common.Os
-import org.ossreviewtoolkit.utils.common.realFile
+import org.ossreviewtoolkit.utils.common.stashDirectories
 
 import org.semver4j.RangesList
 import org.semver4j.RangesListFactory
@@ -41,7 +51,7 @@ class Pnpm(
     analysisRoot: File,
     analyzerConfig: AnalyzerConfiguration,
     repoConfig: RepositoryConfiguration
-) : Npm(name, analysisRoot, analyzerConfig, repoConfig) {
+) : PackageManager(name, analysisRoot, analyzerConfig, repoConfig), CommandLineTool {
     class Factory : AbstractPackageManagerFactory<Pnpm>("PNPM") {
         override val globsForDefinitionFiles = listOf("package.json", "pnpm-lock.yaml")
 
@@ -52,35 +62,116 @@ class Pnpm(
         ) = Pnpm(type, analysisRoot, analyzerConfig, repoConfig)
     }
 
-    override fun hasLockfile(projectDir: File) = NodePackageManager.PNPM.hasLockfile(projectDir)
+    private val handler = PnpmDependencyHandler(this)
+    private val graphBuilder by lazy { DependencyGraphBuilder(handler) }
+    private val packageDetailsCache = mutableMapOf<String, PackageJson>()
+
+    override fun resolveDependencies(definitionFile: File, labels: Map<String, String>): List<ProjectAnalyzerResult> =
+        stashDirectories(definitionFile.resolveSibling("node_modules")).use {
+            resolveDependencies(definitionFile)
+        }
+
+    private fun resolveDependencies(definitionFile: File): List<ProjectAnalyzerResult> {
+        val workingDir = definitionFile.parentFile
+        installDependencies(workingDir)
+
+        val workspaceModuleDirs = getWorkspaceModuleDirs(workingDir)
+        handler.setWorkspaceModuleDirs(workspaceModuleDirs)
+
+        val moduleInfosForScope = Scope.entries.associateWith { scope -> listModules(workingDir, scope) }
+
+        return workspaceModuleDirs.map { projectDir ->
+            val project = parseProject(projectDir.resolve("package.json"), analysisRoot, managerName)
+
+            val scopeNames = Scope.entries.mapTo(mutableSetOf()) { scope ->
+                val scopeName = scope.toString()
+                val qualifiedScopeName = DependencyGraph.qualifyScope(project, scope.toString())
+                val moduleInfo = moduleInfosForScope.getValue(scope).single { it.path == projectDir.absolutePath }
 
-    override fun File.isWorkspaceDir() = realFile() in findWorkspaceSubmodules(analysisRoot)
+                moduleInfo.getScopeDependencies(scope).forEach { dependency ->
+                    graphBuilder.addDependency(qualifiedScopeName, dependency)
+                }
 
-    override fun loadWorkspaceSubmodules(moduleDir: File): Set<File> {
-        val process = run(moduleDir, "list", "--recursive", "--depth=-1", "--parseable")
+                scopeName
+            }
 
-        return process.stdout.lines().filter { it.isNotEmpty() }.mapTo(mutableSetOf()) { File(it) }
+            ProjectAnalyzerResult(
+                project = project.copy(scopeNames = scopeNames),
+                packages = emptySet(),
+                issues = emptyList()
+            )
+        }
     }
 
     override fun command(workingDir: File?) = if (Os.isWindows) "pnpm.cmd" else "pnpm"
 
+    private fun getWorkspaceModuleDirs(workingDir: File): Set<File> {
+        val json = run(workingDir, "list", "--json", "--only-projects", "--recursive").stdout
+
+        return parsePnpmList(json).mapTo(mutableSetOf()) { File(it.path) }
+    }
+
+    private fun listModules(workingDir: File, scope: Scope): List<ModuleInfo> {
+        val scopeOption = when (scope) {
+            Scope.DEPENDENCIES -> "--prod"
+            Scope.DEV_DEPENDENCIES -> "--dev"
+        }
+
+        val json = run(workingDir, "list", "--json", "--recursive", "--depth", "10000", scopeOption).stdout
+
+        return parsePnpmList(json)
+    }
+
+    override fun createPackageManagerResult(projectResults: Map<File, List<ProjectAnalyzerResult>>) =
+        PackageManagerResult(projectResults, graphBuilder.build(), graphBuilder.packages())
+
     override fun getVersionRequirement(): RangesList = RangesListFactory.create("5.* - 9.*")
 
     override fun mapDefinitionFiles(definitionFiles: List<File>) =
         NpmDetection(definitionFiles).filterApplicable(NodePackageManager.PNPM)
 
-    override fun runInstall(workingDir: File) =
+    private fun installDependencies(workingDir: File) =
         run(
             "install",
             "--ignore-pnpmfile",
             "--ignore-scripts",
             "--frozen-lockfile", // Use the existing lockfile instead of updating an outdated one.
-            "--shamefully-hoist", // Build a similar node_modules structure as NPM and Yarn does.
             workingDir = workingDir
         )
 
     override fun beforeResolution(definitionFiles: List<File>) =
         // We do not actually depend on any features specific to a PNPM version, but we still want to stick to a
         // fixed major version to be sure to get consistent results.
         checkVersion()
+
+    internal fun getRemotePackageDetails(workingDir: File, packageName: String): PackageJson? {
+        packageDetailsCache[packageName]?.let { return it }
+
+        return runCatching {
+            val process = run(workingDir, "info", "--json", packageName)
+
+            parsePackageJson(process.stdout)
+        }.onFailure { e ->
+            logger.warn { "Error getting details for $packageName in directory $workingDir: ${e.message.orEmpty()}" }
+        }.getOrNull()?.also {
+            packageDetailsCache[packageName] = it
+        }
+    }
 }
+
+private enum class Scope(val descriptor: String) {
+    DEPENDENCIES("dependencies"),
+    DEV_DEPENDENCIES("devDependencies");
+
+    override fun toString(): String = descriptor
+}
+
+private fun ModuleInfo.getScopeDependencies(scope: Scope) =
+    when (scope) {
+        Scope.DEPENDENCIES -> buildList {
+            addAll(dependencies.values)
+            addAll(optionalDependencies.values)
+        }
+
+        Scope.DEV_DEPENDENCIES -> devDependencies.values.toList()
+    }

plugins/package-managers/node/src/main/kotlin/pnpm/PnpmDependencyHandler.kt

@@ -0,0 +1,92 @@
+/*
+ * Copyright (C) 2024 The ORT Project Authors (see <https://github.com/oss-review-toolkit/ort/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.ossreviewtoolkit.plugins.packagemanagers.node.pnpm
+
+import java.io.File
+
+import org.ossreviewtoolkit.model.Identifier
+import org.ossreviewtoolkit.model.Issue
+import org.ossreviewtoolkit.model.Package
+import org.ossreviewtoolkit.model.PackageLinkage
+import org.ossreviewtoolkit.model.utils.DependencyHandler
+import org.ossreviewtoolkit.plugins.packagemanagers.node.PackageJson
+import org.ossreviewtoolkit.plugins.packagemanagers.node.parsePackage
+import org.ossreviewtoolkit.plugins.packagemanagers.node.parsePackageJson
+import org.ossreviewtoolkit.plugins.packagemanagers.node.pnpm.ModuleInfo.Dependency
+import org.ossreviewtoolkit.utils.common.realFile
+
+internal class PnpmDependencyHandler(private val pnpm: Pnpm) : DependencyHandler<Dependency> {
+    private val workspaceModuleDirs = mutableSetOf<File>()
+    private val packageJsonCache = mutableMapOf<File, PackageJson>()
+
+    private fun Dependency.isProject(): Boolean =
+        isInstalled && workingDir.realFile().absoluteFile in workspaceModuleDirs
+
+    fun setWorkspaceModuleDirs(dirs: Collection<File>) {
+        workspaceModuleDirs.apply {
+            clear()
+            addAll(dirs)
+        }
+    }
+
+    override fun identifierFor(dependency: Dependency): Identifier {
+        val type = pnpm.managerName.takeIf { dependency.isProject() } ?: "NPM"
+        val namespace = dependency.from.substringBeforeLast("/", "")
+        val name = dependency.from.substringAfterLast("/")
+        val version = if (dependency.isProject()) {
+            readPackageJson(dependency.packageJsonFile).version.orEmpty()
+        } else {
+            dependency.version.takeUnless { it.startsWith("link:") || it.startsWith("file:") }.orEmpty()
+        }
+
+        return Identifier(type, namespace, name, version)
+    }
+
+    override fun dependenciesFor(dependency: Dependency): List<Dependency> =
+        (dependency.dependencies + dependency.optionalDependencies).values.filter { it.isInstalled }.toList()
+
+    override fun linkageFor(dependency: Dependency): PackageLinkage =
+        PackageLinkage.DYNAMIC.takeUnless { dependency.isProject() } ?: PackageLinkage.PROJECT_DYNAMIC
+
+    override fun createPackage(dependency: Dependency, issues: MutableCollection<Issue>): Package? =
+        dependency.takeUnless { it.isProject() || !it.isInstalled }?.let {
+            parsePackage(
+                workingDir = it.workingDir,
+                packageJsonFile = it.packageJsonFile,
+                getRemotePackageDetails = pnpm::getRemotePackageDetails
+            )
+        }
+
+    private fun readPackageJson(packageJsonFile: File): PackageJson =
+        packageJsonCache.getOrPut(packageJsonFile.realFile()) { parsePackageJson(packageJsonFile) }
+}
+
+private val Dependency.workingDir: File get() = File(path)
+
+private val Dependency.packageJsonFile: File get() = File(path, "package.json")
+
+/**
+ * pnpm install skips optional dependencies which are not compatible with the environment. In this case the path
+ * property points to a non-existing directory. For example, the fsevents package gets skipped under Linux. One could
+ * install such dependencies too, with the --force option, but the documentation says that this also forces updating the
+ * lockfile. Maybe, this can be mitigated by also using --frozen-lockfile. However, the documentation does not explain
+ * how the combination of these two options works.
+ */
+private val Dependency.isInstalled: Boolean get() = workingDir.exists()