jfrog · attiasas · Dec 15, 2024 · Oct 9, 2024 · Oct 10, 2024 · Oct 10, 2024
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -51,7 +51,7 @@ jobs:
       - name: Install dotnet
         uses: actions/setup-dotnet@v3
         with:
-          dotnet-version: '6.x'
+          dotnet-version: 6.0.425
       - name: Setup Python3
         uses: actions/setup-python@v4
         with:

diff --git a/cli/docs/flags.go b/cli/docs/flags.go
@@ -2,9 +2,10 @@ package docs
 
 import (
 	"fmt"
-	"github.com/jfrog/jfrog-cli-security/commands/git"
 	"strings"
 
+	"github.com/jfrog/jfrog-cli-security/commands/git"
+
 	"github.com/jfrog/jfrog-cli-core/v2/common/cliutils"
 	pluginsCommon "github.com/jfrog/jfrog-cli-core/v2/plugins/common"
 	"github.com/jfrog/jfrog-cli-core/v2/plugins/components"
@@ -114,6 +115,7 @@ const (
 	useWrapperAudit              = auditPrefix + UseWrapper
 	ExcludeTestDeps              = "exclude-test-deps"
 	DepType                      = "dep-type"
+	MaxTreeDepth                 = "max-tree-depth"
 	ThirdPartyContextualAnalysis = "third-party-contextual-analysis"
 	RequirementsFile             = "requirements-file"
 	WorkingDirs                  = "working-dirs"
@@ -238,17 +240,18 @@ var flagsMap = map[string]components.Flag{
 		"List of exclusions separated by semicolons, utilized to skip sub-projects from undergoing an audit. These exclusions may incorporate the * and ? wildcards.",
 		components.WithStrDefaultValue(strings.Join(utils.DefaultScaExcludePatterns, ";")),
 	),
-	Mvn:     components.NewBoolFlag(Mvn, "Set to true to request audit for a Maven project."),
-	Gradle:  components.NewBoolFlag(Gradle, "Set to true to request audit for a Gradle project."),
-	Npm:     components.NewBoolFlag(Npm, "Set to true to request audit for a npm project."),
-	Pnpm:    components.NewBoolFlag(Pnpm, "Set to true to request audit for a Pnpm project."),
-	Yarn:    components.NewBoolFlag(Yarn, "Set to true to request audit for a Yarn project."),
-	Nuget:   components.NewBoolFlag(Nuget, "Set to true to request audit for a .NET project."),
-	Pip:     components.NewBoolFlag(Pip, "Set to true to request audit for a Pip project."),
-	Pipenv:  components.NewBoolFlag(Pipenv, "Set to true to request audit for a Pipenv project."),
-	Poetry:  components.NewBoolFlag(Poetry, "Set to true to request audit for a Poetry project."),
-	Go:      components.NewBoolFlag(Go, "Set to true to request audit for a Go project."),
-	DepType: components.NewStringFlag(DepType, "[npm] Defines npm dependencies type. Possible values are: all, devOnly and prodOnly."),
+	Mvn:          components.NewBoolFlag(Mvn, "Set to true to request audit for a Maven project."),
+	Gradle:       components.NewBoolFlag(Gradle, "Set to true to request audit for a Gradle project."),
+	Npm:          components.NewBoolFlag(Npm, "Set to true to request audit for a npm project."),
+	Pnpm:         components.NewBoolFlag(Pnpm, "Set to true to request audit for a Pnpm project."),
+	Yarn:         components.NewBoolFlag(Yarn, "Set to true to request audit for a Yarn project."),
+	Nuget:        components.NewBoolFlag(Nuget, "Set to true to request audit for a .NET project."),
+	Pip:          components.NewBoolFlag(Pip, "Set to true to request audit for a Pip project."),
+	Pipenv:       components.NewBoolFlag(Pipenv, "Set to true to request audit for a Pipenv project."),
+	Poetry:       components.NewBoolFlag(Poetry, "Set to true to request audit for a Poetry project."),
+	Go:           components.NewBoolFlag(Go, "Set to true to request audit for a Go project."),
+	DepType:      components.NewStringFlag(DepType, "[npm] Defines npm dependencies type. Possible values are: all, devOnly and prodOnly."),
+	MaxTreeDepth: components.NewStringFlag(MaxTreeDepth, "[pnpm] Max depth of the generated dependencies tree for SCA scan.", components.WithStrDefaultValue("Infinity")),
 	ThirdPartyContextualAnalysis: components.NewBoolFlag(
 		ThirdPartyContextualAnalysis,
 		"[npm] when set, the Contextual Analysis scan also uses the code of the project dependencies to determine the applicability of the vulnerability.",

diff --git a/cli/scancommands.go b/cli/scancommands.go
@@ -495,6 +495,7 @@ func CreateAuditCmd(c *components.Context) (*audit.AuditCommand, error) {
 		SetInsecureTls(c.GetBoolFlagValue(flags.InsecureTls)).
 		SetNpmScope(c.GetStringFlagValue(flags.DepType)).
 		SetPipRequirementsFile(c.GetStringFlagValue(flags.RequirementsFile)).
+		SetMaxTreeDepth(c.GetStringFlagValue(flags.MaxTreeDepth)).
 		SetExclusions(pluginsCommon.GetStringsArrFlagValue(c, flags.Exclusions))
 	return auditCmd, err
 }

diff --git a/commands/audit/sca/pnpm/pnpm.go b/commands/audit/sca/pnpm/pnpm.go
@@ -119,13 +119,16 @@ func installProjectIfNeeded(pnpmExecPath, workingDir string) (dirForDependencies
 		err = fmt.Errorf("failed copying project to temp dir: %w", err)
 		return
 	}
-	err = getPnpmCmd(pnpmExecPath, dirForDependenciesCalculation, "install", npm.IgnoreScriptsFlag).GetCmd().Run()
+	output, err := getPnpmCmd(pnpmExecPath, dirForDependenciesCalculation, "install", npm.IgnoreScriptsFlag).GetCmd().CombinedOutput()
+	if err != nil {
+		err = fmt.Errorf("failed to install project: %w\n%s", err, string(output))
+	}
 	return
 }
 
 // Run 'pnpm ls ...' command (project must be installed) and parse the returned result to create a dependencies trees for the projects.
 func calculateDependencies(executablePath, workingDir string, params utils.AuditParams) (dependencyTrees []*xrayUtils.GraphNode, uniqueDeps []string, err error) {
-	lsArgs := append([]string{"--depth", "Infinity", "--json", "--long"}, params.Args()...)
+	lsArgs := append([]string{"--depth", params.MaxTreeDepth(), "--json", "--long"}, params.Args()...)
 	npmLsCmdContent, err := getPnpmCmd(executablePath, workingDir, "ls", lsArgs...).RunWithOutput()
 	if err != nil {
 		return

diff --git a/utils/auditbasicparams.go b/utils/auditbasicparams.go
@@ -27,6 +27,8 @@ type AuditParams interface {
 	InstallCommandName() string
 	InstallCommandArgs() []string
 	SetNpmScope(depType string) *AuditBasicParams
+	SetMaxTreeDepth(maxTreeDepth string) *AuditBasicParams
+	MaxTreeDepth() string
 	OutputFormat() format.OutputFormat
 	DepsRepo() string
 	SetDepsRepo(depsRepo string) *AuditBasicParams
@@ -54,6 +56,7 @@ type AuditBasicParams struct {
 	ignoreConfigFile                 bool
 	isMavenDepTreeInstalled          bool
 	isCurationCmd                    bool
+	maxTreeDepth                     string
 	pipRequirementsFile              string
 	depsRepo                         string
 	installCommandName               string
@@ -109,6 +112,15 @@ func (abp *AuditBasicParams) UseJas() bool {
 	return abp.useJas
 }
 
+func (abp *AuditBasicParams) MaxTreeDepth() string {
+	return abp.maxTreeDepth
+}
+
+func (abp *AuditBasicParams) SetMaxTreeDepth(maxTreeDepth string) *AuditBasicParams {
+	abp.maxTreeDepth = maxTreeDepth
+	return abp
+}
+
 func (abp *AuditBasicParams) PipRequirementsFile() string {
 	return abp.pipRequirementsFile
 }