chore: add parsing utilities

Signed-off-by: Swarit Pandey <swarit@stepsecurity.io>

Author: swarit-stepsecurity

go.mod

@@ -3,3 +3,5 @@ module github.com/step-security/dev-machine-guard
 go 1.24
 
 require golang.org/x/sys v0.33.0
+
+require gopkg.in/yaml.v3 v3.0.1 // indirect

go.sum

@@ -1,2 +1,5 @@
 golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
 golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

internal/detector/lockfile.go

@@ -4,6 +4,8 @@ import (
 	"encoding/json"
 	"fmt"
 	"strings"
+
+	"gopkg.in/yaml.v3"
 )
 
 // LockfilePackage represents a single resolved package from a lockfile.
@@ -200,3 +202,208 @@ func GlobalNodeModulesDir(prefix, goos string) string {
 		return prefix + "/lib/node_modules"
 	}
 }
+
+// ---------- yarn.lock v1 parsing ----------
+//
+// Yarn v1 lockfile uses a custom format (not JSON or YAML):
+//
+//   "react@^19.0.0", "react@^19.2.5":
+//     version "19.2.5"
+//     resolved "https://registry.yarnpkg.com/react/-/react-19.2.5.tgz#..."
+//     integrity sha512-...
+//     dependencies:
+//       scheduler "^0.27.0"
+//
+// Each block starts with a non-indented header of name@range(s), followed by
+// indented key-value pairs. We extract version from each block.
+
+// ParseYarnLockV1 parses a yarn.lock v1 file and returns resolved packages.
+func ParseYarnLockV1(data []byte) (*LockfileResult, error) {
+	content := string(data)
+	lines := strings.Split(content, "\n")
+
+	var pkgs []LockfilePackage
+	var currentName string
+
+	for _, line := range lines {
+		// Skip comments and empty lines
+		if strings.HasPrefix(line, "#") || strings.TrimSpace(line) == "" {
+			continue
+		}
+
+		// Non-indented line = new block header
+		if len(line) > 0 && line[0] != ' ' && line[0] != '\t' {
+			currentName = extractYarnV1PackageName(line)
+			continue
+		}
+
+		// Indented line inside a block — look for "version"
+		trimmed := strings.TrimSpace(line)
+		if currentName != "" && strings.HasPrefix(trimmed, "version ") {
+			version := strings.TrimPrefix(trimmed, "version ")
+			version = strings.Trim(version, `"`)
+			pkgs = append(pkgs, LockfilePackage{
+				Name:    currentName,
+				Version: version,
+			})
+			currentName = "" // only take first version per block
+		}
+	}
+
+	return &LockfileResult{
+		Source:          "lockfile",
+		LockfileFormat:  "yarn-v1",
+		LockfileVersion: 1,
+		Packages:        pkgs,
+	}, nil
+}
+
+// extractYarnV1PackageName extracts the package name from a yarn.lock v1 header line.
+// Header formats:
+//
+//	"react@^19.0.0":
+//	react@^19.0.0:
+//	"react-dom@^19.2.5", "react-dom@^19.0.0":
+//	"@babel/core@^7.0.0":
+func extractYarnV1PackageName(header string) string {
+	// Take the first entry (before any comma)
+	if idx := strings.Index(header, ","); idx >= 0 {
+		header = header[:idx]
+	}
+	header = strings.TrimSpace(header)
+	header = strings.Trim(header, `":`)
+
+	// Find the @ that separates name from version range
+	// For scoped packages (@scope/name@range), skip the leading @
+	searchFrom := 0
+	if strings.HasPrefix(header, "@") {
+		searchFrom = 1
+	}
+	atIdx := strings.Index(header[searchFrom:], "@")
+	if atIdx < 0 {
+		return ""
+	}
+	return header[:searchFrom+atIdx]
+}
+
+// ---------- pnpm-lock.yaml parsing ----------
+//
+// pnpm-lock.yaml (v5/v6/v9) structure:
+//
+//   lockfileVersion: '9.0'
+//   importers:
+//     .:
+//       dependencies:
+//         fastify:
+//           specifier: ^5.8.4
+//           version: 5.8.4
+//   packages:
+//     '@fastify/ajv-compiler@4.0.5':
+//       resolution: {integrity: sha512-...}
+//     fastify@5.8.4:
+//       resolution: {integrity: sha512-...}
+//   snapshots:
+//     fastify@5.8.4:
+//       dependencies:
+//         ...
+
+// pnpmLockfile is the top-level structure of pnpm-lock.yaml.
+type pnpmLockfile struct {
+	LockfileVersion string                       `yaml:"lockfileVersion"`
+	Packages        map[string]pnpmPackageEntry  `yaml:"packages"`
+	Importers       map[string]pnpmImporterEntry `yaml:"importers"`
+}
+
+type pnpmPackageEntry struct {
+	Resolution map[string]string `yaml:"resolution"`
+	Dev        bool              `yaml:"dev"`
+}
+
+type pnpmImporterEntry struct {
+	Dependencies    map[string]pnpmDepRef `yaml:"dependencies"`
+	DevDependencies map[string]pnpmDepRef `yaml:"devDependencies"`
+}
+
+type pnpmDepRef struct {
+	Specifier string `yaml:"specifier"`
+	Version   string `yaml:"version"`
+}
+
+// ParsePnpmLock parses a pnpm-lock.yaml file and returns resolved packages.
+func ParsePnpmLock(data []byte) (*LockfileResult, error) {
+	var lock pnpmLockfile
+	if err := yaml.Unmarshal(data, &lock); err != nil {
+		return nil, fmt.Errorf("parse pnpm-lock.yaml: %w", err)
+	}
+
+	var pkgs []LockfilePackage
+
+	// Build a set of dev dependency names from importers for tagging
+	devDeps := make(map[string]bool)
+	for _, imp := range lock.Importers {
+		for name := range imp.DevDependencies {
+			devDeps[name] = true
+		}
+	}
+
+	// Parse packages map — keys are "name@version" or "@scope/name@version"
+	for key := range lock.Packages {
+		name, version := parsePnpmPackageKey(key)
+		if name == "" || version == "" {
+			continue
+		}
+		pkgs = append(pkgs, LockfilePackage{
+			Name:    name,
+			Version: version,
+			Dev:     devDeps[name],
+		})
+	}
+
+	// Determine lockfile version number
+	lockVer := 0
+	if strings.HasPrefix(lock.LockfileVersion, "9") {
+		lockVer = 9
+	} else if strings.HasPrefix(lock.LockfileVersion, "6") {
+		lockVer = 6
+	} else if strings.HasPrefix(lock.LockfileVersion, "5") {
+		lockVer = 5
+	}
+
+	return &LockfileResult{
+		Source:          "lockfile",
+		LockfileFormat:  fmt.Sprintf("pnpm-v%s", lock.LockfileVersion),
+		LockfileVersion: lockVer,
+		Packages:        pkgs,
+	}, nil
+}
+
+// parsePnpmPackageKey extracts name and version from a pnpm packages key.
+// Keys look like "express@4.18.2" or "@fastify/ajv-compiler@4.0.5"
+// or "/express@4.18.2" (older lockfile versions use leading slash).
+func parsePnpmPackageKey(key string) (name, version string) {
+	// Strip leading slash (pnpm v5/v6 format)
+	key = strings.TrimPrefix(key, "/")
+
+	// For scoped packages: @scope/name@version
+	// Find the last @ that separates name from version
+	if strings.HasPrefix(key, "@") {
+		// Scoped package: find @ after the first /
+		slashIdx := strings.Index(key, "/")
+		if slashIdx < 0 {
+			return "", ""
+		}
+		atIdx := strings.LastIndex(key[slashIdx:], "@")
+		if atIdx < 0 {
+			return "", ""
+		}
+		atIdx += slashIdx
+		return key[:atIdx], key[atIdx+1:]
+	}
+
+	// Unscoped package: name@version
+	atIdx := strings.LastIndex(key, "@")
+	if atIdx <= 0 {
+		return "", ""
+	}
+	return key[:atIdx], key[atIdx+1:]
+}