cycode 3.10.2.dev1__tar.gz → 3.10.3__tar.gz

{cycode-3.10.2.dev1 → cycode-3.10.3}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cycode
-Version: 3.10.2.dev1
+Version: 3.10.3
 Summary: Boost security in your dev lifecycle via SAST, SCA, Secrets & IaC scanning.
 License-Expression: MIT
 License-File: LICENCE
@@ -710,15 +710,33 @@ In the previous example, if you wanted to only scan a branch named `dev`, you co
 > [!NOTE]
 > This option is only available to SCA scans.
 
-We use the sbt-dependency-lock plugin to restore the lock file for SBT projects.
-To disable lock restore in use `--no-restore` option.
+When running an SCA scan, Cycode CLI automatically attempts to restore (generate) a dependency lockfile for each supported manifest file it finds. This allows scanning transitive dependencies, not just the ones listed directly in the manifest. To skip this step and scan only direct dependencies, use the `--no-restore` flag.
 
-Prerequisites:
-* `sbt-dependency-lock` plugin: Install the plugin by adding the following line to `project/plugins.sbt`:
+The following ecosystems support automatic lockfile restoration:
 
-  ```text
-  addSbtPlugin("software.purpledragon" % "sbt-dependency-lock" % "1.5.1")
-  ```
+| Ecosystem | Manifest file | Lockfile generated | Tool invoked (when lockfile is absent) |
+|---|---|---|---|
+| npm | `package.json` | `package-lock.json` | `npm install --package-lock-only --ignore-scripts --no-audit` |
+| Yarn | `package.json` | `yarn.lock` | `yarn install --ignore-scripts` |
+| pnpm | `package.json` | `pnpm-lock.yaml` | `pnpm install --ignore-scripts` |
+| Deno | `deno.json` / `deno.jsonc` | `deno.lock` | *(read existing lockfile only)* |
+| Go | `go.mod` | `go.mod.graph` | `go list -m -json all` + `go mod graph` |
+| Maven | `pom.xml` | `bcde.mvndeps` | `mvn dependency:tree` |
+| Gradle | `build.gradle` / `build.gradle.kts` | `gradle-dependencies-generated.txt` | `gradle dependencies -q --console plain` |
+| SBT | `build.sbt` | `build.sbt.lock` | `sbt dependencyLockWrite` |
+| NuGet | `*.csproj` | `packages.lock.json` | `dotnet restore --use-lock-file` |
+| Ruby | `Gemfile` | `Gemfile.lock` | `bundle --quiet` |
+| Poetry | `pyproject.toml` | `poetry.lock` | `poetry lock` |
+| Pipenv | `Pipfile` | `Pipfile.lock` | `pipenv lock` |
+| PHP Composer | `composer.json` | `composer.lock` | `composer update --no-cache --no-install --no-scripts --ignore-platform-reqs` |
+
+If a lockfile already exists alongside the manifest, Cycode reads it directly without running any install command.
+
+**SBT prerequisite:** The `sbt-dependency-lock` plugin must be installed. Add the following line to `project/plugins.sbt`:
+
+```text
+addSbtPlugin("software.purpledragon" % "sbt-dependency-lock" % "1.5.1")
+```
 
 ### Repository Scan
 
@@ -1351,9 +1369,11 @@ For example:\
 
 The `path` subcommand supports the following additional options:
 
-| Option                  | Description                                                                                                                      |
-|-------------------------|----------------------------------------------------------------------------------------------------------------------------------|
-| `--maven-settings-file` | For Maven only, allows using a custom [settings.xml](https://maven.apache.org/settings.html) file when building the dependency tree |
+| Option                      | Description                                                                                                                         |
+|-----------------------------|-------------------------------------------------------------------------------------------------------------------------------------|
+| `--no-restore`              | Skip lockfile restoration and scan direct dependencies only. See [Lock Restore Option](#lock-restore-option) for details.           |
+| `--gradle-all-sub-projects` | Run the Gradle restore command for all sub-projects (use from the root of a multi-project Gradle build).                           |
+| `--maven-settings-file`     | For Maven only, allows using a custom [settings.xml](https://maven.apache.org/settings.html) file when building the dependency tree. |
 
 # Import Command
 

{cycode-3.10.2.dev1 → cycode-3.10.3}/README.md

@@ -668,15 +668,33 @@ In the previous example, if you wanted to only scan a branch named `dev`, you co
 > [!NOTE]
 > This option is only available to SCA scans.
 
-We use the sbt-dependency-lock plugin to restore the lock file for SBT projects.
-To disable lock restore in use `--no-restore` option.
-
-Prerequisites:
-* `sbt-dependency-lock` plugin: Install the plugin by adding the following line to `project/plugins.sbt`:
-
-  ```text
-  addSbtPlugin("software.purpledragon" % "sbt-dependency-lock" % "1.5.1")
-  ```
+When running an SCA scan, Cycode CLI automatically attempts to restore (generate) a dependency lockfile for each supported manifest file it finds. This allows scanning transitive dependencies, not just the ones listed directly in the manifest. To skip this step and scan only direct dependencies, use the `--no-restore` flag.
+
+The following ecosystems support automatic lockfile restoration:
+
+| Ecosystem | Manifest file | Lockfile generated | Tool invoked (when lockfile is absent) |
+|---|---|---|---|
+| npm | `package.json` | `package-lock.json` | `npm install --package-lock-only --ignore-scripts --no-audit` |
+| Yarn | `package.json` | `yarn.lock` | `yarn install --ignore-scripts` |
+| pnpm | `package.json` | `pnpm-lock.yaml` | `pnpm install --ignore-scripts` |
+| Deno | `deno.json` / `deno.jsonc` | `deno.lock` | *(read existing lockfile only)* |
+| Go | `go.mod` | `go.mod.graph` | `go list -m -json all` + `go mod graph` |
+| Maven | `pom.xml` | `bcde.mvndeps` | `mvn dependency:tree` |
+| Gradle | `build.gradle` / `build.gradle.kts` | `gradle-dependencies-generated.txt` | `gradle dependencies -q --console plain` |
+| SBT | `build.sbt` | `build.sbt.lock` | `sbt dependencyLockWrite` |
+| NuGet | `*.csproj` | `packages.lock.json` | `dotnet restore --use-lock-file` |
+| Ruby | `Gemfile` | `Gemfile.lock` | `bundle --quiet` |
+| Poetry | `pyproject.toml` | `poetry.lock` | `poetry lock` |
+| Pipenv | `Pipfile` | `Pipfile.lock` | `pipenv lock` |
+| PHP Composer | `composer.json` | `composer.lock` | `composer update --no-cache --no-install --no-scripts --ignore-platform-reqs` |
+
+If a lockfile already exists alongside the manifest, Cycode reads it directly without running any install command.
+
+**SBT prerequisite:** The `sbt-dependency-lock` plugin must be installed. Add the following line to `project/plugins.sbt`:
+
+```text
+addSbtPlugin("software.purpledragon" % "sbt-dependency-lock" % "1.5.1")
+```
 
 ### Repository Scan
 
@@ -1309,9 +1327,11 @@ For example:\
 
 The `path` subcommand supports the following additional options:
 
-| Option                  | Description                                                                                                                      |
-|-------------------------|----------------------------------------------------------------------------------------------------------------------------------|
-| `--maven-settings-file` | For Maven only, allows using a custom [settings.xml](https://maven.apache.org/settings.html) file when building the dependency tree |
+| Option                      | Description                                                                                                                         |
+|-----------------------------|-------------------------------------------------------------------------------------------------------------------------------------|
+| `--no-restore`              | Skip lockfile restoration and scan direct dependencies only. See [Lock Restore Option](#lock-restore-option) for details.           |
+| `--gradle-all-sub-projects` | Run the Gradle restore command for all sub-projects (use from the root of a multi-project Gradle build).                           |
+| `--maven-settings-file`     | For Maven only, allows using a custom [settings.xml](https://maven.apache.org/settings.html) file when building the dependency tree. |
 
 # Import Command
 

cycode-3.10.3/cycode/__init__.py

@@ -0,0 +1 @@
+__version__ = '3.10.3'  # DON'T TOUCH. Placeholder. Will be filled automatically on poetry build from Git Tag

{cycode-3.10.2.dev1 → cycode-3.10.3}/cycode/cli/apps/report/sbom/path/path_command.py

@@ -1,11 +1,17 @@
 import time
 from pathlib import Path
-from typing import Annotated, Optional
+from typing import Annotated
 
 import typer
 
 from cycode.cli import consts
 from cycode.cli.apps.report.sbom.common import create_sbom_report, send_report_feedback
+from cycode.cli.apps.sca_options import (
+    GradleAllSubProjectsOption,
+    MavenSettingsFileOption,
+    NoRestoreOption,
+    apply_sca_restore_options_to_context,
+)
 from cycode.cli.exceptions.handle_report_sbom_errors import handle_report_exception
 from cycode.cli.files_collector.path_documents import get_relevant_documents
 from cycode.cli.files_collector.sca.sca_file_collector import add_sca_dependencies_tree_documents_if_needed
@@ -14,8 +20,6 @@ from cycode.cli.utils.get_api_client import get_report_cycode_client
 from cycode.cli.utils.progress_bar import SbomReportProgressBarSection
 from cycode.cli.utils.scan_utils import is_cycodeignore_allowed_by_scan_config
 
-_SCA_RICH_HELP_PANEL = 'SCA options'
-
 
 def path_command(
     ctx: typer.Context,
@@ -23,18 +27,11 @@ def path_command(
         Path,
         typer.Argument(exists=True, resolve_path=True, help='Path to generate SBOM report for.', show_default=False),
     ],
-    maven_settings_file: Annotated[
-        Optional[Path],
-        typer.Option(
-            '--maven-settings-file',
-            show_default=False,
-            help='When specified, Cycode will use this settings.xml file when building the maven dependency tree.',
-            dir_okay=False,
-            rich_help_panel=_SCA_RICH_HELP_PANEL,
-        ),
-    ] = None,
+    no_restore: NoRestoreOption = False,
+    gradle_all_sub_projects: GradleAllSubProjectsOption = False,
+    maven_settings_file: MavenSettingsFileOption = None,
 ) -> None:
-    ctx.obj['maven_settings_file'] = maven_settings_file
+    apply_sca_restore_options_to_context(ctx, no_restore, gradle_all_sub_projects, maven_settings_file)
 
     client = get_report_cycode_client(ctx)
     report_parameters = ctx.obj['report_parameters']

cycode-3.10.3/cycode/cli/apps/sca_options.py

@@ -0,0 +1,47 @@
+from pathlib import Path
+from typing import Annotated, Optional
+
+import typer
+
+_SCA_RICH_HELP_PANEL = 'SCA options'
+
+NoRestoreOption = Annotated[
+    bool,
+    typer.Option(
+        '--no-restore',
+        help='When specified, Cycode will not run restore command. Will scan direct dependencies [b]only[/]!',
+        rich_help_panel=_SCA_RICH_HELP_PANEL,
+    ),
+]
+
+GradleAllSubProjectsOption = Annotated[
+    bool,
+    typer.Option(
+        '--gradle-all-sub-projects',
+        help='When specified, Cycode will run gradle restore command for all sub projects. '
+        'Should run from root project directory [b]only[/]!',
+        rich_help_panel=_SCA_RICH_HELP_PANEL,
+    ),
+]
+
+MavenSettingsFileOption = Annotated[
+    Optional[Path],
+    typer.Option(
+        '--maven-settings-file',
+        show_default=False,
+        help='When specified, Cycode will use this settings.xml file when building the maven dependency tree.',
+        dir_okay=False,
+        rich_help_panel=_SCA_RICH_HELP_PANEL,
+    ),
+]
+
+
+def apply_sca_restore_options_to_context(
+    ctx: typer.Context,
+    no_restore: bool,
+    gradle_all_sub_projects: bool,
+    maven_settings_file: Optional[Path],
+) -> None:
+    ctx.obj['no_restore'] = no_restore
+    ctx.obj['gradle_all_sub_projects'] = gradle_all_sub_projects
+    ctx.obj['maven_settings_file'] = maven_settings_file

{cycode-3.10.2.dev1 → cycode-3.10.3}/cycode/cli/apps/scan/scan_command.py

@@ -5,6 +5,12 @@ from typing import Annotated, Optional
 import click
 import typer
 
+from cycode.cli.apps.sca_options import (
+    GradleAllSubProjectsOption,
+    MavenSettingsFileOption,
+    NoRestoreOption,
+    apply_sca_restore_options_to_context,
+)
 from cycode.cli.apps.scan.remote_url_resolver import _try_get_git_remote_url
 from cycode.cli.cli_types import ExportTypeOption, ScanTypeOption, ScaScanTypeOption, SeverityOption
 from cycode.cli.consts import (
@@ -72,33 +78,9 @@ def scan_command(
             rich_help_panel=_SCA_RICH_HELP_PANEL,
         ),
     ] = False,
-    no_restore: Annotated[
-        bool,
-        typer.Option(
-            '--no-restore',
-            help='When specified, Cycode will not run restore command. Will scan direct dependencies [b]only[/]!',
-            rich_help_panel=_SCA_RICH_HELP_PANEL,
-        ),
-    ] = False,
-    gradle_all_sub_projects: Annotated[
-        bool,
-        typer.Option(
-            '--gradle-all-sub-projects',
-            help='When specified, Cycode will run gradle restore command for all sub projects. '
-            'Should run from root project directory [b]only[/]!',
-            rich_help_panel=_SCA_RICH_HELP_PANEL,
-        ),
-    ] = False,
-    maven_settings_file: Annotated[
-        Optional[Path],
-        typer.Option(
-            '--maven-settings-file',
-            show_default=False,
-            help='When specified, Cycode will use this settings.xml file when building the maven dependency tree.',
-            dir_okay=False,
-            rich_help_panel=_SCA_RICH_HELP_PANEL,
-        ),
-    ] = None,
+    no_restore: NoRestoreOption = False,
+    gradle_all_sub_projects: GradleAllSubProjectsOption = False,
+    maven_settings_file: MavenSettingsFileOption = None,
     export_type: Annotated[
         ExportTypeOption,
         typer.Option(
@@ -152,10 +134,8 @@ def scan_command(
     ctx.obj['sync'] = sync
     ctx.obj['severity_threshold'] = severity_threshold
     ctx.obj['monitor'] = monitor
-    ctx.obj['maven_settings_file'] = maven_settings_file
     ctx.obj['report'] = report
-    ctx.obj['gradle_all_sub_projects'] = gradle_all_sub_projects
-    ctx.obj['no_restore'] = no_restore
+    apply_sca_restore_options_to_context(ctx, no_restore, gradle_all_sub_projects, maven_settings_file)
 
     scan_client = get_scan_cycode_client(ctx)
     ctx.obj['client'] = scan_client

{cycode-3.10.2.dev1 → cycode-3.10.3}/cycode/cli/cli_types.py

@@ -46,6 +46,7 @@ class SbomFormatOption(StrEnum):
     SPDX_2_2 = 'spdx-2.2'
     SPDX_2_3 = 'spdx-2.3'
     CYCLONEDX_1_4 = 'cyclonedx-1.4'
+    CYCLONEDX_1_6 = 'cyclonedx-1.6'
 
 
 class SbomOutputFormatOption(StrEnum):

{cycode-3.10.2.dev1 → cycode-3.10.3}/cycode/cli/files_collector/sca/base_restore_dependencies.py

@@ -1,5 +1,5 @@
-import os
 from abc import ABC, abstractmethod
+from pathlib import Path
 from typing import Optional
 
 import typer
@@ -32,6 +32,9 @@ def execute_commands(
         },
     )
 
+    if not commands:
+        return None
+
     try:
         outputs = []
 
@@ -106,22 +109,43 @@ class BaseRestoreDependencies(ABC):
         )
         return Document(relative_restore_file_path, restore_file_content, self.is_git_diff)
 
+    def get_manifest_dir(self, document: Document) -> Optional[str]:
+        """Return the directory containing the manifest file, resolving monitor-mode paths.
+
+        Uses the same path resolution as get_manifest_file_path() to ensure consistency.
+        Falls back to document.absolute_path when the resolved manifest path is ambiguous.
+        """
+        manifest_file_path = self.get_manifest_file_path(document)
+        if manifest_file_path:
+            parent = Path(manifest_file_path).parent
+            # Skip '.' (no parent) and filesystem root (its own parent)
+            if parent != Path('.') and parent != parent.parent:
+                return str(parent)
+
+        base = document.absolute_path or document.path
+        if base:
+            parent = Path(base).parent
+            if parent != Path('.') and parent != parent.parent:
+                return str(parent)
+
+        return None
+
     def get_working_directory(self, document: Document) -> Optional[str]:
-        return os.path.dirname(document.absolute_path)
+        return str(Path(document.absolute_path).parent)
 
     def get_restored_lock_file_name(self, restore_file_path: str) -> str:
         return self.get_lock_file_name()
 
     def get_any_restore_file_already_exist(self, document: Document, restore_file_paths: list[str]) -> str:
         for restore_file_path in restore_file_paths:
-            if os.path.isfile(restore_file_path):
+            if Path(restore_file_path).is_file():
                 return restore_file_path
 
         return build_dep_tree_path(document.absolute_path, self.get_lock_file_name())
 
     @staticmethod
     def verify_restore_file_already_exist(restore_file_path: str) -> bool:
-        return os.path.isfile(restore_file_path)
+        return Path(restore_file_path).is_file()
 
     @abstractmethod
     def is_project(self, document: Document) -> bool:

{cycode-3.10.2.dev1 → cycode-3.10.3}/cycode/cli/files_collector/sca/go/restore_go_dependencies.py

@@ -1,4 +1,4 @@
-import os
+from pathlib import Path
 from typing import Optional
 
 import typer
@@ -20,13 +20,13 @@ class RestoreGoDependencies(BaseRestoreDependencies):
         super().__init__(ctx, is_git_diff, command_timeout, create_output_file_manually=True)
 
     def try_restore_dependencies(self, document: Document) -> Optional[Document]:
-        manifest_exists = os.path.isfile(self.get_working_directory(document) + os.sep + BUILD_GO_FILE_NAME)
-        lock_exists = os.path.isfile(self.get_working_directory(document) + os.sep + BUILD_GO_LOCK_FILE_NAME)
+        manifest_exists = (Path(self.get_working_directory(document)) / BUILD_GO_FILE_NAME).is_file()
+        lock_exists = (Path(self.get_working_directory(document)) / BUILD_GO_LOCK_FILE_NAME).is_file()
 
         if not manifest_exists or not lock_exists:
             logger.info('No manifest go.mod file found' if not manifest_exists else 'No manifest go.sum file found')
 
-        manifest_files_exists = manifest_exists & lock_exists
+        manifest_files_exists = manifest_exists and lock_exists
 
         if not manifest_files_exists:
             return None

cycode-3.10.3/cycode/cli/files_collector/sca/npm/restore_deno_dependencies.py

@@ -0,0 +1,46 @@
+from pathlib import Path
+from typing import Optional
+
+import typer
+
+from cycode.cli.files_collector.sca.base_restore_dependencies import BaseRestoreDependencies, build_dep_tree_path
+from cycode.cli.models import Document
+from cycode.cli.utils.path_utils import get_file_content
+from cycode.logger import get_logger
+
+logger = get_logger('Deno Restore Dependencies')
+
+DENO_MANIFEST_FILE_NAMES = ('deno.json', 'deno.jsonc')
+DENO_LOCK_FILE_NAME = 'deno.lock'
+
+
+class RestoreDenoDependencies(BaseRestoreDependencies):
+    def __init__(self, ctx: typer.Context, is_git_diff: bool, command_timeout: int) -> None:
+        super().__init__(ctx, is_git_diff, command_timeout)
+
+    def is_project(self, document: Document) -> bool:
+        return Path(document.path).name in DENO_MANIFEST_FILE_NAMES
+
+    def try_restore_dependencies(self, document: Document) -> Optional[Document]:
+        manifest_dir = self.get_manifest_dir(document)
+        if not manifest_dir:
+            return None
+
+        lockfile_path = Path(manifest_dir) / DENO_LOCK_FILE_NAME
+        if not lockfile_path.is_file():
+            logger.debug('No deno.lock found alongside deno.json, skipping deno restore, %s', {'path': document.path})
+            return None
+
+        content = get_file_content(str(lockfile_path))
+        relative_path = build_dep_tree_path(document.path, DENO_LOCK_FILE_NAME)
+        logger.debug('Using existing deno.lock, %s', {'path': str(lockfile_path)})
+        return Document(relative_path, content, self.is_git_diff)
+
+    def get_commands(self, manifest_file_path: str) -> list[list[str]]:
+        return []
+
+    def get_lock_file_name(self) -> str:
+        return DENO_LOCK_FILE_NAME
+
+    def get_lock_file_names(self) -> list[str]:
+        return [DENO_LOCK_FILE_NAME]

cycode-3.10.3/cycode/cli/files_collector/sca/npm/restore_npm_dependencies.py

@@ -0,0 +1,67 @@
+from pathlib import Path
+
+import typer
+
+from cycode.cli.files_collector.sca.base_restore_dependencies import BaseRestoreDependencies
+from cycode.cli.models import Document
+from cycode.logger import get_logger
+
+logger = get_logger('NPM Restore Dependencies')
+
+NPM_MANIFEST_FILE_NAME = 'package.json'
+NPM_LOCK_FILE_NAME = 'package-lock.json'
+# These lockfiles indicate another package manager owns the project — NPM should not run
+_ALTERNATIVE_LOCK_FILES = ('yarn.lock', 'pnpm-lock.yaml', 'deno.lock')
+
+
+class RestoreNpmDependencies(BaseRestoreDependencies):
+    def __init__(self, ctx: typer.Context, is_git_diff: bool, command_timeout: int) -> None:
+        super().__init__(ctx, is_git_diff, command_timeout)
+
+    def is_project(self, document: Document) -> bool:
+        """Match only package.json files that are not managed by Yarn or pnpm.
+
+        Yarn and pnpm projects are handled by their dedicated handlers, which run before
+        this one in the handler list. This handler is the npm fallback.
+        """
+        if Path(document.path).name != NPM_MANIFEST_FILE_NAME:
+            return False
+
+        manifest_dir = self.get_manifest_dir(document)
+        if manifest_dir:
+            for lock_file in _ALTERNATIVE_LOCK_FILES:
+                if (Path(manifest_dir) / lock_file).is_file():
+                    logger.debug(
+                        'Skipping npm restore: alternative lockfile detected, %s',
+                        {'path': document.path, 'lockfile': lock_file},
+                    )
+                    return False
+
+        return True
+
+    def get_commands(self, manifest_file_path: str) -> list[list[str]]:
+        return [
+            [
+                'npm',
+                'install',
+                '--prefix',
+                self.prepare_manifest_file_path_for_command(manifest_file_path),
+                '--package-lock-only',
+                '--ignore-scripts',
+                '--no-audit',
+            ]
+        ]
+
+    def get_lock_file_name(self) -> str:
+        return NPM_LOCK_FILE_NAME
+
+    def get_lock_file_names(self) -> list[str]:
+        return [NPM_LOCK_FILE_NAME]
+
+    @staticmethod
+    def prepare_manifest_file_path_for_command(manifest_file_path: str) -> str:
+        if manifest_file_path.endswith(NPM_MANIFEST_FILE_NAME):
+            parent = Path(manifest_file_path).parent
+            dir_path = str(parent)
+            return dir_path if dir_path and dir_path != '.' else ''
+        return manifest_file_path

cycode-3.10.3/cycode/cli/files_collector/sca/npm/restore_pnpm_dependencies.py

@@ -0,0 +1,70 @@
+import json
+from pathlib import Path
+from typing import Optional
+
+import typer
+
+from cycode.cli.files_collector.sca.base_restore_dependencies import BaseRestoreDependencies, build_dep_tree_path
+from cycode.cli.models import Document
+from cycode.cli.utils.path_utils import get_file_content
+from cycode.logger import get_logger
+
+logger = get_logger('Pnpm Restore Dependencies')
+
+PNPM_MANIFEST_FILE_NAME = 'package.json'
+PNPM_LOCK_FILE_NAME = 'pnpm-lock.yaml'
+
+
+def _indicates_pnpm(package_json_content: Optional[str]) -> bool:
+    """Return True if package.json content signals that this project uses pnpm."""
+    if not package_json_content:
+        return False
+    try:
+        data = json.loads(package_json_content)
+    except (json.JSONDecodeError, ValueError):
+        return False
+
+    package_manager = data.get('packageManager', '')
+    if isinstance(package_manager, str) and package_manager.startswith('pnpm'):
+        return True
+
+    engines = data.get('engines', {})
+    return isinstance(engines, dict) and 'pnpm' in engines
+
+
+class RestorePnpmDependencies(BaseRestoreDependencies):
+    def __init__(self, ctx: typer.Context, is_git_diff: bool, command_timeout: int) -> None:
+        super().__init__(ctx, is_git_diff, command_timeout)
+
+    def is_project(self, document: Document) -> bool:
+        if Path(document.path).name != PNPM_MANIFEST_FILE_NAME:
+            return False
+
+        manifest_dir = self.get_manifest_dir(document)
+        if manifest_dir and (Path(manifest_dir) / PNPM_LOCK_FILE_NAME).is_file():
+            return True
+
+        return _indicates_pnpm(document.content)
+
+    def try_restore_dependencies(self, document: Document) -> Optional[Document]:
+        manifest_dir = self.get_manifest_dir(document)
+        lockfile_path = Path(manifest_dir) / PNPM_LOCK_FILE_NAME if manifest_dir else None
+
+        if lockfile_path and lockfile_path.is_file():
+            # Lockfile already exists — read it directly without running pnpm
+            content = get_file_content(str(lockfile_path))
+            relative_path = build_dep_tree_path(document.path, PNPM_LOCK_FILE_NAME)
+            logger.debug('Using existing pnpm-lock.yaml, %s', {'path': str(lockfile_path)})
+            return Document(relative_path, content, self.is_git_diff)
+
+        # Lockfile absent but pnpm is indicated in package.json — generate it
+        return super().try_restore_dependencies(document)
+
+    def get_commands(self, manifest_file_path: str) -> list[list[str]]:
+        return [['pnpm', 'install', '--ignore-scripts']]
+
+    def get_lock_file_name(self) -> str:
+        return PNPM_LOCK_FILE_NAME
+
+    def get_lock_file_names(self) -> list[str]:
+        return [PNPM_LOCK_FILE_NAME]

cycode-3.10.3/cycode/cli/files_collector/sca/npm/restore_yarn_dependencies.py

@@ -0,0 +1,70 @@
+import json
+from pathlib import Path
+from typing import Optional
+
+import typer
+
+from cycode.cli.files_collector.sca.base_restore_dependencies import BaseRestoreDependencies, build_dep_tree_path
+from cycode.cli.models import Document
+from cycode.cli.utils.path_utils import get_file_content
+from cycode.logger import get_logger
+
+logger = get_logger('Yarn Restore Dependencies')
+
+YARN_MANIFEST_FILE_NAME = 'package.json'
+YARN_LOCK_FILE_NAME = 'yarn.lock'
+
+
+def _indicates_yarn(package_json_content: Optional[str]) -> bool:
+    """Return True if package.json content signals that this project uses Yarn."""
+    if not package_json_content:
+        return False
+    try:
+        data = json.loads(package_json_content)
+    except (json.JSONDecodeError, ValueError):
+        return False
+
+    package_manager = data.get('packageManager', '')
+    if isinstance(package_manager, str) and package_manager.startswith('yarn'):
+        return True
+
+    engines = data.get('engines', {})
+    return isinstance(engines, dict) and 'yarn' in engines
+
+
+class RestoreYarnDependencies(BaseRestoreDependencies):
+    def __init__(self, ctx: typer.Context, is_git_diff: bool, command_timeout: int) -> None:
+        super().__init__(ctx, is_git_diff, command_timeout)
+
+    def is_project(self, document: Document) -> bool:
+        if Path(document.path).name != YARN_MANIFEST_FILE_NAME:
+            return False
+
+        manifest_dir = self.get_manifest_dir(document)
+        if manifest_dir and (Path(manifest_dir) / YARN_LOCK_FILE_NAME).is_file():
+            return True
+
+        return _indicates_yarn(document.content)
+
+    def try_restore_dependencies(self, document: Document) -> Optional[Document]:
+        manifest_dir = self.get_manifest_dir(document)
+        lockfile_path = Path(manifest_dir) / YARN_LOCK_FILE_NAME if manifest_dir else None
+
+        if lockfile_path and lockfile_path.is_file():
+            # Lockfile already exists — read it directly without running yarn
+            content = get_file_content(str(lockfile_path))
+            relative_path = build_dep_tree_path(document.path, YARN_LOCK_FILE_NAME)
+            logger.debug('Using existing yarn.lock, %s', {'path': str(lockfile_path)})
+            return Document(relative_path, content, self.is_git_diff)
+
+        # Lockfile absent but yarn is indicated in package.json — generate it
+        return super().try_restore_dependencies(document)
+
+    def get_commands(self, manifest_file_path: str) -> list[list[str]]:
+        return [['yarn', 'install', '--ignore-scripts']]
+
+    def get_lock_file_name(self) -> str:
+        return YARN_LOCK_FILE_NAME
+
+    def get_lock_file_names(self) -> list[str]:
+        return [YARN_LOCK_FILE_NAME]