
feat(nodejs): add a bun.lock analyzer #8897

Merged: 10 commits, May 28, 2025

Conversation

@sneaky-potato sneaky-potato commented May 21, 2025

Description

This PR adds an analyzer for the bun.lock file, thereby adding support for scanning repositories developed using bun.

Run trivy fs . in a repository containing a bun.lock file to generate a summary report of vulnerabilities. You may also use trivy fs . --include-dev-deps to include scanned information about development dependencies.

$ ./trivy -q fs ./pkg/fanal/analyzer/language/nodejs/bun/testdata/happy -f json --list-all-pkgs | jq '.Results[].Packages[]'
{
  "ID": "typescript@5.8.3",
  "Name": "typescript",
  "Identifier": {
    "PURL": "pkg:npm/typescript@5.8.3",
    "UID": "4aa84f523f4d97b2"
  },
  "Version": "5.8.3",
  "Licenses": [
    "Apache-2.0"
  ],
  "Relationship": "direct",
  "Layer": {},
  "Locations": [
    {
      "StartLine": 24,
      "EndLine": 24
    }
  ]
}
{
  "ID": "zod@3.24.4",
  "Name": "zod",
  "Identifier": {
    "PURL": "pkg:npm/zod@3.24.4",
    "UID": "12b7c6a46de41c88"
  },
  "Version": "3.24.4",
  "Licenses": [
    "MIT"
  ],
  "Relationship": "direct",
  "Layer": {},
  "Locations": [
    {
      "StartLine": 28,
      "EndLine": 28
    }
  ]
}

Related issues

Related PRs

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options).
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).
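As an added illustration of what such an analyzer has to do (example code written for this page, not the analyzer from this PR or any other Trivy code), here is a minimal Go parser for bun.lock. It assumes the text lockfile layout Bun writes: a workspaces map whose "" entry holds the root package's dependencies and devDependencies, a packages map whose values are arrays of [name@version, registry, metadata, integrity], and trailing commas, which encoding/json rejects; the sample lockfile is constructed and its integrity hashes are placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// SampleLock is a constructed bun.lock excerpt (integrity hashes replaced by a placeholder). Root workspace ""
// lists one runtime and one dev dependency; each "packages" value is [name@version, registry, metadata, integrity].
const SampleLock = `{
  "workspaces": { "": { "name": "app", "dependencies": { "zod": "^3.24.4" }, "devDependencies": { "typescript": "^5.8.3" }, }, },
  "packages": { "typescript": ["typescript@5.8.3", "", { "bin": { "tsc": "bin/tsc" } }, "sha512-PLACEHOLDER"], "zod": ["zod@3.24.4", "", {}, "sha512-PLACEHOLDER"], },
}`
// Package is what an analyzer hands to the scanner: Direct = listed by the root workspace, Dev = only under devDependencies.
type Package struct{ Name, Version string; Direct, Dev bool }
type bunLock struct {
	Workspaces map[string]struct {
		Dependencies    map[string]string `json:"dependencies"`
		DevDependencies map[string]string `json:"devDependencies"`
	} `json:"workspaces"`
	Packages map[string][]json.RawMessage `json:"packages"`
}
var trailingComma = regexp.MustCompile(`,(\s*[}\]])`) // Bun writes trailing commas; encoding/json rejects them

// ParseBunLock returns packages keyed by lockfile path ("a/b" is a nested copy of b under a).
func ParseBunLock(src string) (map[string]Package, error) {
	var lock bunLock
	if err := json.Unmarshal([]byte(trailingComma.ReplaceAllString(src, "$1")), &lock); err != nil {
		return nil, err
	}
	root, pkgs := lock.Workspaces[""], map[string]Package{}
	for key, entry := range lock.Packages {
		var spec string
		if len(entry) == 0 || json.Unmarshal(entry[0], &spec) != nil {
			return nil, fmt.Errorf("package %q: malformed entry", key)
		}
		i := strings.LastIndex(spec, "@") // split on the last '@' so scoped names like @types/node survive
		if i <= 0 {
			return nil, fmt.Errorf("package %q: bad spec %q", key, spec)
		}
		name, version := spec[:i], spec[i+1:]
		_, prod := root.Dependencies[name]
		_, dev := root.DevDependencies[name]
		pkgs[key] = Package{Name: name, Version: version, Direct: key == name && (prod || dev), Dev: dev && !prod}
	}
	return pkgs, nil
}
func main() { fmt.Println(ParseBunLock(SampleLock)) }
```

Transitive dev-only packages are not traced here; only the root workspace's direct devDependencies are flagged, so a real analyzer needs a graph walk on top of this.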

@sneaky-potato sneaky-potato marked this pull request as draft May 21, 2025 12:43
@DmitriyLewen

Hello @sneaky-potato
Thanks for your work!

Don't forget to update the docs and the purl package.
Also, it would be great if you added a test case in repo_test.go for the bun.lock file.

@sneaky-potato sneaky-potato marked this pull request as ready for review May 23, 2025 10:29
@knqyf263 knqyf263 requested a review from Copilot May 26, 2025 05:33

@Copilot Copilot AI left a comment


Pull Request Overview

This PR introduces support for analyzing bun.lock files for vulnerability scanning by adding a dedicated analyzer for Bun.

  • Added support for ftypes.Bun in package URL handling and vulnerability detection.
  • Implemented a new bun analyzer with accompanying test cases and integration test fixtures.
  • Updated various constants, imports, and routing logic to accommodate Bun analysis.

Reviewed Changes

Copilot reviewed 28 out of 28 changed files in this pull request and generated 1 comment.

Summary per file:

pkg/purl/purl_test.go: Added a new test case for converting bun package URLs.
pkg/purl/purl.go: Extended URL handling to include ftypes.Bun.
pkg/fanal/types/const.go: Defined a new constant for bun.lock filenames.
pkg/fanal/analyzer/language/nodejs/bun/bun_test.go: Added tests for the bun analyzer functionality.
pkg/fanal/analyzer/language/nodejs/bun/bun.go: Implemented the bun analyzer including file parsing logic.
pkg/fanal/analyzer/const.go: Added a new analyzer type constant for bun.
pkg/fanal/analyzer/all/import.go: Included the new bun analyzer in the analyzer registry.
pkg/detector/library/driver.go: Updated vulnerability detection to recognize Bun.
integration/testdata/fixtures/repo/bun/package.json: Added fixture package.json for Bun-based repositories.
integration/testdata/bun.json.golden: Introduced a new golden file for Bun test results.
integration/repo_test.go: Included integration test case for the Bun analyzer.


@DmitriyLewen DmitriyLewen left a comment


@sneaky-potato left small comments.

Can you also add a small example of how these changes work in the PR description?
We'll include this example in the release notes.


@DmitriyLewen DmitriyLewen left a comment


Sorry, looks like I didn't hit the submit button...


@DmitriyLewen DmitriyLewen left a comment


LGTM

Left small comments


@DmitriyLewen DmitriyLewen left a comment


@sneaky-potato Thanks a lot for your contribution.
LGTM


@knqyf263 knqyf263 left a comment


Thanks for your great contribution!

@knqyf263 knqyf263 added this pull request to the merge queue May 28, 2025
Merged via the queue into aquasecurity:main with commit 7ca656d May 28, 2025
17 checks passed