feat: override pnpm audit registry parameter (#8158)

fdlk · web-flow · commit 5a5990e8bdd0 · 2025-12-02T06:16:46.000-05:00
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/PnpmAuditAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/PnpmAuditAnalyzer.java
@@ -60,6 +60,11 @@ public class PnpmAuditAnalyzer extends AbstractNpmAnalyzer {
      */
     public static final String PNPM_PACKAGE_LOCK = "pnpm-lock.yaml";
 
+    /**
+     * The default registry parameter to pass to the pnpm audit execution.
+     */
+    public static final String DEFAULT_REGISTRY = "https://registry.npmjs.org/";
+
     /**
      * Filter that detects files named "pnpm-lock.yaml"
      */
@@ -202,9 +207,9 @@ private JSONObject fetchPnpmAuditJson(Dependency dependency, boolean skipDevDepe
             }
             // pnpm audit returns a json compliant with NpmAuditParser
             args.add("--json");
-            // ensure we are using the right registry despite .npmrc
+            // ensure we are using the right registry despite .npmrc, but allow override
             args.add("--registry");
-            args.add("https://registry.npmjs.org/");
+            args.add(getSettings().getString(Settings.KEYS.ANALYZER_PNPM_AUDIT_REGISTRY, DEFAULT_REGISTRY));
             final ProcessBuilder builder = new ProcessBuilder(args);
             builder.directory(folder);
             // Workaround 64k limitation of InputStream, redirect stdout to a file that we will read later
diff --git a/core/src/main/resources/dependencycheck.properties b/core/src/main/resources/dependencycheck.properties
@@ -118,6 +118,7 @@ analyzer.node.package.enabled=true
 analyzer.node.audit.enabled=true
 analyzer.yarn.audit.enabled=true
 analyzer.pnpm.audit.enabled=true
+analyzer.pnpm.audit.registry=https://registry.npmjs.org/
 analyzer.golang.dep.enabled=true
 analyzer.retirejs.enabled=true
 analyzer.retirejs.repo.validforhours=24
diff --git a/utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java b/utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
@@ -428,6 +428,10 @@ public static final class KEYS {
          * The properties key for whether the Pnpm Audit analyzer is enabled.
          */
         public static final String ANALYZER_PNPM_AUDIT_ENABLED = "analyzer.pnpm.audit.enabled";
+        /**
+         * The properties key for the Pnpm registry url.
+         */
+        public static final String ANALYZER_PNPM_AUDIT_REGISTRY = "analyzer.pnpm.audit.registry";
         /**
          * The properties key for supplying the URL to the Node Audit API.
          */
