Support for scanning renv lockfiles for the R language

[dijitali]

Following the addition of CRAN for the R language to the OSV database (google/osv.dev#1477), it would be helpful if this CLI supported scanning renv lockfiles.

A workaround at present is to parse the lockfile with jq and generate a custom lockfile:

jq '{
    results: [
      {
        packages: [
          .Packages | to_entries[] | {
            package: {
              name: .key,
              version: .value.Version,
              ecosystem: "CRAN"
            }
          }
        ]
      }
    ]
  }' renv.lock > osv-renv-lock.json

osv-scanner --lockfile osv-scanner:./osv-renv-lock.json

[G-Rath]

I'd actually been looking into this a few weeks ago; would you mind providing some example lockfiles for fixtures? I can dig these out from open source projects, but if you know of any special cases that would be worth having tests for that'd be great to hear (e.g. the NPM ecosystem supports the same package multiple times with different versions and peer dependencies, ruby supports different OSs, Go has replace, etc; it doesn't look like renv has that kind of complexity, but would be good to confirm that with folks who actually use the tool!)

Also for future me: https://rstudio.github.io/renv/articles/lockfile.html

[dijitali]

I'm not too familiar with any special cases but perhaps a good foundation would be the renv project's tests?

For example:
https://github.com/rstudio/renv/blob/main/tests/testthat/test-lockfile.R

Other than that, I'm aware there are changes in the works for things like dev dependencies (rstudio/renv#1695). But actually from a quick look, it sounds like this isn't something osv-scanner supports yet either (#332).