bibliothecary 10.2.4 → 11.0.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.ruby-version +1 -1
- data/CHANGELOG.md +13 -0
- data/lib/bibliothecary/dependency.rb +0 -6
- data/lib/bibliothecary/multi_parsers/dependencies_csv.rb +0 -7
- data/lib/bibliothecary/parsers/maven.rb +62 -36
- data/lib/bibliothecary/parsers/npm.rb +0 -2
- data/lib/bibliothecary/version.rb +1 -1
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 78844f8813583a84df76e0ad0c72f9b8136b47d82aec8194e3e6766049ba721b
|
|
4
|
+
data.tar.gz: bb84e383f0bbded7361d7efbf4550f100d08281a294def960c95ddb1dca4f97c
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: f537a3fd368046789baf28c758b8f60d8832b7601f2ae78211a78d4d583ee7ddc4d4729f1ca3387e92958756586a6c1608099a4849db70c9e0a2a3b7405ff564
|
|
7
|
+
data.tar.gz: 8b9d7e93affe8df9d4e898bf4c128f912f16dd2e1c61ba7dfde0163690df91c173ed0a75c48717a702ddb45dfff2053527b5730c3d76738e7bf51b2344d09cff
|
data/.ruby-version
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
3.
|
|
1
|
+
3.2.5
|
data/CHANGELOG.md
CHANGED
|
@@ -13,6 +13,19 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
13
13
|
|
|
14
14
|
### Removed
|
|
15
15
|
|
|
16
|
+
|
|
17
|
+
## [11.0.1] - 2024-12-20
|
|
18
|
+
|
|
19
|
+
### Changed
|
|
20
|
+
|
|
21
|
+
- Alow retrieving maven versions from parent poms
|
|
22
|
+
|
|
23
|
+
## [11.0.0] - 2024-11-22
|
|
24
|
+
|
|
25
|
+
### Changed
|
|
26
|
+
|
|
27
|
+
- Removed lockfile_requirement from Bibliothecary::Dependency
|
|
28
|
+
|
|
16
29
|
## [10.2.4] - 2024-11-06
|
|
17
30
|
|
|
18
31
|
### Changed
|
|
@@ -16,8 +16,6 @@ module Bibliothecary
|
|
|
16
16
|
# where it did not match the resolved name. This can be used for features like aliasing.
|
|
17
17
|
# @attr_reader [String] original_requirement The original requirement used to require the dependency,
|
|
18
18
|
# for cases where it did not match the resolved name. This can be used for features like aliasing.
|
|
19
|
-
# @attr_reader [String] lockfile_requirement The requirement found in the lockfile, e.g. "1.0.0" or "^1.0.0". This is
|
|
20
|
-
# only returned from the yarn.lock parser and may not be used by downstream users. TODO: should this be deprecated?
|
|
21
19
|
# @source [String] source An optional string to store the location of the manifest that contained this
|
|
22
20
|
# dependency, e.g. "src/package.json".
|
|
23
21
|
class Dependency
|
|
@@ -25,7 +23,6 @@ module Bibliothecary
|
|
|
25
23
|
:name,
|
|
26
24
|
:requirement,
|
|
27
25
|
:original_requirement,
|
|
28
|
-
:lockfile_requirement,
|
|
29
26
|
:platform,
|
|
30
27
|
:type,
|
|
31
28
|
:direct,
|
|
@@ -42,7 +39,6 @@ module Bibliothecary
|
|
|
42
39
|
name:,
|
|
43
40
|
requirement:,
|
|
44
41
|
original_requirement: nil,
|
|
45
|
-
lockfile_requirement: nil,
|
|
46
42
|
platform: nil,
|
|
47
43
|
type: nil,
|
|
48
44
|
direct: nil,
|
|
@@ -56,8 +52,6 @@ module Bibliothecary
|
|
|
56
52
|
@platform = platform
|
|
57
53
|
@requirement = requirement || "*"
|
|
58
54
|
@original_requirement = original_requirement
|
|
59
|
-
# TODO: maybe deprecate this field? Is it possible to replace it with original_requirement?
|
|
60
|
-
@lockfile_requirement = lockfile_requirement
|
|
61
55
|
@type = type
|
|
62
56
|
@direct = direct
|
|
63
57
|
@deprecated = deprecated
|
|
@@ -37,13 +37,6 @@ module Bibliothecary
|
|
|
37
37
|
/^name$/i,
|
|
38
38
|
],
|
|
39
39
|
},
|
|
40
|
-
# Lockfiles have exact versions.
|
|
41
|
-
"lockfile_requirement" => {
|
|
42
|
-
match: [
|
|
43
|
-
/^(lockfile |)requirement$/i,
|
|
44
|
-
/^version$/i,
|
|
45
|
-
],
|
|
46
|
-
},
|
|
47
40
|
# Manifests have versions that can have operators.
|
|
48
41
|
# However, since Bibliothecary only currently supports analyzing a
|
|
49
42
|
# single file as a single thing (either manifest or lockfile)
|
|
@@ -294,48 +294,74 @@ module Bibliothecary
|
|
|
294
294
|
parse_pom_manifest(file_contents, {}, options: options)
|
|
295
295
|
end
|
|
296
296
|
|
|
297
|
-
# parent_properties is used by Libraries:
|
|
298
|
-
# https://github.com/librariesio/libraries.io/blob/e970925aade2596a03268b6e1be785eba8502c62/app/models/package_manager/maven.rb#L129
|
|
299
297
|
def self.parse_pom_manifest(file_contents, parent_properties = {}, options: {}) # rubocop:disable Lint/UnusedMethodArgument
|
|
300
|
-
|
|
301
|
-
|
|
302
|
-
|
|
303
|
-
|
|
304
|
-
|
|
305
|
-
|
|
306
|
-
|
|
307
|
-
|
|
308
|
-
|
|
309
|
-
|
|
310
|
-
|
|
311
|
-
|
|
312
|
-
|
|
313
|
-
|
|
314
|
-
|
|
315
|
-
|
|
316
|
-
|
|
317
|
-
|
|
318
|
-
|
|
319
|
-
|
|
320
|
-
|
|
321
|
-
|
|
322
|
-
|
|
323
|
-
|
|
324
|
-
|
|
325
|
-
|
|
298
|
+
parse_pom_manifests([file_contents], parent_properties)
|
|
299
|
+
end
|
|
300
|
+
|
|
301
|
+
# @param files [Array<String>] Ordered array of strings containing the
|
|
302
|
+
# pom.xml bodies. The first element should be the child file.
|
|
303
|
+
# @param merged_properties [Hash]
|
|
304
|
+
def self.parse_pom_manifests(files, merged_properties)
|
|
305
|
+
documents = files.map do |file|
|
|
306
|
+
doc = Ox.parse(file)
|
|
307
|
+
doc.respond_to?("project") ? doc.project : doc
|
|
308
|
+
end
|
|
309
|
+
|
|
310
|
+
mergedDependencyManagements = {}
|
|
311
|
+
documents.each do |document|
|
|
312
|
+
document.locate("dependencyManagement/dependencies/dependency").each do |dep|
|
|
313
|
+
groupId = extract_pom_dep_info(document, dep, "groupId", merged_properties)
|
|
314
|
+
artifactId = extract_pom_dep_info(document, dep, "artifactId", merged_properties)
|
|
315
|
+
key = "#{groupId}:#{artifactId}"
|
|
316
|
+
mergedDependencyManagements[key] ||=
|
|
317
|
+
{
|
|
318
|
+
groupId: groupId,
|
|
319
|
+
artifactId: artifactId,
|
|
320
|
+
version: extract_pom_dep_info(document, dep, "version", merged_properties),
|
|
321
|
+
scope: extract_pom_dep_info(document, dep, "scope", merged_properties),
|
|
322
|
+
}
|
|
323
|
+
end
|
|
324
|
+
end
|
|
325
|
+
|
|
326
|
+
dep_hashes = {}
|
|
327
|
+
documents.each do |document|
|
|
328
|
+
document.locate("dependencies/dependency").each do |dep|
|
|
329
|
+
groupId = extract_pom_dep_info(document, dep, "groupId", merged_properties)
|
|
330
|
+
artifactId = extract_pom_dep_info(document, dep, "artifactId", merged_properties)
|
|
331
|
+
key = "#{groupId}:#{artifactId}"
|
|
332
|
+
unless dep_hashes.key?(key)
|
|
333
|
+
dep_hashes[key] = {
|
|
334
|
+
name: key,
|
|
335
|
+
requirement: nil,
|
|
336
|
+
type: nil,
|
|
337
|
+
optional: nil,
|
|
338
|
+
}
|
|
326
339
|
end
|
|
340
|
+
dep_hash = dep_hashes[key]
|
|
341
|
+
|
|
342
|
+
dep_hash[:requirement] ||= extract_pom_dep_info(document, dep, "version", merged_properties)
|
|
343
|
+
dep_hash[:type] ||= extract_pom_dep_info(document, dep, "scope", merged_properties)
|
|
327
344
|
|
|
328
|
-
dep_hash = {
|
|
329
|
-
name: "#{groupId}:#{artifactId}",
|
|
330
|
-
requirement: version,
|
|
331
|
-
type: scope || "runtime",
|
|
332
|
-
}
|
|
333
345
|
# optional field is, itself, optional, and will be either "true" or "false"
|
|
334
|
-
optional = extract_pom_dep_info(
|
|
335
|
-
dep_hash[:optional]
|
|
336
|
-
|
|
346
|
+
optional = extract_pom_dep_info(document, dep, "optional", merged_properties)
|
|
347
|
+
if dep_hash[:optional].nil? && !optional.nil?
|
|
348
|
+
dep_hash[:optional] = optional == "true"
|
|
349
|
+
end
|
|
350
|
+
end
|
|
351
|
+
end
|
|
352
|
+
|
|
353
|
+
# Anything that wasn't covered by a dependency version, get from the
|
|
354
|
+
# dependencyManagements
|
|
355
|
+
dep_hashes.each do |key, dep_hash|
|
|
356
|
+
if (dependencyManagement = mergedDependencyManagements[key])
|
|
357
|
+
dep_hash[:requirement] ||= dependencyManagement[:version]
|
|
358
|
+
dep_hash[:type] ||= dependencyManagement[:scope]
|
|
337
359
|
end
|
|
360
|
+
|
|
361
|
+
dep_hash[:type] ||= "runtime"
|
|
338
362
|
end
|
|
363
|
+
|
|
364
|
+
dep_hashes.map{|key, dep_hash| Dependency.new(**dep_hash)}
|
|
339
365
|
end
|
|
340
366
|
|
|
341
367
|
def self.parse_gradle(file_contents, options: {}) # rubocop:disable Lint/UnusedMethodArgument
|
|
@@ -142,7 +142,6 @@ module Bibliothecary
|
|
|
142
142
|
Dependency.new(
|
|
143
143
|
name: dep[:name],
|
|
144
144
|
requirement: dep[:version],
|
|
145
|
-
lockfile_requirement: dep[:requirement],
|
|
146
145
|
type: dep[:type],
|
|
147
146
|
local: dep[:requirement]&.start_with?("file:"),
|
|
148
147
|
)
|
|
@@ -173,7 +172,6 @@ module Bibliothecary
|
|
|
173
172
|
Dependency.new(
|
|
174
173
|
name: name,
|
|
175
174
|
requirement: metadata["version"],
|
|
176
|
-
lockfile_requirement: metadata.fetch("from", "").split("@").last,
|
|
177
175
|
type: "runtime",
|
|
178
176
|
),
|
|
179
177
|
] + transform_tree_to_array(metadata.fetch("dependencies", {}))
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: bibliothecary
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version:
|
|
4
|
+
version: 11.0.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Andrew Nesbitt
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2024-
|
|
11
|
+
date: 2024-12-20 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: tomlrb
|
|
@@ -313,7 +313,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
313
313
|
- !ruby/object:Gem::Version
|
|
314
314
|
version: '0'
|
|
315
315
|
requirements: []
|
|
316
|
-
rubygems_version: 3.
|
|
316
|
+
rubygems_version: 3.4.19
|
|
317
317
|
signing_key:
|
|
318
318
|
specification_version: 4
|
|
319
319
|
summary: Find and parse manifests
|