bibliothecary 13.0.2 → 14.0.0

data/lib/bibliothecary/parsers/maven.rb

@@ -139,15 +139,17 @@ module Bibliothecary
 
       def self.parse_ivy_manifest(file_contents, options: {})
         manifest = Ox.parse file_contents
-        manifest.dependencies.locate("dependency").map do |dependency|
+        dependencies = manifest.dependencies.locate("dependency").map do |dependency|
           attrs = dependency.attributes
           Dependency.new(
             name: "#{attrs[:org]}:#{attrs[:name]}",
             requirement: attrs[:rev],
             type: "runtime",
-            source: options.fetch(:filename, nil)
+            source: options.fetch(:filename, nil),
+            platform: platform_name
           )
         end
+        ParserResult.new(dependencies: dependencies)
       end
 
       def self.ivy_report?(file_contents)
@@ -172,7 +174,7 @@ module Bibliothecary
         type = info.attributes[:conf]
         type = "unknown" if type.nil?
         modules = doc.locate("ivy-report/dependencies/module")
-        modules.map do |mod|
+        dependencies = modules.map do |mod|
           attrs = mod.attributes
           org = attrs[:organisation]
           name = attrs[:name]
@@ -184,15 +186,17 @@ module Bibliothecary
             name: "#{org}:#{name}",
             requirement: version,
             type: type,
-            source: options.fetch(:filename, nil)
+            source: options.fetch(:filename, nil),
+            platform: platform_name
           )
         end.compact
+        ParserResult.new(dependencies: dependencies)
       end
 
       def self.parse_gradle_resolved(file_contents, options: {})
         current_type = nil
 
-        file_contents.split("\n").map do |line|
+        dependencies = file_contents.split("\n").map do |line|
           current_type_match = GRADLE_TYPE_REGEXP.match(line)
           current_type = current_type_match.captures[0] if current_type_match
 
@@ -232,7 +236,8 @@ module Bibliothecary
               name: dep[-3..-2].join(":"),
               requirement: dep[-1],
               type: current_type,
-              source: options.fetch(:filename, nil)
+              source: options.fetch(:filename, nil),
+              platform: platform_name
             )
           elsif dep.count == 5
             # get name from renamed package resolution "org:name -> renamed_org:name:version"
@@ -242,7 +247,8 @@ module Bibliothecary
               name: dep[-3..-2].join(":"),
               requirement: dep[-1],
               type: current_type,
-              source: options.fetch(:filename, nil)
+              source: options.fetch(:filename, nil),
+              platform: platform_name
             )
           else
             # get name from version conflict resolution ("org:name:version -> version") and no-resolution ("org:name:version")
@@ -250,21 +256,24 @@ module Bibliothecary
               name: dep[0..1].join(":"),
               requirement: dep[-1],
               type: current_type,
-              source: options.fetch(:filename, nil)
+              source: options.fetch(:filename, nil),
+              platform: platform_name
             )
           end
         end
           .compact
           .uniq { |item| [item.name, item.requirement, item.type, item.original_name, item.original_requirement] }
+        ParserResult.new(dependencies: dependencies)
       end
 
       def self.parse_maven_resolved(file_contents, options: {})
-        file_contents
+        dependencies = file_contents
           .gsub(ANSI_MATCHER, "")
           .split("\n")
           .map { |line| parse_resolved_dep_line(line, options: options) }
           .compact
           .uniq
+        ParserResult.new(dependencies: dependencies)
       end
 
       # Return each item in the ascii art tree with a depth of that item,
@@ -318,19 +327,20 @@ module Bibliothecary
 
         projects_to_exclude = {}
 
-        if keep_subprojects
-          # traditional behavior: we only exclude the root project, and only if we parsed multiple lines
-          (root_name, root_version, _root_type) = parse_maven_tree_dependency(items.shift[1])
-          unless items.empty?
-            projects_to_exclude[root_name] = Set.new
-            projects_to_exclude[root_name].add(root_version)
-          end
+        (root_name, root_version, _root_type) = parse_maven_tree_dependency(items[0][1])
+
+        # traditional behavior: we only exclude the root project, and only if we parsed multiple lines
+        if keep_subprojects && !items.empty?
+          items.shift
+          projects_to_exclude[root_name] = Set.new
+          projects_to_exclude[root_name].add(root_version)
         end
 
         unique_items = items.map do |(depth, item)|
           # new behavior: we exclude root and subprojects (depth 0 items)
           (name, version, type) = parse_maven_tree_dependency(item)
           if depth == 0 && !keep_subprojects
+
             # record and then remove the depth 0
             projects_to_exclude[name] ||= Set.new
             projects_to_exclude[name].add(version)
@@ -340,7 +350,7 @@ module Bibliothecary
           end
         end.compact.uniq
 
-        unique_items
+        dependencies = unique_items
           # drop the projects and subprojects
           .reject { |(name, version, _type)| projects_to_exclude[name]&.include?(version) }
           .map do |(name, version, type)|
@@ -348,14 +358,20 @@ module Bibliothecary
               name: name,
               requirement: version,
               type: type,
-              source: options.fetch(:filename, nil)
+              source: options.fetch(:filename, nil),
+              platform: platform_name
             )
           end
+        ParserResult.new(
+          project_name: root_name,
+          dependencies: dependencies
+        )
       end
 
       def self.parse_maven_tree_dot(file_contents, options: {})
         # Project could be either the root project or a sub-module.
         project = file_contents.match(MAVEN_DOT_PROJECT_REGEXP)[1]
+        project_name, _project_version, _project_type = parse_maven_tree_dependency(project)
         relationships = file_contents.scan(MAVEN_DOT_RELATIONSHIP_REGEXP)
 
         direct_names_to_versions = relationships.each.with_object({}) do |(parent, child), obj|
@@ -366,17 +382,25 @@ module Bibliothecary
           obj[name].add(version)
         end
 
-        relationships.map do |(_parent, child)|
+        deps = relationships.map do |(_parent, child)|
           child_name, child_version, child_type = parse_maven_tree_dependency(child)
 
           Dependency.new(
             name: child_name,
             requirement: child_version,
+            platform: platform_name,
             type: child_type,
             direct: direct_names_to_versions[child_name]&.include?(child_version) || false,
             source: options.fetch(:filename, nil)
           )
         end.uniq
+
+        # TODO: should we change every method to return this, or just allow both to be
+        # returned to an analysis? (I'm leaning towards former)
+        ParserResult.new(
+          dependencies: deps,
+          project_name: project_name
+        )
       end
 
       def self.parse_resolved_dep_line(line, options: {})
@@ -392,12 +416,14 @@ module Bibliothecary
           name: dep_parts[0, 2].join(":"),
           requirement: dep_parts[3],
           type: dep_parts[4].split("--").first.strip,
-          source: options.fetch(:filename, nil)
+          source: options.fetch(:filename, nil),
+          platform: platform_name
         )
       end
 
       def self.parse_standalone_pom_manifest(file_contents, options: {})
-        parse_pom_manifest(file_contents, {}, options:)
+        dependencies = parse_pom_manifest(file_contents, {}, options:)
+        ParserResult.new(dependencies: dependencies)
       end
 
       def self.parse_pom_manifest(file_contents, parent_properties = {}, options: {})
@@ -438,6 +464,7 @@ module Bibliothecary
             unless dep_hashes.key?(key)
               dep_hashes[key] = {
                 name: key,
+                platform: platform_name,
                 requirement: nil,
                 type: nil,
                 optional: nil,
@@ -472,7 +499,7 @@ module Bibliothecary
       end
 
       def self.parse_gradle(file_contents, options: {})
-        file_contents
+        dependencies = file_contents
           .scan(GRADLE_GROOVY_SIMPLE_REGEXP) # match 'implementation "group:artifactId:version"'
           .reject { |(_type, group, artifact_id, _version)| group.nil? || artifact_id.nil? } # remove any matches with missing group/artifactId
           .map do |(type, group, artifact_id, version)|
@@ -480,13 +507,15 @@ module Bibliothecary
               name: [group, artifact_id].join(":"),
               requirement: version,
               type: type,
-              source: options.fetch(:filename, nil)
+              source: options.fetch(:filename, nil),
+              platform: platform_name
             )
           end
+        ParserResult.new(dependencies: dependencies)
       end
 
       def self.parse_gradle_kts(file_contents, options: {})
-        file_contents
+        dependencies = file_contents
           .scan(GRADLE_KOTLIN_SIMPLE_REGEXP) # match 'implementation("group:artifactId:version")'
           .reject { |(_type, group, artifact_id, _version)| group.nil? || artifact_id.nil? } # remove any matches with missing group/artifactId
           .map do |(type, group, artifact_id, version)|
@@ -494,9 +523,11 @@ module Bibliothecary
               name: [group, artifact_id].join(":"),
               requirement: version,
               type: type,
-              source: options.fetch(:filename, nil)
+              source: options.fetch(:filename, nil),
+              platform: platform_name
             )
           end
+        ParserResult.new(dependencies: dependencies)
       end
 
       def self.gradle_dependency_name(group, name)
@@ -612,11 +643,14 @@ module Bibliothecary
           dep.delete(:fields)
         end
 
-        squished.map do |dep_kvs|
+        dependencies = squished.map do |dep_kvs|
           Dependency.new(
-            **dep_kvs, source: options.fetch(:filename, nil)
+            **dep_kvs,
+            source: options.fetch(:filename, nil),
+            platform: platform_name
           )
         end
+        ParserResult.new(dependencies: dependencies)
       end
 
       def self.parse_sbt_deps(type, lines)

data/lib/bibliothecary/parsers/npm.rb

@@ -50,14 +50,15 @@ module Bibliothecary
       def self.parse_package_lock(file_contents, options: {})
         manifest = JSON.parse(file_contents)
         # https://docs.npmjs.com/cli/v9/configuring-npm/package-lock-json#lockfileversion
-        if manifest["lockfileVersion"].to_i <= 1
-          # lockfileVersion 1 uses the "dependencies" object
-          parse_package_lock_v1(manifest, options.fetch(:filename, nil))
-        else
-          # lockfileVersion 2 has backwards-compatability by including both "packages" and the legacy "dependencies" object
-          # lockfileVersion 3 has no backwards-compatibility and only includes the "packages" object
-          parse_package_lock_v2(manifest, options.fetch(:filename, nil))
-        end
+        dependencies = if manifest["lockfileVersion"].to_i <= 1
+                         # lockfileVersion 1 uses the "dependencies" object
+                         parse_package_lock_v1(manifest, options.fetch(:filename, nil))
+                       else
+                         # lockfileVersion 2 has backwards-compatability by including both "packages" and the legacy "dependencies" object
+                         # lockfileVersion 3 has no backwards-compatibility and only includes the "packages" object
+                         parse_package_lock_v2(manifest, options.fetch(:filename, nil))
+                       end
+        ParserResult.new(dependencies: dependencies)
       end
 
       class << self
@@ -98,7 +99,8 @@ module Bibliothecary
               original_requirement: original_name.nil? ? nil : dep["version"],
               type: dep.fetch("dev", false) || dep.fetch("devOptional", false) ? "development" : "runtime",
               local: dep.fetch("link", false),
-              source: source
+              source: source,
+              platform: platform_name
             )
           end
       end
@@ -118,14 +120,15 @@ module Bibliothecary
             name: name,
             requirement: version,
             type: type,
-            source: source
+            source: source,
+            platform: platform_name
           )] + child_dependencies
         end
       end
 
       def self.parse_manifest(file_contents, options: {})
         # on ruby 3.2 we suddenly get this JSON error, so detect and return early: "package.json: unexpected token at ''"
-        return [] if file_contents.empty?
+        return ParserResult.new(dependencies: []) if file_contents.empty?
 
         manifest = JSON.parse(file_contents)
 
@@ -150,7 +153,8 @@ module Bibliothecary
               original_requirement: original_name.nil? ? nil : requirement,
               type: "runtime",
               local: requirement.start_with?("file:"),
-              source: options.fetch(:filename, nil)
+              source: options.fetch(:filename, nil),
+              platform: platform_name
             )
           end
 
@@ -162,11 +166,12 @@ module Bibliothecary
               requirement: requirement,
               type: "development",
               local: requirement.start_with?("file:"),
-              source: options.fetch(:filename, nil)
+              source: options.fetch(:filename, nil),
+              platform: platform_name
             )
           end
 
-        dependencies
+        ParserResult.new(dependencies: dependencies)
       end
 
       def self.parse_yarn_lock(file_contents, options: {})
@@ -176,7 +181,7 @@ module Bibliothecary
                      parse_v1_yarn_lock(file_contents, options.fetch(:filename, nil))
                    end
 
-        dep_hash.map do |dep|
+        dependencies = dep_hash.map do |dep|
           Dependency.new(
             name: dep[:name],
             original_name: dep[:original_name],
@@ -184,9 +189,11 @@ module Bibliothecary
             original_requirement: dep[:original_requirement],
             type: "runtime", # lockfile doesn't tell us more about the type of dep
             local: dep[:requirements]&.first&.start_with?("file:"),
-            source: options.fetch(:filename, nil)
+            source: options.fetch(:filename, nil),
+            platform: platform_name
           )
         end
+        ParserResult.new(dependencies: dependencies)
       end
 
       # Returns a hash representation of the deps in yarn.lock, eg:
@@ -285,7 +292,8 @@ module Bibliothecary
               original_name: original_name,
               original_requirement: original_requirement,
               type: is_dev ? "development" : "runtime",
-              source: source
+              source: source,
+              platform: platform_name
             )
           end
       end
@@ -321,7 +329,8 @@ module Bibliothecary
               original_name: original_name,
               original_requirement: original_requirement,
               type: is_dev ? "development" : "runtime",
-              source: source
+              source: source,
+              platform: platform_name
             )
           end
       end
@@ -369,7 +378,8 @@ module Bibliothecary
               original_name: original_name,
               original_requirement: original_requirement,
               type: is_dev ? "development" : "runtime",
-              source: source
+              source: source,
+              platform: platform_name
             )
           end
       end
@@ -382,20 +392,22 @@ module Bibliothecary
         parsed = YAML.load(contents)
         lockfile_version = parsed["lockfileVersion"].to_i
 
-        case lockfile_version
-        when 5
-          parse_v5_pnpm_lock(parsed, options.fetch(:filename, nil))
-        when 6
-          parse_v6_pnpm_lock(parsed, options.fetch(:filename, nil))
-        else # v9+
-          parse_v9_pnpm_lock(parsed, options.fetch(:filename, nil))
-        end
+        dependencies = case lockfile_version
+                       when 5
+                         parse_v5_pnpm_lock(parsed, options.fetch(:filename, nil))
+                       when 6
+                         parse_v6_pnpm_lock(parsed, options.fetch(:filename, nil))
+                       else # v9+
+                         parse_v9_pnpm_lock(parsed, options.fetch(:filename, nil))
+                       end
+        ParserResult.new(dependencies: dependencies)
       end
 
       def self.parse_ls(file_contents, options: {})
         manifest = JSON.parse(file_contents)
 
-        transform_tree_to_array(manifest.fetch("dependencies", {}), options.fetch(:filename, nil))
+        dependencies = transform_tree_to_array(manifest.fetch("dependencies", {}), options.fetch(:filename, nil))
+        ParserResult.new(dependencies: dependencies)
       end
 
       def self.parse_bun_lock(file_contents, options: {})
@@ -408,7 +420,7 @@ module Bibliothecary
 
         dev_deps = manifest.dig("workspaces", "", "devDependencies")&.keys&.to_set
 
-        manifest.fetch("packages", []).map do |name, info|
+        dependencies = manifest.fetch("packages", []).map do |name, info|
           info_name, _, version = info.first.rpartition("@")
           is_local = version&.start_with?("file:")
           is_alias = info_name != name
@@ -420,9 +432,11 @@ module Bibliothecary
             original_requirement: is_alias ? version : nil,
             type: dev_deps&.include?(name) ? "development" : "runtime",
             local: is_local,
-            source: source
+            source: source,
+            platform: platform_name
           )
         end
+        ParserResult.new(dependencies: dependencies)
       end
 
       def self.lockfile_preference_order(file_infos)
@@ -444,7 +458,8 @@ module Bibliothecary
               name: name,
               requirement: metadata["version"],
               type: "runtime",
-              source: source
+              source: source,
+              platform: platform_name
             ),
           ] + transform_tree_to_array(metadata.fetch("dependencies", {}), source)
         end.flatten(1)

data/lib/bibliothecary/parsers/nuget.rb

@@ -52,15 +52,17 @@ module Bibliothecary
 
       def self.parse_project_lock_json(file_contents, options: {})
         manifest = JSON.parse file_contents
-        manifest.fetch("libraries", []).map do |name, _requirement|
+        dependencies = manifest.fetch("libraries", []).map do |name, _requirement|
           dep = name.split("/")
           Dependency.new(
             name: dep[0],
             requirement: dep[1],
             type: "runtime",
-            source: options.fetch(:filename, nil)
+            source: options.fetch(:filename, nil),
+            platform: platform_name
           )
         end
+        ParserResult.new(dependencies: dependencies)
       end
 
       def self.parse_packages_lock_json(file_contents, options: {})
@@ -77,7 +79,8 @@ module Bibliothecary
                 # so fallback to requested is pure paranoia
                 requirement: details.fetch("resolved", details.fetch("requested", "*")),
                 type: "runtime",
-                source: options.fetch(:filename, nil)
+                source: options.fetch(:filename, nil),
+                platform: platform_name
               )
             end
         end
@@ -88,23 +91,25 @@ module Bibliothecary
 
           # Note, frameworks can be empty, so remove empty ones and then return the last sorted item if any
           frameworks.delete_if { |_k, v| v.empty? }
-          return frameworks[frameworks.keys.max] unless frameworks.empty?
+          return ParserResult.new(dependencies: frameworks[frameworks.keys.max]) unless frameworks.empty?
         end
-        []
+        ParserResult.new(dependencies: [])
       end
 
       def self.parse_packages_config(file_contents, options: {})
         manifest = Ox.parse file_contents
-        manifest.packages.locate("package").map do |dependency|
+        dependencies = manifest.packages.locate("package").map do |dependency|
           Dependency.new(
             name: dependency.id,
             requirement: (dependency.version if dependency.respond_to? "version"),
             type: dependency.respond_to?("developmentDependency") && dependency.developmentDependency == "true" ? "development" : "runtime",
-            source: options.fetch(:filename, nil)
+            source: options.fetch(:filename, nil),
+            platform: platform_name
           )
         end
+        ParserResult.new(dependencies: dependencies)
       rescue StandardError
-        []
+        ParserResult.new(dependencies: [])
       end
 
       def self.parse_csproj(file_contents, options: {})
@@ -138,7 +143,8 @@ module Bibliothecary
               name: dependency.Include,
               requirement: requirement,
               type: type,
-              source: options.fetch(:filename, nil)
+              source: options.fetch(:filename, nil),
+              platform: platform_name
             )
           end
 
@@ -154,27 +160,31 @@ module Bibliothecary
               name: name,
               requirement: vals["Version"] || "*",
               type: "runtime",
-              source: options.fetch(:filename, nil)
+              source: options.fetch(:filename, nil),
+              platform: platform_name
             )
           end
 
-        packages.uniq(&:name)
+        dependencies = packages.uniq(&:name)
+        ParserResult.new(dependencies: dependencies)
       rescue StandardError
-        []
+        ParserResult.new(dependencies: [])
       end
 
       def self.parse_nuspec(file_contents, options: {})
         manifest = Ox.parse file_contents
-        manifest.package.metadata.dependencies.locate("dependency").map do |dependency|
+        dependencies = manifest.package.metadata.dependencies.locate("dependency").map do |dependency|
           Dependency.new(
             name: dependency.id,
             requirement: dependency.attributes[:version],
             type: dependency.respond_to?("developmentDependency") && dependency.developmentDependency == "true" ? "development" : "runtime",
-            source: options.fetch(:filename, nil)
+            source: options.fetch(:filename, nil),
+            platform: platform_name
           )
         end
+        ParserResult.new(dependencies: dependencies)
       rescue StandardError
-        []
+        ParserResult.new(dependencies: [])
       end
 
       def self.parse_paket_lock(file_contents, options: {})
@@ -185,11 +195,13 @@ module Bibliothecary
             name: match[:name].strip,
             requirement: match[:version],
             type: "runtime",
-            source: options.fetch(:filename, nil)
+            source: options.fetch(:filename, nil),
+            platform: platform_name
           )
         end
         # we only have to enforce uniqueness by name because paket ensures that there is only the single version globally in the project
-        packages.uniq(&:name)
+        dependencies = packages.uniq(&:name)
+        ParserResult.new(dependencies: dependencies)
       end
 
       def self.parse_project_assets_json(file_contents, options: {})
@@ -205,7 +217,8 @@ module Bibliothecary
                 name: name_split[0],
                 requirement: name_split[1],
                 type: "runtime",
-                source: options.fetch(:filename, nil)
+                source: options.fetch(:filename, nil),
+                platform: platform_name
               )
             end
         end
@@ -216,9 +229,9 @@ module Bibliothecary
 
           # Note, frameworks can be empty, so remove empty ones and then return the last sorted item if any
           frameworks.delete_if { |_k, v| v.empty? }
-          return frameworks[frameworks.keys.max] unless frameworks.empty?
+          return ParserResult.new(dependencies: frameworks[frameworks.keys.max]) unless frameworks.empty?
         end
-        []
+        ParserResult.new(dependencies: [])
       end
     end
   end

data/lib/bibliothecary/parsers/packagist.rb

@@ -26,7 +26,7 @@ module Bibliothecary
 
       def self.parse_lockfile(file_contents, options: {})
         manifest = JSON.parse file_contents
-        manifest.fetch("packages", []).map do |dependency|
+        dependencies = manifest.fetch("packages", []).map do |dependency|
           requirement = dependency["version"]
 
           # Store Drupal version if Drupal, but include the original manifest version for reference
@@ -40,7 +40,8 @@ module Bibliothecary
             requirement: requirement,
             type: "runtime",
             original_requirement: original_requirement,
-            source: options.fetch(:filename, nil)
+            source: options.fetch(:filename, nil),
+            platform: platform_name
           )
         end + manifest.fetch("packages-dev", []).map do |dependency|
           requirement = dependency["version"]
@@ -56,15 +57,18 @@ module Bibliothecary
             requirement: requirement,
             type: "development",
             original_requirement: original_requirement,
-            source: options.fetch(:filename, nil)
+            source: options.fetch(:filename, nil),
+            platform: platform_name
           )
         end
+        ParserResult.new(dependencies: dependencies)
       end
 
       def self.parse_manifest(file_contents, options: {})
         manifest = JSON.parse file_contents
-        map_dependencies(manifest, "require", "runtime", options.fetch(:filename, nil)) +
-          map_dependencies(manifest, "require-dev", "development", options.fetch(:filename, nil))
+        dependencies = map_dependencies(manifest, "require", "runtime", options.fetch(:filename, nil)) +
+                       map_dependencies(manifest, "require-dev", "development", options.fetch(:filename, nil))
+        ParserResult.new(dependencies: dependencies)
       end
 
       # Drupal hosts its own Composer repository, where its "modules" are indexed and searchable. The best way to

data/lib/bibliothecary/parsers/pub.rb

@@ -24,20 +24,23 @@ module Bibliothecary
 
       def self.parse_yaml_manifest(file_contents, options: {})
         manifest = YAML.load file_contents
-        map_dependencies(manifest, "dependencies", "runtime", options.fetch(:filename, nil)) +
-          map_dependencies(manifest, "dev_dependencies", "development", options.fetch(:filename, nil))
+        dependencies = map_dependencies(manifest, "dependencies", "runtime", options.fetch(:filename, nil)) +
+                       map_dependencies(manifest, "dev_dependencies", "development", options.fetch(:filename, nil))
+        ParserResult.new(dependencies: dependencies)
       end
 
       def self.parse_yaml_lockfile(file_contents, options: {})
         manifest = YAML.load file_contents
-        manifest.fetch("packages", []).map do |name, dep|
+        dependencies = manifest.fetch("packages", []).map do |name, dep|
           Dependency.new(
             name: name,
             requirement: dep["version"],
             type: "runtime",
-            source: options.fetch(:filename, nil)
+            source: options.fetch(:filename, nil),
+            platform: platform_name
           )
         end
+        ParserResult.new(dependencies: dependencies)
       end
     end
   end