bibliothecary 14.1.0 → 14.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8220f939e62ba68f9f9edebda8c1d5901d88f028c9caea6b173c2f9da14cb5b4
-  data.tar.gz: 2920b4cf85f4497bf1a2749e8c6c6b2cdfa5c0c0a9f3cb244bc86c7991041974
+  metadata.gz: 6707fc0443320dc26cce55e6adcd048042c13b1648efe3a134952c62e5288f1f
+  data.tar.gz: 7e53ee490a0f3eb7ab97470d30332247176c8ea73fdf88182c82da152de50c56
 SHA512:
-  metadata.gz: 768d17a2954b4ccb4cad09da85074ef4958193fc10aea00cf33cbc8f7a309dc4d2b287a9d71e6b509b1861ddad06b0ad0508818fcd093147214cd836edd5cdf2
-  data.tar.gz: 4d345a0068501420508694bd5491de0584517e60021ff16e216486bc8329a1c5c7655c40df33a631e280c9977f8721d4b9a572f84f60fd6cf9e449134762b768
+  metadata.gz: eea5b5ac599bbd4043a1caf1ff3f89d8356619f9f30a45715a8bb81628673934b58cec80b4234ff863bb41c5b1cfde33a9a00a8ceaa58ce256ec267d99cab292
+  data.tar.gz: 7dc7d4532c3da16a34d60e70e10022c773a2b4c748ec15efec8dda0eb3f2718f71f0f1162da28cd886e8e01138f9f945ab16bf8bcf4f4f44ebcf2a292a4a6f54

data/CHANGELOG.md

@@ -13,13 +13,30 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Removed
 
+## [14.3.0]
+
+### Added
+
+- Add suppport for conan parsing
+
+## [14.2.0]
+
+### Added
+
+### Changed
+
+- Dependencies from yarn.lock will return a nil "type" instead of assuming "runtime".
+- In Nuget .csproj files, ignored <Reference> tags that don't have a version.
+
+### Removed
+
 ## [14.1.0] - 2025-10-01
 
 ### Added
 
 ### Changed
 
-- Dependencies from pom.xml without a scope will not return a "type" of nil instead of guessing "runtime".
+- Dependencies from pom.xml without a scope will now return a "type" of nil instead of guessing "runtime".
 
 ### Removed
 

data/lib/bibliothecary/parsers/conan.rb

@@ -0,0 +1,243 @@
+# frozen_string_literal: true
+
+# Ported from Go code available at https://github.com/google/osv-scalibr/blob/f37275e81582aee924103d49d9a27c8e353477e7/extractor/filesystem/language/cpp/conanlock/conanlock.go
+# Go code was made available under the Apache License, Version 2.0
+
+module Bibliothecary
+  module Parsers
+    class Conan
+      include Bibliothecary::Analyser
+
+      def self.mapping
+        {
+          match_filename("conanfile.py") => {
+            kind: "manifest",
+            parser: :parse_conanfile_py,
+          },
+          match_filename("conanfile.txt") => {
+            kind: "manifest",
+            parser: :parse_conanfile_txt,
+          },
+          match_filename("conan.lock") => {
+            kind: "lockfile",
+            parser: :parse_lockfile,
+          },
+        }
+      end
+
+      add_multi_parser(Bibliothecary::MultiParsers::CycloneDX)
+      add_multi_parser(Bibliothecary::MultiParsers::Spdx)
+      add_multi_parser(Bibliothecary::MultiParsers::DependenciesCSV)
+
+      def self.parse_conanfile_py(file_contents, options: {})
+        dependencies = []
+
+        # Parse self.requires() calls in conanfile.py
+        # Pattern matches: self.requires("package/version") or self.requires("package/version", force=True, options={...})
+        # Captures only the package spec string; additional keyword arguments are ignored
+        file_contents.scan(/self\.requires\(\s*["']([^"']+)["']/).each do |match|
+          manifest_dep = match[0]
+          reference = parse_conan_reference(manifest_dep)
+
+          # Skip entries with no name
+          next if reference[:name].nil? || reference[:name].empty?
+
+          dependencies << Dependency.new(
+            name: reference[:name],
+            requirement: reference[:version],
+            type: "runtime",
+            source: options.fetch(:filename, nil),
+            platform: platform_name
+          )
+        end
+
+        ParserResult.new(dependencies: dependencies)
+      end
+
+      def self.parse_conanfile_txt(file_contents, options: {})
+        dependencies = []
+        current_section = nil
+
+        file_contents.each_line do |line|
+          line = line.strip
+
+          # Skip empty lines and comments
+          next if line.empty? || line.start_with?("#")
+
+          # Check for section headers
+          if line.match?(/^\[([^\]]+)\]$/)
+            current_section = line[1..-2]
+            next
+          end
+
+          # Parse dependencies in [requires] and [build_requires] sections
+          next unless %w[requires build_requires].include?(current_section)
+
+          reference = parse_conan_reference(manifest_dep)
+          next if reference[:name].nil? || reference[:name].empty?
+
+          dependencies << Dependency.new(
+            name: reference[:name],
+            requirement: reference[:version],
+            type: current_section == "requires" ? "runtime" : "development",
+            source: options.fetch(:filename, nil),
+            platform: platform_name
+          )
+        end
+
+        ParserResult.new(dependencies: dependencies)
+      end
+
+      def self.parse_lockfile(file_contents, options: {})
+        manifest = JSON.parse(file_contents)
+
+        # Auto-detect lockfile format version
+        if manifest.dig("graph_lock", "nodes")
+          parse_v1_lockfile(manifest, options: options)
+        else
+          parse_v2_lockfile(manifest, options: options)
+        end
+      end
+
+      def self.parse_v1_lockfile(lockfile, options: {})
+        dependencies = []
+
+        lockfile["graph_lock"]["nodes"].each_value do |node|
+          if node["path"] && !node["path"].empty?
+            # a local "conanfile.txt", skip
+            next
+          end
+
+          reference = nil
+          if node["pref"]
+            #  old format 0.3 (conan 1.27-) lockfiles use "pref" instead of "ref"
+            reference = parse_conan_reference(node["pref"])
+          elsif node["ref"]
+            reference = parse_conan_reference(node["ref"])
+          else
+            next
+          end
+
+          # skip entries with no name, they are most likely consumer's conanfiles
+          # and not dependencies to be searched in a database anyway
+          next if reference[:name].nil? || reference[:name].empty?
+
+          type = case node["context"]
+                 when "build"
+                   "development"
+                 else
+                   "runtime"
+                 end
+
+          dependencies << Dependency.new(
+            name: reference[:name],
+            requirement: reference[:version],
+            type: type,
+            source: options.fetch(:filename, nil),
+            platform: platform_name
+          )
+        end
+
+        ParserResult.new(dependencies: dependencies)
+      end
+
+      def self.parse_v2_lockfile(lockfile, options: {})
+        dependencies = []
+
+        parse_conan_requires(dependencies, lockfile["requires"], "runtime", options)
+        parse_conan_requires(dependencies, lockfile["build_requires"], "development", options)
+        parse_conan_requires(dependencies, lockfile["python_requires"], "development", options)
+
+        ParserResult.new(dependencies: dependencies)
+      end
+
+      # Helper method to parse an array of Conan package references
+      # Similar to OSV Scalibr's parseConanRequires function
+      def self.parse_conan_requires(dependencies, requires, type, options)
+        return unless requires && !requires.empty?
+
+        requires.each do |ref|
+          reference = parse_conan_reference(ref)
+
+          # Skip entries with no name, they are most likely consumer's conanfiles
+          # and not dependencies to be searched in a database anyway
+          next if reference[:name].nil? || reference[:name].empty?
+
+          dependencies << Dependency.new(
+            name: reference[:name],
+            requirement: reference[:version] || "*",
+            type: type,
+            source: options.fetch(:filename, nil),
+            platform: platform_name
+          )
+        end
+      end
+
+      # Parse Conan reference
+      # Handles the full Conan reference format:
+      # name/version[@username[/channel]][#recipe_revision][:package_id[#package_revision]][%timestamp]
+      #
+      # Based on OSV Scalibr's parseConanReference implementation:
+      # https://github.com/google/osv-scalibr/blob/f37275e81582aee924103d49d9a27c8e353477e7/extractor/filesystem/language/cpp/conanlock/conanlock.go
+      #
+      # Returns a hash with keys: name, version, username, channel, recipe_revision, package_id, package_revision, timestamp
+      def self.parse_conan_reference(ref)
+        reference = {
+          name: nil,
+          version: nil,
+          username: nil,
+          channel: nil,
+          recipe_revision: nil,
+          package_id: nil,
+          package_revision: nil,
+          timestamp: nil,
+        }
+
+        return reference if ref.nil? || ref.empty?
+
+        # Validate that ref contains "/" (name/version format)
+        # This filters out invalid entries like "1.2.3" (version without name)
+        return reference unless ref.include?("/")
+
+        # Strip timestamp: name/version%1234 -> name/version
+        parts = ref.split("%", 2)
+        if parts.length == 2
+          ref = parts[0]
+          reference[:timestamp] = parts[1]
+        end
+
+        # Strip package revision: name/version:pkgid#prev -> name/version
+        parts = ref.split(":", 2)
+        if parts.length == 2
+          ref = parts[0]
+          pkg_parts = parts[1].split("#", 2)
+          reference[:package_id] = pkg_parts[0]
+          reference[:package_revision] = pkg_parts[1] if pkg_parts.length == 2
+        end
+
+        # Strip recipe revision: name/version#rrev -> name/version
+        parts = ref.split("#", 2)
+        if parts.length == 2
+          ref = parts[0]
+          reference[:recipe_revision] = parts[1]
+        end
+
+        # Strip username/channel: name/version@user/channel -> name/version
+        parts = ref.split("@", 2)
+        if parts.length == 2
+          ref = parts[0]
+          user_channel = parts[1].split("/", 2)
+          reference[:username] = user_channel[0]
+          reference[:channel] = user_channel[1] if user_channel.length == 2
+        end
+
+        # Split name/version: name/version -> [name, version]
+        parts = ref.split("/", 2)
+        reference[:name] = parts[0]
+        reference[:version] = parts.length == 2 ? parts[1] : nil
+
+        reference
+      end
+    end
+  end
+end

data/lib/bibliothecary/parsers/npm.rb

@@ -187,7 +187,7 @@ module Bibliothecary
             original_name: dep[:original_name],
             requirement: dep[:version],
             original_requirement: dep[:original_requirement],
-            type: "runtime", # lockfile doesn't tell us more about the type of dep
+            type: nil, # yarn.lock doesn't report on the type of dependency
             local: dep[:requirements]&.first&.start_with?("file:"),
             source: options.fetch(:filename, nil),
             platform: platform_name

data/lib/bibliothecary/parsers/nuget.rb

@@ -153,6 +153,17 @@ module Bibliothecary
           .select { |dep| dep.respond_to? "Include" }
           .map do |dependency|
             vals = *dependency.Include.split(",").map(&:strip)
+
+            # Skip <Reference> dependencies that only have the name value. Reasoning:
+            # Builtin assemblies like "System.Web" or "Microsoft.CSharp" can be required from the framework or by
+            # downloading via Nuget, and we only want to report on packages that are downloaded from Nuget. We are
+            # pretty sure that if they don't have a version in <Reference> then they're likely from the framework
+            # itself, which means they won't show up in the lockfile and we want to omit them.
+            # Note: if we omit a false positive here it should still show up in the lockfile, and it should be
+            # safer guess like this since <Reference> is an older standard.
+            # Note: this strategy could also skip on-disk 3rd-party packages with a <HintPath> but no version in <Reference>
+            next nil if vals.size == 1
+
             name = vals.shift
             vals = vals.to_h { |r| r.split("=", 2) }
 
@@ -164,6 +175,7 @@ module Bibliothecary
               platform: platform_name
             )
           end
+          .compact
 
         dependencies = packages.uniq(&:name)
         ParserResult.new(dependencies: dependencies)

data/lib/bibliothecary/purl_util.rb

@@ -12,6 +12,7 @@ module Bibliothecary
       "npm" => :npm,
       "cargo" => :cargo,
       "composer" => :packagist,
+      "conan" => :conan,
       "conda" => :conda,
       "cran" => :cran,
       "gem" => :rubygems,

data/lib/bibliothecary/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Bibliothecary
-  VERSION = "14.1.0"
+  VERSION = "14.3.0"
 end

metadata

@@ -1,13 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: bibliothecary
 version: !ruby/object:Gem::Version
-  version: 14.1.0
+  version: 14.3.0
 platform: ruby
 authors:
 - Andrew Nesbitt
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-10-01 00:00:00.000000000 Z
+date: 2025-11-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: commander
@@ -135,6 +136,7 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+description:
 email:
 - andrewnez@gmail.com
 executables:
@@ -181,6 +183,7 @@ files:
 - lib/bibliothecary/parsers/bower.rb
 - lib/bibliothecary/parsers/cargo.rb
 - lib/bibliothecary/parsers/cocoapods.rb
+- lib/bibliothecary/parsers/conan.rb
 - lib/bibliothecary/parsers/conda.rb
 - lib/bibliothecary/parsers/cpan.rb
 - lib/bibliothecary/parsers/cran.rb
@@ -209,6 +212,7 @@ licenses:
 - AGPL-3.0
 metadata:
   rubygems_mfa_required: 'true'
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -223,7 +227,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.3
+rubygems_version: 3.4.19
+signing_key:
 specification_version: 4
 summary: Find and parse manifests
 test_files: []