bibliothecary 14.2.0 → 14.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 548767337e8898f61951f3e458310fd5299d88c81549a3332750c62427b93a28
-  data.tar.gz: 660e80fcdce7b4fc1ed9d498b4a8e39856498e709b16fbd0f3ffcdc5671a8942
+  metadata.gz: d1f7fd4aeb8298f9fcb9b5edc69b7936eed8f112f3a6dde000edda36d641cfca
+  data.tar.gz: 4d9b619aab4813b3ee77a36b0fbb1588b561a3dd42275feeb216f01d19f8ea05
 SHA512:
-  metadata.gz: 67d3cf0c77840be64458f50dac795a8a782e192db0138e316e21ef65fb9dd625a32fde8e5ef92fa4e47ce66bb666d5fd97d751930ad6eea4bd7a404836c03698
-  data.tar.gz: 4490815f18aac91bfa307349272699c16500f3452d88b0681ce2c927e4b7f6acc55e41afbb33299cfaa5d4330306c34b30598a42b092a732097b617de1f378a9
+  metadata.gz: a9a904ac75104ea34f45bfea2900475c89fd29a5d15ac065923d4e9d4c715ec6380d92ecea6499025063abe8f0146d2a89d9661f59f98cd216a4dcc6ce44b054
+  data.tar.gz: a4234dc007565e41587fa92ca7f970e5fdffd479debd202658e8a04edcf01943624df11aa1d0785398b87d10f694f3b84fb68fb985251315fbff67799f24fa2f

data/CHANGELOG.md

@@ -13,6 +13,18 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Removed
 
+## [14.4.0]
+
+### Added
+
+- Add suppport for vcpkg parsing
+
+## [14.3.0]
+
+### Added
+
+- Add suppport for conan parsing
+
 ## [14.2.0]
 
 ### Added

data/lib/bibliothecary/parsers/conan.rb

@@ -0,0 +1,243 @@
+# frozen_string_literal: true
+
+# Ported from Go code available at https://github.com/google/osv-scalibr/blob/f37275e81582aee924103d49d9a27c8e353477e7/extractor/filesystem/language/cpp/conanlock/conanlock.go
+# Go code was made available under the Apache License, Version 2.0
+
+module Bibliothecary
+  module Parsers
+    class Conan
+      include Bibliothecary::Analyser
+
+      def self.mapping
+        {
+          match_filename("conanfile.py") => {
+            kind: "manifest",
+            parser: :parse_conanfile_py,
+          },
+          match_filename("conanfile.txt") => {
+            kind: "manifest",
+            parser: :parse_conanfile_txt,
+          },
+          match_filename("conan.lock") => {
+            kind: "lockfile",
+            parser: :parse_lockfile,
+          },
+        }
+      end
+
+      add_multi_parser(Bibliothecary::MultiParsers::CycloneDX)
+      add_multi_parser(Bibliothecary::MultiParsers::Spdx)
+      add_multi_parser(Bibliothecary::MultiParsers::DependenciesCSV)
+
+      def self.parse_conanfile_py(file_contents, options: {})
+        dependencies = []
+
+        # Parse self.requires() calls in conanfile.py
+        # Pattern matches: self.requires("package/version") or self.requires("package/version", force=True, options={...})
+        # Captures only the package spec string; additional keyword arguments are ignored
+        file_contents.scan(/self\.requires\(\s*["']([^"']+)["']/).each do |match|
+          manifest_dep = match[0]
+          reference = parse_conan_reference(manifest_dep)
+
+          # Skip entries with no name
+          next if reference[:name].nil? || reference[:name].empty?
+
+          dependencies << Dependency.new(
+            name: reference[:name],
+            requirement: reference[:version],
+            type: "runtime",
+            source: options.fetch(:filename, nil),
+            platform: platform_name
+          )
+        end
+
+        ParserResult.new(dependencies: dependencies)
+      end
+
+      def self.parse_conanfile_txt(file_contents, options: {})
+        dependencies = []
+        current_section = nil
+
+        file_contents.each_line do |line|
+          line = line.strip
+
+          # Skip empty lines and comments
+          next if line.empty? || line.start_with?("#")
+
+          # Check for section headers
+          if line.match?(/^\[([^\]]+)\]$/)
+            current_section = line[1..-2]
+            next
+          end
+
+          # Parse dependencies in [requires] and [build_requires] sections
+          next unless %w[requires build_requires].include?(current_section)
+
+          reference = parse_conan_reference(manifest_dep)
+          next if reference[:name].nil? || reference[:name].empty?
+
+          dependencies << Dependency.new(
+            name: reference[:name],
+            requirement: reference[:version],
+            type: current_section == "requires" ? "runtime" : "development",
+            source: options.fetch(:filename, nil),
+            platform: platform_name
+          )
+        end
+
+        ParserResult.new(dependencies: dependencies)
+      end
+
+      def self.parse_lockfile(file_contents, options: {})
+        manifest = JSON.parse(file_contents)
+
+        # Auto-detect lockfile format version
+        if manifest.dig("graph_lock", "nodes")
+          parse_v1_lockfile(manifest, options: options)
+        else
+          parse_v2_lockfile(manifest, options: options)
+        end
+      end
+
+      def self.parse_v1_lockfile(lockfile, options: {})
+        dependencies = []
+
+        lockfile["graph_lock"]["nodes"].each_value do |node|
+          if node["path"] && !node["path"].empty?
+            # a local "conanfile.txt", skip
+            next
+          end
+
+          reference = nil
+          if node["pref"]
+            #  old format 0.3 (conan 1.27-) lockfiles use "pref" instead of "ref"
+            reference = parse_conan_reference(node["pref"])
+          elsif node["ref"]
+            reference = parse_conan_reference(node["ref"])
+          else
+            next
+          end
+
+          # skip entries with no name, they are most likely consumer's conanfiles
+          # and not dependencies to be searched in a database anyway
+          next if reference[:name].nil? || reference[:name].empty?
+
+          type = case node["context"]
+                 when "build"
+                   "development"
+                 else
+                   "runtime"
+                 end
+
+          dependencies << Dependency.new(
+            name: reference[:name],
+            requirement: reference[:version],
+            type: type,
+            source: options.fetch(:filename, nil),
+            platform: platform_name
+          )
+        end
+
+        ParserResult.new(dependencies: dependencies)
+      end
+
+      def self.parse_v2_lockfile(lockfile, options: {})
+        dependencies = []
+
+        parse_conan_requires(dependencies, lockfile["requires"], "runtime", options)
+        parse_conan_requires(dependencies, lockfile["build_requires"], "development", options)
+        parse_conan_requires(dependencies, lockfile["python_requires"], "development", options)
+
+        ParserResult.new(dependencies: dependencies)
+      end
+
+      # Helper method to parse an array of Conan package references
+      # Similar to OSV Scalibr's parseConanRequires function
+      def self.parse_conan_requires(dependencies, requires, type, options)
+        return unless requires && !requires.empty?
+
+        requires.each do |ref|
+          reference = parse_conan_reference(ref)
+
+          # Skip entries with no name, they are most likely consumer's conanfiles
+          # and not dependencies to be searched in a database anyway
+          next if reference[:name].nil? || reference[:name].empty?
+
+          dependencies << Dependency.new(
+            name: reference[:name],
+            requirement: reference[:version] || "*",
+            type: type,
+            source: options.fetch(:filename, nil),
+            platform: platform_name
+          )
+        end
+      end
+
+      # Parse Conan reference
+      # Handles the full Conan reference format:
+      # name/version[@username[/channel]][#recipe_revision][:package_id[#package_revision]][%timestamp]
+      #
+      # Based on OSV Scalibr's parseConanReference implementation:
+      # https://github.com/google/osv-scalibr/blob/f37275e81582aee924103d49d9a27c8e353477e7/extractor/filesystem/language/cpp/conanlock/conanlock.go
+      #
+      # Returns a hash with keys: name, version, username, channel, recipe_revision, package_id, package_revision, timestamp
+      def self.parse_conan_reference(ref)
+        reference = {
+          name: nil,
+          version: nil,
+          username: nil,
+          channel: nil,
+          recipe_revision: nil,
+          package_id: nil,
+          package_revision: nil,
+          timestamp: nil,
+        }
+
+        return reference if ref.nil? || ref.empty?
+
+        # Validate that ref contains "/" (name/version format)
+        # This filters out invalid entries like "1.2.3" (version without name)
+        return reference unless ref.include?("/")
+
+        # Strip timestamp: name/version%1234 -> name/version
+        parts = ref.split("%", 2)
+        if parts.length == 2
+          ref = parts[0]
+          reference[:timestamp] = parts[1]
+        end
+
+        # Strip package revision: name/version:pkgid#prev -> name/version
+        parts = ref.split(":", 2)
+        if parts.length == 2
+          ref = parts[0]
+          pkg_parts = parts[1].split("#", 2)
+          reference[:package_id] = pkg_parts[0]
+          reference[:package_revision] = pkg_parts[1] if pkg_parts.length == 2
+        end
+
+        # Strip recipe revision: name/version#rrev -> name/version
+        parts = ref.split("#", 2)
+        if parts.length == 2
+          ref = parts[0]
+          reference[:recipe_revision] = parts[1]
+        end
+
+        # Strip username/channel: name/version@user/channel -> name/version
+        parts = ref.split("@", 2)
+        if parts.length == 2
+          ref = parts[0]
+          user_channel = parts[1].split("/", 2)
+          reference[:username] = user_channel[0]
+          reference[:channel] = user_channel[1] if user_channel.length == 2
+        end
+
+        # Split name/version: name/version -> [name, version]
+        parts = ref.split("/", 2)
+        reference[:name] = parts[0]
+        reference[:version] = parts.length == 2 ? parts[1] : nil
+
+        reference
+      end
+    end
+  end
+end

data/lib/bibliothecary/parsers/vcpkg.rb

@@ -0,0 +1,111 @@
+# frozen_string_literal: true
+
+module Bibliothecary
+  module Parsers
+    class Vcpkg
+      include Bibliothecary::Analyser
+
+      def self.mapping
+        {
+          match_filename("vcpkg.json") => {
+            kind: "manifest",
+            parser: :parse_vcpkg_json,
+          },
+          # _generated-vcpkg-list.json is the output of `vcpkg list --x-json`.
+          match_filename("_generated-vcpkg-list.json") => {
+            kind: "lockfile",
+            parser: :parse_vcpkg_list_json,
+          },
+        }
+      end
+
+      add_multi_parser(Bibliothecary::MultiParsers::CycloneDX)
+      add_multi_parser(Bibliothecary::MultiParsers::Spdx)
+      add_multi_parser(Bibliothecary::MultiParsers::DependenciesCSV)
+
+      def self.parse_vcpkg_json(file_contents, options: {})
+        dependencies = []
+        manifest = JSON.parse(file_contents)
+        deps = manifest["dependencies"]
+
+        if !deps || deps.empty?
+          return ParserResult.new(dependencies: dependencies)
+        end
+
+        overrides = {}
+        manifest["overrides"]&.each do |override|
+          if override.is_a?(Hash) && override["name"]
+            override_version = override["version"] || override["version-semver"] || override["version-date"] || override["version-string"]
+            overrides[override["name"]] = format_requirement(override_version, override["port-version"])
+          end
+        end
+
+        deps.each do |dep|
+          if dep.is_a?(String)
+            # Simple string format: "boost-system"
+            name = dep
+            requirement = nil
+            is_development = false
+          elsif dep.is_a?(Hash)
+            # Object format: { "name": "cpprestsdk", "version>=": "2.10.0", ... }
+            name = dep["name"]
+            requirement = if dep["version>="]
+                            ">=#{dep['version>=']}"
+                          end
+            is_development = dep["host"] == true
+          end
+
+          # Skip entries with no name
+          next if name.nil? || name.empty?
+
+          requirement = overrides[name] if overrides[name]
+
+          dependencies << Dependency.new(
+            platform: platform_name,
+            name: name,
+            requirement: requirement,
+            type: is_development ? "development" : "runtime",
+            source: options.fetch(:filename, nil)
+          )
+        end
+
+        ParserResult.new(dependencies: dependencies)
+      end
+
+      def self.parse_vcpkg_list_json(file_contents, options: {})
+        # parses the output of `vcpkg list --x-json`
+        dependencies = []
+        manifest = JSON.parse(file_contents)
+
+        manifest.each_value do |package_info|
+          name = package_info["package_name"]
+          version = package_info["version"]
+          port_version = package_info["port_version"]
+
+          # Skip entries with no name
+          next if name.nil? || name.empty?
+
+          dependencies << Dependency.new(
+            platform: platform_name,
+            name: name,
+            requirement: format_requirement(version, port_version),
+            type: "runtime",
+            source: options.fetch(:filename, nil)
+          )
+        end
+
+        ParserResult.new(dependencies: dependencies)
+      end
+
+      def self.format_requirement(version, port_version)
+        return "*" unless version
+
+        if port_version && port_version > 0
+          return "#{version}##{port_version}"
+        end
+
+        version
+      end
+    end
+  end
+end

data/lib/bibliothecary/purl_util.rb

@@ -12,11 +12,13 @@ module Bibliothecary
       "npm" => :npm,
       "cargo" => :cargo,
       "composer" => :packagist,
+      "conan" => :conan,
       "conda" => :conda,
       "cran" => :cran,
       "gem" => :rubygems,
       "nuget" => :nuget,
       "pypi" => :pypi,
+      "vcpkg" => :vcpkg,
     }.freeze
 
     # @param purl [PackageURL]

data/lib/bibliothecary/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Bibliothecary
-  VERSION = "14.2.0"
+  VERSION = "14.4.0"
 end

metadata

@@ -1,13 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: bibliothecary
 version: !ruby/object:Gem::Version
-  version: 14.2.0
+  version: 14.4.0
 platform: ruby
 authors:
 - Andrew Nesbitt
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-10-02 00:00:00.000000000 Z
+date: 2025-11-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: commander
@@ -135,6 +136,7 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+description:
 email:
 - andrewnez@gmail.com
 executables:
@@ -181,6 +183,7 @@ files:
 - lib/bibliothecary/parsers/bower.rb
 - lib/bibliothecary/parsers/cargo.rb
 - lib/bibliothecary/parsers/cocoapods.rb
+- lib/bibliothecary/parsers/conan.rb
 - lib/bibliothecary/parsers/conda.rb
 - lib/bibliothecary/parsers/cpan.rb
 - lib/bibliothecary/parsers/cran.rb
@@ -198,6 +201,7 @@ files:
 - lib/bibliothecary/parsers/pypi.rb
 - lib/bibliothecary/parsers/rubygems.rb
 - lib/bibliothecary/parsers/shard.rb
+- lib/bibliothecary/parsers/vcpkg.rb
 - lib/bibliothecary/purl_util.rb
 - lib/bibliothecary/related_files_info.rb
 - lib/bibliothecary/runner.rb
@@ -209,6 +213,7 @@ licenses:
 - AGPL-3.0
 metadata:
   rubygems_mfa_required: 'true'
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -223,7 +228,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.3
+rubygems_version: 3.4.19
+signing_key:
 specification_version: 4
 summary: Find and parse manifests
 test_files: []