bibliothecary 15.1.3 → 15.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0467bf0dd389f6a58cd69510bd2fe2865f3d3d762732e5aac80f0348f2b785a7
-  data.tar.gz: 0b2015f0e1d5e0c80c82c554f14b5d03fbe96c8be58a27f630eefe6e33083eda
+  metadata.gz: ffea645c09e3339df27b102c3a6963e34346002770c9b0d5465cf7bad8e22409
+  data.tar.gz: bf2414a526fb1e90f5100efb8099e8f9ecedec8e98ffe7fd7d6df183b5b03f39
 SHA512:
-  metadata.gz: 47a1f33ff32ecb3bb8dcf4636e6b1bf4393d95b85a5a7b13c44b8438f14014e200043d45295b3c51f535acb34aa28293563584c8ce049b7af3b43955ac2f26a1
-  data.tar.gz: 45471c05872e2ec7b29013c4eab33fb268801ccb64c6e5c3238c7f86b0e5c3daea3969f3fdacbc2109f1dab55aeadb06a78084aaef6d82ed7c85135107ebe101
+  metadata.gz: 54c363ec31dea80e1f74c63d3067821d9014b4c58c37f4a8aff98a86864ba1bcbc928e6158e0a2b55283139e7bf156c3a81677bcccbfdd635144c40e2a4f6b86
+  data.tar.gz: e05042d78d5db12d3053f2e0fe2017a5dd3395a0ac7c986c204a8f3ae4db5e911f305efd799cd5d72f19b56420fe5b760b23cbba7524c676a41fceb7494724af

data/CHANGELOG.md

@@ -13,6 +13,18 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Removed
 
+## [15.2.0]
+
+### Changed
+
+- Exclude sub-projects in gradle-dependencies-q.txt unless keep_subprojects_in_maven_tree is true.
+- The format of Gradle sub-project GAVs that were found in a dependency tree has changed from "internal:my-subproject:1.0.0" to ":my-subproject:*".
+- Gradle dependencies in gradle-dependencies-q.txt with "(n)" suffix will be ignored in favor of their resolved dependencies, so the full dependency list could now be smaller but still correct.
+
+### Added
+
+- Added support for another project name pattern in gradle-dependencies-q.txt lockfiles.
+
 ## [15.1.3]
 
 ### Added
@@ -20,6 +32,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Start collecting "project_name" from gradle-dependencies-q.txt lockfiles.
 - Start collecting "project_name" from package.json manifests.
 
+### Changed
+
+- Bibliothecary::Parsers::Maven's GRADLE_PROJECT_REGEXP constant was renamed to GRADLE_DEPENDENCY_PROJECT_REGEXP.
+
 ### Removed
 
 - Remove "go.sum" as a lockfile for Golang because it is not a lockfile.

data/lib/bibliothecary/parsers/maven.rb

@@ -21,12 +21,15 @@ module Bibliothecary
       # e.g. "|    \\--- com.google.guava:guava:23.5-jre (*)"
       GRADLE_DEP_REGEXP = /(\+---|\\---){1}/
 
-      GRADLE_PROJECT_REGEXP = /\s*Project '?:?([^\s']+)'?/
+      GRADLE_ARROW_REGEXP = / -> /
+
+      # The name of the project containing the given dependencies
+      GRADLE_PROJECT_REGEXP = /\s*(Root p|P)roject '?:?([^\s']+)'?/
 
       # Dependencies that are on-disk projects, eg:
       # e.g. "\--- project :api:my-internal-project"
       # e.g. "+--- my-group:my-alias:1.2.3 -> project :client (*)"
-      GRADLE_DEPENDENCY_PROJECT_REGEXP = /project :(\S+)?/
+      GRADLE_DEPENDENCY_PROJECT_REGEXP = /project :?(\S+)?/
 
       # line ending legend: (c) means a dependency constraint, (n) means not resolved, or (*) means resolved previously, e.g. org.springframework.boot:spring-boot-starter-web:2.1.0.M3 (*)
       # e.g. the "(n)" in "+--- my-group:my-name:1.2.3 (n)"
@@ -192,12 +195,15 @@ module Bibliothecary
       end
 
       def self.parse_gradle_resolved(file_contents, options: {})
+        keep_subprojects = options.fetch(:keep_subprojects_in_maven_tree, false)
         current_type = nil
         project_name = nil
 
-        dependencies = file_contents.split("\n").map do |line|
+        dependencies = file_contents.lines.filter_map do |line|
+          next if line.strip.end_with?("(n)") # skip unresolved or already-resolved dependencies
+
           if project_name.nil? && (project_name_match = GRADLE_PROJECT_REGEXP.match(line))
-            project_name = project_name_match.captures[0]
+            project_name = project_name_match.captures[1]
             next
           end
 
@@ -207,66 +213,68 @@ module Bibliothecary
           gradle_dep_match = GRADLE_DEP_REGEXP.match(line)
           next unless gradle_dep_match
 
-          split = gradle_dep_match.captures[0]
-
-          # gradle can import on-disk projects and deps will be listed under them, e.g. `+--- project :test:integration`,
-          # so we treat these projects as "internal" deps with requirement of "1.0.0"
+          # omit Gradle project dependencies
           if (project_match = line.match(GRADLE_DEPENDENCY_PROJECT_REGEXP))
-            # an empty project name is self-referential (i.e. a cycle), and we don't need to track the manifest's project itself, e.g. "+--- project :"
+            next unless keep_subprojects
+
+            # an empty project name is self-referential (i.e. a cycle), and we don't need to track the manifest's
+            # project itself, e.g. "+--- project :"
             next if project_match[1].nil?
 
-            # project names can have colons (e.g. for gradle projects in subfolders), which breaks maven artifact naming assumptions, so just replace them with hyphens.
-            project_name = project_match[1].gsub(":", "-")
-            line = line.sub(GRADLE_DEPENDENCY_PROJECT_REGEXP, "internal:#{project_name}:1.0.0")
+            sub_project_name = project_match[1]
+            # gradle sub-project versions cannot be specified when including them (gradle just uses whichever version is in the
+            # codebase), and their versions are 'unspecified' if not set, so just use a wildcard placeholder since it doesn't matter.
+            line = line.sub(GRADLE_DEPENDENCY_PROJECT_REGEXP, ":#{sub_project_name}:*")
           end
 
-          dep = line
-            .split(split)[1]
+          cleaned_line = line
+            .split(gradle_dep_match.captures[0])[1]
             .sub(GRADLE_LINE_ENDING_REGEXP, "")
             .sub(/ FAILED$/, "") # dependency could not be resolved (but still may have a version)
-            .sub(" -> ", ":") # handle version arrow syntax
             .strip
-            .split(":")
 
-          # A testImplementation line can look like this so just skip those
-          # \--- org.springframework.security:spring-security-test (n)
-          next unless dep.length >= 3
+          # " -> " is either for an aliased dependency, or a version that was resolved from a different requirement or no requirement.
+          if cleaned_line =~ GRADLE_ARROW_REGEXP
+            original_depstring, resolved_depstring = *cleaned_line.split(GRADLE_ARROW_REGEXP, 2)
 
-          if dep.count == 6
-            # get name from renamed package resolution "org:name:version -> renamed_org:name:version"
-            Dependency.new(
-              original_name: dep[0, 2].join(":"),
-              original_requirement: dep[2],
-              name: dep[-3..-2].join(":"),
-              requirement: dep[-1],
-              type: current_type,
-              source: options.fetch(:filename, nil),
-              platform: platform_name
-            )
-          elsif dep.count == 5
-            # get name from renamed package resolution "org:name -> renamed_org:name:version"
-            Dependency.new(
-              original_name: dep[0, 2].join(":"),
-              original_requirement: "*",
-              name: dep[-3..-2].join(":"),
-              requirement: dep[-1],
-              type: current_type,
-              source: options.fetch(:filename, nil),
-              platform: platform_name
-            )
+            parts = original_depstring.split(":")
+            original_name = parts[0..1].join(":") # original at minimum will have a 2-part name
+            original_requirement = parts[2] || "*"
+
+            parts = resolved_depstring.split(":")
+            resolved_requirement = parts.pop # resolved at minimum will have a 1-part version
+            resolved_name = parts.join(":")
+
+            # this case is not an actual alias, just a different version was resolved, so won't keep track of original
+            if resolved_name.empty? && !original_name.empty?
+              resolved_name = original_name
+              original_name = nil
+              original_requirement = nil
+            end
           else
-            # get name from version conflict resolution ("org:name:version -> version") and no-resolution ("org:name:version")
-            Dependency.new(
-              name: dep[0..1].join(":"),
-              requirement: dep[-1],
-              type: current_type,
-              source: options.fetch(:filename, nil),
-              platform: platform_name
-            )
+            original_name = nil
+            original_requirement = nil
+
+            # handle simple resolved dep
+            parts = cleaned_line.split(":")
+            next if parts.size < 3 # we didn't get a full name and version, so skip it
+
+            resolved_requirement = parts.pop
+            resolved_name = parts.join(":")
           end
+
+          Dependency.new(
+            original_name: original_name,
+            original_requirement: original_requirement,
+            name: resolved_name,
+            requirement: resolved_requirement,
+            type: current_type,
+            source: options.fetch(:filename, nil),
+            platform: platform_name
+          )
         end
-          .compact
           .uniq { |item| [item.name, item.requirement, item.type, item.original_name, item.original_requirement] }
+
         ParserResult.new(
           project_name: project_name,
           dependencies: dependencies

data/lib/bibliothecary/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Bibliothecary
-  VERSION = "15.1.3"
+  VERSION = "15.2.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: bibliothecary
 version: !ruby/object:Gem::Version
-  version: 15.1.3
+  version: 15.2.0
 platform: ruby
 authors:
 - Andrew Nesbitt
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-02-10 00:00:00.000000000 Z
+date: 2026-02-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: commander