ecosystems-bibliothecary 15.1.1 → 15.3.0

data/lib/bibliothecary/parsers/carthage.rb

@@ -15,6 +15,10 @@ module Bibliothecary
       # Group 4: unquoted requirement (e.g., >= 1.0, ~> 2.0)
       CARTFILE_REGEXP = /^(github|git|binary)\s+"([^"]+)"(?:\s+(?:"([^"]+)"|((?:>=|<=|~>|==|>|<)\s*[\d.]+)))?/
 
+      def self.file_patterns
+        ["Cartfile", "Cartfile.private", "Cartfile.resolved"]
+      end
+
       def self.mapping
         {
           match_filename("Cartfile") => {

data/lib/bibliothecary/parsers/clojars.rb

@@ -7,11 +7,16 @@ module Bibliothecary
       # Name can be like: org.clojure/clojure, cheshire, ring/ring-defaults
       DEPENDENCY_REGEXP = %r{\[([a-zA-Z0-9_./\-]+)\s+"([^"]+)"\]}
 
+      def self.file_patterns
+        ["project.clj"]
+      end
+
       def self.mapping
         {
           match_filename("project.clj") => {
             kind: "manifest",
             parser: :parse_manifest,
+            can_have_lockfile: false,
           },
         }
       end

data/lib/bibliothecary/parsers/cocoapods.rb

@@ -17,6 +17,10 @@ module Bibliothecary
       # Podspec pattern: .dependency "Name", "version"
       PODSPEC_DEPENDENCY = /\.dependency\s+['"]([^'"]+)['"]\s*(?:,\s*['"]([^'"]+)['"])?/
 
+      def self.file_patterns
+        ["Podfile", "*.podspec", "Podfile.lock", "*.podspec.json"]
+      end
+
       def self.mapping
         {
           match_filename("Podfile") => {
@@ -45,6 +49,9 @@ module Bibliothecary
         source = options.fetch(:filename, nil)
         dependencies = []
 
+        # Parse SPEC CHECKSUMS section to build lookup table
+        checksums = parse_spec_checksums(file_contents)
+
         # Match pod entries: "  - Name (version)" or "  - Name/Subspec (version)"
         # Only process lines in PODS section (before DEPENDENCIES section)
         pods_section = file_contents.split(/^DEPENDENCIES:/)[0]
@@ -56,13 +63,38 @@ module Bibliothecary
             name: base_name,
             requirement: version,
             type: "runtime",
-            source: source
+            source: source,
+            integrity: checksums[base_name]
           )
         end
 
         ParserResult.new(dependencies: dependencies)
       end
 
+      def self.parse_spec_checksums(file_contents)
+        checksums = {}
+        in_checksums = false
+
+        file_contents.each_line do |line|
+          if line.start_with?("SPEC CHECKSUMS:")
+            in_checksums = true
+            next
+          end
+
+          next unless in_checksums
+
+          # End of section (blank line or new section)
+          break if line.strip.empty? || (line !~ /^\s/ && line.strip != "")
+
+          # Match "  Name: sha1hash"
+          if (match = line.match(/^\s+([^:]+):\s*([a-f0-9]+)\s*$/))
+            checksums[match[1]] = "sha1=#{match[2]}"
+          end
+        end
+
+        checksums
+      end
+
       def self.parse_podspec(file_contents, options: {})
         source = options.fetch(:filename, nil)
         deps = []

data/lib/bibliothecary/parsers/cog.rb

@@ -5,12 +5,16 @@ module Bibliothecary
     class Cog
       include Bibliothecary::Analyser
 
+      def self.file_patterns
+        ["cog.yaml"]
+      end
+
       def self.mapping
         {
           match_filename("cog.yaml") => {
             kind: 'manifest',
             parser: :parse_cog_yaml,
-            related_to: [ 'manifest' ]
+            can_have_lockfile: false,
           }
         }
       end

data/lib/bibliothecary/parsers/conan.rb

@@ -5,6 +5,10 @@ module Bibliothecary
     class Conan
       include Bibliothecary::Analyser
 
+      def self.file_patterns
+        ["conanfile.py", "conanfile.txt", "conan.lock"]
+      end
+
       def self.mapping
         {
           match_filename("conanfile.py") => {

data/lib/bibliothecary/parsers/conda.rb

@@ -7,15 +7,21 @@ module Bibliothecary
     class Conda
       include Bibliothecary::Analyser
 
+      def self.file_patterns
+        ["environment.yml", "environment.yaml"]
+      end
+
       def self.mapping
         {
           match_filename("environment.yml") => {
             parser: :parse_conda,
             kind: "manifest",
+            can_have_lockfile: false,
           },
           match_filename("environment.yaml") => {
             parser: :parse_conda,
             kind: "manifest",
+            can_have_lockfile: false,
           },
         }
       end

data/lib/bibliothecary/parsers/cpan.rb

@@ -8,6 +8,10 @@ module Bibliothecary
     class CPAN
       include Bibliothecary::Analyser
 
+      def self.file_patterns
+        ["META.json", "META.yml", "cpanfile", "cpanfile.snapshot", "Makefile.PL", "Build.PL"]
+      end
+
       def self.mapping
         {
           match_filename("META.json", case_insensitive: true) => {

data/lib/bibliothecary/parsers/cran.rb

@@ -9,6 +9,10 @@ module Bibliothecary
 
       REQUIRE_REGEXP = /([a-zA-Z0-9\-_.]+)\s?\(?([><=\s\d.,]+)?\)?/
 
+      def self.file_patterns
+        ["DESCRIPTION", "renv.lock"]
+      end
+
       def self.mapping
         {
           match_filename("DESCRIPTION", case_insensitive: true) => {

data/lib/bibliothecary/parsers/deb.rb

@@ -0,0 +1,132 @@
+# frozen_string_literal: true
+
+module Bibliothecary
+  module Parsers
+    class Deb
+      include Bibliothecary::Analyser
+
+      def self.file_patterns
+        ["debian/control", "control"]
+      end
+
+      def self.mapping
+        {
+          match_filename("debian/control") => {
+            kind: "manifest",
+            parser: :parse_control,
+            can_have_lockfile: false,
+          },
+          match_filename("control") => {
+            kind: "manifest",
+            parser: :parse_control,
+            can_have_lockfile: false,
+          },
+        }
+      end
+
+      BUILD_DEP_FIELDS = %w[Build-Depends Build-Depends-Indep Build-Depends-Arch].freeze
+      RUNTIME_DEP_FIELDS = %w[Depends Pre-Depends Recommends Suggests].freeze
+
+      def self.parse_control(file_contents, options: {})
+        source = options.fetch(:filename, nil)
+        dependencies = []
+
+        # Parse the control file - it's in RFC 822 format with continuation lines
+        # Fields can span multiple lines if continuation lines start with whitespace
+        fields = parse_fields(file_contents)
+
+        # Build dependencies
+        BUILD_DEP_FIELDS.each do |field_name|
+          next unless fields[field_name.downcase]
+
+          parse_dependency_list(fields[field_name.downcase]).each do |dep|
+            dependencies << Dependency.new(
+              name: dep[:name],
+              requirement: dep[:requirement] || "*",
+              type: "build",
+              source: source,
+              platform: platform_name
+            )
+          end
+        end
+
+        # Runtime dependencies
+        RUNTIME_DEP_FIELDS.each do |field_name|
+          next unless fields[field_name.downcase]
+
+          parse_dependency_list(fields[field_name.downcase]).each do |dep|
+            dependencies << Dependency.new(
+              name: dep[:name],
+              requirement: dep[:requirement] || "*",
+              type: "runtime",
+              source: source,
+              platform: platform_name
+            )
+          end
+        end
+
+        ParserResult.new(dependencies: dependencies)
+      end
+
+      def self.parse_fields(contents)
+        fields = {}
+        current_field = nil
+        current_value = []
+
+        contents.each_line do |line|
+          if line =~ /^(\S+):\s*(.*)$/
+            # Save previous field
+            if current_field
+              fields[current_field] = current_value.join(" ").strip
+            end
+            current_field = $1.downcase
+            current_value = [$2]
+          elsif line =~ /^\s+(.*)$/ && current_field
+            # Continuation line
+            current_value << $1
+          elsif line.strip.empty?
+            # Empty line - save current field and reset
+            if current_field
+              fields[current_field] = current_value.join(" ").strip
+            end
+            current_field = nil
+            current_value = []
+          end
+        end
+
+        # Save last field
+        if current_field
+          fields[current_field] = current_value.join(" ").strip
+        end
+
+        fields
+      end
+
+      def self.parse_dependency_list(dep_string)
+        deps = []
+
+        # Dependencies are comma-separated
+        dep_string.split(/,/).each do |dep|
+          dep = dep.strip
+          next if dep.empty?
+          next if dep.start_with?("$") # Skip substitution variables like ${shlibs:Depends}
+
+          # Handle alternatives (pkg1 | pkg2) - just take the first one
+          dep = dep.split("|").first.strip
+
+          # Parse package name and optional version constraint
+          # Format: package (>= 1.0) or just package
+          if dep =~ /^(\S+)\s*\(([^)]+)\)$/
+            name = $1
+            constraint = $2.strip
+            deps << { name: name, requirement: constraint }
+          elsif dep =~ /^(\S+)$/
+            deps << { name: $1, requirement: nil }
+          end
+        end
+
+        deps
+      end
+    end
+  end
+end

data/lib/bibliothecary/parsers/deno.rb

@@ -0,0 +1,112 @@
+# frozen_string_literal: true
+
+require "json"
+
+module Bibliothecary
+  module Parsers
+    class Deno
+      include Bibliothecary::Analyser
+
+      def self.file_patterns
+        ["deno.json", "deno.jsonc", "deno.lock"]
+      end
+
+      def self.mapping
+        {
+          match_filename("deno.json") => {
+            kind: "manifest",
+            parser: :parse_manifest,
+          },
+          match_filename("deno.jsonc") => {
+            kind: "manifest",
+            parser: :parse_manifest,
+          },
+          match_filename("deno.lock") => {
+            kind: "lockfile",
+            parser: :parse_lockfile,
+          },
+        }
+      end
+
+      def self.parse_manifest(file_contents, options: {})
+        manifest = JSON.parse(file_contents)
+        source = options.fetch(:filename, nil)
+
+        dependencies = manifest.fetch("imports", {}).map do |alias_name, specifier|
+          name, requirement = parse_specifier(specifier)
+          next unless name
+
+          Dependency.new(
+            name: name,
+            requirement: requirement,
+            type: "runtime",
+            source: source,
+            platform: platform_name
+          )
+        end.compact
+
+        ParserResult.new(dependencies: dependencies)
+      end
+
+      def self.parse_lockfile(file_contents, options: {})
+        manifest = JSON.parse(file_contents)
+        source = options.fetch(:filename, nil)
+
+        # Build integrity lookup from jsr and npm sections
+        integrity_map = {}
+        manifest.fetch("jsr", {}).each do |key, value|
+          integrity_map["jsr:#{key}"] = value["integrity"] if value.is_a?(Hash) && value["integrity"]
+        end
+        manifest.fetch("npm", {}).each do |key, value|
+          integrity_map["npm:#{key}"] = value["integrity"] if value.is_a?(Hash) && value["integrity"]
+        end
+
+        dependencies = manifest.fetch("specifiers", {}).map do |specifier, resolved_version|
+          name, _requirement = parse_specifier(specifier)
+          next unless name
+
+          # Determine protocol (npm: or jsr:) and build lookup key
+          protocol = specifier.start_with?("jsr:") ? "jsr" : "npm"
+          integrity_key = "#{protocol}:#{name}@#{resolved_version}"
+
+          Dependency.new(
+            name: name,
+            requirement: resolved_version,
+            type: "runtime",
+            source: source,
+            platform: platform_name,
+            integrity: integrity_map[integrity_key]
+          )
+        end.compact
+
+        ParserResult.new(dependencies: dependencies)
+      end
+
+      # Parses specifiers like:
+      #   "npm:chalk@1" => ["chalk", "1"]
+      #   "npm:chalk" => ["chalk", "*"]
+      #   "jsr:@std/path@^1" => ["@std/path", "^1"]
+      #   "jsr:@std/path" => ["@std/path", "*"]
+      def self.parse_specifier(specifier)
+        return nil unless specifier.start_with?("npm:", "jsr:")
+
+        # Remove the protocol prefix
+        without_protocol = specifier.sub(/^(npm|jsr):/, "")
+
+        # Handle scoped packages (@scope/name@version)
+        if without_protocol.start_with?("@")
+          # Split on @ but keep the first @ for the scope
+          parts = without_protocol[1..].split("@", 2)
+          name = "@#{parts[0]}"
+          requirement = parts[1] || "*"
+        else
+          # Regular package (name@version)
+          name, requirement = without_protocol.split("@", 2)
+          requirement ||= "*"
+        end
+
+        [name, requirement]
+      end
+    end
+  end
+end

data/lib/bibliothecary/parsers/docker.rb

@@ -8,6 +8,10 @@ module Bibliothecary
 
       DOCKER_COMPOSE_REGEXP = /docker-compose[a-zA-Z0-9\-_\.]*\.yml$/
 
+      def self.file_patterns
+        ["docker-compose*.yml", "Dockerfile"]
+      end
+
       def self.mapping
         {
           lambda { |p| DOCKER_COMPOSE_REGEXP.match(p) } => {

data/lib/bibliothecary/parsers/dub.rb

@@ -9,15 +9,21 @@ module Bibliothecary
 
       SDL_DEPENDENCY_REGEXP = /^dependency\s+"([^"]+)"(?:\s+version="([^"]+)")?/
 
+      def self.file_patterns
+        ["dub.json", "dub.sdl"]
+      end
+
       def self.mapping
         {
           match_filename("dub.json") => {
             kind: "manifest",
             parser: :parse_json_manifest,
+            can_have_lockfile: false,
           },
           match_filename("dub.sdl") => {
             kind: "manifest",
             parser: :parse_sdl_manifest,
+            can_have_lockfile: false,
           },
         }
       end

data/lib/bibliothecary/parsers/dvc.rb

@@ -5,12 +5,16 @@ module Bibliothecary
     class DVC
       include Bibliothecary::Analyser
 
+      def self.file_patterns
+        ["dvc.yaml"]
+      end
+
       def self.mapping
         {
           match_filename("dvc.yaml") => {
             kind: 'manifest',
             parser: :parse_dvc_yaml,
-            related_to: [ 'manifest' ]
+            can_have_lockfile: false,
           }
         }
       end

data/lib/bibliothecary/parsers/elm.rb

@@ -7,6 +7,10 @@ module Bibliothecary
     class Elm
       include Bibliothecary::Analyser
 
+      def self.file_patterns
+        ["elm-package.json", "elm_dependencies.json", "elm-stuff/exact-dependencies.json"]
+      end
+
       def self.mapping
         {
           match_filenames("elm-package.json", "elm_dependencies.json") => {

data/lib/bibliothecary/parsers/go.rb

@@ -18,6 +18,10 @@ module Bibliothecary
       GOMOD_MULTILINE_END_REGEXP = /^\)/
       GOSUM_REGEXP = /^(.+)\s+(.+)\s+(.+)$/
 
+      def self.file_patterns
+        ["go.mod", "go.sum", "glide.yaml", "glide.lock", "Godeps/Godeps.json", "Godeps", "vendor/manifest", "vendor/vendor.json", "Gopkg.toml", "Gopkg.lock", "go-resolved-dependencies.json"]
+      end
+
       def self.mapping
         {
           # Go Modules (recommended)
@@ -205,10 +209,12 @@ module Bibliothecary
             requirement: match[2].strip.split("/").first,
             type: "runtime",
             source: options.fetch(:filename, nil),
-            platform: platform_name
+            platform: platform_name,
+            integrity: match[3].strip
           )
         end
-        dependencies = deps.uniq
+        # Dedupe by name+requirement, keeping the first occurrence (h1 hash, not go.mod hash)
+        dependencies = deps.uniq { |d| [d.name, d.requirement] }
         ParserResult.new(dependencies: dependencies)
       end
 

data/lib/bibliothecary/parsers/hackage.rb

@@ -12,8 +12,12 @@ module Bibliothecary
       # Matches build-tool-depends format: package:tool == version
       BUILD_TOOL_REGEXP = /^\s*([a-zA-Z][a-zA-Z0-9-]*):[a-zA-Z][a-zA-Z0-9-]*\s*((?:[<>=!]+\s*[\d.*]+(?:\s*&&\s*[<>=!]+\s*[\d.*]+)*)?)/
 
-      # Matches stack.yaml.lock hackage entries like: hackage: fuzzyset-0.2.4@sha256:...
-      STACK_LOCK_REGEXP = /hackage:\s*([a-zA-Z0-9-]+)-([0-9.]+)@/
+      # Matches stack.yaml.lock hackage entries like: hackage: fuzzyset-0.2.4@sha256:hash,size
+      STACK_LOCK_REGEXP = /hackage:\s*([a-zA-Z0-9-]+)-([0-9.]+)@sha256:([a-f0-9]+)/
+
+      def self.file_patterns
+        ["*.cabal", "*cabal.config", "stack.yaml.lock", "cabal.project.freeze"]
+      end
 
       def self.mapping
         {
@@ -29,6 +33,10 @@ module Bibliothecary
             kind: "lockfile",
             parser: :parse_stack_yaml_lock,
           },
+          match_filename("cabal.project.freeze") => {
+            kind: "lockfile",
+            parser: :parse_cabal_project_freeze,
+          },
         }
       end
 
@@ -185,6 +193,54 @@ module Bibliothecary
           match = line.match(STACK_LOCK_REGEXP)
           next unless match
 
+          deps << Dependency.new(
+            platform: platform_name,
+            name: match[1],
+            requirement: match[2],
+            type: "runtime",
+            source: source,
+            integrity: "sha256=#{match[3]}"
+          )
+        end
+
+        ParserResult.new(dependencies: deps)
+      end
+
+      def self.parse_cabal_project_freeze(file_contents, options: {})
+        source = options.fetch(:filename, "cabal.project.freeze")
+        deps = []
+
+        # Parse constraints field which can span multiple lines
+        # Format: constraints: any.pkg ==version, any.pkg2 ==version2, ...
+        # Also handles flag constraints like: any.pkg +flag -flag2
+        constraints = nil
+        file_contents.each_line do |line|
+          if line =~ /^constraints:\s*(.*)/i
+            constraints = $1.strip
+          elsif line =~ /^\s+(.*)/ && constraints
+            constraints += " " + $1.strip
+          elsif line =~ /^[a-z]/i && constraints
+            break
+          end
+        end
+
+        return ParserResult.new(dependencies: []) unless constraints
+
+        constraints.split(",").each do |dep_str|
+          dep_str = dep_str.strip
+          next if dep_str.empty?
+
+          # Format: any.package ==version or any.package +flag -flag
+          # Skip flag-only entries (no version constraint)
+          next unless dep_str.include?("==")
+
+          # Remove "any." prefix and parse
+          dep_str = dep_str.sub(/^any\./, "")
+
+          # Extract name and version: "package ==version" or "package ==version +flag"
+          match = dep_str.match(/^([a-zA-Z][a-zA-Z0-9-]*)\s*==\s*([\d.]+)/)
+          next unless match
+
           deps << Dependency.new(
             platform: platform_name,
             name: match[1],

data/lib/bibliothecary/parsers/haxelib.rb

@@ -7,11 +7,16 @@ module Bibliothecary
     class Haxelib
       include Bibliothecary::Analyser
 
+      def self.file_patterns
+        ["haxelib.json"]
+      end
+
       def self.mapping
         {
           match_filename("haxelib.json") => {
             kind: "manifest",
             parser: :parse_manifest,
+            can_have_lockfile: false,
           },
         }
       end