gemxray 0.1.0

data/lib/gemxray/code_scanner.rb

@@ -0,0 +1,143 @@
+# frozen_string_literal: true
+
+require "etc"
+require "find"
+require "set"
+
+module GemXray
+  class CodeScanner
+    SCAN_EXTENSIONS = %w[.rb .erb .haml .slim .rake .thor .gemspec .ru].freeze
+    REQUIRE_PATTERN = /
+      (?:
+        \brequire(?:_relative)?\s*\(?\s*["']([^"']+)["']
+      |
+        send\(\s*:require\s*,\s*["']([^"']+)["']
+      )
+    /x.freeze
+    CONSTANT_PATTERN = /\b(?:[A-Z][A-Za-z0-9]*)(?:::[A-Z][A-Za-z0-9]*)*\b/.freeze
+    GEMSPEC_DEPENDENCY_PATTERN = /\badd_(?:runtime_)?dependency\s+["']([^"']+)["']/.freeze
+
+    class Snapshot
+      attr_reader :requires, :constants, :dependency_names, :files
+
+      def initialize(requires:, constants:, dependency_names:, files:)
+        @requires = requires
+        @constants = constants
+        @dependency_names = dependency_names
+        @files = files
+      end
+
+      def require_used?(candidates)
+        Array(candidates).any? do |candidate|
+          requires.any? { |reference| reference == candidate || reference.start_with?("#{candidate}/") }
+        end
+      end
+
+      def constant_used?(candidates)
+        !(constants & candidates.to_set).empty?
+      end
+
+      def dependency_used?(gem_name)
+        dependency_names.include?(gem_name)
+      end
+    end
+
+    def initialize(config)
+      @config = config
+    end
+
+    def scan
+      requires = Set.new
+      constants = Set.new
+      dependency_names = Set.new
+      files = scan_files
+
+      scan_payloads(files).each do |payload|
+        payload[:requires].each { |value| requires << value }
+        payload[:constants].each { |value| constants << value }
+        payload[:dependency_names].each { |value| dependency_names << value }
+      end
+
+      Snapshot.new(
+        requires: requires,
+        constants: constants,
+        dependency_names: dependency_names,
+        files: files
+      )
+    end
+
+    private
+
+    attr_reader :config
+
+    def scan_payloads(files)
+      count = [files.length, worker_count].min
+      return files.filter_map { |path| scan_file(path) } if count <= 1
+
+      queue = Queue.new
+      files.each { |path| queue << path }
+      count.times { queue << nil }
+
+      Array.new(count) do
+        Thread.new do
+          payloads = []
+
+          while (path = queue.pop)
+            payload = scan_file(path)
+            payloads << payload if payload
+          end
+
+          payloads
+        end
+      end.flat_map(&:value)
+    end
+
+    def scan_files
+      root = config.project_root
+      paths = []
+
+      config.scan_dirs.each do |relative_dir|
+        absolute_dir = File.join(root, relative_dir)
+        next unless Dir.exist?(absolute_dir)
+
+        Find.find(absolute_dir) do |path|
+          next if File.directory?(path)
+          next unless SCAN_EXTENSIONS.include?(File.extname(path))
+
+          paths << path
+        end
+      end
+
+      %w[Gemfile Rakefile].each do |filename|
+        absolute_path = File.join(root, filename)
+        paths << absolute_path if File.exist?(absolute_path)
+      end
+
+      Dir.glob(File.join(root, "*.gemspec")).each { |path| paths << path }
+
+      paths.uniq
+    end
+
+    def scan_file(path)
+      content = File.read(path, encoding: "utf-8")
+      {
+        requires: extract_requires(content),
+        constants: content.scan(CONSTANT_PATTERN),
+        dependency_names: content.scan(GEMSPEC_DEPENDENCY_PATTERN).flatten
+      }
+    rescue ArgumentError, Errno::ENOENT
+      nil
+    end
+
+    def worker_count
+      cpu_count = Etc.nprocessors
+      [[cpu_count, 2].max, 8].min
+    rescue StandardError
+      4
+    end
+
+    def extract_requires(content)
+      content.scan(REQUIRE_PATTERN).map { |left, right| left || right }.compact
+    end
+  end
+end

data/lib/gemxray/config.rb

@@ -0,0 +1,215 @@
+# frozen_string_literal: true
+
+require "yaml"
+
+module GemXray
+  class Config
+    DEFAULT_CONFIG_PATH = ".gemxray.yml"
+    DEFAULT_SCAN_DIRS = %w[app lib config db script bin exe spec test tasks].freeze
+    DEFAULTS = {
+      gemfile_path: "Gemfile",
+      format: "terminal",
+      only: nil,
+      severity: "info",
+      auto_fix: false,
+      dry_run: false,
+      ci: false,
+      comment: false,
+      bundle_install: false,
+      whitelist: [],
+      scan_dirs: [],
+      overrides: {},
+      redundant_depth: 2,
+      github: {
+        base_branch: "main",
+        labels: %w[dependencies cleanup],
+        reviewers: [],
+        per_gem: false,
+        bundle_install: true
+      }
+    }.freeze
+    SEVERITY_ORDER = { danger: 0, warning: 1, info: 2 }.freeze
+    TEMPLATE = <<~YAML.freeze
+      version: 1
+
+      whitelist:
+        - bootsnap
+        - tzinfo-data
+
+      scan_dirs:
+        - engines/billing/app
+        - engines/billing/lib
+
+      overrides:
+        puma:
+          severity: ignore
+
+      github:
+        base_branch: main
+        labels:
+          - dependencies
+          - cleanup
+        reviewers: []
+        per_gem: false
+        bundle_install: true
+    YAML
+
+    attr_reader :config_path, :gemfile_path, :format, :only, :severity_threshold, :whitelist,
+                :scan_dirs, :overrides, :redundant_depth, :github
+
+    def self.load(options = {})
+      raw_options = symbolize_keys(options)
+      config_path = raw_options.delete(:config_path) || DEFAULT_CONFIG_PATH
+      file_options = load_file_config(config_path)
+      merged = deep_merge(DEFAULTS, deep_merge(file_options, raw_options))
+
+      new(merged, config_path: config_path)
+    end
+
+    def self.load_file_config(path)
+      return {} unless path && File.exist?(path)
+
+      symbolize_keys(YAML.safe_load(File.read(path), aliases: true) || {})
+    end
+
+    def self.symbolize_keys(value)
+      case value
+      when Hash
+        value.each_with_object({}) do |(key, nested), result|
+          result[key.to_sym] = symbolize_keys(nested)
+        end
+      when Array
+        value.map { |item| symbolize_keys(item) }
+      else
+        value
+      end
+    end
+
+    def self.deep_merge(left, right)
+      left.merge(right) do |_key, left_value, right_value|
+        if left_value.is_a?(Hash) && right_value.is_a?(Hash)
+          deep_merge(left_value, right_value)
+        elsif left_value.is_a?(Array) && right_value.is_a?(Array)
+          (left_value + right_value).uniq
+        else
+          right_value
+        end
+      end
+    end
+
+    def initialize(options, config_path:)
+      @config_path = config_path
+      @gemfile_path = File.expand_path(options.fetch(:gemfile_path))
+      @format = options.fetch(:format).to_s
+      @only = normalize_only(options[:only])
+      @severity_threshold = normalize_severity(options.fetch(:severity))
+      @whitelist = Array(options[:whitelist]).map(&:to_s).uniq
+      @scan_dirs = (DEFAULT_SCAN_DIRS + Array(options[:scan_dirs]).map(&:to_s)).uniq
+      @overrides = options.fetch(:overrides, {})
+      @redundant_depth = options.fetch(:redundant_depth).to_i
+      @github = options.fetch(:github)
+      @auto_fix = truthy?(options[:auto_fix])
+      @dry_run = truthy?(options[:dry_run])
+      @ci = truthy?(options[:ci])
+      @comment = truthy?(options[:comment])
+      @bundle_install = truthy?(options[:bundle_install])
+    end
+
+    def lockfile_path
+      "#{gemfile_path}.lock"
+    end
+
+    def project_root
+      File.dirname(gemfile_path)
+    end
+
+    def auto_fix?
+      @auto_fix
+    end
+
+    def dry_run?
+      @dry_run
+    end
+
+    def ci?
+      @ci
+    end
+
+    def comment?
+      @comment
+    end
+
+    def bundle_install?
+      @bundle_install
+    end
+
+    def whitelisted?(gem_name)
+      whitelist.include?(gem_name.to_s)
+    end
+
+    def override_for(gem_name)
+      overrides[gem_name.to_sym] || overrides[gem_name.to_s]
+    end
+
+    def ignore_gem?(gem_name)
+      override = override_for(gem_name)
+      override && override[:severity].to_s == "ignore"
+    end
+
+    def override_severity_for(gem_name)
+      override = override_for(gem_name)
+      severity = override && override[:severity]
+      return nil if severity.nil? || severity.to_s == "ignore"
+
+      normalize_severity(severity)
+    end
+
+    def severity_in_scope?(severity)
+      SEVERITY_ORDER.fetch(severity) <= SEVERITY_ORDER.fetch(severity_threshold)
+    end
+
+    def github_base_branch
+      github.fetch(:base_branch, "main")
+    end
+
+    def github_labels
+      Array(github.fetch(:labels, []))
+    end
+
+    def github_reviewers
+      Array(github.fetch(:reviewers, []))
+    end
+
+    def github_per_gem?
+      truthy?(github.fetch(:per_gem, false))
+    end
+
+    def github_bundle_install?
+      truthy?(github.fetch(:bundle_install, true))
+    end
+
+    private
+
+    def normalize_only(value)
+      items =
+        case value
+        when nil then nil
+        when String then value.split(",")
+        else Array(value)
+        end
+
+      items&.map { |item| item.to_s.strip }&.reject(&:empty?)&.map(&:to_sym)
+    end
+
+    def normalize_severity(value)
+      key = value.to_s.strip.downcase.to_sym
+      return key if SEVERITY_ORDER.key?(key)
+
+      raise Error, "unknown severity: #{value}"
+    end
+
+    def truthy?(value)
+      value == true || value.to_s == "true"
+    end
+  end
+end

data/lib/gemxray/dependency_resolver.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+require "set"
+
+module GemXray
+  class DependencyResolver
+    def initialize(dependency_tree)
+      @dependency_tree = dependency_tree
+    end
+
+    def find_parent(target:, roots:, max_depth:)
+      roots.each do |root|
+        next if root == target
+
+        path = find_path(root, target, max_depth)
+        return path if path
+      end
+
+      nil
+    end
+
+    private
+
+    attr_reader :dependency_tree
+
+    def find_path(root, target, max_depth)
+      visited = Set.new([root])
+      queue = [[root, [root], [], 0]]
+
+      until queue.empty?
+        current, path, edges, depth = queue.shift
+        next if depth >= max_depth
+
+        Array(dependency_tree[current]).each do |edge|
+          child = edge.name
+          next if visited.include?(child) && child != target
+
+          return { gems: path + [child], edges: edges + [edge] } if child == target
+
+          visited << child
+          queue << [child, path + [child], edges + [edge], depth + 1]
+        end
+      end
+
+      nil
+    end
+  end
+end

data/lib/gemxray/editors/gemfile_editor.rb

@@ -0,0 +1,99 @@
+# frozen_string_literal: true
+
+require "open3"
+
+module GemXray
+  module Editors
+    class GemfileEditor
+      EditResult = Struct.new(:removed, :skipped, :dry_run, :backup_path, :preview, keyword_init: true)
+
+      def initialize(gemfile_path)
+        @gemfile_path = File.expand_path(gemfile_path)
+      end
+
+      def apply(results, dry_run:, comment:, backup: true)
+        lines = File.readlines(gemfile_path, chomp: false)
+        preview_hunks = []
+        removed = []
+        skipped = []
+
+        results.sort_by { |result| -(result.gemfile_line || 0) }.each do |result|
+          line_number = result.gemfile_line
+          end_line = result.gemfile_end_line || line_number
+          if !line_number || !gem_line?(lines[line_number - 1], result.gem_name)
+            skipped << result.gem_name
+            next
+          end
+
+          replacement =
+            if comment
+              ["#{leading_whitespace(lines[line_number - 1])}# Removed by gemxray: #{comment_summary(result)}\n"]
+            else
+              []
+            end
+          original = lines[(line_number - 1)..(end_line - 1)]
+          preview_hunks << build_preview_hunk(result, original, replacement)
+
+          if comment
+            lines[(line_number - 1)..(end_line - 1)] = replacement
+          else
+            lines[(line_number - 1)..(end_line - 1)] = replacement
+          end
+
+          removed << result.gem_name
+        end
+
+        backup_path = nil
+        unless dry_run || removed.empty?
+          if backup
+            backup_path = "#{gemfile_path}.bak"
+            File.write(backup_path, File.read(gemfile_path))
+          end
+          File.write(gemfile_path, lines.join)
+        end
+
+        EditResult.new(
+          removed: removed.reverse,
+          skipped: skipped.uniq,
+          dry_run: dry_run,
+          backup_path: backup_path,
+          preview: preview_hunks.reverse.join("\n")
+        )
+      end
+
+      def bundle_install!
+        stdout, stderr, status = Open3.capture3("bundle", "install", chdir: project_root)
+        return stdout if status.success?
+
+        raise Error, "bundle install failed: #{stderr.strip.empty? ? stdout.strip : stderr.strip}"
+      end
+
+      private
+
+      attr_reader :gemfile_path
+
+      def gem_line?(line, gem_name)
+        line && line.match?(/^\s*gem\s+["']#{Regexp.escape(gem_name)}["']/)
+      end
+
+      def comment_summary(result)
+        "#{result.gem_name} - #{result.reasons.map(&:detail).join(' / ')}"
+      end
+
+      def build_preview_hunk(result, original_lines, replacement_lines)
+        header = "@@ #{File.basename(gemfile_path)}:#{result.gemfile_line}-#{result.gemfile_end_line || result.gemfile_line} #{result.gem_name} @@"
+        removed = Array(original_lines).map { |line| "-#{line.chomp}" }
+        added = Array(replacement_lines).map { |line| "+#{line.chomp}" }
+        ([header] + removed + added).join("\n")
+      end
+
+      def leading_whitespace(line)
+        line[/\A\s*/] || ""
+      end
+
+      def project_root
+        File.dirname(gemfile_path)
+      end
+    end
+  end
+end

data/lib/gemxray/editors/github_api_client.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+require "json"
+require "net/http"
+require "uri"
+
+module GemXray
+  module Editors
+    class GithubApiClient
+      API_BASE = URI("https://api.github.com").freeze
+
+      def initialize(token:, repository:)
+        @token = token
+        @repository = repository
+      end
+
+      def create_pull_request(base:, head:, title:, body:, labels:, reviewers:)
+        pr = post_json("/repos/#{repository}/pulls", {
+                         title: title,
+                         head: head,
+                         base: base,
+                         body: body
+                       })
+
+        issue_number = pr.fetch("number")
+        post_json("/repos/#{repository}/issues/#{issue_number}/labels", { labels: labels }) unless labels.empty?
+        post_json("/repos/#{repository}/pulls/#{issue_number}/requested_reviewers", { reviewers: reviewers }) unless reviewers.empty?
+
+        pr.fetch("html_url")
+      end
+
+      private
+
+      attr_reader :token, :repository
+
+      def post_json(path, payload)
+        uri = API_BASE.dup
+        uri.path = path
+
+        response = Net::HTTP.start(uri.host, uri.port, use_ssl: true) do |http|
+          request = Net::HTTP::Post.new(uri)
+          request["Accept"] = "application/vnd.github+json"
+          request["Authorization"] = "Bearer #{token}"
+          request["X-GitHub-Api-Version"] = "2022-11-28"
+          request["Content-Type"] = "application/json"
+          request.body = JSON.dump(payload)
+          http.request(request)
+        end
+
+        raise Error, "GitHub API request failed: #{response.code} #{response.body}" unless response.is_a?(Net::HTTPSuccess)
+
+        JSON.parse(response.body)
+      end
+    end
+  end
+end