gurney_client 0.3.0 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ce89572fd28ab8810c0c4783e211e984ec8675d52e5e99f7ec3c0fca0af1404d
-  data.tar.gz: '009d1d819bdf23e70fd0004bdf421b25f9c73f93dba47aca28f7cf6070e33e83'
+  metadata.gz: 1097c1c98d3799765d40e6a5263a1fe58baa6a4df542570f91654247218b7d64
+  data.tar.gz: 953fe191235e0c338cb71a690284ff5beed7e36f26a511fe1cb3f6311493ef82
 SHA512:
-  metadata.gz: fcdd4b685a61d3f3179d1803343f21b8554694a9f2e3af52a1629d3d22c8323eb2b4cbd3f7e0d96d860690eb67b6c158e2268e8fabd5f171663a1d550de3ca41
-  data.tar.gz: 2f73d012863be290165d7944fdaaecdc2d3c28de70b7ce08c2c97ca27feb933c1d514c92f9a4e1c04c44c2b7a18765658e3b3f6bc59fe1c9337ca73ecb7ba852
+  metadata.gz: 41cd13cf0b65dca7b568cd00f2a3dc95045ae3a6cdb8e896b24e9dcc755efc21fd24d3a328388604d3e783ce2a64f1dfe864d17f745df6ae957f032a4a1131b5
+  data.tar.gz: b00a53d0aa50995c7be657090d50c906e5914cf5ee1dd5d3b14c74679400f356b49ded4fc653c525ca962d1a2755ceba12be27f32c0361b358c6011d19477cad

data/CHANGELOG.md

@@ -1,8 +1,37 @@
-# Gurney changelog
+# Changelog
 
-## 0.3.0 (2024-11-14)
+All notable changes to this project will be documented in this file.
+This project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
+
+## Unreleased
+
+### Compatible changes
+
+### Breaking changes
+
+
+## 0.5.0 2025-03-26
+
+### Compatible changes
+* Dependencies are also parsed from package-lock.json and pnpm-lock.yaml if present.
+
+
+## 0.4.0 2024-11-15
+
+### Compatible changes
+* Added: Reporting of the repository path as identifier. Should it ever change,
+  it is an indicator for an unchanged gurney.yml in a project fork, and the 
+  API may respond with an error.
+
+
+## 0.3.0 2024-11-14
+
+### Compatible changes
 * Added: Compatibility with Ruby 3
 * Fixed: Support UTF-8 chars in branch names
 
-## 0.2.3 (2023-05-24)
+
+## 0.2.3 2023-05-24
+
+### Compatible changes
 * Added: Suppress Bundler's "the Bundler version is older than the one in the lockfile" warning.

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    gurney_client (0.2.3)
+    gurney_client (0.5.0)
       bundler (< 3)
       colorize (~> 0.8)
       git (~> 1.5)
@@ -10,22 +10,24 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    addressable (2.8.4)
-      public_suffix (>= 2.0.2, < 6.0)
+    addressable (2.8.7)
+      public_suffix (>= 2.0.2, < 7.0)
     byebug (11.0.1)
     colorize (0.8.1)
     diff-lcs (1.3)
-    git (1.18.0)
+    git (1.19.1)
       addressable (~> 2.8)
       rchardet (~> 1.8)
     httparty (0.17.3)
       mime-types (~> 3.0)
       multi_xml (>= 0.5.2)
-    mime-types (3.4.1)
+    logger (1.6.1)
+    mime-types (3.6.0)
+      logger
       mime-types-data (~> 3.2015)
-    mime-types-data (3.2023.0218.1)
+    mime-types-data (3.2024.1105)
     multi_xml (0.6.0)
-    public_suffix (5.0.1)
+    public_suffix (5.1.1)
     rake (13.0.1)
     rchardet (1.8.0)
     rspec (3.9.0)
@@ -52,4 +54,4 @@ DEPENDENCIES
   rspec
 
 BUNDLED WITH
-   2.2.27
+   2.3.19

data/README.md

@@ -1,30 +1,31 @@
-## Gurney
+# Gurney
 
-Gurney is a small tool to extract dependencies from project files and report them to a web api.
-It can either run locally or as a git post-receive hook in gitlab.
+Gurney is a small tool to extract dependencies from project files and report
+them to a web API. Modes:
+- normal
+- local pre-push hook
+- remote post-receive hook
+Usually, we configure the latter on our Git server to automatically run on each
+push, with the API url passed as command line option.
 
-When run as a git hook, the project gets cloned on the git server and gurney then looks for a `gurney.yml` within the project files. 
-If its present gurney looks at the pushed branches and analyses the ones specified in the config for dependencies. 
-It then reports them to the web api also specified in the config.
+When run as a post-receive hook, Gurney will make a bare copy of the project and 
+look for a gurney.yml file. If present, Gurney looks at the configured branches
+and collects their dependencies. These are reported to the web API.
 
-#### Usage:
+## Usage
 ```
 Usage: gurney [options]
-        --api-url [API URL]
-                                     Url for web api call, can have parameters for <project_id> and <branch>
-                                     example: --api-url "http://example.com/project/<project_id>/branch/<branch>"
-        --api-token [API TOKEN]
-                                     Token to be send to the api in the X-AuthToken header
+        --api-url [API URL]          Url for web API call, can have parameters for <project_id> and <branch>
+                                     Example: --api-url "https://example.com/project/<project_id>/branch/<branch>"
+        --api-token [API TOKEN]      Token to be sent to the API in the X-AuthToken header
     -c, --config [CONFIG FILE]       Config file to use
-    -h, --hook                       Run as a git post-receive hook
-        --client-hook
-                                     Run as a git pre-push hook
-    -p, --project-id [PROJECT ID]    Specify project id for api
-        --help
-                                     Prints this help
+    -h, --hook                       Run as a Git post-receive hook
+        --client-hook                Run as a Git pre-push hook
+    -p, --project-id [PROJECT ID]    Specify project id for API
+        --help                       Print this help
 ```
 
-#### Sample Config:
+## Sample Config
 ```yaml
 project_id: 1
 branches:
@@ -34,5 +35,13 @@ api_url: http://example.com/dep_reporter/project/<project_id>/branch/<branch>
 api_token: 1234567890
 ```
 
-##### Running as a global git hook
-To run as a global git hook in your gitlab see https://docs.gitlab.com/ee/administration/custom_hooks.html#set-a-global-git-hook-for-all-repositories
+## Running as a global Git hook
+See https://docs.gitlab.com/ee/administration/server_hooks.html#create-global-server-hooks-for-all-repositories
+
+## Development
+You can run Gurney locally from another directory like this:
+
+```bash
+cd some/real/project
+ruby -I path/to/gurney/lib path/to/gurney/exe/gurney
+```

data/lib/gurney/api.rb

@@ -9,13 +9,14 @@ module Gurney
       @token = token
     end
 
-    def post_dependencies(dependencies:, branch:, project_id:)
-      data = {
-          dependencies: dependencies
-      }
+    def post_dependencies(dependencies:, branch:, project_id:, repo_path: nil)
+      data = { dependencies: dependencies }
+      data[:repository_path] = repo_path if repo_path
+
       url = base_url
       url.gsub! '<project_id>', CGI.escape(project_id)
       url.gsub! '<branch>', CGI.escape(branch)
+
       post_json(url, data.to_json)
     end
 
@@ -31,7 +32,7 @@ module Gurney
       )
       unless response.success?
         if response.code == 404
-          raise ApiError.new("#{response.code} api url is probably wrong")
+          raise ApiError.new("#{response.code} API url is probably wrong")
         else
           raise ApiError.new("#{response.code} #{response.body}")
         end

data/lib/gurney/cli.rb

@@ -6,118 +6,105 @@ require 'git'
 require 'fileutils'
 
 module Gurney
+
+  class Error < StandardError; end
+
   class CLI
     HOOK_STDIN_REGEX = /(?<old>[0-9a-f]{40}) (?<new>[0-9a-f]{40}) refs\/heads\/(?<ref>\w+)/m
     CLIENT_HOOK_STDIN_REGEX = /refs\/heads\/(?<ref>\w+) (?<new>[0-9a-f]{40}) refs\/heads\/(?<remote_ref>\w+) (?<remote_sha>[0-9a-f]{40})/m
     MAIN_BRANCHES = ['master', 'main'].freeze
 
     def self.run(cmd_parameter=[])
-      options = Gurney::CLI::OptionParser.parse(cmd_parameter)
-
-      begin
-        if options.hook
-          g = Git.bare(ENV['GIT_DIR'] || Dir.pwd)
-        else
-          unless Dir.exist? './.git'
-            raise Gurney::Error.new('Must be run within a git repository')
-          end
-          g = Git.open('.')
-        end
-        config_file = MAIN_BRANCHES.find do |branch|
-          file = read_file(g, options.hook, branch, options.config_file)
-          break file if file
-        end
-        if !config_file && options.hook
-          # dont run as a hook with no config
-          exit 0
-        end
-        config_file ||= '---'
-        config = Gurney::Config.from_yaml(config_file)
-
-        options.branches ||= config&.branches
-        options.branches ||= config&.branches
-        options.api_token ||= config&.api_token
-        options.api_url ||= config&.api_url
-        options.project_id ||= config&.project_id
-
-        if [options.project_id, options.branches, options.api_url, options.api_token].any?(&:nil?)
-          raise Gurney::Error.new("Either provide in a config file or set the flags for project id, branches, api url and api token")
-        end
-
-        branches = []
-        if options.hook || options.client_hook
-          # we get passed changed branches and refs via stdin
-          $stdin.each_line do |line|
-            regex = options.client_hook ? CLIENT_HOOK_STDIN_REGEX : HOOK_STDIN_REGEX
-            line.force_encoding(Encoding::UTF_8)
-            matches = line.match(regex)
-            if matches && matches[:new] != '0' * 40
-              if options.branches.include? matches[:ref]
-                branches << matches[:ref]
-              end
-            end
-          end
+      new(cmd_parameter).run
+    rescue SystemExit
+      # Do nothing
+    rescue Gurney::ApiError => e
+      puts "Gurney API error".red
+      puts e.message.red
+    rescue Gurney::Error => e
+      puts "Gurney error: #{e.message}".red
+    rescue Exception
+      puts "Gurney: an unexpected error occurred".red
+      raise
+    end
 
-        else
-          current_branch = g.current_branch
-          unless options.branches.nil? || options.branches.include?(current_branch)
-            raise Gurney::Error.new('The current branch is not specified in the config.')
-          end
-          branches << current_branch
+    def initialize(cmd_parameter=[])
+      @options = Gurney::CLI::OptionParser.parse(cmd_parameter)
+      @git = if options.hook
+        Git.bare(ENV['GIT_DIR'] || Dir.pwd)
+      else
+        unless Dir.exist? './.git'
+          raise Gurney::Error.new('Must be run within a git repository')
         end
+        Git.open('.')
+      end
 
-        branches.each do |branch|
-          dependencies = []
-
-          yarn_source = Gurney::Source::Yarn.new(yarn_lock: read_file(g, options.hook || options.client_hook, branch, 'yarn.lock'))
-          dependencies.concat yarn_source.dependencies || []
-
-          bundler_source = Gurney::Source::Bundler.new(gemfile_lock: read_file(g, options.hook || options.client_hook, branch, 'Gemfile.lock'))
-          dependencies.concat bundler_source.dependencies || []
-
-          ruby_version_source = Gurney::Source::RubyVersion.new(ruby_version: read_file(g, options.hook || options.client_hook, branch, '.ruby-version'))
-          dependencies.concat ruby_version_source.dependencies || []
-
-          dependencies.compact!
+      config_file = MAIN_BRANCHES.find do |branch|
+        git_file_reader = GitFileReader.new(git, branch, read_from_git: options.hook)
+        file = git_file_reader.read(options.config_file)
+        break file if file
+      end
+      if options.hook && !config_file
+        # Git hooks are activated by the config file. Without, do nothing.
+        exit 0
+      end
+      config_file ||= '---'
+      config = Gurney::Config.from_yaml(config_file)
+
+      options.branches ||= config&.branches
+      options.branches ||= config&.branches
+      options.api_token ||= config&.api_token
+      options.api_url ||= config&.api_url
+      options.project_id ||= config&.project_id
+
+      missing_options = [:project_id, :branches, :api_url, :api_token].select { |option| options.send(option).nil? }
+      # Use the line below in development
+      # missing_options = [:project_id, :branches, :api_token].select { |option| options.send(option).nil? }
+      raise Gurney::Error.new("Incomplete config - missing #{missing_options.map(&:inspect).join(', ')}.") unless missing_options.empty?
+    end
 
-          api = Gurney::Api.new(base_url: options.api_url, token: options.api_token)
-          api.post_dependencies(dependencies: dependencies, branch: branch, project_id: options.project_id)
+    def run
+      reporting_branches.each do |branch|
+        git_file_reader = GitFileReader.new(git, branch, read_from_git: options.hook || options.client_hook)
+        dependencies = DependencyCollector.new(git_file_reader).collect_all
 
-          dependency_counts = dependencies.group_by(&:ecosystem).map{|ecosystem, dependencies| "#{ecosystem}: #{dependencies.count}" }.join(', ')
-          puts "Gurney: reported dependencies (#{dependency_counts})"
-        end
+        api = Gurney::Api.new(base_url: options.api_url, token: options.api_token)
+        api.post_dependencies(dependencies: dependencies, branch: branch, project_id: options.project_id, repo_path: git.repo.path)
 
-      rescue SystemExit
-      rescue Gurney::ApiError => e
-        puts "Gurney: api error".red
-        puts e.message.red
-      rescue Gurney::Error => e
-        puts "Gurney: error".red
-        puts e.message.red
-      rescue Exception => e
-        puts "Gurney: an unexpected error occurred".red
-        raise
+        dependency_counts = dependencies.group_by(&:ecosystem).map{|ecosystem, dependencies| "#{ecosystem}: #{dependencies.count}" }.join(', ')
+        puts "Gurney: reported dependencies (#{dependency_counts})"
       end
     end
 
     private
 
-    def self.read_file(git, from_git, branch, filename)
-      if from_git
-        begin
-          git.show("#{branch}:#{filename}")
-        rescue Git::GitExecuteError
-          # happens if branch does not exist
+    attr_accessor :git, :options
+
+    def reporting_branches
+      branches = []
+      if options.hook || options.client_hook
+        # We get changed branches and refs via stdin
+        # See https://git-scm.com/docs/githooks#post-receive
+        $stdin.each_line do |line|
+          regex = options.client_hook ? CLIENT_HOOK_STDIN_REGEX : HOOK_STDIN_REGEX
+          line.force_encoding(Encoding::UTF_8)
+          matches = line.match(regex)
+          if matches && matches[:new] != '0' * 40
+            if options.branches.include? matches[:ref]
+              branches << matches[:ref]
+            end
+          end
         end
       else
-        if File.exist? filename
-          return File.read filename
+        current_branch = git.current_branch
+        unless options.branches.nil? || options.branches.include?(current_branch)
+          raise Gurney::Error.new('The current branch is not specified in the config.')
         end
+        branches << current_branch
       end
-    end
 
-  end
+      branches
+    end
 
-  class Error < Exception
   end
 end

data/lib/gurney/dependency_collector.rb

@@ -0,0 +1,64 @@
+module Gurney
+  class DependencyCollector
+
+    def initialize(git_file_reader)
+      @git_file_reader = git_file_reader
+    end
+
+    def collect_all
+      dependencies = []
+
+      dependencies.concat npm_dependencies
+      dependencies.concat bundler_dependencies
+      dependencies.concat ruby_version_dependencies
+
+      dependencies.compact
+    end
+
+    private
+
+    def bundler_dependencies
+      bundler_source = Gurney::Source::Bundler.new(gemfile_lock: @git_file_reader.read('Gemfile.lock'))
+      bundler_source.dependencies || []
+    end
+
+    def ruby_version_dependencies
+      ruby_version_source = Gurney::Source::RubyVersion.new(ruby_version: @git_file_reader.read('.ruby-version'))
+      ruby_version_source.dependencies || []
+    end
+
+    def npm_dependencies
+      npm_dependencies = []
+
+      if yarn_lock
+        yarn_source = Gurney::Source::Yarn.new(yarn_lock: yarn_lock)
+        npm_dependencies.concat(yarn_source.dependencies || [])
+      end
+
+      if package_lock_json
+        npm_source = Gurney::Source::Npm.new(package_lock_json: package_lock_json)
+        npm_dependencies.concat(npm_source.dependencies || [])
+      end
+
+      if pnpm_lock
+        pnpm_source = Gurney::Source::Pnpm.new(pnpm_lock: pnpm_lock)
+        npm_dependencies.concat(pnpm_source.dependencies || [])
+      end
+
+      npm_dependencies
+    end
+
+    def yarn_lock
+      @yarn_lock ||= @git_file_reader.read('yarn.lock')
+    end
+
+    def package_lock_json
+      @package_lock_json = @git_file_reader.read('package-lock.json')
+    end
+
+    def pnpm_lock
+      @pnpm_lock = @git_file_reader.read('pnpm-lock.yaml')
+    end
+
+  end
+end

data/lib/gurney/git_file_reader.rb

@@ -0,0 +1,23 @@
+module Gurney
+  class GitFileReader
+
+    def initialize(git, branch, read_from_git:)
+      @git = git
+      @branch = branch
+      @read_from_git = read_from_git
+    end
+
+    def read(filename)
+      if @read_from_git
+        begin
+          @git.show("#{@branch}:#{filename}")
+        rescue Git::GitExecuteError
+          # happens if branch does not exist
+        end
+      else
+        File.read(filename) if File.exist?(filename)
+      end
+    end
+
+  end
+end

data/lib/gurney/source/npm.rb

@@ -0,0 +1,58 @@
+require 'json'
+require 'colorize'
+
+module Gurney
+  module Source
+    class Npm < Base
+
+      SUPPORTED_LOCKFILE_VERSIONS = [2, 3].freeze
+     
+      def initialize(package_lock_json:)
+        @package_lock_json = package_lock_json
+      end
+
+      def present?
+        !@package_lock_json&.empty?
+      end
+
+      def dependencies
+        if present?
+          parsed_lock = JSON.parse(@package_lock_json)
+
+          if SUPPORTED_LOCKFILE_VERSIONS.include?(parsed_lock['lockfileVersion'])
+            extract_dependencies(parsed_lock)
+          else
+            puts "package-lock.json: Lockfile version #{parsed_lock['lockfileVersion']} is unsupported. No npm dependencies reported.".yellow
+            []
+          end
+        end
+      rescue JSON::ParserError => e
+        raise Gurney::Error.new("Invalid package-lock.json format: #{e.message}")
+      end
+
+      private
+
+      attr_reader :package_lock_json
+
+      def extract_dependencies(parsed_lock)
+        dependencies = []
+
+        if parsed_lock['packages']
+          parsed_lock['packages'].each do |path_to_package, details|
+            next if path_to_package == ''
+
+            name = path_to_package.sub(/^node_modules\//, '') # remove "node_modules/" prefix to get package name
+            dependencies << Dependency.new(
+              ecosystem: 'npm',
+              name: name,
+              version: details['version']
+            )
+          end
+        end
+
+        dependencies
+      end
+
+    end
+  end
+end

data/lib/gurney/source/pnpm.rb

@@ -0,0 +1,54 @@
+require 'yaml'
+require 'colorize'
+
+module Gurney
+  module Source
+    class Pnpm < Base
+      def initialize(pnpm_lock:)
+        @pnpm_lock = pnpm_lock
+      end
+
+      def present?
+        !@pnpm_lock&.empty?
+      end
+
+      def dependencies
+        if present?
+          parsed_lock = YAML.safe_load(@pnpm_lock)
+
+          major_version = parsed_lock['lockfileVersion'].split('.').first
+          if major_version == '9'
+            extract_dependencies(parsed_lock)
+          else
+            puts "pnpm-lock.yaml: Lockfile version #{major_version} is unsupported. No npm dependencies reported.".yellow
+            []
+          end
+        end
+      rescue Psych::SyntaxError => e
+        raise Gurney::Error.new("Invalid pnpm-lock.yaml format: #{e.message}")
+      end
+
+      private
+
+      attr_reader :pnpm_lock
+
+      def extract_dependencies(parsed_lock)
+        dependencies = []
+
+        # dependency_id has format <scoped_pkg_name>@<pkg_version>
+        # see https://github.com/pnpm/spec/blob/master/lockfile/9.0.md#packages
+        parsed_lock['packages'].each_key do |dependency_id|
+          name, _, version = dependency_id.rpartition('@')
+          dependencies << Dependency.new(
+            ecosystem: 'npm',
+            name: name,
+            version: version
+          )
+        end
+
+        dependencies
+      end
+
+    end
+  end
+end 

data/lib/gurney/version.rb

@@ -1,3 +1,3 @@
 module Gurney
-  VERSION = '0.3.0'
+  VERSION = '0.5.0'
 end

data/lib/gurney.rb

@@ -1,8 +1,12 @@
 require_relative 'gurney/version'
 require_relative 'gurney/config'
+require_relative 'gurney/git_file_reader'
 require_relative 'gurney/dependency'
+require_relative 'gurney/dependency_collector'
 require_relative 'gurney/source/base'
 require_relative 'gurney/source/yarn'
+require_relative 'gurney/source/npm'
+require_relative 'gurney/source/pnpm'
 require_relative 'gurney/source/bundler'
 require_relative 'gurney/source/ruby_version'
 require_relative 'gurney/api'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: gurney_client
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.5.0
 platform: ruby
 authors:
 - Martin Schaflitzl
-autorequire: 
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2024-11-14 00:00:00.000000000 Z
+date: 2025-03-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: colorize
@@ -66,7 +66,7 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.5'
-description: 
+description:
 email:
 - martin.schaflitzl@makandra.de
 executables:
@@ -93,8 +93,12 @@ files:
 - lib/gurney/cli/option_parser.rb
 - lib/gurney/config.rb
 - lib/gurney/dependency.rb
+- lib/gurney/dependency_collector.rb
+- lib/gurney/git_file_reader.rb
 - lib/gurney/source/base.rb
 - lib/gurney/source/bundler.rb
+- lib/gurney/source/npm.rb
+- lib/gurney/source/pnpm.rb
 - lib/gurney/source/ruby_version.rb
 - lib/gurney/source/yarn.rb
 - lib/gurney/version.rb
@@ -103,7 +107,7 @@ licenses:
 - MIT
 metadata:
   rubygems_mfa_required: 'true'
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -118,8 +122,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3.1
-signing_key: 
+rubygems_version: 3.1.0
+signing_key:
 specification_version: 4
 summary: Gurney is a small tool to extract yarn and RubyGems dependencies from project
   files and report them to a web api.