spandx 0.13.0 → 0.13.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a2cbe4ba53ef5f776dd0c52170e0c7b56b0bf2aa9893f221c45636fcc7080cb5
-  data.tar.gz: ee0936304c2322df4d568223aa1095dffe1b874a1902f6fc74504e28b63dffd4
+  metadata.gz: 01abc42f6e315aee9f35bf60cdad7a4801ee95ae4a186ef3ee001f2617c9891e
+  data.tar.gz: 78248675cdddbcb197f347239c85016862254a113b17894e4d6ffe7ecd33cddd
 SHA512:
-  metadata.gz: 19627c27dca8dc2609549f7a4245488689aa0dda9846dfc555e50b39735e6a2895686d2b1a672afaecc73080f02436070e34060b15b2cc250dbbe13ca46999eb
-  data.tar.gz: ee2b9816fb6e85e94c32ba05844540872244cf8cc4aac175ce3043c921429bbc4aaaf643c753b681c83a06eb6e7ae3bb044fd2944d9fa1e70508143e01bf18c1
+  metadata.gz: d6d4462c74dc412f9016ff576f55e67bdc9a6b341059d3b372b505f6e7ee730a92da53a4b5d0ab836df298b2cb527d0890c599fdc48f92a848b3d93c6c7d67ab
+  data.tar.gz: fdc618b97c619aa7d8a99b799dc5b1569d8396e9cfbbee5ee91cf7b994335e7fcbd9a5abac03b87a21615b23eef7913d5b59aabf277cacaa3eeac8497d795f38

data/CHANGELOG.md

@@ -1,4 +1,4 @@
-Version 0.13.0
+Version 0.13.5
 
 # Changelog
 
@@ -8,6 +8,36 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+## [0.13.5] - 2020-05-26
+### Fixed
+- Process PyPI package urls with single digit versions.
+- Remove unsupported `hash` report from help text.
+
+### Changed
+- Stream output to output stream as soon as results are available.
+- Switch to `Oj` for JSON parsing.
+- Run spinner on background thread.
+
+## [0.13.4] - 2020-05-26
+### Added
+- Add detected file path to report output.
+
+### Changed
+- Use `Pathname` instead of `String` to represent file paths.
+- Scan current directory when a path is not specified.
+
+## [0.13.3] - 2020-05-19
+### Fixed
+- Ignore invalid URLs during scan.
+
+## [0.13.2] - 2020-05-17
+### Fixed
+- Detect licenses when provided as an array.
+- Skip empty lockfiles.
+
+## [0.13.1] - 2020-05-16
+### Fixed
+- Add `ext/**/*.c` and `ext/**/*.h` to list of files.
 
 ## [0.13.0] - 2020-05-12
 ### Added
@@ -168,7 +198,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 - Provide ruby API to the latest SPDX catalogue.
 
-[Unreleased]: https://github.com/spandx/spandx/compare/v0.13.0...HEAD
+[Unreleased]: https://github.com/spandx/spandx/compare/v0.13.5...HEAD
+[0.13.5]: https://github.com/spandx/spandx/compare/v0.13.4...v0.13.5
+[0.13.4]: https://github.com/spandx/spandx/compare/v0.13.3...v0.13.4
+[0.13.3]: https://github.com/spandx/spandx/compare/v0.13.2...v0.13.3
+[0.13.2]: https://github.com/spandx/spandx/compare/v0.13.1...v0.13.2
+[0.13.1]: https://github.com/spandx/spandx/compare/v0.13.0...v0.13.1
 [0.13.0]: https://github.com/spandx/spandx/compare/v0.12.3...v0.13.0
 [0.12.3]: https://github.com/spandx/spandx/compare/v0.12.2...v0.12.3
 [0.12.2]: https://github.com/spandx/spandx/compare/v0.12.1...v0.12.2

data/exe/spandx

@@ -4,7 +4,6 @@
 require 'spandx'
 
 Signal.trap('INT') do
-  warn("\n#{caller.join("\n")}: interrupted")
   exit(1)
 end
 

data/ext/spandx/spandx.c

@@ -0,0 +1,55 @@
+#include "spandx.h"
+
+#define NEWLINE 10
+
+VALUE rb_mSpandx;
+VALUE rb_mCore;
+VALUE rb_mCsvParser;
+
+// "name","version","license"
+// "name","version","license"\n
+// "name","version","license"\r
+// "name","version","license"\r\n
+// "name","version",""\r\n
+VALUE parse(VALUE self, VALUE line)
+{
+  if (NIL_P(line)) return Qnil;
+
+  char *p;
+
+  p = RSTRING_PTR(line);
+  if (*p != '"') return Qnil;
+
+  const VALUE items = rb_ary_new2(3);
+  const char *s, *n;
+  const long len = RSTRING_LEN(line);
+  enum { open, closed } state = closed;
+
+  for (int i = 0; i < len && *p; i++) {
+    if (*p == '"') {
+      n = p;
+      if (i < (len - 1)) *n++;
+
+      if (state == closed) {
+        s = n;
+        state = open;
+      } else if (state == open) {
+        if (!*n || n == p || *n == ',' || *n == NEWLINE) {
+          rb_ary_push(items, rb_str_new(s, p - s));
+          state = closed;
+        }
+      }
+    }
+    *(p++);
+  }
+
+  return items;
+}
+
+void Init_spandx(void)
+{
+  rb_mSpandx = rb_define_module("Spandx");
+  rb_mCore = rb_define_module_under(rb_mSpandx, "Core");
+  rb_mCsvParser = rb_define_module_under(rb_mCore, "CsvParser");
+  rb_define_module_function(rb_mCsvParser, "parse", parse, 1);
+}

data/ext/spandx/spandx.h

@@ -0,0 +1,6 @@
+#ifndef SPANDX_H
+#define SPANDX_H 1
+
+#include "ruby.h"
+
+#endif /* SPANDX_H */

data/lib/spandx.rb

@@ -8,11 +8,11 @@ require 'json'
 require 'logger'
 require 'net/hippie'
 require 'nokogiri'
+require 'oj'
 require 'parslet'
 require 'pathname'
 require 'yaml'
 require 'zeitwerk'
-
 require 'spandx/spandx'
 
 loader = Zeitwerk::Loader.for_gem

data/lib/spandx/cli.rb

@@ -1,7 +1,8 @@
 # frozen_string_literal: true
 
 require 'thor'
-require 'tty-progressbar'
+require 'tty-spinner'
+require 'terminal-table'
 
 module Spandx
   module Cli

data/lib/spandx/cli/commands/scan.rb

@@ -4,10 +4,7 @@ module Spandx
   module Cli
     module Commands
       class Scan
-        NULL_BAR = Class.new do
-          def advance(*args); end
-        end.new
-
+        include Spandx::Core
         attr_reader :scan_path
 
         def initialize(scan_path, options)
@@ -17,32 +14,24 @@ module Spandx
         end
 
         def execute(output: $stdout)
-          Spandx::Core::ThreadPool.open do |pool|
-            report = ::Spandx::Core::Report.new
-            each_file do |file|
-              each_dependency_from(file, pool) do |dependency|
-                report.add(dependency)
-              end
+          with_printer(output) do |printer|
+            each_dependency do |dependency|
+              printer.print_line(Plugin.enhance(dependency), output)
             end
-            output.puts(format(report.to(@options[:format])))
           end
         end
 
         private
 
         def each_file
-          Spandx::Core::PathTraversal
-            .new(scan_path, recursive: @options['recursive'])
+          PathTraversal
+            .new(scan_path, recursive: @options[:recursive])
             .each { |file| yield file }
         end
 
-        def each_dependency_from(file, pool)
-          dependencies = ::Spandx::Core::Parser.for(file).parse(file)
-          with_progress(title_for(file), dependencies.size) do |bar|
-            ::Spandx::Core::Concurrent
-              .map(dependencies, pool: pool) { |dependency| enhance(dependency) }
-              .each do |dependency|
-              bar.advance(1)
+        def each_dependency
+          each_file do |file|
+            Parser.parse(file).each do |dependency|
               yield dependency
             end
           end
@@ -52,18 +41,12 @@ module Spandx
           Array(output).map(&:to_s)
         end
 
-        def enhance(dependency)
-          ::Spandx::Core::Plugin
-            .all
-            .inject(dependency) { |memo, plugin| plugin.enhance(memo) }
-        end
-
-        def title_for(file)
-          "#{file} [:bar, :elapsed] :percent"
-        end
-
-        def with_progress(title, total)
-          yield @options[:show_progress] ? TTY::ProgressBar.new(title, total: total) : NULL_BAR
+        def with_printer(output)
+          printer = ::Spandx::Cli::Printer.for(@options[:format])
+          printer.print_header(output)
+          yield printer
+        ensure
+          printer.print_footer(output)
         end
       end
     end

data/lib/spandx/cli/main.rb

@@ -8,14 +8,14 @@ module Spandx
       method_option :recursive, aliases: '-R', type: :boolean, desc: 'Perform recursive scan', default: false
       method_option :airgap, aliases: '-a', type: :boolean, desc: 'Disable network connections', default: false
       method_option :logfile, aliases: '-l', type: :string, desc: 'Path to a logfile', default: '/dev/null'
-      method_option :format, aliases: '-f', type: :string, desc: 'Format of report', default: 'table'
+      method_option :format, aliases: '-f', type: :string, desc: 'Format of report. (table, csv, json)', default: 'table'
       method_option :pull, aliases: '-p', type: :boolean, desc: 'Pull the latest cache before the scan', default: false
       method_option :require, aliases: '-r', type: :string, desc: 'Causes spandx to load the library using require.', default: nil
-      method_option :show_progress, aliases: '-sp', type: :boolean, desc: 'Shows a progress bar', default: true
-      def scan(lockfile)
+      def scan(lockfile = Pathname.pwd)
         if options[:help]
           invoke :help, ['scan']
         else
+          Oj.default_options = { mode: :strict }
           Spandx.airgap = options[:airgap]
           Spandx.logger = Logger.new(options[:logfile])
           pull if options[:pull]

data/lib/spandx/cli/printer.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module Spandx
+  module Cli
+    class Printer
+      def match?(_format)
+        raise ::Spandx::Error, :match?
+      end
+
+      def print_header(io); end
+
+      def print_line(dependency, io)
+        io.puts(dependency.to_s)
+      end
+
+      def print_footer(io); end
+
+      class << self
+        include Core::Registerable
+
+        def for(format)
+          find { |x| x.match?(format) } || new
+        end
+      end
+    end
+  end
+end

data/lib/spandx/cli/printers/csv.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Spandx
+  module Cli
+    module Printers
+      class Csv < Printer
+        def match?(format)
+          format.to_sym == :csv
+        end
+
+        def print_line(dependency, io)
+          io.puts(CSV.generate_line(dependency.to_a))
+        end
+      end
+    end
+  end
+end

data/lib/spandx/cli/printers/json.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Spandx
+  module Cli
+    module Printers
+      class Json < Printer
+        def match?(format)
+          format.to_sym == :json
+        end
+
+        def print_line(dependency, io)
+          io.puts(Oj.dump(dependency.to_h))
+        end
+      end
+    end
+  end
+end

data/lib/spandx/cli/printers/table.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module Spandx
+  module Cli
+    module Printers
+      class Table < Printer
+        HEADINGS = ['Name', 'Version', 'Licenses', 'Location'].freeze
+
+        def initialize
+          @spinner = TTY::Spinner.new(output: $stderr)
+        end
+
+        def match?(format)
+          format.to_sym == :table
+        end
+
+        def print_header(_io)
+          @dependencies = SortedSet.new
+          @spinner.auto_spin
+        end
+
+        def print_line(dependency, _io)
+          @dependencies << dependency
+        end
+
+        def print_footer(io)
+          @spinner.stop
+          io.puts(to_table(@dependencies.map(&:to_a)))
+        end
+
+        private
+
+        def to_table(rows)
+          Terminal::Table.new(headings: HEADINGS) do |table|
+            rows.each { |row| table.add_row(row) }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/spandx/core/dependency.rb

@@ -3,46 +3,80 @@
 module Spandx
   module Core
     class Dependency
-      attr_reader :package_manager, :name, :version, :licenses, :meta
+      PACKAGE_MANAGERS = {
+        Spandx::Dotnet::Parsers::Csproj => :nuget,
+        Spandx::Dotnet::Parsers::PackagesConfig => :nuget,
+        Spandx::Dotnet::Parsers::Sln => :nuget,
+        Spandx::Java::Parsers::Maven => :maven,
+        Spandx::Js::Parsers::Npm => :npm,
+        Spandx::Js::Parsers::Yarn => :yarn,
+        Spandx::Php::Parsers::Composer => :composer,
+        Spandx::Python::Parsers::PipfileLock => :pypi,
+        Spandx::Ruby::Parsers::GemfileLock => :rubygems,
+      }.freeze
+      attr_reader :path, :name, :version, :licenses, :meta
 
-      def initialize(package_manager:, name:, version:, licenses: [], meta: {})
-        @package_manager = package_manager
-        @name = name
-        @version = version
-        @licenses = licenses
+      def initialize(name:, version:, path:, meta: {})
+        @path = Pathname.new(path).realpath
+        @name = name || @path.basename.to_s
+        @version = version || @path.mtime.to_i.to_s
+        @licenses = []
         @meta = meta
       end
 
-      def managed_by?(value)
-        package_manager == value&.to_sym
+      def package_manager
+        PACKAGE_MANAGERS[Parser.for(path).class]
       end
 
       def <=>(other)
-        to_s <=> other.to_s
+        return 1 if other.nil?
+
+        score = (name <=> other.name)
+        score = score.zero? ? (version <=> other&.version) : score
+        score.zero? ? (path.to_s <=> other&.path.to_s) : score
       end
 
       def hash
         to_s.hash
       end
 
+      def ==(other)
+        eql?(other)
+      end
+
       def eql?(other)
         to_s == other.to_s
       end
 
       def to_s
-        @to_s ||= [name, version].compact.join(' ')
+        @to_s ||= [name, version, path].compact.join(' ')
       end
 
       def inspect
-        "#<Spandx::Core::Dependency name=#{name}, version=#{version}>"
+        "#<#{self.class} name=#{name} version=#{version} path=#{relative_path}>"
       end
 
       def to_a
-        [name, version, licenses.map(&:id)]
+        [name, version, license_expression, relative_path.to_s]
       end
 
       def to_h
-        { name: name, version: version, licenses: licenses.map(&:id) }
+        {
+          name: name,
+          version: version,
+          licenses: license_expression,
+          path: relative_path.to_s
+        }
+      end
+
+      private
+
+      def relative_path(from: Pathname.pwd)
+        path.relative_path_from(from)
+      end
+
+      def license_expression
+        licenses.map(&:id).join(' AND ')
       end
     end
   end