spandx 0.13.1 → 0.14.0

data/lib/spandx/js/yarn_pkg.rb

@@ -27,7 +27,7 @@ module Spandx
         response = http.get(uri, escape: false)
 
         if http.ok?(response)
-          json = JSON.parse(response.body)
+          json = Oj.load(response.body)
           json['versions'] ? json['versions'][dependency.version] : json
         else
           {}

data/lib/spandx/os/parsers/apk.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+module Spandx
+  module Os
+    module Parsers
+      class Apk < ::Spandx::Core::Parser
+        def match?(path)
+          path.basename.fnmatch?('installed')
+        end
+
+        def parse(lockfile)
+          path = lockfile.to_s
+
+          [].tap do |items|
+            lockfile.open(mode: 'r') do |io|
+              each_package(io) do |data|
+                items.push(map_from(data, path))
+              end
+            end
+          end
+        end
+
+        private
+
+        def each_package(io)
+          package = {}
+
+          until io.eof?
+            line = io.readline.chomp
+            if line.empty?
+              yield package
+
+              package = {}
+            else
+              line.split(':').tap { |(key, value)| package[key] = value }
+            end
+          end
+        end
+
+        def map_from(data, path)
+          ::Spandx::Core::Dependency.new(
+            path: path,
+            name: data['P'],
+            version: data['V'],
+            meta: data.merge('license' => [data['L']])
+          )
+        end
+      end
+    end
+  end
+end

data/lib/spandx/php/packagist_gateway.rb

@@ -17,7 +17,7 @@ module Spandx
         response = http.get("https://repo.packagist.org/p/#{dependency.name}.json")
         return [] unless http.ok?(response)
 
-        json = JSON.parse(response.body)
+        json = Oj.load(response.body)
         json['packages'][dependency.name][dependency.version]['license']
       end
     end

data/lib/spandx/php/parsers/composer.rb

@@ -4,24 +4,24 @@ module Spandx
   module Php
     module Parsers
       class Composer < ::Spandx::Core::Parser
-        def matches?(filename)
-          File.basename(filename) == 'composer.lock'
+        def match?(path)
+          path.basename.fnmatch? 'composer.lock'
         end
 
-        def parse(file_path)
+        def parse(path)
           items = Set.new
-          composer_lock = JSON.parse(IO.read(file_path))
+          composer_lock = Oj.load(path.read)
           composer_lock['packages'].concat(composer_lock['packages-dev']).each do |dependency|
-            items.add(map_from(dependency))
+            items.add(map_from(path, dependency))
           end
           items
         end
 
         private
 
-        def map_from(dependency)
+        def map_from(path, dependency)
           Spandx::Core::Dependency.new(
-            package_manager: :composer,
+            path: path,
             name: dependency['name'],
             version: dependency['version'],
             meta: dependency

data/lib/spandx/python/parsers/pipfile_lock.rb

@@ -4,8 +4,8 @@ module Spandx
   module Python
     module Parsers
       class PipfileLock < ::Spandx::Core::Parser
-        def matches?(filename)
-          filename.match?(/Pipfile.*\.lock/)
+        def match?(path)
+          path.basename.fnmatch?('Pipfile*.lock')
         end
 
         def parse(lockfile)
@@ -19,10 +19,10 @@ module Spandx
         private
 
         def dependencies_from(lockfile)
-          json = JSON.parse(IO.read(lockfile))
+          json = Oj.load(lockfile.read)
           each_dependency(json) do |name, version|
             yield ::Spandx::Core::Dependency.new(
-              package_manager: :pypi,
+              path: lockfile,
               name: name,
               version: version,
               meta: json

data/lib/spandx/python/pypi.rb

@@ -49,19 +49,26 @@ module Spandx
       end
 
       def version_from(url)
-        path = SUBSTITUTIONS.inject(URI.parse(url).path.split('/')[-1]) do |memo, item|
-          memo.gsub(item, '')
-        end
-
+        path = cleanup(url)
         return if path.rindex('-').nil?
 
-        path.scan(/-\d+\..*/)[-1][1..-1]
+        section = path.scan(/-\d+\..*/)
+        section = path.scan(/-\d+\.?.*/) if section.empty?
+        section[-1][1..-1]
+      rescue StandardError => error
+        warn([url, error].inspect)
       end
 
       private
 
       attr_reader :http
 
+      def cleanup(url)
+        SUBSTITUTIONS.inject(URI.parse(url).path.split('/')[-1]) do |memo, item|
+          memo.gsub(item, '')
+        end
+      end
+
       def sources_for(dependency)
         return default_sources if dependency.meta.empty?
 
@@ -76,7 +83,7 @@ module Spandx
         sources.each do |source|
           html_from(source, '/simple/').css('a[href*="/simple"]').each do |node|
             each_version(source, node[:href]) do |dependency|
-              definition = source.lookup(dependency[:name], dependency[:version])
+              definition = source.lookup(dependency[:name], dependency[:version], http: http)
               yield dependency.merge(license: definition['license'])
             end
           end
@@ -93,10 +100,13 @@ module Spandx
 
       def html_from(source, path)
         url = URI.join(source.uri.to_s, path).to_s
-        Nokogiri::HTML(http.get(url).body)
+        response = http.get(url)
+        if http.ok?(response)
+          Nokogiri::HTML(response.body)
+        else
+          Nokogiri::HTML('<html><head></head><body></body></html>')
+        end
       end
     end
-
-    PyPI = Pypi
   end
 end

data/lib/spandx/python/source.rb

@@ -22,17 +22,29 @@ module Spandx
       def lookup(name, version, http: Spandx.http)
         response = http.get(uri_for(name, version))
         if http.ok?(response)
-          JSON.parse(response.body)
+          Oj.load(response.body)
         else
           {}
         end
       end
 
+      def ==(other)
+        name == other.name &&
+          uri.to_s == other.uri.to_s &&
+          verify_ssl == other.verify_ssl
+      end
+
+      def eql(other)
+        self == other
+      end
+
       class << self
         def sources_from(json)
           meta = json['_meta']
           meta['sources'].map do |hash|
             new(hash)
+          rescue URI::InvalidURIError
+            default
           end
         end
 

data/lib/spandx/ruby/gateway.rb

@@ -27,7 +27,7 @@ module Spandx
       end
 
       def parse(json)
-        JSON.parse(json)
+        Oj.load(json)
       end
     end
   end

data/lib/spandx/ruby/parsers/gemfile_lock.rb

@@ -6,31 +6,32 @@ module Spandx
       class GemfileLock < ::Spandx::Core::Parser
         STRIP_BUNDLED_WITH = /^BUNDLED WITH$(\r?\n)   (?<major>\d+)\.\d+\.\d+/m.freeze
 
-        def matches?(filename)
-          filename.match?(/Gemfile.*\.lock/) ||
-            filename.match?(/gems.*\.lock/)
+        def match?(pathname)
+          basename = pathname.basename
+          basename.fnmatch?('Gemfile*.lock') ||
+            basename.fnmatch?('gems*.lock')
         end
 
         def parse(lockfile)
           dependencies_from(lockfile).map do |specification|
-            map_from(specification)
+            map_from(lockfile, specification)
           end
         end
 
         private
 
         def dependencies_from(filepath)
-          content = IO.read(filepath)
-          Dir.chdir(File.dirname(filepath)) do
+          content = filepath.read.sub(STRIP_BUNDLED_WITH, '')
+          Dir.chdir(filepath.dirname) do
             ::Bundler::LockfileParser
-              .new(content.sub(STRIP_BUNDLED_WITH, ''))
+              .new(content)
               .specs
           end
         end
 
-        def map_from(specification)
+        def map_from(lockfile, specification)
           ::Spandx::Core::Dependency.new(
-            package_manager: :rubygems,
+            path: lockfile,
             name: specification.name,
             version: specification.version.to_s,
             meta: {

data/lib/spandx/spdx/catalogue.rb

@@ -33,7 +33,7 @@ module Spandx
         end
 
         def from_file(path)
-          from_json(IO.read(path))
+          from_json(Pathname.new(path).read)
         end
 
         def from_git

data/lib/spandx/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Spandx
-  VERSION = '0.13.1'
+  VERSION = '0.14.0'
 end

data/spandx.gemspec

@@ -34,11 +34,13 @@ Gem::Specification.new do |spec|
 
   spec.add_dependency 'addressable', '~> 2.7'
   spec.add_dependency 'bundler', '>= 1.16', '< 3.0.0'
-  spec.add_dependency 'net-hippie', '~> 0.3'
+  spec.add_dependency 'net-hippie', '~> 1.0'
   spec.add_dependency 'nokogiri', '~> 1.10'
+  spec.add_dependency 'oj', '~> 3.10'
   spec.add_dependency 'parslet', '~> 2.0'
+  spec.add_dependency 'terminal-table', '~> 1.8'
   spec.add_dependency 'thor'
-  spec.add_dependency 'tty-progressbar', '~> 0.17'
+  spec.add_dependency 'tty-spinner', '~> 0.9'
   spec.add_dependency 'zeitwerk', '~> 2.3'
 
   spec.add_development_dependency 'benchmark-ips', '~> 2.8'
@@ -52,6 +54,6 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'rubocop', '~> 0.52'
   spec.add_development_dependency 'rubocop-rspec', '~> 1.22'
   spec.add_development_dependency 'ruby-prof', '~> 1.3'
-  spec.add_development_dependency 'vcr', '~> 5.0'
+  spec.add_development_dependency 'vcr', '~> 6.0'
   spec.add_development_dependency 'webmock', '~> 3.7'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: spandx
 version: !ruby/object:Gem::Version
-  version: 0.13.1
+  version: 0.14.0
 platform: ruby
 authors:
 - Can Eldem
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-05-17 00:00:00.000000000 Z
+date: 2020-11-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: addressable
@@ -51,14 +51,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.3'
+        version: '1.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.3'
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
@@ -73,6 +73,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.10'
+- !ruby/object:Gem::Dependency
+  name: oj
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.10'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.10'
 - !ruby/object:Gem::Dependency
   name: parslet
   requirement: !ruby/object:Gem::Requirement
@@ -87,6 +101,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: terminal-table
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
 - !ruby/object:Gem::Dependency
   name: thor
   requirement: !ruby/object:Gem::Requirement
@@ -102,19 +130,19 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: tty-progressbar
+  name: tty-spinner
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.17'
+        version: '0.9'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.17'
+        version: '0.9'
 - !ruby/object:Gem::Dependency
   name: zeitwerk
   requirement: !ruby/object:Gem::Requirement
@@ -289,14 +317,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: '6.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: '6.0'
 - !ruby/object:Gem::Dependency
   name: webmock
   requirement: !ruby/object:Gem::Requirement
@@ -339,9 +367,12 @@ files:
 - lib/spandx/cli/commands/pull.rb
 - lib/spandx/cli/commands/scan.rb
 - lib/spandx/cli/main.rb
+- lib/spandx/cli/printer.rb
+- lib/spandx/cli/printers/csv.rb
+- lib/spandx/cli/printers/json.rb
+- lib/spandx/cli/printers/table.rb
 - lib/spandx/core/cache.rb
 - lib/spandx/core/circuit.rb
-- lib/spandx/core/concurrent.rb
 - lib/spandx/core/content.rb
 - lib/spandx/core/data_file.rb
 - lib/spandx/core/dependency.rb
@@ -351,15 +382,12 @@ files:
 - lib/spandx/core/http.rb
 - lib/spandx/core/index_file.rb
 - lib/spandx/core/license_plugin.rb
-- lib/spandx/core/line_io.rb
 - lib/spandx/core/parser.rb
 - lib/spandx/core/path_traversal.rb
 - lib/spandx/core/plugin.rb
 - lib/spandx/core/registerable.rb
 - lib/spandx/core/relation.rb
-- lib/spandx/core/report.rb
 - lib/spandx/core/score.rb
-- lib/spandx/core/table.rb
 - lib/spandx/core/thread_pool.rb
 - lib/spandx/dotnet/index.rb
 - lib/spandx/dotnet/nuget_gateway.rb
@@ -376,6 +404,7 @@ files:
 - lib/spandx/js/parsers/yarn.rb
 - lib/spandx/js/yarn_lock.rb
 - lib/spandx/js/yarn_pkg.rb
+- lib/spandx/os/parsers/apk.rb
 - lib/spandx/php/packagist_gateway.rb
 - lib/spandx/php/parsers/composer.rb
 - lib/spandx/python/index.rb
@@ -413,7 +442,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.1.4
 signing_key: 
 specification_version: 4
 summary: A ruby interface to the SPDX catalogue.