spandx 0.13.3 → 0.13.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4b36f49bab527c52c6d3f6ddf1d70e022422f70c678bf865231921982460a4b4
-  data.tar.gz: 5d31efbe54079dd42a07c46f9d47bbe508d712ebed5d7294537685112d170079
+  metadata.gz: ef9e117562bb153d2bf7a7aa8561244f50f7dcbca8a81300e10279efec45c674
+  data.tar.gz: '069f96ae764417f3b005ebd8e7fee919c66eee38a63649918f7dea3209a9bc34'
 SHA512:
-  metadata.gz: abe3e8e231a35f5861b3e85502a7b5c415684ce351756b0d64c77cfcf417bfd099e25587714c9e88b9a3ddb7309154921e0b57b4601bbe9aa74de7f057165773
-  data.tar.gz: 757dd76cebbd921d4034a69e794beffac0c9ff00ec846491b4037bf01a687d06aad5a8d258dccb59dc6cce6d94626dbb6df77eae53ccc8755982482a780bf65f
+  metadata.gz: 67ec66d00236b0c4a98bc770e0b33698ecabb6e868b4e1b309c735a0d3cf5288a49393280f0cff2829d8ab5d1005920b16a877bdabdb2a0b63c88ac9f7af7df9
+  data.tar.gz: 9260aeb08a495fb4f8bd1ba4c2b17fed8e34c2e60e96d5c826c79f7c51d83a8686b4194e060fa77e3b898f1beb17404006dd5370b727d2a7ce98d87ddce41507

data/CHANGELOG.md

@@ -1,4 +1,4 @@
-Version 0.13.3
+Version 0.13.4
 
 # Changelog
 
@@ -9,6 +9,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.13.4] - 2020-05-26
+### Added
+- Add detected file path to report output.
+
+### Changed
+- Use `Pathname` instead of `String` to represent file paths.
+- Scan current directory when a path is not specified.
+
 ## [0.13.3] - 2020-05-19
 ### Fixed
 - Ignore invalid URLs during scan.

data/ext/spandx/spandx.c

@@ -1,5 +1,7 @@
 #include "spandx.h"
 
+#define NEWLINE 10
+
 VALUE rb_mSpandx;
 VALUE rb_mCore;
 VALUE rb_mCsvParser;
@@ -9,7 +11,7 @@ VALUE rb_mCsvParser;
 // "name","version","license"\r
 // "name","version","license"\r\n
 // "name","version",""\r\n
-static VALUE parse(VALUE self, VALUE line)
+VALUE parse(VALUE self, VALUE line)
 {
   if (NIL_P(line)) return Qnil;
 
@@ -32,13 +34,13 @@ static VALUE parse(VALUE self, VALUE line)
         s = n;
         state = open;
       } else if (state == open) {
-        if (!*n || n == p || *n == ',' || *n == 10) {
+        if (!*n || n == p || *n == ',' || *n == NEWLINE) {
           rb_ary_push(items, rb_str_new(s, p - s));
           state = closed;
         }
       }
     }
-    *p++;
+    *(p++);
   }
 
   return items;

data/lib/spandx.rb

@@ -12,7 +12,7 @@ require 'parslet'
 require 'pathname'
 require 'yaml'
 require 'zeitwerk'
-
+require 'terminal-table'
 require 'spandx/spandx'
 
 loader = Zeitwerk::Loader.for_gem

data/lib/spandx/cli/commands/scan.rb

@@ -30,13 +30,12 @@ module Spandx
 
         def each_file
           Spandx::Core::PathTraversal
-            .new(scan_path, recursive: @options['recursive'])
+            .new(scan_path, recursive: @options[:recursive])
             .each { |file| yield file }
         end
 
         def each_dependency_from(file)
           ::Spandx::Core::Parser
-            .for(file)
             .parse(file)
             .map { |x| enhance(x) }
             .each { |dependency| yield dependency }

data/lib/spandx/cli/main.rb

@@ -8,11 +8,11 @@ module Spandx
       method_option :recursive, aliases: '-R', type: :boolean, desc: 'Perform recursive scan', default: false
       method_option :airgap, aliases: '-a', type: :boolean, desc: 'Disable network connections', default: false
       method_option :logfile, aliases: '-l', type: :string, desc: 'Path to a logfile', default: '/dev/null'
-      method_option :format, aliases: '-f', type: :string, desc: 'Format of report', default: 'table'
+      method_option :format, aliases: '-f', type: :string, desc: 'Format of report. (table, csv, json, hash)', default: 'table'
       method_option :pull, aliases: '-p', type: :boolean, desc: 'Pull the latest cache before the scan', default: false
       method_option :require, aliases: '-r', type: :string, desc: 'Causes spandx to load the library using require.', default: nil
       method_option :show_progress, aliases: '-sp', type: :boolean, desc: 'Shows a progress bar', default: true
-      def scan(lockfile)
+      def scan(lockfile = Pathname.pwd)
         if options[:help]
           invoke :help, ['scan']
         else

data/lib/spandx/core/dependency.rb

@@ -3,46 +3,80 @@
 module Spandx
   module Core
     class Dependency
-      attr_reader :package_manager, :name, :version, :licenses, :meta
+      PACKAGE_MANAGERS = {
+        Spandx::Dotnet::Parsers::Csproj => :nuget,
+        Spandx::Dotnet::Parsers::PackagesConfig => :nuget,
+        Spandx::Dotnet::Parsers::Sln => :nuget,
+        Spandx::Java::Parsers::Maven => :maven,
+        Spandx::Js::Parsers::Npm => :npm,
+        Spandx::Js::Parsers::Yarn => :yarn,
+        Spandx::Php::Parsers::Composer => :composer,
+        Spandx::Python::Parsers::PipfileLock => :pypi,
+        Spandx::Ruby::Parsers::GemfileLock => :rubygems,
+      }.freeze
+      attr_reader :path, :name, :version, :licenses, :meta
 
-      def initialize(package_manager:, name:, version:, licenses: [], meta: {})
-        @package_manager = package_manager
-        @name = name
-        @version = version
-        @licenses = licenses
+      def initialize(name:, version:, path:, meta: {})
+        @path = Pathname.new(path).realpath
+        @name = name || @path.basename.to_s
+        @version = version || @path.mtime.to_i.to_s
+        @licenses = []
         @meta = meta
       end
 
-      def managed_by?(value)
-        package_manager == value&.to_sym
+      def package_manager
+        PACKAGE_MANAGERS[Parser.for(path).class]
       end
 
       def <=>(other)
-        to_s <=> other.to_s
+        return 1 if other.nil?
+
+        score = (name <=> other.name)
+        score = score.zero? ? (version <=> other&.version) : score
+        score.zero? ? (path.to_s <=> other&.path.to_s) : score
       end
 
       def hash
         to_s.hash
       end
 
+      def ==(other)
+        eql?(other)
+      end
+
       def eql?(other)
         to_s == other.to_s
       end
 
       def to_s
-        @to_s ||= [name, version].compact.join(' ')
+        @to_s ||= [name, version, path].compact.join(' ')
       end
 
       def inspect
-        "#<Spandx::Core::Dependency name=#{name}, version=#{version}>"
+        "#<#{self.class} name=#{name} version=#{version} path=#{relative_path}>"
       end
 
       def to_a
-        [name, version, licenses.map(&:id)]
+        [name, version, license_expression, relative_path.to_s]
       end
 
       def to_h
-        { name: name, version: version, licenses: licenses.map(&:id) }
+        {
+          name: name,
+          version: version,
+          licenses: license_expression,
+          path: relative_path.to_s
+        }
+      end
+
+      private
+
+      def relative_path(from: Pathname.pwd)
+        path.relative_path_from(from)
+      end
+
+      def license_expression
+        licenses.map(&:id).join(' AND ')
       end
     end
   end

data/lib/spandx/core/license_plugin.rb

@@ -8,7 +8,8 @@ module Spandx
       end
 
       def enhance(dependency)
-        return dependency unless known?(dependency.package_manager)
+        package_manager = package_manager_for(dependency)
+        return dependency unless known?(package_manager)
         return enhance_from_metadata(dependency) if available_in?(dependency.meta)
 
         licenses_for(dependency).each do |text|
@@ -25,8 +26,9 @@ module Spandx
       end
 
       def cache_for(dependency, git: Spandx.git)
-        git = git[dependency.package_manager.to_sym] || git[:cache]
-        key = key_for(dependency.package_manager)
+        package_manager = package_manager_for(dependency)
+        git = git[package_manager.to_sym] || git[:cache]
+        key = key_for(package_manager)
         Spandx::Core::Cache.new(key, root: "#{git.root}/.index")
       end
 
@@ -54,6 +56,10 @@ module Spandx
       def key_for(package_manager)
         package_manager == :yarn ? :npm : package_manager
       end
+
+      def package_manager_for(dependency)
+        dependency.package_manager
+      end
     end
   end
 end

data/lib/spandx/core/parser.rb

@@ -9,8 +9,8 @@ module Spandx
         end
       end
 
-      def matches?(_filename)
-        raise ::Spandx::Error, :matches?
+      def match?(_path)
+        raise ::Spandx::Error, :match?
       end
 
       def parse(_dependency)
@@ -20,10 +20,15 @@ module Spandx
       class << self
         include Registerable
 
+        def parse(path)
+          self.for(path).parse(path)
+        end
+
         def for(path)
-          return UNKNOWN if !File.exist?(path) || File.size(path).zero?
+          path = Pathname.new(path)
+          return UNKNOWN if !path.exist? || path.zero?
 
-          find { |x| x.matches?(File.basename(path)) } || UNKNOWN
+          find { |x| x.match?(path) } || UNKNOWN
         end
       end
     end

data/lib/spandx/core/path_traversal.rb

@@ -6,7 +6,7 @@ module Spandx
       attr_reader :root
 
       def initialize(root, recursive: true)
-        @root = root
+        @root = Pathname.new(root)
         @recursive = recursive
       end
 
@@ -14,27 +14,18 @@ module Spandx
         each_file_in(root, &block)
       end
 
-      def to_enum
-        Enumerator.new do |yielder|
-          each do |item|
-            yielder.yield item
-          end
-        end
-      end
-
       private
 
       def recursive?
         @recursive
       end
 
-      def each_file_in(dir, &block)
-        files = File.directory?(dir) ? Dir.glob(File.join(dir, '*')) : [dir]
+      def each_file_in(path, &block)
+        files = path.directory? ? path.children : [path]
         files.each do |file|
-          if File.directory?(file)
+          if file.directory?
             each_file_in(file, &block) if recursive?
           else
-            Spandx.logger.debug(file)
             block.call(file)
           end
         end

data/lib/spandx/core/report.rb

@@ -3,7 +3,7 @@
 module Spandx
   module Core
     class Report
-      include Enumerable
+      attr_reader :dependencies
 
       FORMATS = {
         csv: :to_csv,
@@ -20,27 +20,21 @@ module Spandx
         @dependencies << dependency
       end
 
-      def each
-        @dependencies.each do |dependency|
-          yield dependency
-        end
-      end
-
       def to(format, formats: FORMATS)
         public_send(formats.fetch(format&.to_sym, :to_json))
       end
 
       def to_table
-        Table.new do |table|
-          map do |dependency|
-            table << dependency
+        Terminal::Table.new(headings: ['Name', 'Version', 'Licenses', 'Location']) do |t|
+          dependencies.each do |d|
+            t.add_row d.to_a
           end
         end
       end
 
       def to_h
         { version: '1.0', dependencies: [] }.tap do |report|
-          each do |dependency|
+          dependencies.each do |dependency|
             report[:dependencies].push(dependency.to_h)
           end
         end
@@ -51,7 +45,7 @@ module Spandx
       end
 
       def to_csv
-        map do |dependency|
+        dependencies.map do |dependency|
           CSV.generate_line(dependency.to_a)
         end
       end

data/lib/spandx/dotnet/parsers/csproj.rb

@@ -4,22 +4,22 @@ module Spandx
   module Dotnet
     module Parsers
       class Csproj < ::Spandx::Core::Parser
-        def matches?(filename)
-          ['.csproj', '.props'].include?(File.extname(filename))
+        def match?(path)
+          ['.csproj', '.props'].include?(path.extname)
         end
 
-        def parse(lockfile)
+        def parse(path)
           ProjectFile
-            .new(lockfile)
+            .new(path)
             .package_references
-            .map { |x| map_from(x) }
+            .map { |x| map_from(path, x) }
         end
 
         private
 
-        def map_from(package_reference)
+        def map_from(path, package_reference)
           ::Spandx::Core::Dependency.new(
-            package_manager: :nuget,
+            path: path,
             name: package_reference.name,
             version: package_reference.version,
             meta: package_reference

data/lib/spandx/dotnet/parsers/packages_config.rb

@@ -4,22 +4,22 @@ module Spandx
   module Dotnet
     module Parsers
       class PackagesConfig < ::Spandx::Core::Parser
-        def matches?(filename)
-          filename.match?(/packages\.config/)
+        def match?(path)
+          path.basename.fnmatch?('packages.config')
         end
 
-        def parse(lockfile)
-          Nokogiri::XML(IO.read(lockfile))
+        def parse(path)
+          Nokogiri::XML(path.read)
             .search('//package')
-            .map { |node| map_from(node) }
+            .map { |node| map_from(path, node) }
         end
 
         private
 
-        def map_from(node)
+        def map_from(path, node)
           name = attribute_for('id', node)
           version = attribute_for('version', node)
-          ::Spandx::Core::Dependency.new(package_manager: :nuget, name: name, version: version)
+          ::Spandx::Core::Dependency.new(name: name, version: version, path: path)
         end
 
         def attribute_for(key, node)

data/lib/spandx/dotnet/parsers/sln.rb

@@ -4,29 +4,26 @@ module Spandx
   module Dotnet
     module Parsers
       class Sln < ::Spandx::Core::Parser
-        def matches?(filename)
-          filename.match?(/.*\.sln/)
+        def match?(path)
+          path.extname == '.sln'
         end
 
-        def parse(file_path)
-          project_paths_from(file_path).map do |path|
-            ::Spandx::Core::Parser
-              .for(path)
-              .parse(path)
+        def parse(path)
+          project_paths_from(path).map do |project_path|
+            ::Spandx::Core::Parser.parse(project_path)
           end.flatten
         end
 
         private
 
-        def project_paths_from(file_path)
-          IO.readlines(file_path).map do |line|
+        def project_paths_from(path)
+          path.each_line.map do |line|
             next unless project_line?(line)
 
-            path = project_path_from(line)
-            next unless path
+            project_path = project_path_from(line)
+            next unless project_path
 
-            path = File.join(File.dirname(file_path), path)
-            Pathname.new(path).cleanpath.to_path
+            path.dirname.join(project_path).cleanpath.to_path
           end.compact
         end
 

data/lib/spandx/dotnet/project_file.rb

@@ -6,9 +6,9 @@ module Spandx
       attr_reader :catalogue, :document, :nuget
 
       def initialize(path)
-        @path = path
-        @dir = File.dirname(path)
-        @document = Nokogiri::XML(IO.read(path)).tap(&:remove_namespaces!)
+        @path = Pathname(path)
+        @dir = @path.dirname
+        @document = Nokogiri::XML(@path.read).tap(&:remove_namespaces!)
       end
 
       def package_references

data/lib/spandx/java/parsers/maven.rb

@@ -4,26 +4,26 @@ module Spandx
   module Java
     module Parsers
       class Maven < ::Spandx::Core::Parser
-        def matches?(filename)
-          File.basename(filename) == 'pom.xml'
+        def match?(path)
+          path.basename.fnmatch?('pom.xml')
         end
 
-        def parse(filename)
-          document = Nokogiri.XML(IO.read(filename)).tap(&:remove_namespaces!)
+        def parse(path)
+          document = Nokogiri.XML(path.read).tap(&:remove_namespaces!)
           document.search('//project/dependencies/dependency').map do |node|
-            map_from(node)
+            map_from(path, node)
           end
         end
 
         private
 
-        def map_from(node)
+        def map_from(path, node)
           artifact_id = node.at_xpath('./artifactId').text
           group_id = node.at_xpath('./groupId').text
           version = node.at_xpath('./version').text
 
           ::Spandx::Core::Dependency.new(
-            package_manager: :maven,
+            path: path,
             name: "#{group_id}:#{artifact_id}",
             version: version
           )

data/lib/spandx/js/parsers/npm.rb

@@ -4,14 +4,14 @@ module Spandx
   module Js
     module Parsers
       class Npm < ::Spandx::Core::Parser
-        def matches?(filename)
+        def match?(filename)
           File.basename(filename) == 'package-lock.json'
         end
 
-        def parse(file_path)
+        def parse(path)
           items = Set.new
-          each_metadata(file_path) do |metadata|
-            items.add(map_from(metadata))
+          each_metadata(path) do |metadata|
+            items.add(map_from(path, metadata))
           end
           items
         end
@@ -25,9 +25,9 @@ module Spandx
           end
         end
 
-        def map_from(metadata)
+        def map_from(path, metadata)
           Spandx::Core::Dependency.new(
-            package_manager: :npm,
+            path: path,
             name: metadata['name'],
             version: metadata['version'],
             meta: metadata

data/lib/spandx/js/parsers/yarn.rb

@@ -4,21 +4,21 @@ module Spandx
   module Js
     module Parsers
       class Yarn < ::Spandx::Core::Parser
-        def matches?(filename)
-          File.basename(filename) == 'yarn.lock'
+        def match?(filename)
+          filename.basename.fnmatch?('yarn.lock')
         end
 
-        def parse(file_path)
-          YarnLock.new(file_path).each_with_object(Set.new) do |metadata, memo|
-            memo << map_from(metadata)
+        def parse(path)
+          YarnLock.new(path).each_with_object(Set.new) do |metadata, memo|
+            memo << map_from(path, metadata)
           end
         end
 
         private
 
-        def map_from(metadata)
+        def map_from(path, metadata)
           ::Spandx::Core::Dependency.new(
-            package_manager: :yarn,
+            path: path,
             name: metadata['name'],
             version: metadata['version'],
             meta: metadata

data/lib/spandx/php/parsers/composer.rb

@@ -4,24 +4,24 @@ module Spandx
   module Php
     module Parsers
       class Composer < ::Spandx::Core::Parser
-        def matches?(filename)
-          File.basename(filename) == 'composer.lock'
+        def match?(path)
+          path.basename.fnmatch? 'composer.lock'
         end
 
-        def parse(file_path)
+        def parse(path)
           items = Set.new
-          composer_lock = JSON.parse(IO.read(file_path))
+          composer_lock = JSON.parse(path.read)
           composer_lock['packages'].concat(composer_lock['packages-dev']).each do |dependency|
-            items.add(map_from(dependency))
+            items.add(map_from(path, dependency))
           end
           items
         end
 
         private
 
-        def map_from(dependency)
+        def map_from(path, dependency)
           Spandx::Core::Dependency.new(
-            package_manager: :composer,
+            path: path,
             name: dependency['name'],
             version: dependency['version'],
             meta: dependency

data/lib/spandx/python/parsers/pipfile_lock.rb

@@ -4,8 +4,8 @@ module Spandx
   module Python
     module Parsers
       class PipfileLock < ::Spandx::Core::Parser
-        def matches?(filename)
-          filename.match?(/Pipfile.*\.lock/)
+        def match?(path)
+          path.basename.fnmatch?('Pipfile*.lock')
         end
 
         def parse(lockfile)
@@ -19,10 +19,10 @@ module Spandx
         private
 
         def dependencies_from(lockfile)
-          json = JSON.parse(IO.read(lockfile))
+          json = JSON.parse(lockfile.read)
           each_dependency(json) do |name, version|
             yield ::Spandx::Core::Dependency.new(
-              package_manager: :pypi,
+              path: lockfile,
               name: name,
               version: version,
               meta: json

data/lib/spandx/ruby/parsers/gemfile_lock.rb

@@ -6,31 +6,32 @@ module Spandx
       class GemfileLock < ::Spandx::Core::Parser
         STRIP_BUNDLED_WITH = /^BUNDLED WITH$(\r?\n)   (?<major>\d+)\.\d+\.\d+/m.freeze
 
-        def matches?(filename)
-          filename.match?(/Gemfile.*\.lock/) ||
-            filename.match?(/gems.*\.lock/)
+        def match?(pathname)
+          basename = pathname.basename
+          basename.fnmatch?('Gemfile*.lock') ||
+            basename.fnmatch?('gems*.lock')
         end
 
         def parse(lockfile)
           dependencies_from(lockfile).map do |specification|
-            map_from(specification)
+            map_from(lockfile, specification)
           end
         end
 
         private
 
         def dependencies_from(filepath)
-          content = IO.read(filepath)
-          Dir.chdir(File.dirname(filepath)) do
+          content = filepath.read.sub(STRIP_BUNDLED_WITH, '')
+          Dir.chdir(filepath.dirname) do
             ::Bundler::LockfileParser
-              .new(content.sub(STRIP_BUNDLED_WITH, ''))
+              .new(content)
               .specs
           end
         end
 
-        def map_from(specification)
+        def map_from(lockfile, specification)
           ::Spandx::Core::Dependency.new(
-            package_manager: :rubygems,
+            path: lockfile,
             name: specification.name,
             version: specification.version.to_s,
             meta: {

data/lib/spandx/spdx/catalogue.rb

@@ -33,7 +33,7 @@ module Spandx
         end
 
         def from_file(path)
-          from_json(IO.read(path))
+          from_json(Pathname.new(path).read)
         end
 
         def from_git

data/lib/spandx/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Spandx
-  VERSION = '0.13.3'
+  VERSION = '0.13.4'
 end

data/spandx.gemspec

@@ -38,6 +38,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency 'net-hippie', '~> 0.3'
   spec.add_dependency 'nokogiri', '~> 1.10'
   spec.add_dependency 'parslet', '~> 2.0'
+  spec.add_dependency 'terminal-table', '~> 1.8'
   spec.add_dependency 'thor'
   spec.add_dependency 'tty-screen', '~> 0.7'
   spec.add_dependency 'zeitwerk', '~> 2.3'

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: spandx
 version: !ruby/object:Gem::Version
-  version: 0.13.3
+  version: 0.13.4
 platform: ruby
 authors:
 - Can Eldem
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-05-21 00:00:00.000000000 Z
+date: 2020-05-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: addressable
@@ -101,6 +101,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: terminal-table
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
 - !ruby/object:Gem::Dependency
   name: thor
   requirement: !ruby/object:Gem::Requirement
@@ -372,7 +386,6 @@ files:
 - lib/spandx/core/report.rb
 - lib/spandx/core/score.rb
 - lib/spandx/core/spinner.rb
-- lib/spandx/core/table.rb
 - lib/spandx/dotnet/index.rb
 - lib/spandx/dotnet/nuget_gateway.rb
 - lib/spandx/dotnet/package_reference.rb

data/lib/spandx/core/table.rb

@@ -1,29 +0,0 @@
-# frozen_string_literal: true
-
-module Spandx
-  module Core
-    class Table
-      def initialize
-        @rows = []
-        @max_justification = 0
-        yield self
-      end
-
-      def <<(item)
-        row = item.to_a
-        new_max = row[0].size
-        @max_justification = new_max + 1 if new_max > @max_justification
-        @rows << row
-      end
-
-      def to_s
-        @rows.map do |row|
-          row.each.with_index.map do |cell, index|
-            justification = index.zero? ? @max_justification : 15
-            Array(cell).join(', ').ljust(justification, ' ')
-          end.join
-        end
-      end
-    end
-  end
-end