cycode 3.16.3.dev2__py3-none-any.whl → 3.16.3.dev4__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
cycode/__init__.py CHANGED
@@ -5,4 +5,4 @@ import time as _time
5
5
  # end-to-end scan duration from the moment the user actually triggered it.
6
6
  _BOOT_WALL: float = _time.time()
7
7
 
8
- __version__ = '3.16.3.dev2' # DON'T TOUCH. Placeholder. Will be filled automatically on poetry build from Git Tag
8
+ __version__ = '3.16.3.dev4' # DON'T TOUCH. Placeholder. Will be filled automatically on poetry build from Git Tag
cycode/cli/consts.py CHANGED
@@ -102,6 +102,7 @@ SCA_CONFIGURATION_SCAN_SUPPORTED_FILES = ( # keep in lowercase
102
102
  'deno.lock',
103
103
  'deno.json',
104
104
  'pnpm-lock.yaml',
105
+ 'bun.lock',
105
106
  'npm-shrinkwrap.json',
106
107
  'packages.config',
107
108
  'project.assets.json',
@@ -165,6 +166,7 @@ PROJECT_FILES_BY_ECOSYSTEM_MAP = {
165
166
  'npm-shrinkwrap.json',
166
167
  '.npmrc',
167
168
  'pnpm-lock.yaml',
169
+ 'bun.lock',
168
170
  'deno.lock',
169
171
  'deno.json',
170
172
  ],
@@ -0,0 +1,113 @@
1
+ import json
2
+ import re
3
+ from pathlib import Path
4
+ from typing import Optional
5
+
6
+ import typer
7
+
8
+ from cycode.cli.files_collector.sca.base_restore_dependencies import BaseRestoreDependencies, build_dep_tree_path
9
+ from cycode.cli.models import Document
10
+ from cycode.cli.utils.path_utils import get_file_content
11
+ from cycode.cli.utils.shell_executor import shell
12
+ from cycode.logger import get_logger
13
+
14
+ logger = get_logger('Bun Restore Dependencies')
15
+
16
+ BUN_MANIFEST_FILE_NAME = 'package.json'
17
+ BUN_LOCK_FILE_NAME = 'bun.lock'
18
+
19
+ # Only Bun >=1.2 produces the text-based `bun.lock` lockfile that we parse.
20
+ # Older Bun versions emit a binary `bun.lockb`, which is not supported.
21
+ MINIMUM_BUN_VERSION = (1, 2)
22
+ BUN_VERSION_COMMAND = ['bun', '--version']
23
+
24
+
25
+ def _indicates_bun(package_json_content: Optional[str]) -> bool:
26
+ """Return True if package.json content signals that this project uses Bun."""
27
+ if not package_json_content:
28
+ return False
29
+ try:
30
+ data = json.loads(package_json_content)
31
+ except (json.JSONDecodeError, ValueError):
32
+ return False
33
+
34
+ package_manager = data.get('packageManager', '')
35
+ if isinstance(package_manager, str) and package_manager.startswith('bun'):
36
+ return True
37
+
38
+ engines = data.get('engines', {})
39
+ return isinstance(engines, dict) and 'bun' in engines
40
+
41
+
42
+ def _parse_bun_version(raw_version: Optional[str]) -> Optional[tuple[int, int]]:
43
+ """Parse the (major, minor) version from `bun --version` output (e.g. '1.2.3')."""
44
+ if not raw_version:
45
+ return None
46
+ match = re.match(r'(\d+)\.(\d+)', raw_version.strip())
47
+ if not match:
48
+ return None
49
+ return int(match.group(1)), int(match.group(2))
50
+
51
+
52
+ class RestoreBunDependencies(BaseRestoreDependencies):
53
+ def __init__(self, ctx: typer.Context, is_git_diff: bool, command_timeout: int) -> None:
54
+ super().__init__(ctx, is_git_diff, command_timeout)
55
+
56
+ def is_project(self, document: Document) -> bool:
57
+ if Path(document.path).name != BUN_MANIFEST_FILE_NAME:
58
+ return False
59
+
60
+ manifest_dir = self.get_manifest_dir(document)
61
+ if manifest_dir and (Path(manifest_dir) / BUN_LOCK_FILE_NAME).is_file():
62
+ return True
63
+
64
+ return _indicates_bun(document.content)
65
+
66
+ def _is_supported_bun_version(self) -> bool:
67
+ """Verify that the installed Bun is >=1.2, which is required to generate a text bun.lock."""
68
+ raw_version = shell(command=BUN_VERSION_COMMAND, timeout=self.command_timeout, silent_exc_info=True)
69
+ version = _parse_bun_version(raw_version)
70
+ minimum = '.'.join(str(part) for part in MINIMUM_BUN_VERSION)
71
+ if version is None:
72
+ logger.warning(
73
+ 'Could not determine Bun version; Bun %s+ is required to restore Bun dependencies, %s',
74
+ minimum,
75
+ {'raw_version': raw_version},
76
+ )
77
+ return False
78
+ if version < MINIMUM_BUN_VERSION:
79
+ logger.warning(
80
+ 'Unsupported Bun version; Bun %s+ is required to restore Bun dependencies, %s',
81
+ minimum,
82
+ {'detected_version': '.'.join(str(part) for part in version)},
83
+ )
84
+ return False
85
+ return True
86
+
87
+ def try_restore_dependencies(self, document: Document) -> Optional[Document]:
88
+ manifest_dir = self.get_manifest_dir(document)
89
+ lockfile_path = Path(manifest_dir) / BUN_LOCK_FILE_NAME if manifest_dir else None
90
+
91
+ if lockfile_path and lockfile_path.is_file():
92
+ # Lockfile already exists — read it directly without running bun.
93
+ # A text bun.lock only exists when generated by Bun >=1.2, so no version check is needed here.
94
+ content = get_file_content(str(lockfile_path))
95
+ relative_path = build_dep_tree_path(document.path, BUN_LOCK_FILE_NAME)
96
+ logger.debug('Using existing bun.lock, %s', {'path': str(lockfile_path)})
97
+ return Document(relative_path, content, self.is_git_diff)
98
+
99
+ # Lockfile absent — must generate it via `bun install`. This requires Bun >=1.2,
100
+ # otherwise an older Bun would emit a binary bun.lockb that we cannot parse.
101
+ if not self._is_supported_bun_version():
102
+ return None
103
+
104
+ return super().try_restore_dependencies(document)
105
+
106
+ def get_commands(self, manifest_file_path: str) -> list[list[str]]:
107
+ return [['bun', 'install', '--ignore-scripts']]
108
+
109
+ def get_lock_file_name(self) -> str:
110
+ return BUN_LOCK_FILE_NAME
111
+
112
+ def get_lock_file_names(self) -> list[str]:
113
+ return [BUN_LOCK_FILE_NAME]
@@ -11,7 +11,7 @@ logger = get_logger('NPM Restore Dependencies')
11
11
  NPM_MANIFEST_FILE_NAME = 'package.json'
12
12
  NPM_LOCK_FILE_NAME = 'package-lock.json'
13
13
  # These lockfiles indicate another package manager owns the project — NPM should not run
14
- _ALTERNATIVE_LOCK_FILES = ('yarn.lock', 'pnpm-lock.yaml', 'deno.lock')
14
+ _ALTERNATIVE_LOCK_FILES = ('yarn.lock', 'pnpm-lock.yaml', 'deno.lock', 'bun.lock')
15
15
 
16
16
 
17
17
  class RestoreNpmDependencies(BaseRestoreDependencies):
@@ -23,6 +23,15 @@ class RestoreNpmDependencies(BaseRestoreDependencies):
23
23
 
24
24
  Yarn and pnpm projects are handled by their dedicated handlers, which run before
25
25
  this one in the handler list. This handler is the npm fallback.
26
+
27
+ NOTE: this guard only excludes a project when an alternative lockfile is *physically
28
+ present on disk*. It does not inspect the `packageManager`/`engines` signal in
29
+ package.json. So a project that declares e.g. `packageManager: "bun@..."` (or pnpm)
30
+ but has no lockfile yet is claimed by BOTH the dedicated handler and this npm fallback,
31
+ and both restores run. This is pre-existing behavior shared by pnpm/yarn/bun and is
32
+ accepted for now (a real Bun/pnpm project ships a lockfile, so npm correctly skips).
33
+ If this ever needs tightening, also skip here when package.json declares a non-npm
34
+ packageManager/engines signal.
26
35
  """
27
36
  if Path(document.path).name != NPM_MANIFEST_FILE_NAME:
28
37
  return False
@@ -10,6 +10,7 @@ from cycode.cli.files_collector.sca.base_restore_dependencies import BaseRestore
10
10
  from cycode.cli.files_collector.sca.go.restore_go_dependencies import RestoreGoDependencies
11
11
  from cycode.cli.files_collector.sca.maven.restore_gradle_dependencies import RestoreGradleDependencies
12
12
  from cycode.cli.files_collector.sca.maven.restore_maven_dependencies import RestoreMavenDependencies
13
+ from cycode.cli.files_collector.sca.npm.restore_bun_dependencies import RestoreBunDependencies
13
14
  from cycode.cli.files_collector.sca.npm.restore_deno_dependencies import RestoreDenoDependencies
14
15
  from cycode.cli.files_collector.sca.npm.restore_npm_dependencies import RestoreNpmDependencies
15
16
  from cycode.cli.files_collector.sca.npm.restore_pnpm_dependencies import RestorePnpmDependencies
@@ -157,8 +158,9 @@ def _get_restore_handlers(ctx: typer.Context, is_git_diff: bool) -> list[BaseRes
157
158
  RestoreNugetDependencies(ctx, is_git_diff, build_dep_tree_timeout),
158
159
  RestoreYarnDependencies(ctx, is_git_diff, build_dep_tree_timeout),
159
160
  RestorePnpmDependencies(ctx, is_git_diff, build_dep_tree_timeout),
161
+ RestoreBunDependencies(ctx, is_git_diff, build_dep_tree_timeout),
160
162
  RestoreDenoDependencies(ctx, is_git_diff, build_dep_tree_timeout),
161
- RestoreNpmDependencies(ctx, is_git_diff, build_dep_tree_timeout), # Must be after Yarn & Pnpm for fallback
163
+ RestoreNpmDependencies(ctx, is_git_diff, build_dep_tree_timeout), # Must be after Yarn, Pnpm & Bun for fallback
162
164
  RestoreRubyDependencies(ctx, is_git_diff, build_dep_tree_timeout),
163
165
  RestoreUvDependencies(ctx, is_git_diff, build_dep_tree_timeout), # Must be before Poetry for pyproject.toml
164
166
  RestorePoetryDependencies(ctx, is_git_diff, build_dep_tree_timeout),
@@ -1,6 +1,6 @@
1
1
  Metadata-Version: 2.4
2
2
  Name: cycode
3
- Version: 3.16.3.dev2
3
+ Version: 3.16.3.dev4
4
4
  Summary: Boost security in your dev lifecycle via SAST, SCA, Secrets & IaC scanning.
5
5
  License-Expression: MIT
6
6
  License-File: LICENCE
@@ -1,4 +1,4 @@
1
- cycode/__init__.py,sha256=a02DIWGLRttTo50tdayCtRosK8xi_hs0uTrsl0YxH90,396
1
+ cycode/__init__.py,sha256=M9P-K1qrr5klIKq7_vzZPAbHawccu47Rp-dd-QFoMPQ,396
2
2
  cycode/__main__.py,sha256=Z3bD5yrA7yPvAChcADQrqCaZd0ChGI1gdiwALwbWJ6U,104
3
3
  cycode/cli/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
4
4
  cycode/cli/app.py,sha256=AlR2durAEbsa47PDfIj7JtMvJDWA_Dq6wPtVuMJYSCs,10250
@@ -94,7 +94,7 @@ cycode/cli/apps/status/version_command.py,sha256=c6Iko_rmZo9T_kQSd3HUloBi40Qv7cj
94
94
  cycode/cli/cli_types.py,sha256=QbFWJLtlsEnHGdqdHbLolJqT57RfhocvsPAhlcNcCRE,3354
95
95
  cycode/cli/config.py,sha256=Op-lX_neanJtvPvoOEx4ByBdveh5ygElIga1FdSHhOI,299
96
96
  cycode/cli/console.py,sha256=vp-DHwlkwpwdsPyfwGdjsPF-6-Bi3f8W7G-W_YXCMH8,1914
97
- cycode/cli/consts.py,sha256=DA64POP-TWR4jTOkBzzN-paHX_S_9A_qPs6GCIW-U9s,9651
97
+ cycode/cli/consts.py,sha256=L900JVQyOILWFg6D6miNQHv0h2Wr6PYA4FuiDSymzaw,9687
98
98
  cycode/cli/exceptions/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
99
99
  cycode/cli/exceptions/custom_exceptions.py,sha256=mTPLPI6V5JrEM6IQ8f7An9P207oYWEgJr-l9UpieSWk,4232
100
100
  cycode/cli/exceptions/handle_ai_remediation_errors.py,sha256=mA70upSYXK3rL_fmanzKYeUzLENhpXdkW8k3aIHrKzU,785
@@ -120,8 +120,9 @@ cycode/cli/files_collector/sca/maven/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeu
120
120
  cycode/cli/files_collector/sca/maven/restore_gradle_dependencies.py,sha256=hwsdJby0_7i3s6YmCU-tB6B3TfsfbyQyeTVwEy6c6SA,2699
121
121
  cycode/cli/files_collector/sca/maven/restore_maven_dependencies.py,sha256=zObNN8n6yUriNVB3ZdvAkoKXXrMvzU9Lpd5lNhVo_so,4003
122
122
  cycode/cli/files_collector/sca/npm/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
123
+ cycode/cli/files_collector/sca/npm/restore_bun_dependencies.py,sha256=HI0X_19wCM6B_vRpX6uD12dXsQbU6LCcLQdobPZDgAs,4580
123
124
  cycode/cli/files_collector/sca/npm/restore_deno_dependencies.py,sha256=XL0VXEPL0jf6ruZZkCpv99lkU8-MNc09CU1fgGgTbHs,1768
124
- cycode/cli/files_collector/sca/npm/restore_npm_dependencies.py,sha256=oUPJa1qwzCg3h1eZeVrU95Fluubo7p5gNlGmjJQem-4,2477
125
+ cycode/cli/files_collector/sca/npm/restore_npm_dependencies.py,sha256=Uwoemv18PX2_9pSGzyYJ7wixQtgDZVOuuJuHIjdnF7M,3173
125
126
  cycode/cli/files_collector/sca/npm/restore_pnpm_dependencies.py,sha256=CcvJOox2JpWl_UeCjMP9I8fP85bPZXfhH7IwLzq2U8E,2708
126
127
  cycode/cli/files_collector/sca/npm/restore_yarn_dependencies.py,sha256=903Ra2YOKwlJnknG47embjPLQUajUb8_1j94GAVcnX0,2698
127
128
  cycode/cli/files_collector/sca/nuget/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -136,7 +137,7 @@ cycode/cli/files_collector/sca/ruby/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQ
136
137
  cycode/cli/files_collector/sca/ruby/restore_ruby_dependencies.py,sha256=Vqswcxte9YjGnvIm9oZ8r91jNyhuiYDf1mouaTaLg3U,694
137
138
  cycode/cli/files_collector/sca/sbt/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
138
139
  cycode/cli/files_collector/sca/sbt/restore_sbt_dependencies.py,sha256=cfBUR4iQcfplX_O2QPjYh2wSyBteze8wZcT_dG9d1d4,709
139
- cycode/cli/files_collector/sca/sca_file_collector.py,sha256=YnO1SYvzDM-9YjKLjfPJJ-El7MrvqCdV8PyjOeY3THk,9925
140
+ cycode/cli/files_collector/sca/sca_file_collector.py,sha256=POvajFssRea-Lax9YG3taAlYvI5by1EbMqso401SQ8M,10099
140
141
  cycode/cli/files_collector/walk_ignore.py,sha256=nvOM6oDmT2SxSI4pU-bLlc9LwTgkfTd2egse69ixf3g,2464
141
142
  cycode/cli/files_collector/zip_documents.py,sha256=FMzbA2Vog7Zl_ntizNQJK8AFqoGu0QlPIMIBpgmBiVI,1852
142
143
  cycode/cli/logger.py,sha256=mlaYEQGYd582fTCc3SC3cFMj0PKTB6EsaI12Q4VL1z8,65
@@ -208,8 +209,8 @@ cycode/cyclient/report_client.py,sha256=Scq30NeJPzgXv0hPLO1U05AdE9i_2iu6cIrSKpEJ
208
209
  cycode/cyclient/scan_client.py,sha256=6TK5FQkfrvV7PHqRnUzEn1PBNd2oPYVamvIixcUfe3c,16755
209
210
  cycode/cyclient/scan_config_base.py,sha256=mXsPZGYCtp85rv5GIige40yQZXuRcEKUW-VQJ0vgFzk,1201
210
211
  cycode/logger.py,sha256=EfZGRK6VC5rE_LAjIcRrHFiQCueylCDXoG6bvGkrIME,2111
211
- cycode-3.16.3.dev2.dist-info/METADATA,sha256=DBWx5RMjw0IZkbH7-ltfRf7zZxQ8NyjE6iczyICIUk0,89245
212
- cycode-3.16.3.dev2.dist-info/WHEEL,sha256=zp0Cn7JsFoX2ATtOhtaFYIiE2rmFAD4OcMhtUki8W3U,88
213
- cycode-3.16.3.dev2.dist-info/entry_points.txt,sha256=iDcVJM8ByLElVgvBgtYxDjw1kT7O8Mo0LcWZIT5L3Ig,45
214
- cycode-3.16.3.dev2.dist-info/licenses/LICENCE,sha256=2Wx4N6mD_4xB7-E3hPkZ3MPhpJy__k_I8MaCSO-PDRo,1068
215
- cycode-3.16.3.dev2.dist-info/RECORD,,
212
+ cycode-3.16.3.dev4.dist-info/METADATA,sha256=6TbdbNG3KBoVsoR1J6Oy4jje6zfnlxg0WVN5iuvBU4I,89245
213
+ cycode-3.16.3.dev4.dist-info/WHEEL,sha256=zp0Cn7JsFoX2ATtOhtaFYIiE2rmFAD4OcMhtUki8W3U,88
214
+ cycode-3.16.3.dev4.dist-info/entry_points.txt,sha256=iDcVJM8ByLElVgvBgtYxDjw1kT7O8Mo0LcWZIT5L3Ig,45
215
+ cycode-3.16.3.dev4.dist-info/licenses/LICENCE,sha256=2Wx4N6mD_4xB7-E3hPkZ3MPhpJy__k_I8MaCSO-PDRo,1068
216
+ cycode-3.16.3.dev4.dist-info/RECORD,,