cycode 3.16.3.dev2__py3-none-any.whl → 3.16.3.dev4__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- cycode/__init__.py +1 -1
- cycode/cli/consts.py +2 -0
- cycode/cli/files_collector/sca/npm/restore_bun_dependencies.py +113 -0
- cycode/cli/files_collector/sca/npm/restore_npm_dependencies.py +10 -1
- cycode/cli/files_collector/sca/sca_file_collector.py +3 -1
- {cycode-3.16.3.dev2.dist-info → cycode-3.16.3.dev4.dist-info}/METADATA +1 -1
- {cycode-3.16.3.dev2.dist-info → cycode-3.16.3.dev4.dist-info}/RECORD +10 -9
- {cycode-3.16.3.dev2.dist-info → cycode-3.16.3.dev4.dist-info}/WHEEL +0 -0
- {cycode-3.16.3.dev2.dist-info → cycode-3.16.3.dev4.dist-info}/entry_points.txt +0 -0
- {cycode-3.16.3.dev2.dist-info → cycode-3.16.3.dev4.dist-info}/licenses/LICENCE +0 -0
cycode/__init__.py
CHANGED
|
@@ -5,4 +5,4 @@ import time as _time
|
|
|
5
5
|
# end-to-end scan duration from the moment the user actually triggered it.
|
|
6
6
|
_BOOT_WALL: float = _time.time()
|
|
7
7
|
|
|
8
|
-
__version__ = '3.16.3.
|
|
8
|
+
__version__ = '3.16.3.dev4' # DON'T TOUCH. Placeholder. Will be filled automatically on poetry build from Git Tag
|
cycode/cli/consts.py
CHANGED
|
@@ -102,6 +102,7 @@ SCA_CONFIGURATION_SCAN_SUPPORTED_FILES = ( # keep in lowercase
|
|
|
102
102
|
'deno.lock',
|
|
103
103
|
'deno.json',
|
|
104
104
|
'pnpm-lock.yaml',
|
|
105
|
+
'bun.lock',
|
|
105
106
|
'npm-shrinkwrap.json',
|
|
106
107
|
'packages.config',
|
|
107
108
|
'project.assets.json',
|
|
@@ -165,6 +166,7 @@ PROJECT_FILES_BY_ECOSYSTEM_MAP = {
|
|
|
165
166
|
'npm-shrinkwrap.json',
|
|
166
167
|
'.npmrc',
|
|
167
168
|
'pnpm-lock.yaml',
|
|
169
|
+
'bun.lock',
|
|
168
170
|
'deno.lock',
|
|
169
171
|
'deno.json',
|
|
170
172
|
],
|
|
@@ -0,0 +1,113 @@
|
|
|
1
|
+
import json
|
|
2
|
+
import re
|
|
3
|
+
from pathlib import Path
|
|
4
|
+
from typing import Optional
|
|
5
|
+
|
|
6
|
+
import typer
|
|
7
|
+
|
|
8
|
+
from cycode.cli.files_collector.sca.base_restore_dependencies import BaseRestoreDependencies, build_dep_tree_path
|
|
9
|
+
from cycode.cli.models import Document
|
|
10
|
+
from cycode.cli.utils.path_utils import get_file_content
|
|
11
|
+
from cycode.cli.utils.shell_executor import shell
|
|
12
|
+
from cycode.logger import get_logger
|
|
13
|
+
|
|
14
|
+
logger = get_logger('Bun Restore Dependencies')
|
|
15
|
+
|
|
16
|
+
BUN_MANIFEST_FILE_NAME = 'package.json'
|
|
17
|
+
BUN_LOCK_FILE_NAME = 'bun.lock'
|
|
18
|
+
|
|
19
|
+
# Only Bun >=1.2 produces the text-based `bun.lock` lockfile that we parse.
|
|
20
|
+
# Older Bun versions emit a binary `bun.lockb`, which is not supported.
|
|
21
|
+
MINIMUM_BUN_VERSION = (1, 2)
|
|
22
|
+
BUN_VERSION_COMMAND = ['bun', '--version']
|
|
23
|
+
|
|
24
|
+
|
|
25
|
+
def _indicates_bun(package_json_content: Optional[str]) -> bool:
|
|
26
|
+
"""Return True if package.json content signals that this project uses Bun."""
|
|
27
|
+
if not package_json_content:
|
|
28
|
+
return False
|
|
29
|
+
try:
|
|
30
|
+
data = json.loads(package_json_content)
|
|
31
|
+
except (json.JSONDecodeError, ValueError):
|
|
32
|
+
return False
|
|
33
|
+
|
|
34
|
+
package_manager = data.get('packageManager', '')
|
|
35
|
+
if isinstance(package_manager, str) and package_manager.startswith('bun'):
|
|
36
|
+
return True
|
|
37
|
+
|
|
38
|
+
engines = data.get('engines', {})
|
|
39
|
+
return isinstance(engines, dict) and 'bun' in engines
|
|
40
|
+
|
|
41
|
+
|
|
42
|
+
def _parse_bun_version(raw_version: Optional[str]) -> Optional[tuple[int, int]]:
|
|
43
|
+
"""Parse the (major, minor) version from `bun --version` output (e.g. '1.2.3')."""
|
|
44
|
+
if not raw_version:
|
|
45
|
+
return None
|
|
46
|
+
match = re.match(r'(\d+)\.(\d+)', raw_version.strip())
|
|
47
|
+
if not match:
|
|
48
|
+
return None
|
|
49
|
+
return int(match.group(1)), int(match.group(2))
|
|
50
|
+
|
|
51
|
+
|
|
52
|
+
class RestoreBunDependencies(BaseRestoreDependencies):
|
|
53
|
+
def __init__(self, ctx: typer.Context, is_git_diff: bool, command_timeout: int) -> None:
|
|
54
|
+
super().__init__(ctx, is_git_diff, command_timeout)
|
|
55
|
+
|
|
56
|
+
def is_project(self, document: Document) -> bool:
|
|
57
|
+
if Path(document.path).name != BUN_MANIFEST_FILE_NAME:
|
|
58
|
+
return False
|
|
59
|
+
|
|
60
|
+
manifest_dir = self.get_manifest_dir(document)
|
|
61
|
+
if manifest_dir and (Path(manifest_dir) / BUN_LOCK_FILE_NAME).is_file():
|
|
62
|
+
return True
|
|
63
|
+
|
|
64
|
+
return _indicates_bun(document.content)
|
|
65
|
+
|
|
66
|
+
def _is_supported_bun_version(self) -> bool:
|
|
67
|
+
"""Verify that the installed Bun is >=1.2, which is required to generate a text bun.lock."""
|
|
68
|
+
raw_version = shell(command=BUN_VERSION_COMMAND, timeout=self.command_timeout, silent_exc_info=True)
|
|
69
|
+
version = _parse_bun_version(raw_version)
|
|
70
|
+
minimum = '.'.join(str(part) for part in MINIMUM_BUN_VERSION)
|
|
71
|
+
if version is None:
|
|
72
|
+
logger.warning(
|
|
73
|
+
'Could not determine Bun version; Bun %s+ is required to restore Bun dependencies, %s',
|
|
74
|
+
minimum,
|
|
75
|
+
{'raw_version': raw_version},
|
|
76
|
+
)
|
|
77
|
+
return False
|
|
78
|
+
if version < MINIMUM_BUN_VERSION:
|
|
79
|
+
logger.warning(
|
|
80
|
+
'Unsupported Bun version; Bun %s+ is required to restore Bun dependencies, %s',
|
|
81
|
+
minimum,
|
|
82
|
+
{'detected_version': '.'.join(str(part) for part in version)},
|
|
83
|
+
)
|
|
84
|
+
return False
|
|
85
|
+
return True
|
|
86
|
+
|
|
87
|
+
def try_restore_dependencies(self, document: Document) -> Optional[Document]:
|
|
88
|
+
manifest_dir = self.get_manifest_dir(document)
|
|
89
|
+
lockfile_path = Path(manifest_dir) / BUN_LOCK_FILE_NAME if manifest_dir else None
|
|
90
|
+
|
|
91
|
+
if lockfile_path and lockfile_path.is_file():
|
|
92
|
+
# Lockfile already exists — read it directly without running bun.
|
|
93
|
+
# A text bun.lock only exists when generated by Bun >=1.2, so no version check is needed here.
|
|
94
|
+
content = get_file_content(str(lockfile_path))
|
|
95
|
+
relative_path = build_dep_tree_path(document.path, BUN_LOCK_FILE_NAME)
|
|
96
|
+
logger.debug('Using existing bun.lock, %s', {'path': str(lockfile_path)})
|
|
97
|
+
return Document(relative_path, content, self.is_git_diff)
|
|
98
|
+
|
|
99
|
+
# Lockfile absent — must generate it via `bun install`. This requires Bun >=1.2,
|
|
100
|
+
# otherwise an older Bun would emit a binary bun.lockb that we cannot parse.
|
|
101
|
+
if not self._is_supported_bun_version():
|
|
102
|
+
return None
|
|
103
|
+
|
|
104
|
+
return super().try_restore_dependencies(document)
|
|
105
|
+
|
|
106
|
+
def get_commands(self, manifest_file_path: str) -> list[list[str]]:
|
|
107
|
+
return [['bun', 'install', '--ignore-scripts']]
|
|
108
|
+
|
|
109
|
+
def get_lock_file_name(self) -> str:
|
|
110
|
+
return BUN_LOCK_FILE_NAME
|
|
111
|
+
|
|
112
|
+
def get_lock_file_names(self) -> list[str]:
|
|
113
|
+
return [BUN_LOCK_FILE_NAME]
|
|
@@ -11,7 +11,7 @@ logger = get_logger('NPM Restore Dependencies')
|
|
|
11
11
|
NPM_MANIFEST_FILE_NAME = 'package.json'
|
|
12
12
|
NPM_LOCK_FILE_NAME = 'package-lock.json'
|
|
13
13
|
# These lockfiles indicate another package manager owns the project — NPM should not run
|
|
14
|
-
_ALTERNATIVE_LOCK_FILES = ('yarn.lock', 'pnpm-lock.yaml', 'deno.lock')
|
|
14
|
+
_ALTERNATIVE_LOCK_FILES = ('yarn.lock', 'pnpm-lock.yaml', 'deno.lock', 'bun.lock')
|
|
15
15
|
|
|
16
16
|
|
|
17
17
|
class RestoreNpmDependencies(BaseRestoreDependencies):
|
|
@@ -23,6 +23,15 @@ class RestoreNpmDependencies(BaseRestoreDependencies):
|
|
|
23
23
|
|
|
24
24
|
Yarn and pnpm projects are handled by their dedicated handlers, which run before
|
|
25
25
|
this one in the handler list. This handler is the npm fallback.
|
|
26
|
+
|
|
27
|
+
NOTE: this guard only excludes a project when an alternative lockfile is *physically
|
|
28
|
+
present on disk*. It does not inspect the `packageManager`/`engines` signal in
|
|
29
|
+
package.json. So a project that declares e.g. `packageManager: "bun@..."` (or pnpm)
|
|
30
|
+
but has no lockfile yet is claimed by BOTH the dedicated handler and this npm fallback,
|
|
31
|
+
and both restores run. This is pre-existing behavior shared by pnpm/yarn/bun and is
|
|
32
|
+
accepted for now (a real Bun/pnpm project ships a lockfile, so npm correctly skips).
|
|
33
|
+
If this ever needs tightening, also skip here when package.json declares a non-npm
|
|
34
|
+
packageManager/engines signal.
|
|
26
35
|
"""
|
|
27
36
|
if Path(document.path).name != NPM_MANIFEST_FILE_NAME:
|
|
28
37
|
return False
|
|
@@ -10,6 +10,7 @@ from cycode.cli.files_collector.sca.base_restore_dependencies import BaseRestore
|
|
|
10
10
|
from cycode.cli.files_collector.sca.go.restore_go_dependencies import RestoreGoDependencies
|
|
11
11
|
from cycode.cli.files_collector.sca.maven.restore_gradle_dependencies import RestoreGradleDependencies
|
|
12
12
|
from cycode.cli.files_collector.sca.maven.restore_maven_dependencies import RestoreMavenDependencies
|
|
13
|
+
from cycode.cli.files_collector.sca.npm.restore_bun_dependencies import RestoreBunDependencies
|
|
13
14
|
from cycode.cli.files_collector.sca.npm.restore_deno_dependencies import RestoreDenoDependencies
|
|
14
15
|
from cycode.cli.files_collector.sca.npm.restore_npm_dependencies import RestoreNpmDependencies
|
|
15
16
|
from cycode.cli.files_collector.sca.npm.restore_pnpm_dependencies import RestorePnpmDependencies
|
|
@@ -157,8 +158,9 @@ def _get_restore_handlers(ctx: typer.Context, is_git_diff: bool) -> list[BaseRes
|
|
|
157
158
|
RestoreNugetDependencies(ctx, is_git_diff, build_dep_tree_timeout),
|
|
158
159
|
RestoreYarnDependencies(ctx, is_git_diff, build_dep_tree_timeout),
|
|
159
160
|
RestorePnpmDependencies(ctx, is_git_diff, build_dep_tree_timeout),
|
|
161
|
+
RestoreBunDependencies(ctx, is_git_diff, build_dep_tree_timeout),
|
|
160
162
|
RestoreDenoDependencies(ctx, is_git_diff, build_dep_tree_timeout),
|
|
161
|
-
RestoreNpmDependencies(ctx, is_git_diff, build_dep_tree_timeout), # Must be after Yarn &
|
|
163
|
+
RestoreNpmDependencies(ctx, is_git_diff, build_dep_tree_timeout), # Must be after Yarn, Pnpm & Bun for fallback
|
|
162
164
|
RestoreRubyDependencies(ctx, is_git_diff, build_dep_tree_timeout),
|
|
163
165
|
RestoreUvDependencies(ctx, is_git_diff, build_dep_tree_timeout), # Must be before Poetry for pyproject.toml
|
|
164
166
|
RestorePoetryDependencies(ctx, is_git_diff, build_dep_tree_timeout),
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
cycode/__init__.py,sha256=
|
|
1
|
+
cycode/__init__.py,sha256=M9P-K1qrr5klIKq7_vzZPAbHawccu47Rp-dd-QFoMPQ,396
|
|
2
2
|
cycode/__main__.py,sha256=Z3bD5yrA7yPvAChcADQrqCaZd0ChGI1gdiwALwbWJ6U,104
|
|
3
3
|
cycode/cli/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
4
4
|
cycode/cli/app.py,sha256=AlR2durAEbsa47PDfIj7JtMvJDWA_Dq6wPtVuMJYSCs,10250
|
|
@@ -94,7 +94,7 @@ cycode/cli/apps/status/version_command.py,sha256=c6Iko_rmZo9T_kQSd3HUloBi40Qv7cj
|
|
|
94
94
|
cycode/cli/cli_types.py,sha256=QbFWJLtlsEnHGdqdHbLolJqT57RfhocvsPAhlcNcCRE,3354
|
|
95
95
|
cycode/cli/config.py,sha256=Op-lX_neanJtvPvoOEx4ByBdveh5ygElIga1FdSHhOI,299
|
|
96
96
|
cycode/cli/console.py,sha256=vp-DHwlkwpwdsPyfwGdjsPF-6-Bi3f8W7G-W_YXCMH8,1914
|
|
97
|
-
cycode/cli/consts.py,sha256=
|
|
97
|
+
cycode/cli/consts.py,sha256=L900JVQyOILWFg6D6miNQHv0h2Wr6PYA4FuiDSymzaw,9687
|
|
98
98
|
cycode/cli/exceptions/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
99
99
|
cycode/cli/exceptions/custom_exceptions.py,sha256=mTPLPI6V5JrEM6IQ8f7An9P207oYWEgJr-l9UpieSWk,4232
|
|
100
100
|
cycode/cli/exceptions/handle_ai_remediation_errors.py,sha256=mA70upSYXK3rL_fmanzKYeUzLENhpXdkW8k3aIHrKzU,785
|
|
@@ -120,8 +120,9 @@ cycode/cli/files_collector/sca/maven/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeu
|
|
|
120
120
|
cycode/cli/files_collector/sca/maven/restore_gradle_dependencies.py,sha256=hwsdJby0_7i3s6YmCU-tB6B3TfsfbyQyeTVwEy6c6SA,2699
|
|
121
121
|
cycode/cli/files_collector/sca/maven/restore_maven_dependencies.py,sha256=zObNN8n6yUriNVB3ZdvAkoKXXrMvzU9Lpd5lNhVo_so,4003
|
|
122
122
|
cycode/cli/files_collector/sca/npm/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
123
|
+
cycode/cli/files_collector/sca/npm/restore_bun_dependencies.py,sha256=HI0X_19wCM6B_vRpX6uD12dXsQbU6LCcLQdobPZDgAs,4580
|
|
123
124
|
cycode/cli/files_collector/sca/npm/restore_deno_dependencies.py,sha256=XL0VXEPL0jf6ruZZkCpv99lkU8-MNc09CU1fgGgTbHs,1768
|
|
124
|
-
cycode/cli/files_collector/sca/npm/restore_npm_dependencies.py,sha256=
|
|
125
|
+
cycode/cli/files_collector/sca/npm/restore_npm_dependencies.py,sha256=Uwoemv18PX2_9pSGzyYJ7wixQtgDZVOuuJuHIjdnF7M,3173
|
|
125
126
|
cycode/cli/files_collector/sca/npm/restore_pnpm_dependencies.py,sha256=CcvJOox2JpWl_UeCjMP9I8fP85bPZXfhH7IwLzq2U8E,2708
|
|
126
127
|
cycode/cli/files_collector/sca/npm/restore_yarn_dependencies.py,sha256=903Ra2YOKwlJnknG47embjPLQUajUb8_1j94GAVcnX0,2698
|
|
127
128
|
cycode/cli/files_collector/sca/nuget/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
@@ -136,7 +137,7 @@ cycode/cli/files_collector/sca/ruby/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQ
|
|
|
136
137
|
cycode/cli/files_collector/sca/ruby/restore_ruby_dependencies.py,sha256=Vqswcxte9YjGnvIm9oZ8r91jNyhuiYDf1mouaTaLg3U,694
|
|
137
138
|
cycode/cli/files_collector/sca/sbt/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
138
139
|
cycode/cli/files_collector/sca/sbt/restore_sbt_dependencies.py,sha256=cfBUR4iQcfplX_O2QPjYh2wSyBteze8wZcT_dG9d1d4,709
|
|
139
|
-
cycode/cli/files_collector/sca/sca_file_collector.py,sha256=
|
|
140
|
+
cycode/cli/files_collector/sca/sca_file_collector.py,sha256=POvajFssRea-Lax9YG3taAlYvI5by1EbMqso401SQ8M,10099
|
|
140
141
|
cycode/cli/files_collector/walk_ignore.py,sha256=nvOM6oDmT2SxSI4pU-bLlc9LwTgkfTd2egse69ixf3g,2464
|
|
141
142
|
cycode/cli/files_collector/zip_documents.py,sha256=FMzbA2Vog7Zl_ntizNQJK8AFqoGu0QlPIMIBpgmBiVI,1852
|
|
142
143
|
cycode/cli/logger.py,sha256=mlaYEQGYd582fTCc3SC3cFMj0PKTB6EsaI12Q4VL1z8,65
|
|
@@ -208,8 +209,8 @@ cycode/cyclient/report_client.py,sha256=Scq30NeJPzgXv0hPLO1U05AdE9i_2iu6cIrSKpEJ
|
|
|
208
209
|
cycode/cyclient/scan_client.py,sha256=6TK5FQkfrvV7PHqRnUzEn1PBNd2oPYVamvIixcUfe3c,16755
|
|
209
210
|
cycode/cyclient/scan_config_base.py,sha256=mXsPZGYCtp85rv5GIige40yQZXuRcEKUW-VQJ0vgFzk,1201
|
|
210
211
|
cycode/logger.py,sha256=EfZGRK6VC5rE_LAjIcRrHFiQCueylCDXoG6bvGkrIME,2111
|
|
211
|
-
cycode-3.16.3.
|
|
212
|
-
cycode-3.16.3.
|
|
213
|
-
cycode-3.16.3.
|
|
214
|
-
cycode-3.16.3.
|
|
215
|
-
cycode-3.16.3.
|
|
212
|
+
cycode-3.16.3.dev4.dist-info/METADATA,sha256=6TbdbNG3KBoVsoR1J6Oy4jje6zfnlxg0WVN5iuvBU4I,89245
|
|
213
|
+
cycode-3.16.3.dev4.dist-info/WHEEL,sha256=zp0Cn7JsFoX2ATtOhtaFYIiE2rmFAD4OcMhtUki8W3U,88
|
|
214
|
+
cycode-3.16.3.dev4.dist-info/entry_points.txt,sha256=iDcVJM8ByLElVgvBgtYxDjw1kT7O8Mo0LcWZIT5L3Ig,45
|
|
215
|
+
cycode-3.16.3.dev4.dist-info/licenses/LICENCE,sha256=2Wx4N6mD_4xB7-E3hPkZ3MPhpJy__k_I8MaCSO-PDRo,1068
|
|
216
|
+
cycode-3.16.3.dev4.dist-info/RECORD,,
|
|
File without changes
|
|
File without changes
|
|
File without changes
|