depsdev 0.0.3__tar.gz → 0.0.4__tar.gz

{depsdev-0.0.3 → depsdev-0.0.4}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: depsdev
-Version: 0.0.3
+Version: 0.0.4
 Summary: Python wrapper for https://deps.dev/ API
 Project-URL: Documentation, https://github.com/FlavioAmurrioCS/depsdev#readme
 Project-URL: Issues, https://github.com/FlavioAmurrioCS/depsdev/issues
@@ -20,6 +20,7 @@ Classifier: Programming Language :: Python :: Implementation :: CPython
 Classifier: Programming Language :: Python :: Implementation :: PyPy
 Requires-Python: >=3.9
 Requires-Dist: httpx
+Requires-Dist: packageurl-python
 Provides-Extra: cli
 Requires-Dist: rich; extra == 'cli'
 Requires-Dist: typer-slim; extra == 'cli'

{depsdev-0.0.3 → depsdev-0.0.4}/pyproject.toml

@@ -27,6 +27,7 @@ classifiers = [
 ]
 dependencies = [
   "httpx",
+  "packageurl-python",
 ]
 
 [project.optional-dependencies]

{depsdev-0.0.3 → depsdev-0.0.4}/src/depsdev/__main__.py

@@ -1,6 +1,21 @@
 from __future__ import annotations
 
 import logging
+import sys
+
+from depsdev.cli.purl import get_extractor
+from depsdev.cli.vuln import main_helper
+
+try:
+    import typer
+except ImportError:
+    msg = (
+        "The 'cli' optional dependency is not installed. "
+        "Please install it with 'pip install depsdev[cli]'."
+    )
+    print(msg, file=sys.stderr)
+    raise SystemExit(1) from None
+
 import os
 from textwrap import dedent
 from typing import TYPE_CHECKING
@@ -14,7 +29,6 @@ if TYPE_CHECKING:
     P = ParamSpec("P")
     R = TypeVar("R")
 
-
 logging.basicConfig(
     level=logging.ERROR,
     format="[%(asctime)s] [%(levelname)-7s] [%(name)s] %(message)s",
@@ -38,7 +52,9 @@ def to_sync() -> Callable[[Callable[P, R]], Callable[P, R]]:
 
                 from rich import print_json
 
-                print_json(data=asyncio.run(func(*args, **kwargs)))  # type: ignore[arg-type]
+                result: object = asyncio.run(func(*args, **kwargs))  # type: ignore[arg-type]
+                if result is not None:
+                    print_json(data=result)
             except Exception:
                 logger.exception("An error occurred while executing the command.")
                 raise SystemExit(1) from None
@@ -50,25 +66,14 @@ def to_sync() -> Callable[[Callable[P, R]], Callable[P, R]]:
     return decorator
 
 
-def main() -> None:
+def create_app() -> typer.Typer:
     """
     Main entry point for the CLI.
     """
-
-    try:
-        import typer
-    except ImportError:
-        msg = (
-            "The 'cli' optional dependency is not installed. "
-            "Please install it with 'pip install depsdev[cli]'."
-        )
-        logger.error(msg)  # noqa: TRY400
-        raise SystemExit(1) from None
-
     alpha = os.environ.get("DEPSDEV_V3_ALPHA", "false").lower() in ("true", "1", "yes")
 
     app = typer.Typer(
-        name="depsdev",
+        name="api",
         no_args_is_help=True,
         rich_markup_mode="rich",
         help=dedent(
@@ -125,7 +130,49 @@ def main() -> None:
         app.command(rich_help_panel="v3alpha")(to_sync()(client_v3_alpha.purl_lookup_batch))
         app.command(rich_help_panel="v3alpha")(to_sync()(client_v3_alpha.query_container_images))
 
-    return app()
+    return app
+
+
+main = typer.Typer(
+    name="depsdev",
+    no_args_is_help=True,
+    rich_markup_mode="rich",
+)
+
+main.add_typer(
+    create_app(),
+    name="api",
+)
+
+
+@main.command(name="purl", rich_help_panel="Utils")
+def purl(filename: str) -> None:
+    """
+    Extract package URLs from various formats.
+    """
+    extractor = get_extractor(filename)
+
+    for purl in extractor.extract(filename):
+        print(purl)
+
+
+main.command(name="vuln", rich_help_panel="Utils")(to_sync()(main_helper))
+
+
+@main.command()
+@to_sync()
+async def report(filename: str) -> None:
+    """
+    Show vulnerabilities for packages in a file.
+
+    Example usage:
+        depsdev report requirements.txt
+        depsdev report pom.xml
+        depsdev report Pipfile.lock
+    """
+    extractor = get_extractor(filename)
+    packages = extractor.extract(filename)
+    await main_helper([x.to_string() for x in packages])
 
 
 if __name__ == "__main__":

{depsdev-0.0.3 → depsdev-0.0.4}/src/depsdev/_version.py

@@ -17,5 +17,5 @@ __version__: str
 __version_tuple__: VERSION_TUPLE
 version_tuple: VERSION_TUPLE
 
-__version__ = version = '0.0.3'
-__version_tuple__ = version_tuple = (0, 0, 3)
+__version__ = version = '0.0.4'
+__version_tuple__ = version_tuple = (0, 0, 4)

depsdev-0.0.4/src/depsdev/base.py

@@ -0,0 +1,47 @@
+from __future__ import annotations
+
+import logging
+from dataclasses import dataclass
+from dataclasses import field
+from typing import TYPE_CHECKING
+from urllib.parse import quote
+
+import httpx
+
+if TYPE_CHECKING:
+    from httpx._types import QueryParamTypes
+    from typing_extensions import Literal
+
+    from depsdev.v3 import Incomplete
+
+logger = logging.getLogger(__name__)
+
+
+@dataclass
+class BaseClient:
+    base_url: str
+    timeout: float = 5.0
+    client: httpx.AsyncClient = field(init=False, repr=False)
+
+    def __post_init__(self) -> None:
+        self.client = httpx.AsyncClient(base_url=self.base_url, timeout=self.timeout)
+
+    async def _requests(
+        self,
+        url: str = "",
+        method: Literal["GET", "POST"] = "GET",
+        params: QueryParamTypes | None = None,
+        json: object | None = None,
+    ) -> Incomplete:
+        logger.info(locals())
+        response = await self.client.request(method=method, url=url, params=params, json=json)
+        if not response.is_success:
+            logger.error(
+                "Request failed with status code %s: %s", response.status_code, response.text
+            )
+            response.raise_for_status()
+        return response.json()
+
+    @staticmethod
+    def url_escape(string: str) -> str:
+        return quote(string, safe="")

depsdev-0.0.4/src/depsdev/cli/purl.py

@@ -0,0 +1,142 @@
+from __future__ import annotations
+
+import itertools
+import json
+import logging
+import os
+import subprocess
+import sys
+from typing import TYPE_CHECKING
+
+from packageurl import PackageURL
+
+if TYPE_CHECKING:
+    from collections.abc import Iterable
+
+logger = logging.getLogger(__name__)
+
+
+class MavenExtractor:
+    @classmethod
+    def extract(cls, filename: str) -> Iterable[PackageURL]:
+        yield from (cls.parse_single_line(x) for x in cls._clean(cls._get_source(filename)))
+
+    @staticmethod
+    def _get_source(filename: str) -> Iterable[str]:
+        """
+        Read lines from stdin or a file.
+        """
+        if not filename.endswith("pom.xml"):
+            logger.error("Invalid POM file: %s. It should end with 'pom.xml'.", filename)
+            raise SystemExit(1)
+        result = subprocess.run(
+            ["mvn", "dependency:tree"],  # noqa: S607
+            check=False,
+            capture_output=True,
+            text=True,
+            cwd=os.path.dirname(os.path.abspath(filename)),
+        )
+        if result.returncode != 0:
+            print(result.stderr, file=sys.stderr)
+            raise SystemExit(1)
+        yield from result.stdout.splitlines()
+
+    @staticmethod
+    def parse_single_line(line: str) -> PackageURL:
+        """
+        Parse a single line of Maven dependency output and return a PackageURL object.
+        """
+        package, *rest = line.split()
+        _is_optional = bool(rest)
+        group, artifact, _type, version, *classifier = package.split(":")
+        return PackageURL(
+            type="maven",
+            namespace=group,
+            name=artifact,
+            version=version,
+            qualifiers=None,
+            subpath=None,
+        )
+
+    @staticmethod
+    def _clean(lines: Iterable[str]) -> Iterable[str]:
+        stage1 = (x.rstrip() for x in lines if x.strip())
+        stage2 = itertools.dropwhile(lambda x: not x.startswith("[INFO] --- "), stage1)
+        stage3 = itertools.takewhile(
+            lambda x: not x.startswith(
+                "[INFO] ------------------------------------------------------------------------"
+            ),
+            stage2,
+        )
+        stage4 = itertools.islice(stage3, 1, None)  # Skip the first line
+        stage5 = (x[7:] for x in stage4)
+        yield from (x.split("- ", maxsplit=1)[-1] for x in stage5)
+
+
+class PipfileLockExtractor:
+    @classmethod
+    def extract(cls, filename: str) -> Iterable[PackageURL]:
+        """
+        Extracts package URLs from a Pipfile.lock.
+        """
+        if not filename.endswith("Pipfile.lock"):
+            logger.error("Invalid Pipfile.lock: %s. It should end with 'Pipfile.lock'.", filename)
+            raise SystemExit(1)
+        with open(filename) as f:
+            data = json.load(f)
+            for package_name, package_info in data.get("default", {}).items():
+                version: str | None = package_info.get("version")
+                if version:
+                    yield PackageURL(
+                        type="pypi",
+                        namespace=None,
+                        name=package_name,
+                        version=version[2:],
+                        qualifiers=None,
+                        subpath=None,
+                    )
+                else:
+                    logger.warning("Package %s has no version specified.", package_name)
+
+
+class RequirementsExtractor:
+    @classmethod
+    def extract(cls, filename: str) -> Iterable[PackageURL]:
+        """
+        Extracts package URLs from a requirements.txt file.
+        """
+        if not filename.endswith("requirements.txt"):
+            logger.error(
+                "Invalid requirements file: %s. It should end with 'requirements.txt'.", filename
+            )
+            raise SystemExit(1)
+        with open(filename) as f:
+            for line in f:
+                _line = line.strip()
+                if not _line or _line.startswith(("#", "-r ", "-i ")):
+                    continue
+                parts = _line.split(";")[0].split("==")
+                if len(parts) == 2:  # noqa: PLR2004
+                    name, version = parts
+                    yield PackageURL(
+                        type="pypi",
+                        namespace=None,
+                        name=name,
+                        version=version,
+                        qualifiers=None,
+                        subpath=None,
+                    )
+
+
+def get_extractor(filename: str) -> MavenExtractor | PipfileLockExtractor | RequirementsExtractor:
+    """
+    Returns the appropriate extractor based on the file extension.
+    """
+    if filename.endswith("pom.xml"):
+        return MavenExtractor()
+    if filename.endswith("Pipfile.lock"):
+        return PipfileLockExtractor()
+    if filename.endswith("requirements.txt"):
+        return RequirementsExtractor()
+    logger.error("Unsupported file format: %s", filename)
+    raise SystemExit(1)

depsdev-0.0.4/src/depsdev/cli/vuln.py

@@ -0,0 +1,71 @@
+from __future__ import annotations
+
+import asyncio
+import itertools
+import logging
+from typing import TYPE_CHECKING
+
+from rich.console import Console
+from rich.table import Table
+
+from depsdev.osv import OSVClientV1
+
+if TYPE_CHECKING:
+    from depsdev.osv import OSVVulnerability
+    from depsdev.osv import V1Query
+
+logger = logging.getLogger(__name__)
+
+
+def get_version_fix(vuln: OSVVulnerability) -> str | None:
+    for affected in vuln.get("affected", []):
+        for _range in affected.get("ranges", []):
+            for event in _range.get("events", []):
+                if "fixed" in event:
+                    return event["fixed"]
+    return None
+
+
+async def get_vulns(purls: list[str], osv_client: OSVClientV1) -> dict[str, list[OSVVulnerability]]:
+    queries: list[V1Query] = [
+        {
+            "package": {"purl": purl},
+        }
+        for purl in purls
+    ]
+    result = await osv_client.querybatch({"queries": queries})
+    r = {k: [x["id"] for x in v["vulns"]] for k, v in zip(purls, result["results"]) if v}
+    all_result = await asyncio.gather(
+        *[osv_client.get_vuln(vuln_id) for vuln_id in itertools.chain.from_iterable(r.values())]
+    )
+    look_up = {vuln["id"]: vuln for vuln in all_result}
+    return {purl: [look_up[vuln_id] for vuln_id in vuln_ids] for purl, vuln_ids in r.items()}
+
+
+async def main_helper(packages: list[str]) -> int:
+    """Main function to analyze packages for vulnerabilities."""
+
+    console = Console()
+
+    console.print(f"Analysing {len(packages)} packages...")
+
+    osv_client = OSVClientV1()
+
+    results = await get_vulns(packages, osv_client)
+    console.print(f"Found {len(results)} packages with advisories.")
+
+    for purl, advisories in results.items():
+        table = Table(title=purl)
+
+        table.add_column("Id")
+        table.add_column("Summary", style="cyan", no_wrap=True)
+        table.add_column("Fixed", style="magenta")
+
+        for vuln in advisories:
+            table.add_row(
+                f"[link=https://github.com/advisories/{vuln['id']}]{vuln['id']}[/link]",
+                vuln["summary"],
+                get_version_fix(vuln) or "unknown",
+            )
+        console.print(table)
+    return 0

depsdev-0.0.4/src/depsdev/osv.py

@@ -0,0 +1,195 @@
+from __future__ import annotations
+
+import logging
+from dataclasses import dataclass
+from typing import TYPE_CHECKING
+
+from depsdev.base import BaseClient
+
+if TYPE_CHECKING:
+    from typing import Any
+    from typing import Literal
+
+    from typing_extensions import NotRequired
+    from typing_extensions import TypedDict
+
+    class OSVEvent(TypedDict):
+        introduced: NotRequired[str]
+        fixed: NotRequired[str]
+        limit: NotRequired[str]
+        lastAffected: NotRequired[str]
+
+    class OSVRange(TypedDict):
+        type: NotRequired[
+            Literal[
+                "UNSPECIFIED",
+                "GIT",
+                "SEMVER",
+                "ECOSYSTEM",
+            ]
+        ]
+        repo: NotRequired[str]
+        events: NotRequired[list[OSVEvent]]
+
+    class OSVPackage(TypedDict):
+        name: NotRequired[str]
+        ecosystem: NotRequired[str]
+        purl: NotRequired[str]
+
+    class OSVCredit(TypedDict):
+        name: NotRequired[str]
+        contact: NotRequired[list[str]]
+        type: NotRequired[
+            Literal[
+                "UNSPECIFIED",
+                "OTHER",
+                "FINDER",
+                "REPORTER",
+                "ANALYST",
+                "COORDINATOR",
+                "REMEDIATION_DEVELOPER",
+                "REMEDIATION_REVIEWER",
+                "REMEDIATION_VERIFIER",
+                "TOOL",
+                "SPONSOR",
+            ]
+        ]
+
+    class OSVSeverity(TypedDict):
+        type: NotRequired[
+            Literal[
+                "UNSPECIFIED",
+                "CVSS_V4",
+                "CVSS_V3",
+                "CVSS_V2",
+            ]
+        ]
+        score: NotRequired[str]
+
+    class OSVReference(TypedDict):
+        type: NotRequired[
+            Literal[
+                "NONE",
+                "WEB",
+                "ADVISORY",
+                "REPORT",
+                "FIX",
+                "PACKAGE",
+                "ARTICLE",
+                "EVIDENCE",
+            ]
+        ]
+        url: NotRequired[str]
+
+    class OSVAffected(TypedDict):
+        package: NotRequired[OSVPackage]
+        ranges: NotRequired[list[OSVRange]]
+        versions: NotRequired[list[str]]
+        ecosystemSpecific: NotRequired[dict[str, Any]]
+        databaseSpecific: NotRequired[dict[str, Any]]
+        severity: NotRequired[list[OSVSeverity]]
+
+    class OSVVulnerability(TypedDict):
+        id: str
+        summary: str
+        schemaVersion: NotRequired[str]
+        published: NotRequired[str]
+        modified: NotRequired[str]
+        withdrawn: NotRequired[str]
+        aliases: NotRequired[list[str]]
+        related: NotRequired[list[str]]
+        details: NotRequired[str]
+        affected: NotRequired[list[OSVAffected]]
+        references: NotRequired[list[OSVReference]]
+        databaseSpecific: NotRequired[dict[str, Any]]
+        severity: NotRequired[list[OSVSeverity]]
+        credits: NotRequired[list[OSVCredit]]
+
+    class V1VulnerabilityList(TypedDict):
+        vulns: NotRequired[list[OSVVulnerability]]
+        nextPageToken: NotRequired[str]
+
+    class V1Query(TypedDict):
+        commit: NotRequired[str]
+        version: NotRequired[str]
+        package: NotRequired[OSVPackage]
+        page_token: NotRequired[str]
+
+    #########################################
+
+    class V1Batchquery(TypedDict):
+        queries: list[V1Query]
+
+    class QueryBatchResult(TypedDict):
+        vulns: list[dict[Literal["id", "modified"], str]]
+        next_page_token: NotRequired[str]
+
+    class QueryBatchResponse(TypedDict):
+        results: list[QueryBatchResult]
+
+
+logger = logging.getLogger(__name__)
+
+
+@dataclass
+class OSVClientV1(BaseClient):
+    base_url: str = "https://api.osv.dev"
+
+    async def query(self, query: V1Query) -> V1VulnerabilityList:
+        """
+        Lists vulnerabilities for given package and version. May also be queried by commit hash.
+
+        POST /v1/query
+        """
+        return await self._requests(method="POST", url="/v1/query", json=query)  # type:ignore[return-value]
+
+    async def querybatch(self, query: V1Batchquery) -> QueryBatchResponse:
+        """
+        Query for multiple packages (by either package and version or git commit hash) at once. Returns vulnerability ids and modified field only. The response ordering will be guaranteed to match the input.
+
+        POST /v1/querybatc
+        """  # noqa: E501
+        return await self._requests(method="POST", url="/v1/querybatch", json=query)  # type:ignore[return-value]
+
+    async def get_vuln(self, vuln_id: str) -> OSVVulnerability:
+        """
+        Returns vulnerability information for a given vulnerability id.
+
+        GET /v1/vulns/{id}
+        """
+        return await self._requests(method="GET", url=f"/v1/vulns/{self.url_escape(vuln_id)}")  # type:ignore[return-value]
+
+    # async def import_findings(self) -> Incomplete:
+    #     """
+    #     Something like this:
+    #     """
+    #     return await self._requests(method="GET", url="/v1experimental/importfindings")
+
+    # async def determine_version(self) -> Incomplete:
+    #     """
+    #     Something like this:
+    #     """
+    #     return await self._requests(method="POST", url="/v1experimental/determineversion")
+
+
+if __name__ == "__main__":
+    logging.basicConfig(level=logging.INFO)
+    client = OSVClientV1()
+    import asyncio
+    import json
+
+    query: V1Query = {
+        "package": {"name": "jinja2", "ecosystem": "PyPI"},
+        "version": "2.4.1",
+    }
+    loop = asyncio.get_event_loop()
+    a = client.query(query)
+    # a = client.get_vuln("GHSA-3mc7-4q67-w48m")
+    # # {"name": "org.yaml:snakeyaml", "version": "1.19", "system": "MAVEN"}
+    # a = client.query(
+    #     {"package": {"name": "org.yaml:snakeyaml", "ecosystem": "MAVEN"}, "version": "1.19"}
+    # )
+    a = client.query({"package": {"purl": "pkg:maven/org.yaml/snakeyaml@1.19"}})
+
+    result = loop.run_until_complete(a)
+    print(json.dumps(result))  # For demonstration purposes, print the result