PyPI - depsdev - Versions diffs - 0.0.3__tar.gz → 0.0.5__tar.gz - Mend

depsdev 0.0.3tar.gz → 0.0.5tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (28) hide show

{depsdev-0.0.3 → depsdev-0.0.5}/.pre-commit-config.yaml +3 -3
depsdev-0.0.5/PKG-INFO +143 -0
depsdev-0.0.5/README.md +98 -0
{depsdev-0.0.3 → depsdev-0.0.5}/pyproject.toml +1 -0
{depsdev-0.0.3 → depsdev-0.0.5}/src/depsdev/__main__.py +64 -16
{depsdev-0.0.3 → depsdev-0.0.5}/src/depsdev/_version.py +16 -3
depsdev-0.0.5/src/depsdev/base.py +47 -0
depsdev-0.0.5/src/depsdev/cli/purl.py +143 -0
depsdev-0.0.5/src/depsdev/cli/vuln.py +71 -0
depsdev-0.0.5/src/depsdev/osv.py +195 -0
depsdev-0.0.5/tests/__init__.py +0 -0
{depsdev-0.0.3 → depsdev-0.0.5}/tests/scripts_test.py +1 -1
depsdev-0.0.3/PKG-INFO +0 -72
depsdev-0.0.3/README.md +0 -28
{depsdev-0.0.3 → depsdev-0.0.5}/.github/copilot-instructions.md +0 -0
{depsdev-0.0.3 → depsdev-0.0.5}/.github/workflows/main.yaml +0 -0
{depsdev-0.0.3 → depsdev-0.0.5}/.gitignore +0 -0
{depsdev-0.0.3 → depsdev-0.0.5}/.python-version +0 -0
{depsdev-0.0.3 → depsdev-0.0.5}/LICENSE.txt +0 -0
{depsdev-0.0.3 → depsdev-0.0.5}/src/depsdev/__init__.py +0 -0
{depsdev-0.0.3/tests → depsdev-0.0.5/src/depsdev/cli}/__init__.py +0 -0
{depsdev-0.0.3 → depsdev-0.0.5}/src/depsdev/py.typed +0 -0
{depsdev-0.0.3 → depsdev-0.0.5}/src/depsdev/v3.py +0 -0
{depsdev-0.0.3 → depsdev-0.0.5}/src/depsdev/v3alpha.py +0 -0
{depsdev-0.0.3 → depsdev-0.0.5}/taplo.toml +0 -0
{depsdev-0.0.3 → depsdev-0.0.5}/tests/main_test.py +0 -0
{depsdev-0.0.3 → depsdev-0.0.5}/tests/v3_test.py +0 -0
{depsdev-0.0.3 → depsdev-0.0.5}/tests/v3alpha_test.py +0 -0

{depsdev-0.0.3 → depsdev-0.0.5}/.pre-commit-config.yaml RENAMED Viewed

@@ -9,7 +9,7 @@ ci:
     - uv-test
 repos:
   - repo: https://github.com/astral-sh/uv-pre-commit
-    rev: 0.8.8
+    rev: 0.9.5
     hooks:
       - id: uv-lock
       - id: uv-export
@@ -19,7 +19,7 @@ repos:
       - id: taplo-format
       - id: taplo-lint
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.12.8
+    rev: v0.14.1
     hooks:
       - id: ruff-check
         types_or: [python, pyi, jupyter]
@@ -36,7 +36,7 @@ repos:
       - id: name-tests-test
       - id: requirements-txt-fixer
   - repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v1.17.1
+    rev: v1.18.2
     hooks:
       - id: mypy
   - repo: local

depsdev-0.0.5/PKG-INFO ADDED Viewed

@@ -0,0 +1,143 @@
+Metadata-Version: 2.4
+Name: depsdev
+Version: 0.0.5
+Summary: Python wrapper for https://deps.dev/ API
+Project-URL: Documentation, https://github.com/FlavioAmurrioCS/depsdev#readme
+Project-URL: Issues, https://github.com/FlavioAmurrioCS/depsdev/issues
+Project-URL: Source, https://github.com/FlavioAmurrioCS/depsdev
+Author-email: Flavio Amurrio <25621374+FlavioAmurrioCS@users.noreply.github.com>
+License-Expression: MIT
+License-File: LICENSE.txt
+Classifier: Development Status :: 4 - Beta
+Classifier: Programming Language :: Python
+Classifier: Programming Language :: Python :: 3.9
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Programming Language :: Python :: 3.14
+Classifier: Programming Language :: Python :: Implementation :: CPython
+Classifier: Programming Language :: Python :: Implementation :: PyPy
+Requires-Python: >=3.9
+Requires-Dist: httpx
+Requires-Dist: packageurl-python
+Provides-Extra: cli
+Requires-Dist: rich; extra == 'cli'
+Requires-Dist: typer-slim; extra == 'cli'
+Provides-Extra: tests
+Requires-Dist: pytest; extra == 'tests'
+Requires-Dist: pytest-asyncio; extra == 'tests'
+Requires-Dist: rich; extra == 'tests'
+Requires-Dist: tomli; (python_version < '3.11') and extra == 'tests'
+Requires-Dist: typer-slim; extra == 'tests'
+Provides-Extra: types
+Requires-Dist: mypy; extra == 'types'
+Requires-Dist: pyrefly; extra == 'types'
+Requires-Dist: pyright[nodejs]; extra == 'types'
+Requires-Dist: pytest; extra == 'types'
+Requires-Dist: pytest-asyncio; extra == 'types'
+Requires-Dist: rich; extra == 'types'
+Requires-Dist: tomli; (python_version < '3.11') and extra == 'types'
+Requires-Dist: ty; extra == 'types'
+Requires-Dist: typer-slim; extra == 'types'
+Requires-Dist: typing-extensions; extra == 'types'
+Description-Content-Type: text/markdown
+# depsdev
+[![PyPI - Version](https://img.shields.io/pypi/v/depsdev.svg)](https://pypi.org/project/depsdev)
+[![PyPI - Python Version](https://img.shields.io/pypi/pyversions/depsdev.svg)](https://pypi.org/project/depsdev)
+[![pre-commit.ci status](https://results.pre-commit.ci/badge/github/FlavioAmurrioCS/depsdev/main.svg)](https://results.pre-commit.ci/latest/github/FlavioAmurrioCS/depsdev/main)
+-----
+## Table of Contents
+- [depsdev](#depsdev)
+  - [Table of Contents](#table-of-contents)
+  - [Overview](#overview)
+  - [Installation](#installation)
+  - [CLI Usage](#cli-usage)
+    - [Report mode](#report-mode)
+  - [License](#license)
+## Overview
+Thin Python wrapper (async-first) around the public [deps.dev REST API](https://deps.dev) plus an optional Typer-based CLI. Provides straightforward methods mapping closely to the documented endpoints; responses are returned as decoded JSON (dict / list). Alpha endpoints can be enabled via `DEPSDEV_V3_ALPHA=true` and may change without notice.
+## Installation
+```bash
+pip install depsdev            # library only
+pipx install depsdev[cli]       # CLI
+uv tool install depsdev[cli]       # CLI
+```
+## CLI Usage
+```bash
+[flavio@Mac ~/dev/github.com/FlavioAmurrioCS/depsdev][main ✗]
+$ depsdev --help
+ Usage: depsdev [OPTIONS] COMMAND [ARGS]...
+╭─ Options ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
+│ --install-completion        [bash|zsh|fish|powershell|pwsh]  Install completion for the specified shell.                                        │
+│ --show-completion           [bash|zsh|fish|powershell|pwsh]  Show completion for the specified shell, to copy it or customize the installation. │
+│ --help                                                       Show this message and exit.                                                        │
+╰─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
+╭─ Commands ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
+│ report   Show vulnerabilities for packages in a file.                                                                                           │
+│ api      A CLI tool to interact with the https://docs.deps.dev/api/                                                                             │
+╰─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
+╭─ Utils ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
+│ purl     Extract package URLs from various formats.                                                                                             │
+│ vuln     Main function to analyze packages for vulnerabilities.                                                                                 │
+╰─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
+```
+### Report mode
+Parses depedency file and reports the vulnerabilities and the version where it was fixed.
+```bash
+[flavio@Mac ~/dev/github.com/FlavioAmurrioCS/depsdev][main ✗]
+$ depsdev report --help
+ Usage: depsdev report [OPTIONS] FILENAME
+ Show vulnerabilities for packages in a file.
+ Example usage:
+ depsdev report requirements.txt
+ depsdev report pom.xml
+ depsdev report Pipfile.lock
+╭─ Arguments ────────────────────────────────────────────────╮
+│ *    filename      TEXT  [required]                        │
+╰────────────────────────────────────────────────────────────╯
+╭─ Options ──────────────────────────────────────────────────╮
+│ --help          Show this message and exit.                │
+╰────────────────────────────────────────────────────────────╯
+[flavio@Mac ~/dev/github.com/FlavioAmurrioCS/depsdev][main ✗]
+$ uv export > requirements.txt
+Resolved 34 packages in 6ms
+[flavio@Mac ~/dev/github.com/FlavioAmurrioCS/depsdev][main ✗]
+$ depsdev report requirements.txt
+Analysing 10 packages...
+Found 1 packages with advisories.
+                                                                                      pkg:pypi/idna@3.6
+┏━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
+┃ Id                  ┃ Summary                                                                                                                            ┃ Fixed                          ┃
+┡━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
+│ GHSA-jjg7-2v4v-x38h │ Internationalized Domain Names in Applications (IDNA) vulnerable to denial of service from specially crafted inputs to idna.encode │ 3.7                            │
+│ PYSEC-2024-60       │                                                                                                                                    │ 1d365e17e10d72d0b7876316fc7b9… │
+└─────────────────────┴────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┴────────────────────────────────┘
+```
+## License
+`depsdev` is distributed under the terms of the [MIT](https://spdx.org/licenses/MIT.html) license.

depsdev-0.0.5/README.md ADDED Viewed

@@ -0,0 +1,98 @@
+# depsdev
+[![PyPI - Version](https://img.shields.io/pypi/v/depsdev.svg)](https://pypi.org/project/depsdev)
+[![PyPI - Python Version](https://img.shields.io/pypi/pyversions/depsdev.svg)](https://pypi.org/project/depsdev)
+[![pre-commit.ci status](https://results.pre-commit.ci/badge/github/FlavioAmurrioCS/depsdev/main.svg)](https://results.pre-commit.ci/latest/github/FlavioAmurrioCS/depsdev/main)
+-----
+## Table of Contents
+- [depsdev](#depsdev)
+  - [Table of Contents](#table-of-contents)
+  - [Overview](#overview)
+  - [Installation](#installation)
+  - [CLI Usage](#cli-usage)
+    - [Report mode](#report-mode)
+  - [License](#license)
+## Overview
+Thin Python wrapper (async-first) around the public [deps.dev REST API](https://deps.dev) plus an optional Typer-based CLI. Provides straightforward methods mapping closely to the documented endpoints; responses are returned as decoded JSON (dict / list). Alpha endpoints can be enabled via `DEPSDEV_V3_ALPHA=true` and may change without notice.
+## Installation
+```bash
+pip install depsdev            # library only
+pipx install depsdev[cli]       # CLI
+uv tool install depsdev[cli]       # CLI
+```
+## CLI Usage
+```bash
+[flavio@Mac ~/dev/github.com/FlavioAmurrioCS/depsdev][main ✗]
+$ depsdev --help
+ Usage: depsdev [OPTIONS] COMMAND [ARGS]...
+╭─ Options ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
+│ --install-completion        [bash|zsh|fish|powershell|pwsh]  Install completion for the specified shell.                                        │
+│ --show-completion           [bash|zsh|fish|powershell|pwsh]  Show completion for the specified shell, to copy it or customize the installation. │
+│ --help                                                       Show this message and exit.                                                        │
+╰─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
+╭─ Commands ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
+│ report   Show vulnerabilities for packages in a file.                                                                                           │
+│ api      A CLI tool to interact with the https://docs.deps.dev/api/                                                                             │
+╰─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
+╭─ Utils ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
+│ purl     Extract package URLs from various formats.                                                                                             │
+│ vuln     Main function to analyze packages for vulnerabilities.                                                                                 │
+╰─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
+```
+### Report mode
+Parses depedency file and reports the vulnerabilities and the version where it was fixed.
+```bash
+[flavio@Mac ~/dev/github.com/FlavioAmurrioCS/depsdev][main ✗]
+$ depsdev report --help
+ Usage: depsdev report [OPTIONS] FILENAME
+ Show vulnerabilities for packages in a file.
+ Example usage:
+ depsdev report requirements.txt
+ depsdev report pom.xml
+ depsdev report Pipfile.lock
+╭─ Arguments ────────────────────────────────────────────────╮
+│ *    filename      TEXT  [required]                        │
+╰────────────────────────────────────────────────────────────╯
+╭─ Options ──────────────────────────────────────────────────╮
+│ --help          Show this message and exit.                │
+╰────────────────────────────────────────────────────────────╯
+[flavio@Mac ~/dev/github.com/FlavioAmurrioCS/depsdev][main ✗]
+$ uv export > requirements.txt
+Resolved 34 packages in 6ms
+[flavio@Mac ~/dev/github.com/FlavioAmurrioCS/depsdev][main ✗]
+$ depsdev report requirements.txt
+Analysing 10 packages...
+Found 1 packages with advisories.
+                                                                                      pkg:pypi/idna@3.6
+┏━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
+┃ Id                  ┃ Summary                                                                                                                            ┃ Fixed                          ┃
+┡━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
+│ GHSA-jjg7-2v4v-x38h │ Internationalized Domain Names in Applications (IDNA) vulnerable to denial of service from specially crafted inputs to idna.encode │ 3.7                            │
+│ PYSEC-2024-60       │                                                                                                                                    │ 1d365e17e10d72d0b7876316fc7b9… │
+└─────────────────────┴────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┴────────────────────────────────┘
+```
+## License
+`depsdev` is distributed under the terms of the [MIT](https://spdx.org/licenses/MIT.html) license.

{depsdev-0.0.3 → depsdev-0.0.5}/pyproject.toml RENAMED Viewed

@@ -27,6 +27,7 @@ classifiers = [
 ]
 dependencies = [
   "httpx",
+  "packageurl-python",
 ]
 [project.optional-dependencies]

{depsdev-0.0.3 → depsdev-0.0.5}/src/depsdev/__main__.py RENAMED Viewed

@@ -1,6 +1,21 @@
 from __future__ import annotations
 import logging
+import sys
+from depsdev.cli.purl import get_extractor
+from depsdev.cli.vuln import main_helper
+try:
+    import typer
+except ImportError:
+    msg = (
+        "The 'cli' optional dependency is not installed. "
+        "Please install it with 'pip install depsdev[cli]'."
+    )
+    print(msg, file=sys.stderr)
+    raise SystemExit(1) from None
 import os
 from textwrap import dedent
 from typing import TYPE_CHECKING
@@ -14,7 +29,6 @@ if TYPE_CHECKING:
     P = ParamSpec("P")
     R = TypeVar("R")
 logging.basicConfig(
     level=logging.ERROR,
     format="[%(asctime)s] [%(levelname)-7s] [%(name)s] %(message)s",
@@ -38,7 +52,9 @@ def to_sync() -> Callable[[Callable[P, R]], Callable[P, R]]:
                 from rich import print_json
-                print_json(data=asyncio.run(func(*args, **kwargs)))  # type: ignore[arg-type]
+                result: object = asyncio.run(func(*args, **kwargs))  # type: ignore[arg-type]
+                if result is not None:
+                    print_json(data=result)
             except Exception:
                 logger.exception("An error occurred while executing the command.")
                 raise SystemExit(1) from None
@@ -50,25 +66,14 @@ def to_sync() -> Callable[[Callable[P, R]], Callable[P, R]]:
     return decorator
-def main() -> None:
+def create_app() -> typer.Typer:
     """
     Main entry point for the CLI.
     """
-    try:
-        import typer
-    except ImportError:
-        msg = (
-            "The 'cli' optional dependency is not installed. "
-            "Please install it with 'pip install depsdev[cli]'."
-        )
-        logger.error(msg)  # noqa: TRY400
-        raise SystemExit(1) from None
     alpha = os.environ.get("DEPSDEV_V3_ALPHA", "false").lower() in ("true", "1", "yes")
     app = typer.Typer(
-        name="depsdev",
+        name="api",
         no_args_is_help=True,
         rich_markup_mode="rich",
         help=dedent(
@@ -125,7 +130,50 @@ def main() -> None:
         app.command(rich_help_panel="v3alpha")(to_sync()(client_v3_alpha.purl_lookup_batch))
         app.command(rich_help_panel="v3alpha")(to_sync()(client_v3_alpha.query_container_images))
-    return app()
+    return app
+main = typer.Typer(
+    name="depsdev",
+    no_args_is_help=True,
+    rich_markup_mode="rich",
+)
+main.add_typer(
+    create_app(),
+    name="api",
+)
+@main.command(name="purl", rich_help_panel="Utils")
+def purl(filename: str) -> None:
+    """
+    Extract package URLs from various formats.
+    """
+    extractor = get_extractor(filename)
+    for purl in extractor.extract(filename):
+        print(purl)
+main.command(name="vuln", rich_help_panel="Utils")(to_sync()(main_helper))
+@main.command()
+@to_sync()
+async def report(filename: str) -> None:
+    """
+    Show vulnerabilities for packages in a file.
+    Example usage:
+        depsdev report requirements.txt
+        depsdev report pom.xml
+        depsdev report Pipfile.lock
+    """
+    filename = os.path.abspath(filename)
+    extractor = get_extractor(filename)
+    packages = extractor.extract(filename)
+    await main_helper([x.to_string() for x in packages])
 if __name__ == "__main__":

{depsdev-0.0.3 → depsdev-0.0.5}/src/depsdev/_version.py RENAMED Viewed

@@ -1,7 +1,14 @@
 # file generated by setuptools-scm
 # don't change, don't track in version control
-__all__ = ["__version__", "__version_tuple__", "version", "version_tuple"]
+__all__ = [
+    "__version__",
+    "__version_tuple__",
+    "version",
+    "version_tuple",
+    "__commit_id__",
+    "commit_id",
+]
 TYPE_CHECKING = False
 if TYPE_CHECKING:
@@ -9,13 +16,19 @@ if TYPE_CHECKING:
     from typing import Union
     VERSION_TUPLE = Tuple[Union[int, str], ...]
+    COMMIT_ID = Union[str, None]
 else:
     VERSION_TUPLE = object
+    COMMIT_ID = object
 version: str
 __version__: str
 __version_tuple__: VERSION_TUPLE
 version_tuple: VERSION_TUPLE
+commit_id: COMMIT_ID
+__commit_id__: COMMIT_ID
-__version__ = version = '0.0.3'
-__version_tuple__ = version_tuple = (0, 0, 3)
+__version__ = version = '0.0.5'
+__version_tuple__ = version_tuple = (0, 0, 5)
+__commit_id__ = commit_id = None

depsdev-0.0.5/src/depsdev/base.py ADDED Viewed

@@ -0,0 +1,47 @@
+from __future__ import annotations
+import logging
+from dataclasses import dataclass
+from dataclasses import field
+from typing import TYPE_CHECKING
+from urllib.parse import quote
+import httpx
+if TYPE_CHECKING:
+    from httpx._types import QueryParamTypes
+    from typing_extensions import Literal
+    from depsdev.v3 import Incomplete
+logger = logging.getLogger(__name__)
+@dataclass
+class BaseClient:
+    base_url: str
+    timeout: float = 5.0
+    client: httpx.AsyncClient = field(init=False, repr=False)
+    def __post_init__(self) -> None:
+        self.client = httpx.AsyncClient(base_url=self.base_url, timeout=self.timeout)
+    async def _requests(
+        self,
+        url: str = "",
+        method: Literal["GET", "POST"] = "GET",
+        params: QueryParamTypes | None = None,
+        json: object | None = None,
+    ) -> Incomplete:
+        logger.info(locals())
+        response = await self.client.request(method=method, url=url, params=params, json=json)
+        if not response.is_success:
+            logger.error(
+                "Request failed with status code %s: %s", response.status_code, response.text
+            )
+            response.raise_for_status()
+        return response.json()
+    @staticmethod
+    def url_escape(string: str) -> str:
+        return quote(string, safe="")

depsdev-0.0.5/src/depsdev/cli/purl.py ADDED Viewed

@@ -0,0 +1,143 @@
+from __future__ import annotations
+import itertools
+import json
+import logging
+import os
+import subprocess
+import sys
+from typing import TYPE_CHECKING
+from packageurl import PackageURL
+if TYPE_CHECKING:
+    from collections.abc import Iterable
+logger = logging.getLogger(__name__)
+class MavenExtractor:
+    @classmethod
+    def extract(cls, filename: str) -> Iterable[PackageURL]:
+        yield from (cls.parse_single_line(x) for x in cls._clean(cls._get_source(filename)))
+    @staticmethod
+    def _get_source(filename: str) -> Iterable[str]:
+        """
+        Read lines from stdin or a file.
+        """
+        if not filename.endswith("pom.xml"):
+            logger.error("Invalid POM file: %s. It should end with 'pom.xml'.", filename)
+            raise SystemExit(1)
+        result = subprocess.run(
+            ["mvn", "dependency:tree"],  # noqa: S607
+            check=False,
+            capture_output=True,
+            text=True,
+            cwd=os.path.dirname(os.path.abspath(filename)),
+        )
+        if result.returncode != 0:
+            print(result.stderr, file=sys.stderr)
+            raise SystemExit(1)
+        yield from result.stdout.splitlines()
+    @staticmethod
+    def parse_single_line(line: str) -> PackageURL:
+        """
+        Parse a single line of Maven dependency output and return a PackageURL object.
+        """
+        package, *rest = line.split()
+        _is_optional = bool(rest)
+        group, artifact, _type, version, *_classifier = package.split(":")
+        return PackageURL(
+            type="maven",
+            namespace=group,
+            name=artifact,
+            version=version,
+            qualifiers=None,
+            subpath=None,
+        )
+    @staticmethod
+    def _clean(lines: Iterable[str]) -> Iterable[str]:
+        stage1 = (x.rstrip() for x in lines if x.strip())
+        stage2 = itertools.dropwhile(lambda x: not x.startswith("[INFO] --- "), stage1)
+        stage3 = itertools.takewhile(
+            lambda x: not x.startswith(
+                "[INFO] ------------------------------------------------------------------------"
+            ),
+            stage2,
+        )
+        stage4 = itertools.islice(stage3, 1, None)  # Skip the first line
+        stage5 = (x[7:] for x in stage4)
+        yield from (x.split("- ", maxsplit=1)[-1] for x in stage5)
+class PipfileLockExtractor:
+    @classmethod
+    def extract(cls, filename: str) -> Iterable[PackageURL]:
+        """
+        Extracts package URLs from a Pipfile.lock.
+        """
+        if not filename.endswith("Pipfile.lock"):
+            logger.error("Invalid Pipfile.lock: %s. It should end with 'Pipfile.lock'.", filename)
+            raise SystemExit(1)
+        with open(filename) as f:
+            data = json.load(f)
+            for package_name, package_info in data.get("default", {}).items():
+                version: str | None = package_info.get("version")
+                if version:
+                    yield PackageURL(
+                        type="pypi",
+                        namespace=None,
+                        name=package_name,
+                        version=version[2:],
+                        qualifiers=None,
+                        subpath=None,
+                    )
+                else:
+                    logger.warning("Package %s has no version specified.", package_name)
+class RequirementsExtractor:
+    @classmethod
+    def extract(cls, filename: str) -> Iterable[PackageURL]:
+        """
+        Extracts package URLs from a requirements.txt file.
+        """
+        if not filename.endswith("requirements.txt"):
+            logger.error(
+                "Invalid requirements file: %s. It should end with 'requirements.txt'.", filename
+            )
+            raise SystemExit(1)
+        with open(filename) as f:
+            for line in f:
+                _line = line.strip()
+                if not _line or _line.startswith(("#", "-r ", "-i ")):
+                    continue
+                parts = _line.split(";")[0].split("==")
+                if len(parts) == 2:  # noqa: PLR2004
+                    name, version = parts
+                    version = version.strip(" \\")
+                    yield PackageURL(
+                        type="pypi",
+                        namespace=None,
+                        name=name,
+                        version=version,
+                        qualifiers=None,
+                        subpath=None,
+                    )
+def get_extractor(filename: str) -> MavenExtractor | PipfileLockExtractor | RequirementsExtractor:
+    """
+    Returns the appropriate extractor based on the file extension.
+    """
+    if filename.endswith("pom.xml"):
+        return MavenExtractor()
+    if filename.endswith("Pipfile.lock"):
+        return PipfileLockExtractor()
+    if filename.endswith("requirements.txt"):
+        return RequirementsExtractor()
+    logger.error("Unsupported file format: %s", filename)
+    raise SystemExit(1)

depsdev-0.0.5/src/depsdev/cli/vuln.py ADDED Viewed

@@ -0,0 +1,71 @@
+from __future__ import annotations
+import asyncio
+import itertools
+import logging
+from typing import TYPE_CHECKING
+from rich.console import Console
+from rich.table import Table
+from depsdev.osv import OSVClientV1
+if TYPE_CHECKING:
+    from depsdev.osv import OSVVulnerability
+    from depsdev.osv import V1Query
+logger = logging.getLogger(__name__)
+def get_version_fix(vuln: OSVVulnerability) -> str | None:
+    for affected in vuln.get("affected", []):
+        for _range in affected.get("ranges", []):
+            for event in _range.get("events", []):
+                if "fixed" in event:
+                    return event["fixed"]
+    return None
+async def get_vulns(purls: list[str], osv_client: OSVClientV1) -> dict[str, list[OSVVulnerability]]:
+    queries: list[V1Query] = [
+        {
+            "package": {"purl": purl},
+        }
+        for purl in purls
+    ]
+    result = await osv_client.querybatch({"queries": queries})
+    r = {k: [x["id"] for x in v["vulns"]] for k, v in zip(purls, result["results"]) if v}
+    all_result = await asyncio.gather(
+        *[osv_client.get_vuln(vuln_id) for vuln_id in itertools.chain.from_iterable(r.values())]
+    )
+    look_up = {vuln["id"]: vuln for vuln in all_result}
+    return {purl: [look_up[vuln_id] for vuln_id in vuln_ids] for purl, vuln_ids in r.items()}
+async def main_helper(packages: list[str]) -> int:
+    """Main function to analyze packages for vulnerabilities."""
+    console = Console()
+    console.print(f"Analysing {len(packages)} packages...")
+    osv_client = OSVClientV1()
+    results = await get_vulns(packages, osv_client)
+    console.print(f"Found {len(results)} packages with advisories.")
+    for purl, advisories in results.items():
+        table = Table(title=purl)
+        table.add_column("Id")
+        table.add_column("Summary", style="cyan", no_wrap=True)
+        table.add_column("Fixed", style="magenta")
+        for vuln in advisories:
+            table.add_row(
+                f"[link=https://github.com/advisories/{vuln['id']}]{vuln['id']}[/link]",
+                vuln.get("summary"),
+                get_version_fix(vuln) or "unknown",
+            )
+        console.print(table)
+    return 0

depsdev-0.0.5/src/depsdev/osv.py ADDED Viewed

@@ -0,0 +1,195 @@
+from __future__ import annotations
+import logging
+from dataclasses import dataclass
+from typing import TYPE_CHECKING
+from depsdev.base import BaseClient
+if TYPE_CHECKING:
+    from typing import Any
+    from typing import Literal
+    from typing_extensions import NotRequired
+    from typing_extensions import TypedDict
+    class OSVEvent(TypedDict):
+        introduced: NotRequired[str]
+        fixed: NotRequired[str]
+        limit: NotRequired[str]
+        lastAffected: NotRequired[str]
+    class OSVRange(TypedDict):
+        type: NotRequired[
+            Literal[
+                "UNSPECIFIED",
+                "GIT",
+                "SEMVER",
+                "ECOSYSTEM",
+            ]
+        ]
+        repo: NotRequired[str]
+        events: NotRequired[list[OSVEvent]]
+    class OSVPackage(TypedDict):
+        name: NotRequired[str]
+        ecosystem: NotRequired[str]
+        purl: NotRequired[str]
+    class OSVCredit(TypedDict):
+        name: NotRequired[str]
+        contact: NotRequired[list[str]]
+        type: NotRequired[
+            Literal[
+                "UNSPECIFIED",
+                "OTHER",
+                "FINDER",
+                "REPORTER",
+                "ANALYST",
+                "COORDINATOR",
+                "REMEDIATION_DEVELOPER",
+                "REMEDIATION_REVIEWER",
+                "REMEDIATION_VERIFIER",
+                "TOOL",
+                "SPONSOR",
+            ]
+        ]
+    class OSVSeverity(TypedDict):
+        type: NotRequired[
+            Literal[
+                "UNSPECIFIED",
+                "CVSS_V4",
+                "CVSS_V3",
+                "CVSS_V2",
+            ]
+        ]
+        score: NotRequired[str]
+    class OSVReference(TypedDict):
+        type: NotRequired[
+            Literal[
+                "NONE",
+                "WEB",
+                "ADVISORY",
+                "REPORT",
+                "FIX",
+                "PACKAGE",
+                "ARTICLE",
+                "EVIDENCE",
+            ]
+        ]
+        url: NotRequired[str]
+    class OSVAffected(TypedDict):
+        package: NotRequired[OSVPackage]
+        ranges: NotRequired[list[OSVRange]]
+        versions: NotRequired[list[str]]
+        ecosystemSpecific: NotRequired[dict[str, Any]]
+        databaseSpecific: NotRequired[dict[str, Any]]
+        severity: NotRequired[list[OSVSeverity]]
+    class OSVVulnerability(TypedDict):
+        id: str
+        summary: str
+        schemaVersion: NotRequired[str]
+        published: NotRequired[str]
+        modified: NotRequired[str]
+        withdrawn: NotRequired[str]
+        aliases: NotRequired[list[str]]
+        related: NotRequired[list[str]]
+        details: NotRequired[str]
+        affected: NotRequired[list[OSVAffected]]
+        references: NotRequired[list[OSVReference]]
+        databaseSpecific: NotRequired[dict[str, Any]]
+        severity: NotRequired[list[OSVSeverity]]
+        credits: NotRequired[list[OSVCredit]]
+    class V1VulnerabilityList(TypedDict):
+        vulns: NotRequired[list[OSVVulnerability]]
+        nextPageToken: NotRequired[str]
+    class V1Query(TypedDict):
+        commit: NotRequired[str]
+        version: NotRequired[str]
+        package: NotRequired[OSVPackage]
+        page_token: NotRequired[str]
+    #########################################
+    class V1Batchquery(TypedDict):
+        queries: list[V1Query]
+    class QueryBatchResult(TypedDict):
+        vulns: list[dict[Literal["id", "modified"], str]]
+        next_page_token: NotRequired[str]
+    class QueryBatchResponse(TypedDict):
+        results: list[QueryBatchResult]
+logger = logging.getLogger(__name__)
+@dataclass
+class OSVClientV1(BaseClient):
+    base_url: str = "https://api.osv.dev"
+    async def query(self, query: V1Query) -> V1VulnerabilityList:
+        """
+        Lists vulnerabilities for given package and version. May also be queried by commit hash.
+        POST /v1/query
+        """
+        return await self._requests(method="POST", url="/v1/query", json=query)  # type:ignore[return-value]
+    async def querybatch(self, query: V1Batchquery) -> QueryBatchResponse:
+        """
+        Query for multiple packages (by either package and version or git commit hash) at once. Returns vulnerability ids and modified field only. The response ordering will be guaranteed to match the input.
+        POST /v1/querybatc
+        """  # noqa: E501
+        return await self._requests(method="POST", url="/v1/querybatch", json=query)  # type:ignore[return-value]
+    async def get_vuln(self, vuln_id: str) -> OSVVulnerability:
+        """
+        Returns vulnerability information for a given vulnerability id.
+        GET /v1/vulns/{id}
+        """
+        return await self._requests(method="GET", url=f"/v1/vulns/{self.url_escape(vuln_id)}")  # type:ignore[return-value]
+    # async def import_findings(self) -> Incomplete:
+    #     """
+    #     Something like this:
+    #     """
+    #     return await self._requests(method="GET", url="/v1experimental/importfindings")
+    # async def determine_version(self) -> Incomplete:
+    #     """
+    #     Something like this:
+    #     """
+    #     return await self._requests(method="POST", url="/v1experimental/determineversion")
+if __name__ == "__main__":
+    logging.basicConfig(level=logging.INFO)
+    client = OSVClientV1()
+    import asyncio
+    import json
+    query: V1Query = {
+        "package": {"name": "jinja2", "ecosystem": "PyPI"},
+        "version": "2.4.1",
+    }
+    loop = asyncio.get_event_loop()
+    a = client.query(query)
+    # a = client.get_vuln("GHSA-3mc7-4q67-w48m")
+    # # {"name": "org.yaml:snakeyaml", "version": "1.19", "system": "MAVEN"}
+    # a = client.query(
+    #     {"package": {"name": "org.yaml:snakeyaml", "ecosystem": "MAVEN"}, "version": "1.19"}
+    # )
+    a = client.query({"package": {"purl": "pkg:maven/org.yaml/snakeyaml@1.19"}})
+    result = loop.run_until_complete(a)
+    print(json.dumps(result))  # For demonstration purposes, print the result

depsdev-0.0.5/tests/__init__.py ADDED Viewed

File without changes

{depsdev-0.0.3 → depsdev-0.0.5}/tests/scripts_test.py RENAMED Viewed

@@ -26,7 +26,7 @@ def entrypoints() -> Generator[tuple[str, str], None, None]:
 @pytest.mark.parametrize("pair", entrypoints())
 def test_help(pair: tuple[str, str]) -> None:
-    k, v = pair
+    k, _v = pair
     result = subprocess.run([k, "--help"], check=False, capture_output=True, text=True)  # noqa: S603
     if result.returncode != 0:
         logger.error(result.stderr)

depsdev-0.0.3/PKG-INFO DELETED Viewed

@@ -1,72 +0,0 @@
-Metadata-Version: 2.4
-Name: depsdev
-Version: 0.0.3
-Summary: Python wrapper for https://deps.dev/ API
-Project-URL: Documentation, https://github.com/FlavioAmurrioCS/depsdev#readme
-Project-URL: Issues, https://github.com/FlavioAmurrioCS/depsdev/issues
-Project-URL: Source, https://github.com/FlavioAmurrioCS/depsdev
-Author-email: Flavio Amurrio <25621374+FlavioAmurrioCS@users.noreply.github.com>
-License-Expression: MIT
-License-File: LICENSE.txt
-Classifier: Development Status :: 4 - Beta
-Classifier: Programming Language :: Python
-Classifier: Programming Language :: Python :: 3.9
-Classifier: Programming Language :: Python :: 3.10
-Classifier: Programming Language :: Python :: 3.11
-Classifier: Programming Language :: Python :: 3.12
-Classifier: Programming Language :: Python :: 3.13
-Classifier: Programming Language :: Python :: 3.14
-Classifier: Programming Language :: Python :: Implementation :: CPython
-Classifier: Programming Language :: Python :: Implementation :: PyPy
-Requires-Python: >=3.9
-Requires-Dist: httpx
-Provides-Extra: cli
-Requires-Dist: rich; extra == 'cli'
-Requires-Dist: typer-slim; extra == 'cli'
-Provides-Extra: tests
-Requires-Dist: pytest; extra == 'tests'
-Requires-Dist: pytest-asyncio; extra == 'tests'
-Requires-Dist: rich; extra == 'tests'
-Requires-Dist: tomli; (python_version < '3.11') and extra == 'tests'
-Requires-Dist: typer-slim; extra == 'tests'
-Provides-Extra: types
-Requires-Dist: mypy; extra == 'types'
-Requires-Dist: pyrefly; extra == 'types'
-Requires-Dist: pyright[nodejs]; extra == 'types'
-Requires-Dist: pytest; extra == 'types'
-Requires-Dist: pytest-asyncio; extra == 'types'
-Requires-Dist: rich; extra == 'types'
-Requires-Dist: tomli; (python_version < '3.11') and extra == 'types'
-Requires-Dist: ty; extra == 'types'
-Requires-Dist: typer-slim; extra == 'types'
-Requires-Dist: typing-extensions; extra == 'types'
-Description-Content-Type: text/markdown
-# depsdev
-[![PyPI - Version](https://img.shields.io/pypi/v/depsdev.svg)](https://pypi.org/project/depsdev)
-[![PyPI - Python Version](https://img.shields.io/pypi/pyversions/depsdev.svg)](https://pypi.org/project/depsdev)
-[![pre-commit.ci status](https://results.pre-commit.ci/badge/github/FlavioAmurrioCS/depsdev/main.svg)](https://results.pre-commit.ci/latest/github/FlavioAmurrioCS/depsdev/main)
------
-## Table of Contents
-- [Overview](#overview)
-- [Installation](#installation)
-- [License](#license)
-## Overview
-Thin Python wrapper (async-first) around the public [deps.dev REST API](https://deps.dev) plus an optional Typer-based CLI. Provides straightforward methods mapping closely to the documented endpoints; responses are returned as decoded JSON (dict / list). Alpha endpoints can be enabled via `DEPSDEV_V3_ALPHA=true` and may change without notice.
-## Installation
-```bash
-pip install depsdev            # library only
-pip install depsdev[cli]       # library + CLI
-```
-## License
-`depsdev` is distributed under the terms of the [MIT](https://spdx.org/licenses/MIT.html) license.

depsdev-0.0.3/README.md DELETED Viewed

@@ -1,28 +0,0 @@
-# depsdev
-[![PyPI - Version](https://img.shields.io/pypi/v/depsdev.svg)](https://pypi.org/project/depsdev)
-[![PyPI - Python Version](https://img.shields.io/pypi/pyversions/depsdev.svg)](https://pypi.org/project/depsdev)
-[![pre-commit.ci status](https://results.pre-commit.ci/badge/github/FlavioAmurrioCS/depsdev/main.svg)](https://results.pre-commit.ci/latest/github/FlavioAmurrioCS/depsdev/main)
------
-## Table of Contents
-- [Overview](#overview)
-- [Installation](#installation)
-- [License](#license)
-## Overview
-Thin Python wrapper (async-first) around the public [deps.dev REST API](https://deps.dev) plus an optional Typer-based CLI. Provides straightforward methods mapping closely to the documented endpoints; responses are returned as decoded JSON (dict / list). Alpha endpoints can be enabled via `DEPSDEV_V3_ALPHA=true` and may change without notice.
-## Installation
-```bash
-pip install depsdev            # library only
-pip install depsdev[cli]       # library + CLI
-```
-## License
-`depsdev` is distributed under the terms of the [MIT](https://spdx.org/licenses/MIT.html) license.