PyPI - fosslight-dependency - Versions diffs - 3.0.7__py3-none-any.whl → 4.1.30__py3-none-any.whl - Mend

fosslight-dependency 3.0.7py3-none-any.whl → 4.1.30py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (46) hide show

fosslight_dependency/LICENSES/LICENSE +201 -0
fosslight_dependency/LICENSES/LicenseRef-3rd_party_licenses.txt +1254 -0
fosslight_dependency/__init__.py +0 -1
fosslight_dependency/_analyze_dependency.py +130 -0
fosslight_dependency/_graph_convertor.py +67 -0
fosslight_dependency/_help.py +79 -0
fosslight_dependency/_package_manager.py +397 -0
fosslight_dependency/cli.py +127 -0
fosslight_dependency/constant.py +57 -0
fosslight_dependency/dependency_item.py +103 -0
fosslight_dependency/package_manager/Android.py +90 -0
fosslight_dependency/package_manager/Cargo.py +144 -0
fosslight_dependency/package_manager/Carthage.py +130 -0
fosslight_dependency/package_manager/Cocoapods.py +194 -0
fosslight_dependency/package_manager/Go.py +179 -0
fosslight_dependency/package_manager/Gradle.py +123 -0
fosslight_dependency/package_manager/Helm.py +106 -0
fosslight_dependency/package_manager/Maven.py +274 -0
fosslight_dependency/package_manager/Npm.py +296 -0
fosslight_dependency/package_manager/Nuget.py +368 -0
fosslight_dependency/package_manager/Pnpm.py +155 -0
fosslight_dependency/package_manager/Pub.py +241 -0
fosslight_dependency/package_manager/Pypi.py +395 -0
fosslight_dependency/package_manager/Swift.py +159 -0
fosslight_dependency/package_manager/Unity.py +118 -0
fosslight_dependency/package_manager/Yarn.py +231 -0
fosslight_dependency/package_manager/__init__.py +0 -0
fosslight_dependency/run_dependency_scanner.py +393 -0
fosslight_dependency-4.1.30.dist-info/METADATA +213 -0
fosslight_dependency-4.1.30.dist-info/RECORD +37 -0
{fosslight_dependency-3.0.7.dist-info → fosslight_dependency-4.1.30.dist-info}/WHEEL +1 -1
fosslight_dependency-4.1.30.dist-info/entry_points.txt +2 -0
fosslight_dependency-4.1.30.dist-info/licenses/LICENSES/Apache-2.0.txt +201 -0
fosslight_dependency-4.1.30.dist-info/licenses/LICENSES/LicenseRef-3rd_party_licenses.txt +1254 -0
fosslight_dependency-4.1.30.dist-info/licenses/LICENSES/MIT.txt +21 -0
fosslight_dependency/_version.py +0 -1
fosslight_dependency/analyze_dependency.py +0 -1090
fosslight_dependency/third_party/askalono/askalono.exe +0 -0
fosslight_dependency/third_party/askalono/askalono_macos +0 -0
fosslight_dependency/third_party/nomos/nomossa +0 -0
fosslight_dependency-3.0.7.dist-info/3rd_party_licenses.txt +0 -726
fosslight_dependency-3.0.7.dist-info/METADATA +0 -51
fosslight_dependency-3.0.7.dist-info/RECORD +0 -13
fosslight_dependency-3.0.7.dist-info/entry_points.txt +0 -3
{fosslight_dependency-3.0.7.dist-info → fosslight_dependency-4.1.30.dist-info/licenses}/LICENSE +0 -0
{fosslight_dependency-3.0.7.dist-info → fosslight_dependency-4.1.30.dist-info}/top_level.txt +0 -0

fosslight_dependency/package_manager/Swift.py ADDED Viewed

@@ -0,0 +1,159 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+# Copyright (c) 2021 LG Electronics Inc.
+# SPDX-License-Identifier: Apache-2.0
+import os
+import logging
+import json
+import subprocess
+import fosslight_util.constant as constant
+import fosslight_dependency.constant as const
+from fosslight_dependency._package_manager import PackageManager
+from fosslight_dependency._package_manager import connect_github, get_github_license
+from fosslight_dependency._package_manager import get_url_to_purl
+from fosslight_dependency.dependency_item import DependencyItem, change_dependson_to_purl
+from fosslight_util.oss_item import OssItem
+logger = logging.getLogger(constant.LOGGER_NAME)
+class Swift(PackageManager):
+    package_manager_name = const.SWIFT
+    input_file_name = const.SUPPORT_PACKAE.get(package_manager_name)
+    tmp_dep_tree_fname = 'show-dep.json'
+    def __init__(self, input_dir, output_dir, github_token):
+        super().__init__(self.package_manager_name, '', input_dir, output_dir)
+        self.github_token = github_token
+        self.check_input_file_path()
+        self.append_input_package_list_file(self.input_file_name)
+    def check_input_file_path(self):
+        if not os.path.isfile(self.input_file_name):
+            for file_in_swift in os.listdir("."):
+                if file_in_swift.endswith(".xcodeproj"):
+                    input_file_name_in_xcodeproj = os.path.join(file_in_swift,
+                                                                "project.xcworkspace/xcshareddata/swiftpm",
+                                                                self.input_file_name)
+                    if input_file_name_in_xcodeproj != self.input_file_name:
+                        if os.path.isfile(input_file_name_in_xcodeproj):
+                            self.input_file_name = input_file_name_in_xcodeproj
+                            logger.info(f"It uses the manifest file: {self.input_file_name}")
+    def parse_direct_dependencies(self):
+        ret = False
+        if os.path.isfile('Package.swift') or os.path.isfile(self.tmp_dep_tree_fname):
+            if not os.path.isfile(self.tmp_dep_tree_fname):
+                cmd = "swift package show-dependencies --format json"
+                try:
+                    ret_txt = subprocess.check_output(cmd, text=True, shell=True)
+                    if ret_txt is not None:
+                        deps_l = json.loads(ret_txt)
+                        ret = self.parse_dep_tree_json(deps_l)
+                except Exception as e:
+                    logger.warning(f'Fail to get swift dependency tree information: {e}')
+            else:
+                with open(self.tmp_dep_tree_fname) as f:
+                    try:
+                        deps_l = json.load(f)
+                        ret = self.parse_dep_tree_json(deps_l)
+                    except Exception as e:
+                        logger.warning(f'Fail to load swift dependency tree json: {e}')
+        else:
+            logger.info(f"No Package.swift or {self.tmp_dep_tree_fname}, skip to print direct/transitive.")
+        if not ret:
+            self.direct_dep = False
+    def get_dependencies(self, dependencies, package):
+        package_name = 'name'
+        deps = 'dependencies'
+        version = 'version'
+        pkg_name = package[package_name]
+        pkg_ver = package[version]
+        dependency_list = package[deps]
+        dependencies[f"{pkg_name}({pkg_ver})"] = []
+        for dependency in dependency_list:
+            dep_name = dependency[package_name]
+            dep_version = dependency[version]
+            dependencies[f"{pkg_name}({pkg_ver})"].append(f"{dep_name}({dep_version})")
+            if dependency[deps] != []:
+                dependencies = self.get_dependencies(dependencies, dependency)
+        return dependencies
+    def parse_dep_tree_json(self, rel_json):
+        ret = True
+        try:
+            for p in rel_json['dependencies']:
+                self.direct_dep_list.append(p['name'])
+                if p['dependencies'] == []:
+                    continue
+                self.relation_tree = self.get_dependencies(self.relation_tree, p)
+        except Exception as e:
+            logger.error(f'Failed to parse dependency tree: {e}')
+            ret = False
+        return ret
+    def parse_oss_information(self, f_name):
+        json_ver = 2
+        purl_dict = {}
+        with open(f_name, 'r', encoding='utf8') as json_file:
+            json_raw = json.load(json_file)
+            json_ver = json_raw['version']
+            if json_ver == 1:
+                json_data = json_raw["object"]["pins"]
+            elif json_ver == 2 or json_ver == 3:
+                json_data = json_raw["pins"]
+            else:
+                logger.warning(f'Not supported Package.resolved version {json_ver}')
+                logger.warning('Try to parse as version 2(or 3)')
+                json_data = json_raw["pins"]
+        g = connect_github(self.github_token)
+        for key in json_data:
+            dep_item = DependencyItem()
+            oss_item = OssItem()
+            if json_ver == 1:
+                oss_origin_name = key['package']
+                oss_item.homepage = key['repositoryURL']
+            else:
+                oss_origin_name = key['identity']
+                oss_item.homepage = key['location']
+            if oss_item.homepage.endswith('.git'):
+                oss_item.homepage = oss_item.homepage[:-4]
+            oss_item.name = f"{self.package_manager_name}:{oss_origin_name}"
+            oss_item.version = key['state'].get('version', None)
+            if oss_item.version is None:
+                oss_item.version = key['state'].get('revision', None)
+            oss_item.download_location = oss_item.homepage
+            github_repo = "/".join(oss_item.homepage.split('/')[-2:])
+            dep_item.purl = get_url_to_purl(oss_item.download_location, self.package_manager_name, github_repo, oss_item.version)
+            purl_dict[f'{oss_origin_name}({oss_item.version})'] = dep_item.purl
+            oss_item.license = get_github_license(g, github_repo)
+            if self.direct_dep and len(self.direct_dep_list) > 0:
+                if oss_origin_name in self.direct_dep_list:
+                    oss_item.comment = 'direct'
+                else:
+                    oss_item.comment = 'transitive'
+                if f'{oss_origin_name}({oss_item.version})' in self.relation_tree:
+                    dep_item.depends_on_raw = self.relation_tree[f'{oss_origin_name}({oss_item.version})']
+            dep_item.oss_items.append(oss_item)
+            self.dep_items.append(dep_item)
+        if self.direct_dep:
+            self.dep_items = change_dependson_to_purl(purl_dict, self.dep_items)
+        return

fosslight_dependency/package_manager/Unity.py ADDED Viewed

@@ -0,0 +1,118 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+# Copyright (c) 2024 LG Electronics Inc.
+# SPDX-License-Identifier: Apache-2.0
+import os
+import logging
+import re
+import yaml
+import requests
+import fosslight_util.constant as constant
+import fosslight_dependency.constant as const
+from fosslight_dependency._package_manager import PackageManager
+from fosslight_dependency._package_manager import check_license_name, get_url_to_purl
+from fosslight_dependency.dependency_item import DependencyItem
+from fosslight_util.oss_item import OssItem
+logger = logging.getLogger(constant.LOGGER_NAME)
+proprietary_license = 'Proprietary License'
+license_md = 'LICENSE.md'
+third_party_md = 'Third Party Notices.md'
+class Unity(PackageManager):
+    package_manager_name = const.UNITY
+    input_file_name = const.SUPPORT_PACKAE.get(package_manager_name)
+    packageCache_dir = os.path.join('Library', 'PackageCache')
+    mirror_url = 'https://github.com/needle-mirror/'
+    unity_internal_url = 'https://github.cds.internal.unity3d.com'
+    third_notice_txt = 'third_party_notice.txt'
+    def __init__(self, input_dir, output_dir):
+        super().__init__(self.package_manager_name, '', input_dir, output_dir)
+        self.append_input_package_list_file(self.input_file_name)
+    def parse_oss_information(self, f_name):
+        with open(f_name, 'r', encoding='utf8') as f:
+            f_yml = yaml.safe_load(f)
+            resolvedPkg = f_yml['m_ResolvedPackages']
+        try:
+            for pkg_data in resolvedPkg:
+                dep_item = DependencyItem()
+                oss_item = OssItem()
+                oss_item.name = pkg_data['name']
+                oss_item.version = pkg_data['version']
+                oss_packagecache_dir = os.path.join(self.packageCache_dir, f'{oss_item.name}@{oss_item.version}')
+                license_f = os.path.join(oss_packagecache_dir, license_md)
+                if os.path.isfile(license_f):
+                    license_name = check_license_name(license_f, True)
+                    if license_name == '':
+                        with open(license_f, 'r', encoding='utf-8') as f:
+                            for line in f:
+                                matched_l = re.search(r'Unity\s[\s\w]*\sLicense', line)
+                                if matched_l:
+                                    license_name = matched_l[0]
+                                    break
+                else:
+                    license_name = proprietary_license
+                oss_item.license = license_name
+                third_f = os.path.join(oss_packagecache_dir, third_party_md)
+                if os.path.isfile(third_f):
+                    with open(third_f, 'r', encoding='utf-8') as f:
+                        third_notice = f.readlines()
+                    with open(self.third_notice_txt, 'a+', encoding='utf-8') as tf:
+                        for line in third_notice:
+                            tf.write(line)
+                            tf.flush()
+                oss_item.homepage = pkg_data['repository']['url']
+                if oss_item.homepage and oss_item.homepage.startswith('git@'):
+                    oss_item.homepage = oss_item.homepage.replace('git@', 'https://')
+                if oss_item.homepage is None or oss_item.homepage.startswith(self.unity_internal_url):
+                    if (license_name != proprietary_license) and license_name != '':
+                        oss_item.homepage = f'{self.mirror_url}{oss_item.name}'
+                if oss_item.homepage is None:
+                    oss_item.homepage = ''
+                else:
+                    if not check_url_alive(oss_item.homepage):
+                        minor_version = '.'.join(oss_item.version.split('.')[0:2])
+                        oss_item.homepage = f'https://docs.unity3d.com/Packages/{oss_item.name}@{minor_version}'
+                oss_item.download_location = oss_item.homepage
+                dep_item.purl = get_url_to_purl(oss_item.download_location, self.package_manager_name)
+                if dep_item.purl == 'None':
+                    dep_item.purl = ''
+                if dep_item.purl != '':
+                    dep_item.purl = f'{dep_item.purl}@{oss_item.version}'
+                comment_list = []
+                if self.direct_dep:
+                    if pkg_data['isDirectDependency']:
+                        comment_list.append('direct')
+                    else:
+                        comment_list.append('transitive')
+                oss_item.comment = ','.join(comment_list)
+                dep_item.oss_items.append(oss_item)
+                self.dep_items.append(dep_item)
+        except Exception as e:
+            logger.error(f"Fail to parse unity oss information: {e}")
+        return
+def check_url_alive(url):
+    alive = False
+    try:
+        response = requests.get(url)
+        if response.status_code == 200:
+            alive = True
+        else:
+            logger.debug(f"{url} returned status code {response.status_code}")
+    except requests.exceptions.RequestException as e:
+        logger.debug(f"Check if url({url})is alive err: {e}")
+    return alive

fosslight_dependency/package_manager/Yarn.py ADDED Viewed

@@ -0,0 +1,231 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+# Copyright (c) 2025 LG Electronics Inc.
+# SPDX-License-Identifier: Apache-2.0
+import os
+import logging
+import subprocess
+import json
+import fosslight_util.constant as constant
+import fosslight_dependency.constant as const
+from fosslight_dependency.package_manager.Npm import Npm
+from fosslight_dependency.dependency_item import DependencyItem, change_dependson_to_purl
+from fosslight_util.oss_item import OssItem
+from fosslight_dependency._package_manager import get_url_to_purl
+from fosslight_dependency.package_manager.Npm import check_multi_license, check_unknown_license
+logger = logging.getLogger(constant.LOGGER_NAME)
+class Yarn(Npm):
+    def __init__(self, input_dir, output_dir):
+        super().__init__(input_dir, output_dir)
+        self.package_manager_name = const.YARN
+        self.yarn_version = None
+    def detect_yarn_version(self):
+        """Detect Yarn version (1.x = Classic, 2+ = Berry)"""
+        if self.yarn_version is not None:
+            return self.yarn_version
+        try:
+            result = subprocess.run('yarn -v', shell=True, capture_output=True, text=True, encoding='utf-8')
+            if result.returncode == 0:
+                version_str = result.stdout.strip()
+                major_version = int(version_str.split('.')[0])
+                self.yarn_version = major_version
+                logger.info(f"Detected Yarn version: {version_str} (major: {major_version})")
+                return major_version
+        except Exception as e:
+            logger.warning(f"Failed to detect Yarn version: {e}")
+        return None
+    def start_license_checker(self):
+        ret = True
+        license_checker_cmd = f'license-checker --production --json --out {self.input_file_name}'
+        custom_path_option = ' --customPath '
+        node_modules = 'node_modules'
+        self.detect_yarn_version()
+        # For Yarn Berry (2+), check if using PnP mode
+        is_pnp_mode = False
+        if self.yarn_version and self.yarn_version >= 2:
+            # Check if .pnp.cjs exists (PnP mode indicator)
+            if os.path.exists('.pnp.cjs') or os.path.exists('.pnp.js'):
+                is_pnp_mode = True
+                logger.info("Detected Yarn Berry with PnP mode")
+        if not os.path.isdir(node_modules):
+            logger.info("node_modules directory does not exist.")
+            self.flag_tmp_node_modules = True
+            # For PnP mode, try to force node_modules creation
+            if is_pnp_mode:
+                logger.info("Attempting to create node_modules for PnP project...")
+                yarn_install_cmd = 'YARN_NODE_LINKER=node-modules yarn install --production --ignore-scripts'
+                logger.info(f"Executing: {yarn_install_cmd}")
+            else:
+                yarn_install_cmd = 'yarn install --production --ignore-scripts'
+                logger.info(f"Executing: {yarn_install_cmd}")
+            cmd_ret = subprocess.call(yarn_install_cmd, shell=True)
+            if cmd_ret != 0:
+                logger.error(f"{yarn_install_cmd} failed")
+                if is_pnp_mode:
+                    logger.error("Yarn Berry PnP mode detected. Consider setting 'nodeLinker: node-modules' in .yarnrc.yml")
+                return False
+            else:
+                logger.info(f"Successfully executed {yarn_install_cmd}")
+        self.make_custom_json(self.tmp_custom_json)
+        cmd = license_checker_cmd + custom_path_option + self.tmp_custom_json
+        cmd_ret = subprocess.call(cmd, shell=True)
+        if cmd_ret != 0:
+            logger.error(f"It returns the error: {cmd}")
+            logger.error("Please check if the license-checker is installed.(sudo npm install -g license-checker)")
+            ret = False
+        else:
+            self.append_input_package_list_file(self.input_file_name)
+        if os.path.exists(self.tmp_custom_json):
+            os.remove(self.tmp_custom_json)
+        return ret
+    def parse_oss_information(self, f_name):
+        with open(f_name, 'r', encoding='utf8') as json_file:
+            json_data = json.load(json_file)
+        _licenses = 'licenses'
+        _repository = 'repository'
+        _private = 'private'
+        keys = [key for key in json_data]
+        purl_dict = {}
+        for i in range(0, len(keys)):
+            dep_item = DependencyItem()
+            oss_item = OssItem()
+            d = json_data.get(keys[i - 1])
+            oss_init_name = d['name']
+            oss_item.name = f'{const.NPM}:{oss_init_name}'
+            if d[_licenses]:
+                license_name = d[_licenses]
+            else:
+                license_name = ''
+            oss_item.version = d['version']
+            package_path = d['path']
+            private_pkg = False
+            if _private in d and d[_private]:
+                private_pkg = True
+            oss_item.download_location = ''
+            npm_dl_url = f"{self.dn_url}{oss_init_name}/v/{oss_item.version}"
+            npm_home_url = f"{self.dn_url}{oss_init_name}"
+            dep_item.purl = get_url_to_purl(npm_dl_url, self.package_manager_name)
+            purl_dict[f'{oss_init_name}({oss_item.version})'] = dep_item.purl
+            repo_url = d[_repository] if d[_repository] else ''
+            if private_pkg:
+                oss_item.homepage = repo_url or ''
+                oss_item.download_location = oss_item.homepage
+                oss_item.comment = 'private'
+            else:
+                npm_url_exists = False
+                if self._network_available is True:
+                    npm_url_exists = self._npm_url_exists(oss_init_name, oss_item.version)
+                if self._network_available and not npm_url_exists:
+                    oss_item.homepage = repo_url or ""
+                    oss_item.download_location = oss_item.homepage
+                else:
+                    oss_item.homepage = repo_url or npm_home_url
+                    oss_item.download_location = npm_dl_url
+            if self.package_name == f'{oss_init_name}({oss_item.version})':
+                oss_item.comment = 'root package'
+            elif self.direct_dep and len(self.relation_tree) > 0:
+                if f'{oss_init_name}({oss_item.version})' in self.relation_tree[self.package_name]:
+                    oss_item.comment = 'direct'
+                else:
+                    oss_item.comment = 'transitive'
+                if f'{oss_init_name}({oss_item.version})' in self.relation_tree:
+                    dep_item.depends_on_raw = self.relation_tree[f'{oss_init_name}({oss_item.version})']
+            # For Yarn, use 'package.json' instead of yarn.lock for license info
+            manifest_file_path = os.path.join(package_path, 'package.json')
+            multi_license, license_comment, multi_flag = check_multi_license(license_name, manifest_file_path)
+            if multi_flag:
+                oss_item.comment = license_comment
+                license_name = multi_license
+            else:
+                license_name = license_name.replace(",", "")
+                license_name = check_unknown_license(license_name, manifest_file_path)
+            oss_item.license = license_name
+            dep_item.oss_items.append(oss_item)
+            self.dep_items.append(dep_item)
+        if self.direct_dep:
+            self.dep_items = change_dependson_to_purl(purl_dict, self.dep_items)
+        return
+    def parse_rel_dependencies(self, rel_name, rel_ver, rel_dependencies):
+        """Override to handle missing packages and packages without version"""
+        _dependencies = 'dependencies'
+        _version = 'version'
+        _peer = 'peerMissing'
+        _missing = 'missing'
+        for rel_dep_name in rel_dependencies.keys():
+            # Optional, non-installed dependencies are listed as empty objects
+            if rel_dependencies[rel_dep_name] == {}:
+                continue
+            if _peer in rel_dependencies[rel_dep_name]:
+                if rel_dependencies[rel_dep_name][_peer]:
+                    continue
+            # Skip missing packages (not installed)
+            if _missing in rel_dependencies[rel_dep_name]:
+                if rel_dependencies[rel_dep_name][_missing]:
+                    continue
+            # Skip if version key doesn't exist
+            if _version not in rel_dependencies[rel_dep_name]:
+                continue
+            if f'{rel_name}({rel_ver})' not in self.relation_tree:
+                self.relation_tree[f'{rel_name}({rel_ver})'] = []
+            elif f'{rel_dep_name}({rel_dependencies[rel_dep_name][_version]})' in self.relation_tree[f'{rel_name}({rel_ver})']:
+                continue
+            self.relation_tree[f'{rel_name}({rel_ver})'].append(f'{rel_dep_name}({rel_dependencies[rel_dep_name][_version]})')
+            if _dependencies in rel_dependencies[rel_dep_name]:
+                self.parse_rel_dependencies(rel_dep_name, rel_dependencies[rel_dep_name][_version],
+                                            rel_dependencies[rel_dep_name][_dependencies])
+    def parse_direct_dependencies(self):
+        if not self.direct_dep:
+            return
+        try:
+            # For Yarn, check if package.json exists (not yarn.lock)
+            # input_package_list_file[0] is the license-checker output file path
+            manifest_dir = os.path.dirname(self.input_package_list_file[0])
+            package_json_path = os.path.join(manifest_dir, 'package.json')
+            if os.path.isfile(package_json_path):
+                ret, err_msg = self.parse_transitive_relationship()
+                if not ret:
+                    self.direct_dep = False
+                    logger.warning(f'It cannot print direct/transitive dependency: {err_msg}')
+            else:
+                logger.info('Direct/transitive support is not possible because the package.json file does not exist.')
+                self.direct_dep = False
+        except Exception as e:
+            logger.warning(f'Cannot print direct/transitive dependency: {e}')
+            self.direct_dep = False

fosslight_dependency/package_manager/__init__.py ADDED Viewed

File without changes

fosslight-dependency 3.0.7__py3-none-any.whl → 4.1.30__py3-none-any.whl

fosslight-dependency 3.0.7py3-none-any.whl → 4.1.30py3-none-any.whl