fosslight-dependency 4.1.8__py3-none-any.whl → 4.1.9__py3-none-any.whl

fosslight_dependency/_analyze_dependency.py

@@ -20,6 +20,7 @@ from fosslight_dependency.package_manager.Nuget import Nuget
 from fosslight_dependency.package_manager.Helm import Helm
 from fosslight_dependency.package_manager.Unity import Unity
 from fosslight_dependency.package_manager.Cargo import Cargo
+from fosslight_dependency.package_manager.Pnpm import Pnpm
 import fosslight_util.constant as constant
 
 logger = logging.getLogger(constant.LOGGER_NAME)
@@ -60,6 +61,8 @@ def analyze_dependency(package_manager_name, input_dir, output_dir, pip_activate
         package_manager = Unity(input_dir, output_dir)
     elif package_manager_name == const.CARGO:
         package_manager = Cargo(input_dir, output_dir)
+    elif package_manager_name == const.PNPM:
+        package_manager = Pnpm(input_dir, output_dir)
     else:
         logger.error(f"Not supported package manager name: {package_manager_name}")
         ret = False
@@ -84,7 +87,10 @@ def analyze_dependency(package_manager_name, input_dir, output_dir, pip_activate
             else:
                 logger.error(f"Failed to open input file: {f_name}")
                 ret = False
-
+        if package_manager_name == const.PNPM:
+            logger.info("Parse oss information for pnpm")
+            package_manager.parse_oss_information_for_pnpm()
+            package_dep_item_list.extend(package_manager.dep_items)
     if ret:
         logger.warning(f"### Complete to analyze: {package_manager_name}")
         if package_manager.cover_comment:

fosslight_dependency/_help.py

@@ -15,6 +15,7 @@ _HELP_MESSAGE_DEPENDENCY = """
         Gradle (Java)
         Maven (Java)
         NPM (Node.js)
+        PNPM (Node.js)
         PIP (Python)
         Pub (Dart with flutter)
         Cocoapods (Swift/Obj-C)
@@ -32,7 +33,7 @@ _HELP_MESSAGE_DEPENDENCY = """
             -v\t\t\t\t    Print the version of the script.
             -m <package_manager>\t    Enter the package manager.
                                         \t(npm, maven, gradle, pypi, pub, cocoapods, android, swift, carthage,
-                                        \t go, nuget, helm, unity, cargo)
+                                        \t go, nuget, helm, unity, cargo, pnpm)
             -p <input_path>\t\t    Enter the path where the script will be run.
             -e <exclude_path>\t\t    Enter the path where the analysis will not be performed.
             -o <output_path>\t\t    Output path

fosslight_dependency/constant.py

@@ -24,10 +24,12 @@ NUGET = 'nuget'
 HELM = 'helm'
 UNITY = 'unity'
 CARGO = 'cargo'
+PNPM = 'pnpm'
 
 # Supported package name and manifest file
 SUPPORT_PACKAE = {
     PYPI: ['requirements.txt', 'setup.py', 'pyproject.toml'],
+    PNPM: 'pnpm-lock.yaml',
     NPM: 'package.json',
     MAVEN: 'pom.xml',
     GRADLE: 'build.gradle',

fosslight_dependency/package_manager/Npm.py

@@ -46,7 +46,7 @@ class Npm(PackageManager):
         ret = True
         license_checker_cmd = f'license-checker --production --json --out {self.input_file_name}'
         custom_path_option = ' --customPath '
-        npm_install_cmd = 'npm install --production'
+        npm_install_cmd = 'npm install --production --ignore-scripts'
 
         if os.path.isdir(node_modules) != 1:
             logger.info(f"node_modules directory is not existed. So it executes '{npm_install_cmd}'.")

fosslight_dependency/package_manager/Pnpm.py

@@ -0,0 +1,155 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+# Copyright (c) 2025 LG Electronics Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+import os
+import logging
+import subprocess
+import json
+import shutil
+import fosslight_util.constant as constant
+import fosslight_dependency.constant as const
+from fosslight_dependency._package_manager import PackageManager, get_url_to_purl
+from fosslight_dependency.dependency_item import DependencyItem, change_dependson_to_purl
+from fosslight_dependency.package_manager.Npm import check_multi_license
+from fosslight_util.oss_item import OssItem
+
+logger = logging.getLogger(constant.LOGGER_NAME)
+node_modules = 'node_modules'
+
+
+class Pnpm(PackageManager):
+    package_manager_name = const.PNPM
+
+    dn_url = 'https://www.npmjs.com/package/'
+    input_file_name = 'tmp_pnpm_license_output.json'
+    flag_tmp_node_modules = False
+    project_name_list = []
+    pkg_list = {}
+
+    def __init__(self, input_dir, output_dir):
+        super().__init__(self.package_manager_name, self.dn_url, input_dir, output_dir)
+
+    def __del__(self):
+        if os.path.isfile(self.input_file_name):
+            os.remove(self.input_file_name)
+        if self.flag_tmp_node_modules:
+            shutil.rmtree(node_modules, ignore_errors=True)
+
+    def run_plugin(self):
+        ret = True
+
+        pnpm_install_cmd = 'pnpm install --prod --ignore-scripts --ignore-pnpmfile'
+        if os.path.isdir(node_modules) != 1:
+            logger.info(f"node_modules directory is not existed. So it executes '{pnpm_install_cmd}'.")
+            self.flag_tmp_node_modules = True
+            cmd_ret = subprocess.call(pnpm_install_cmd, shell=True)
+            if cmd_ret != 0:
+                logger.error(f"{pnpm_install_cmd} returns an error")
+                ret = False
+        if ret:
+            project_cmd = 'pnpm ls -r --depth -1 -P --json'
+            ret_txt = subprocess.check_output(project_cmd, text=True, shell=True)
+            if ret_txt is not None:
+                deps_l = json.loads(ret_txt)
+                for items in deps_l:
+                    self.project_name_list.append(items["name"])
+        return ret
+
+    def parse_direct_dependencies(self):
+        if not self.direct_dep:
+            return
+        try:
+            direct_cmd = 'pnpm ls -r --depth 0 -P --json'
+            ret_txt = subprocess.check_output(direct_cmd, text=True, shell=True)
+            if ret_txt is not None:
+                deps_l = json.loads(ret_txt)
+                for item in deps_l:
+                    if 'dependencies' in item and isinstance(item['dependencies'], dict):
+                        self.direct_dep_list.extend(item['dependencies'].keys())
+            else:
+                self.direct_dep = False
+                logger.warning('Cannot print direct/transitive dependency')
+        except Exception as e:
+            logger.warning(f'Fail to print direct/transitive dependency: {e}')
+            self.direct_dep = False
+        if self.direct_dep:
+            self.direct_dep_list = list(filter(lambda dep: dep not in self.project_name_list, self.direct_dep_list))
+
+    def extract_dependencies(self, dependencies, purl_dict):
+        dep_item_list = []
+        for dep_name, dep_info in dependencies.items():
+            if dep_name not in self.project_name_list:
+                if dep_name in self.pkg_list.keys():
+                    if dep_info.get('version') in self.pkg_list[dep_name]:
+                        continue
+                self.pkg_list.setdefault(dep_name, []).append(dep_info.get('version'))
+                dep_item = DependencyItem()
+                oss_item = OssItem()
+                oss_item.name = f'npm:{dep_name}'
+                oss_item.version = dep_info.get('version')
+
+                license_name = dep_info.get('license')
+                if license_name:
+                    multi_license, license_comment, multi_flag = check_multi_license(license_name, '')
+                    if multi_flag:
+                        oss_item.comment = license_comment
+                        license_name = multi_license
+                    else:
+                        license_name = license_name.replace(",", "")
+                    oss_item.license = license_name
+
+                oss_item.homepage = f'{self.dn_url}{dep_name}'
+                oss_item.download_location = dep_info.get('repository')
+                if oss_item.download_location:
+                    if oss_item.download_location.endswith('.git'):
+                        oss_item.download_location = oss_item.download_location[:-4]
+                    if oss_item.download_location.startswith('git://'):
+                        oss_item.download_location = 'https://' + oss_item.download_location[6:]
+                    elif oss_item.download_location.startswith('git+https://'):
+                        oss_item.download_location = 'https://' + oss_item.download_location[12:]
+                    elif oss_item.download_location.startswith('git+ssh://git@'):
+                        oss_item.download_location = 'https://' + oss_item.download_location[14:]
+                else:
+                    oss_item.download_location = f'{self.dn_url}{dep_name}/v/{oss_item.version}'
+
+                dn_loc = f'{oss_item.homepage}/v/{oss_item.version}'
+                dep_item.purl = get_url_to_purl(dn_loc, 'npm')
+                purl_dict[f'{dep_name}({oss_item.version})'] = dep_item.purl
+
+                if dep_name in self.direct_dep_list:
+                    oss_item.comment = 'direct'
+                else:
+                    oss_item.comment = 'transitive'
+
+                if 'dependencies' in dep_info:
+                    for dn, di in dep_info.get('dependencies').items():
+                        if dn not in self.project_name_list:
+                            dep_item.depends_on_raw.append(f"{dn}({di['version']})")
+
+                dep_item.oss_items.append(oss_item)
+                dep_item_list.append(dep_item)
+
+            if 'dependencies' in dep_info:
+                dep_item_list_inner, purl_dict_inner = self.extract_dependencies(dep_info['dependencies'], purl_dict)
+                dep_item_list.extend(dep_item_list_inner)
+                purl_dict.update(purl_dict_inner)
+
+        return dep_item_list, purl_dict
+
+    def parse_oss_information_for_pnpm(self):
+        project_cmd = 'pnpm ls --json -r --depth Infinity -P --long'
+        ret_txt = subprocess.check_output(project_cmd, text=True, shell=True)
+        if ret_txt is not None:
+            deps_l = json.loads(ret_txt)
+            purl_dict = {}
+            for items in deps_l:
+                if 'dependencies' in items:
+                    dep_item_list_inner, purl_dict_inner = self.extract_dependencies(items['dependencies'], purl_dict)
+                    self.dep_items.extend(dep_item_list_inner)
+                    purl_dict.update(purl_dict_inner)
+            if self.direct_dep:
+                self.dep_items = change_dependson_to_purl(purl_dict, self.dep_items)
+        else:
+            logger.warning(f'No output for {project_cmd}')

fosslight_dependency/run_dependency_scanner.py

@@ -100,8 +100,11 @@ def find_package_manager(input_dir, abs_path_to_exclude=[], manifest_file_name=[
                 if value == f_idx:
                     found_package_manager[key] = [f_idx]
 
+    # both npm and pnpm are detected, remove npm.
+    if 'npm' in found_package_manager and 'pnpm' in found_package_manager:
+        del found_package_manager['npm']
     if len(found_package_manager) >= 1:
-        manifest_file_w_path = map(lambda x: os.path.join(input_dir, x), found_manifest_file)
+        manifest_file_w_path = [os.path.join(input_dir, file) for pkg, files in found_package_manager.items() for file in files]
         logger.info(f"Found the manifest file({','.join(manifest_file_w_path)}) automatically.")
         logger.warning(f"### Set Package Manager = {', '.join(found_package_manager.keys())}")
     else:

{fosslight_dependency-4.1.8.dist-info → fosslight_dependency-4.1.9.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: fosslight-dependency
-Version: 4.1.8
+Version: 4.1.9
 Summary: FOSSLight Dependency Scanner
 Home-page: https://github.com/fosslight/fosslight_dependency_scanner
 Author: LG Electronics

{fosslight_dependency-4.1.8.dist-info → fosslight_dependency-4.1.9.dist-info}/RECORD

@@ -1,11 +1,11 @@
 fosslight_dependency/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-fosslight_dependency/_analyze_dependency.py,sha256=uYbHDlFfEf-LsCWc6hTKN-QCD1T_2jaEgBf3z4M_4Lk,4226
+fosslight_dependency/_analyze_dependency.py,sha256=AKwKPEjA5x4p3oCWMJugQjd4zX9WKy9zfUqp44gL63Q,4617
 fosslight_dependency/_graph_convertor.py,sha256=D8GwmJfuj9Wg3_DeKRPLGGdyHSLcoU2Q0VzKQbkJG4g,2267
-fosslight_dependency/_help.py,sha256=INeP24fFfV2HPhZJMqk_KCu08X7nneAumBqMWQ7Sbw8,3336
+fosslight_dependency/_help.py,sha256=S5tt26ccMLp-BEgWoXWyPxd8JzLtwZ5bIc-A2UTeM4k,3365
 fosslight_dependency/_package_manager.py,sha256=GUqMLidGGVrek0XpApron3SWFf66VsmfycsmnvxQOkY,14890
-fosslight_dependency/constant.py,sha256=FAkzrW1S6Ua_TAbvQ2y6d0dhEZcgonB11miKUj7lB98,1080
+fosslight_dependency/constant.py,sha256=nGa2Q_IWMojHEKkwdvoFvZrsqZZ4jMCk9h3M78j_lMc,1122
 fosslight_dependency/dependency_item.py,sha256=wNLWcsNycf3HQ5Pib2WrMeo2dn0eHCRg20NLcL95Qew,3345
-fosslight_dependency/run_dependency_scanner.py,sha256=zFlHAwj9fhsiaut_VhvQneX8Ngz82xgau4ThmHxk8pI,17399
+fosslight_dependency/run_dependency_scanner.py,sha256=rCHwKW2NsOSRyRxsFmUunKruK9vN24O2ucHghJYgey4,17600
 fosslight_dependency/LICENSES/LICENSE,sha256=xx0jnfkXJvxRnG63LTGOxlggYnIysveWIZ6H3PNdCrQ,11357
 fosslight_dependency/LICENSES/LicenseRef-3rd_party_licenses.txt,sha256=EcsFt7aE1rp3OXAdJgmXayfOZdpRdBMcmRnyoqWMCsw,95687
 fosslight_dependency/package_manager/Android.py,sha256=0UZFvbLxDIreerK4fR316YPyhUpPliV_kfZulrxkUyo,3218
@@ -16,19 +16,20 @@ fosslight_dependency/package_manager/Go.py,sha256=O-6DTTRM2EoTpCVmlIPKFy8ZTz64EH
 fosslight_dependency/package_manager/Gradle.py,sha256=IYmj9q3XiE_DPKdtll6lyRr98lFuyKWW2qz57X26Fn0,4359
 fosslight_dependency/package_manager/Helm.py,sha256=ucx2Y0tWX37UHIzIGaRyTe7uQ2vlu2nUuO09hOMq9ZU,4223
 fosslight_dependency/package_manager/Maven.py,sha256=XDVTmxRjeQmATpJDP__yw47Pk5e4utXAkkEkskXPQCQ,10443
-fosslight_dependency/package_manager/Npm.py,sha256=hwKC08m05KlHgfQpPX7lnDEJC-A7WKF9OniYW4n9TDM,10638
+fosslight_dependency/package_manager/Npm.py,sha256=EvXXJUJ3-4cyvGNQU2cXPGkOcOQPr4CkuxpNDKk-49w,10655
 fosslight_dependency/package_manager/Nuget.py,sha256=x1SPdxwXS2Oyi1RnLasvJJL-IFJl45VI2CXt3wReW24,8884
+fosslight_dependency/package_manager/Pnpm.py,sha256=LDKooFGQHui_Q5U7XqSJ8KcCPiLVndXf5oGKTJExh5w,7056
 fosslight_dependency/package_manager/Pub.py,sha256=Rrz8_6wdrmMU6f3vbbuAwyMbODBauXNnBbI619OQgDk,10184
 fosslight_dependency/package_manager/Pypi.py,sha256=A3pXJC_7H7PTa6i3B_PvJY85qsc6W9AqOze7kB8E3Ws,15831
 fosslight_dependency/package_manager/Swift.py,sha256=8fdbdAXTNlp2NDoSqQXm48JGAg9UhxA91M1-NhHkT40,6752
 fosslight_dependency/package_manager/Unity.py,sha256=n1006GZ6Qrk8wAdO6wla1Q-JD7Evin7REVj-HDeTARc,5142
 fosslight_dependency/package_manager/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-fosslight_dependency-4.1.8.dist-info/Apache-2.0.txt,sha256=xx0jnfkXJvxRnG63LTGOxlggYnIysveWIZ6H3PNdCrQ,11357
-fosslight_dependency-4.1.8.dist-info/LICENSE,sha256=xx0jnfkXJvxRnG63LTGOxlggYnIysveWIZ6H3PNdCrQ,11357
-fosslight_dependency-4.1.8.dist-info/LicenseRef-3rd_party_licenses.txt,sha256=EcsFt7aE1rp3OXAdJgmXayfOZdpRdBMcmRnyoqWMCsw,95687
-fosslight_dependency-4.1.8.dist-info/METADATA,sha256=t5oEFJ8QBw9OduU3e6TB_IaeC4EcABk13D9D0mfO87Q,4984
-fosslight_dependency-4.1.8.dist-info/MIT.txt,sha256=9cx4CbArgByWvkoEZNqpzbpJgA9TUe2D62rMocQpgfs,1082
-fosslight_dependency-4.1.8.dist-info/WHEEL,sha256=tZoeGjtWxWRfdplE7E3d45VPlLNQnvbKiYnx7gwAy8A,92
-fosslight_dependency-4.1.8.dist-info/entry_points.txt,sha256=e1QZbnCrQvfbwe9L6PxXnkRZMhl-PSo0QyUes0dGjU8,91
-fosslight_dependency-4.1.8.dist-info/top_level.txt,sha256=Jc0V7VcVCH0TEM8ksb8dwroTYz4AmRaQnlr3FB71Hcs,21
-fosslight_dependency-4.1.8.dist-info/RECORD,,
+fosslight_dependency-4.1.9.dist-info/Apache-2.0.txt,sha256=xx0jnfkXJvxRnG63LTGOxlggYnIysveWIZ6H3PNdCrQ,11357
+fosslight_dependency-4.1.9.dist-info/LICENSE,sha256=xx0jnfkXJvxRnG63LTGOxlggYnIysveWIZ6H3PNdCrQ,11357
+fosslight_dependency-4.1.9.dist-info/LicenseRef-3rd_party_licenses.txt,sha256=EcsFt7aE1rp3OXAdJgmXayfOZdpRdBMcmRnyoqWMCsw,95687
+fosslight_dependency-4.1.9.dist-info/METADATA,sha256=16aIkcJigbjdeWlh6yp9jFBwrQjjpEZR-yrpGA1ohDY,4984
+fosslight_dependency-4.1.9.dist-info/MIT.txt,sha256=9cx4CbArgByWvkoEZNqpzbpJgA9TUe2D62rMocQpgfs,1082
+fosslight_dependency-4.1.9.dist-info/WHEEL,sha256=tZoeGjtWxWRfdplE7E3d45VPlLNQnvbKiYnx7gwAy8A,92
+fosslight_dependency-4.1.9.dist-info/entry_points.txt,sha256=e1QZbnCrQvfbwe9L6PxXnkRZMhl-PSo0QyUes0dGjU8,91
+fosslight_dependency-4.1.9.dist-info/top_level.txt,sha256=Jc0V7VcVCH0TEM8ksb8dwroTYz4AmRaQnlr3FB71Hcs,21
+fosslight_dependency-4.1.9.dist-info/RECORD,,