PyPI - java-dependency-analyzer - Versions diffs - 1.0.0__py3-none-any.whl - Mend

java-dependency-analyzer 1.0.0__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (31) hide show

java_dependency_analyzer/__init__.py +11 -0
java_dependency_analyzer/cache/__init__.py +11 -0
java_dependency_analyzer/cache/db.py +101 -0
java_dependency_analyzer/cache/vulnerability_cache.py +156 -0
java_dependency_analyzer/cli.py +394 -0
java_dependency_analyzer/models/__init__.py +11 -0
java_dependency_analyzer/models/dependency.py +80 -0
java_dependency_analyzer/models/report.py +108 -0
java_dependency_analyzer/parsers/__init__.py +11 -0
java_dependency_analyzer/parsers/base.py +150 -0
java_dependency_analyzer/parsers/gradle_dep_tree_parser.py +125 -0
java_dependency_analyzer/parsers/gradle_parser.py +206 -0
java_dependency_analyzer/parsers/maven_dep_tree_parser.py +123 -0
java_dependency_analyzer/parsers/maven_parser.py +182 -0
java_dependency_analyzer/reporters/__init__.py +11 -0
java_dependency_analyzer/reporters/base.py +33 -0
java_dependency_analyzer/reporters/html_reporter.py +82 -0
java_dependency_analyzer/reporters/json_reporter.py +52 -0
java_dependency_analyzer/reporters/templates/report.html +406 -0
java_dependency_analyzer/resolvers/__init__.py +11 -0
java_dependency_analyzer/resolvers/transitive.py +276 -0
java_dependency_analyzer/scanners/__init__.py +11 -0
java_dependency_analyzer/scanners/base.py +102 -0
java_dependency_analyzer/scanners/ghsa_scanner.py +204 -0
java_dependency_analyzer/scanners/osv_scanner.py +167 -0
java_dependency_analyzer/util/__init__.py +11 -0
java_dependency_analyzer/util/logger.py +48 -0
java_dependency_analyzer-1.0.0.dist-info/METADATA +193 -0
java_dependency_analyzer-1.0.0.dist-info/RECORD +31 -0
java_dependency_analyzer-1.0.0.dist-info/WHEEL +4 -0
java_dependency_analyzer-1.0.0.dist-info/entry_points.txt +3 -0

java_dependency_analyzer/parsers/maven_dep_tree_parser.py ADDED Viewed

@@ -0,0 +1,123 @@
+"""
+maven_dep_tree_parser module.
+Parses the text output of ``mvn dependency:tree`` to reconstruct
+the full dependency tree including transitive dependencies.
+:author: Ron Webb
+:since: 1.0.0
+"""
+import re
+from ..models.dependency import Dependency
+from ..util.logger import setup_logger
+from .base import DepTreeParser
+__author__ = "Ron Webb"
+__since__ = "1.0.0"
+_logger = setup_logger(__name__)
+# Maven tree output prefix on every INFO line
+_INFO_PREFIX = "[INFO] "
+_INFO_PREFIX_LEN = len(_INFO_PREFIX)
+# Each level of indentation is 3 characters wide ("|  " or "   ")
+_INDENT_UNIT = 3
+# Matches the tree connector at the start of a dependency after stripping [INFO]
+# Groups: (1) indent text, (2) connector "+- " or "\- ", (3) coordinate string
+_CONNECTOR_RE = re.compile(r"^((?:[|\\+]\s{2}|\s{3})*)[+\\]- (.+)$")
+# Matches Maven coordinates: group:artifact:type:version:scope
+_COORD_RE = re.compile(r"^([^:]+):([^:]+):[^:]+:([^:]+):([^:]+)$")
+class MavenDepTreeParser(DepTreeParser):
+    """
+    Parses the plain-text output of ``mvn dependency:tree`` and reconstructs
+    the dependency tree as a list of :class:`~java_dependency_analyzer.models.dependency.Dependency`
+    objects with nested ``transitive_dependencies``.
+    Only lines with a ``+- `` or ``\\- `` connector are interpreted as
+    dependency entries; all other lines (headers, the root artifact line,
+    ``[INFO] BUILD SUCCESS``, etc.) are silently skipped.
+    :author: Ron Webb
+    :since: 1.0.0
+    """
+    # ------------------------------------------------------------------
+    # Private helpers
+    # ------------------------------------------------------------------
+    def _line_to_entry(
+        self, line: str
+    ) -> tuple[int, bool, Dependency] | None:
+        """
+        Convert a single Maven dep-tree line to a ``(depth, is_leaf, dep)``
+        entry, or return *None* to skip the line.
+        :author: Ron Webb
+        :since: 1.0.0
+        """
+        stripped = self._strip_info_prefix(line)
+        if stripped is None:
+            return None
+        match = _CONNECTOR_RE.match(stripped)
+        if match is None:
+            return None
+        indent_str = match.group(1)
+        coord_str = match.group(2)
+        depth = len(indent_str) // _INDENT_UNIT
+        dep = self._parse_coordinate(coord_str, depth)
+        if dep is None:
+            return None
+        return depth, False, dep
+    def _strip_info_prefix(self, line: str) -> str | None:
+        """
+        Remove the ``[INFO] `` prefix from a Maven log line; return *None*
+        if the prefix is absent (i.e. the line is not a Maven INFO line).
+        :author: Ron Webb
+        :since: 1.0.0
+        """
+        if line.startswith(_INFO_PREFIX):
+            return line[_INFO_PREFIX_LEN:]
+        return None
+    def _parse_coordinate(self, coord_str: str, depth: int) -> Dependency | None:
+        """
+        Convert a Maven coordinate string (``group:artifact:type:version:scope``)
+        into a :class:`Dependency`.  Returns *None* if the string cannot be
+        parsed.
+        :author: Ron Webb
+        :since: 1.0.0
+        """
+        coord_match = _COORD_RE.match(coord_str.strip())
+        if coord_match is None:
+            _logger.debug("Could not parse Maven coordinate: %s", coord_str)
+            return None
+        group_id = coord_match.group(1).strip()
+        artifact_id = coord_match.group(2).strip()
+        version = coord_match.group(3).strip()
+        scope = coord_match.group(4).strip()
+        if not group_id or not artifact_id or not version:
+            return None
+        return Dependency(
+            group_id=group_id,
+            artifact_id=artifact_id,
+            version=version,
+            scope=scope,
+            depth=depth,
+        )

java_dependency_analyzer/parsers/maven_parser.py ADDED Viewed

@@ -0,0 +1,182 @@
+"""
+maven_parser module.
+Parses Maven pom.xml files to extract runtime dependencies.
+:author: Ron Webb
+:since: 1.0.0
+"""
+import re
+from lxml import etree
+from ..models.dependency import Dependency
+from ..util.logger import setup_logger
+from .base import DependencyParser, RUNTIME_SCOPES
+__author__ = "Ron Webb"
+__since__ = "1.0.0"
+_logger = setup_logger(__name__)
+# POM XML namespace
+_POM_NS = "http://maven.apache.org/POM/4.0.0"
+class MavenParser(DependencyParser):
+    """
+    Parses a Maven pom.xml file and extracts runtime dependencies.
+    Handles property placeholder substitution (e.g., ${project.version})
+    and filters to compile/runtime scopes only.
+    :author: Ron Webb
+    :since: 1.0.0
+    """
+    def parse(self, file_path: str) -> list[Dependency]:
+        """
+        Parse the given pom.xml file and return a list of direct dependencies.
+        :author: Ron Webb
+        :since: 1.0.0
+        """
+        _logger.info("Parsing Maven POM: %s", file_path)
+        try:
+            tree = etree.parse(file_path)  # nosec B320  # pylint: disable=c-extension-no-member
+        except etree.XMLSyntaxError as exc:  # pylint: disable=c-extension-no-member
+            _logger.error("Failed to parse POM XML: %s", exc)
+            return []
+        root = tree.getroot()
+        namespace = self._detect_namespace(root)
+        properties = self._extract_properties(root, namespace)
+        return self._extract_dependencies(root, namespace, properties)
+    def _detect_namespace(self, root: etree._Element) -> dict[str, str]:
+        """
+        Detect whether the POM uses the standard Maven namespace or none.
+        :author: Ron Webb
+        :since: 1.0.0
+        """
+        if root.tag.startswith("{"):
+            return {"m": _POM_NS}
+        return {}
+    def _tag(self, name: str, namespace: dict[str, str]) -> str:
+        """
+        Return the namespaced or plain tag name for an element lookup.
+        :author: Ron Webb
+        :since: 1.0.0
+        """
+        if namespace:
+            return f"{{{_POM_NS}}}{name}"
+        return name
+    def _extract_properties(
+        self, root: etree._Element, namespace: dict[str, str]
+    ) -> dict[str, str]:
+        """
+        Extract all <properties> entries from the POM for variable substitution.
+        :author: Ron Webb
+        :since: 1.0.0
+        """
+        props: dict[str, str] = {}
+        props_el = root.find(self._tag("properties", namespace))
+        if props_el is not None:
+            for child in props_el:
+                local = etree.QName(child.tag).localname  # pylint: disable=c-extension-no-member
+                if child.text:
+                    props[local] = child.text.strip()
+        # Add standard project coordinates as substitutable properties
+        for coord in ("groupId", "artifactId", "version"):
+            coord_el = root.find(self._tag(coord, namespace))
+            if coord_el is not None and coord_el.text:
+                props[f"project.{coord}"] = coord_el.text.strip()
+                props[coord] = coord_el.text.strip()
+        return props
+    def _resolve_value(self, value: str, properties: dict[str, str]) -> str:
+        """
+        Replace ${property} placeholders with values from the properties map.
+        :author: Ron Webb
+        :since: 1.0.0
+        """
+        pattern = re.compile(r"\$\{([^}]+)\}")
+        for match in pattern.finditer(value):
+            key = match.group(1)
+            replacement = properties.get(key, "")
+            value = value.replace(match.group(0), replacement)
+        return value
+    def _extract_dependencies(
+        self,
+        root: etree._Element,
+        namespace: dict[str, str],
+        properties: dict[str, str],
+    ) -> list[Dependency]:
+        """
+        Extract <dependency> elements, filter by scope, and return Dependency objects.
+        :author: Ron Webb
+        :since: 1.0.0
+        """
+        deps: list[Dependency] = []
+        deps_container = root.find(self._tag("dependencies", namespace))
+        if deps_container is None:
+            return deps
+        for dep_el in deps_container.findall(self._tag("dependency", namespace)):
+            dep = self._parse_dependency_element(dep_el, namespace, properties)
+            if dep is not None:
+                deps.append(dep)
+        return deps
+    def _parse_dependency_element(
+        self,
+        dep_el: etree._Element,
+        namespace: dict[str, str],
+        properties: dict[str, str],
+    ) -> Dependency | None:
+        """
+        Parse a single <dependency> element into a Dependency object.
+        Returns None if the dependency should be skipped (wrong scope, missing fields).
+        :author: Ron Webb
+        :since: 1.0.0
+        """
+        def text(tag: str) -> str:
+            child_el = dep_el.find(self._tag(tag, namespace))
+            raw = child_el.text.strip() if child_el is not None and child_el.text else ""
+            return self._resolve_value(raw, properties)
+        group_id = text("groupId")
+        artifact_id = text("artifactId")
+        version = text("version")
+        scope = text("scope") or "compile"
+        if not group_id or not artifact_id:
+            return None
+        if scope not in RUNTIME_SCOPES:
+            _logger.debug("Skipping dependency %s:%s (scope=%s)", group_id, artifact_id, scope)
+            return None
+        if not version:
+            _logger.warning("No version for %s:%s — skipping", group_id, artifact_id)
+            return None
+        return Dependency(
+            group_id=group_id,
+            artifact_id=artifact_id,
+            version=version,
+            scope=scope,
+        )

java_dependency_analyzer/reporters/__init__.py ADDED Viewed

@@ -0,0 +1,11 @@
+"""
+reporters package.
+Provides output formatters for vulnerability scan results.
+:author: Ron Webb
+:since: 1.0.0
+"""
+__author__ = "Ron Webb"
+__since__ = "1.0.0"

java_dependency_analyzer/reporters/base.py ADDED Viewed

@@ -0,0 +1,33 @@
+"""
+base module.
+Defines the abstract base class for scan result reporters.
+:author: Ron Webb
+:since: 1.0.0
+"""
+from abc import ABC, abstractmethod
+from ..models.report import ScanResult
+__author__ = "Ron Webb"
+__since__ = "1.0.0"
+class Reporter(ABC):
+    """
+    Abstract base class for all scan result reporters.
+    :author: Ron Webb
+    :since: 1.0.0
+    """
+    @abstractmethod
+    def report(self, result: ScanResult, output_path: str) -> None:
+        """
+        Write the scan result to the given output path.
+        :author: Ron Webb
+        :since: 1.0.0
+        """

java_dependency_analyzer/reporters/html_reporter.py ADDED Viewed

@@ -0,0 +1,82 @@
+"""
+html_reporter module.
+Renders vulnerability scan results as an HTML report using Jinja2.
+:author: Ron Webb
+:since: 1.0.0
+"""
+from pathlib import Path
+from jinja2 import Environment, FileSystemLoader, select_autoescape
+from ..models.dependency import Dependency
+from ..models.report import ScanResult
+from ..util.logger import setup_logger
+from .base import Reporter
+__author__ = "Ron Webb"
+__since__ = "1.0.0"
+_logger = setup_logger(__name__)
+_TEMPLATES_DIR = Path(__file__).parent / "templates"
+class HtmlReporter(Reporter):
+    """
+    Renders a ScanResult to an HTML report file using the Jinja2 template engine.
+    :author: Ron Webb
+    :since: 1.0.0
+    """
+    def __init__(self) -> None:
+        """
+        Initialise the Jinja2 environment pointing at the bundled templates directory.
+        :author: Ron Webb
+        :since: 1.0.0
+        """
+        self._env = Environment(
+            loader=FileSystemLoader(str(_TEMPLATES_DIR)),
+            autoescape=select_autoescape(["html"]),
+        )
+    def report(self, result: ScanResult, output_path: str) -> None:
+        """
+        Render the scan result to an HTML file at the given output path.
+        :author: Ron Webb
+        :since: 1.0.0
+        """
+        template = self._env.get_template("report.html")
+        all_deps = self._flatten_dependencies(result.dependencies)
+        html = template.render(result=result, all_deps=all_deps)
+        _logger.info("Writing HTML report to %s", output_path)
+        with open(output_path, "w", encoding="utf-8") as file_handle:
+            file_handle.write(html)
+        _logger.info("HTML report written: %s", output_path)
+    def _flatten_dependencies(self, deps: list[Dependency]) -> list[Dependency]:
+        """
+        Flatten the dependency tree into a single ordered list for tabular display.
+        :author: Ron Webb
+        :since: 1.0.0
+        """
+        result: list[Dependency] = []
+        self._collect(deps, result)
+        return result
+    def _collect(self, deps: list[Dependency], result: list[Dependency]) -> None:
+        """
+        Recursively append dependencies to the result list (pre-order traversal).
+        :author: Ron Webb
+        :since: 1.0.0
+        """
+        for dep in deps:
+            result.append(dep)
+            self._collect(dep.transitive_dependencies, result)

java_dependency_analyzer/reporters/json_reporter.py ADDED Viewed

@@ -0,0 +1,52 @@
+"""
+json_reporter module.
+Writes vulnerability scan results to a JSON file.
+:author: Ron Webb
+:since: 1.0.0
+"""
+import json
+from dataclasses import asdict
+from ..models.report import ScanResult
+from ..util.logger import setup_logger
+from .base import Reporter
+__author__ = "Ron Webb"
+__since__ = "1.0.0"
+_logger = setup_logger(__name__)
+class JsonReporter(Reporter):
+    """
+    Serialises a ScanResult to a formatted JSON file.
+    :author: Ron Webb
+    :since: 1.0.0
+    """
+    def report(self, result: ScanResult, output_path: str) -> None:
+        """
+        Write the scan result as pretty-printed JSON to the given path.
+        :author: Ron Webb
+        :since: 1.0.0
+        """
+        data = {
+            "source_file": result.source_file,
+            "scanned_at": result.scanned_at,
+            "summary": {
+                "total_dependencies": result.total_dependencies,
+                "total_vulnerabilities": result.total_vulnerabilities,
+                "vulnerable_dependency_count": len(result.vulnerable_dependencies),
+            },
+            "dependencies": [asdict(dep) for dep in result.dependencies],
+        }
+        _logger.info("Writing JSON report to %s", output_path)
+        with open(output_path, "w", encoding="utf-8") as file_handle:
+            json.dump(data, file_handle, indent=2, default=str)
+        _logger.info("JSON report written: %s", output_path)