java-dependency-analyzer 1.0.0__py3-none-any.whl

java_dependency_analyzer-1.0.0.dist-info/METADATA

@@ -0,0 +1,193 @@
+Metadata-Version: 2.4
+Name: java-dependency-analyzer
+Version: 1.0.0
+Summary: Java Dependency Analyzer is a tool that inspects dependencies.
+Author: Ron Webb
+Author-email: ron@ronella.xyz
+Requires-Python: >=3.14
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.14
+Requires-Dist: beautifulsoup4 (>=4.14.3,<5.0.0)
+Requires-Dist: click (>=8.3.1,<9.0.0)
+Requires-Dist: httpx (>=0.28.1,<0.29.0)
+Requires-Dist: jinja2 (>=3.1.6,<4.0.0)
+Requires-Dist: lxml (>=6.0.2,<7.0.0)
+Requires-Dist: python-dotenv (>=1.2.2,<2.0.0)
+Description-Content-Type: text/markdown
+
+# Java Dependency Analyzer 1.0.0
+
+> A Python CLI tool that inspects Java dependency hierarchies in Maven and Gradle projects and reports known vulnerabilities.
+
+## Prerequisites
+
+- Python `^3.14`
+- [Poetry](https://python-poetry.org/) `2.2`
+
+## Installation
+
+Clone the repository and install all dependencies:
+
+```bash
+git clone <repository-url>
+cd java-dependency-analyzer
+poetry install
+```
+
+## Usage
+
+```
+jda <COMMAND> [OPTIONS] [FILE]
+```
+
+`COMMAND` is one of `gradle` or `maven`.
+
+### gradle
+
+```
+jda gradle [OPTIONS] [FILE]
+```
+
+`FILE` is the path to a `build.gradle` or `build.gradle.kts` file.
+Omit `FILE` when supplying `--dependencies`.
+
+### maven
+
+```
+jda maven [OPTIONS] [FILE]
+```
+
+`FILE` is the path to a `pom.xml` file.
+Omit `FILE` when supplying `--dependencies`.
+
+### Options (both subcommands)
+
+| Option | Short | Default | Description |
+|---|---|---|---|
+| `--dependencies` | `-d` | | Path to a pre-resolved dependency tree text file (see below). When supplied, parsing and transitive resolution are skipped. |
+| `--output-format` | `-f` | `all` | Report format: `json`, `html`, or `all` (both). |
+| `--output-dir` | `-o` | `.` | Directory to write the report file(s) into. |
+| `--no-transitive` | | `false` | Skip transitive dependency resolution; analyse direct dependencies only. |
+| `--verbose` | `-v` | `false` | Print progress messages to the console. |
+| `--rebuild-cache` | | `false` | Delete the vulnerability cache before scanning. |
+| `--cache-ttl` | | `7` | Cache TTL in days. Set to `0` to disable caching. |
+
+### Pre-resolved dependency trees (`--dependencies`)
+
+When a Gradle or Maven project already has a dependency tree available (e.g. from CI), you can pass it directly to skip the parser and transitive resolver:
+
+- **Gradle**: generate with `gradle dependencies --configuration runtimeClasspath > gradle.txt`
+- **Maven**: generate with `mvn dependency:tree -Dscope=runtime > maven.txt`
+
+The report will reflect the exact tree from the file, including all transitive dependencies.
+
+### Examples
+
+Analyse a Maven POM and produce both JSON and HTML reports in the current directory:
+
+```bash
+jda maven pom.xml
+```
+
+Analyse a Gradle build file and write only an HTML report to `./reports/`:
+
+```bash
+jda gradle build.gradle -f html -o reports/
+```
+
+Analyse direct dependencies only, with verbose output:
+
+```bash
+jda gradle build.gradle.kts --no-transitive -v
+```
+
+Scan using a pre-resolved Gradle dependency tree (skips transitive resolution):
+
+```bash
+jda gradle --dependencies runtime.txt -f json -o reports/
+```
+
+Scan using a pre-resolved Maven dependency tree (skips transitive resolution):
+
+```bash
+jda maven --dependencies maven.txt -f json -o reports/
+```
+
+## Architecture
+
+```mermaid
+graph TD
+    CLI["jda CLI (cli.py)"] --> Parser["DependencyParser (ABC)"]
+    Parser --> MavenParser
+    Parser --> GradleParser
+    Parser --> MavenDepTreeParser
+    Parser --> GradleDepTreeParser
+    CLI --> Resolver["TransitiveResolver<br/>(Maven Central)"]
+    CLI --> Scanner["VulnerabilityScanner (ABC)"]
+    Scanner --> OsvScanner["OsvScanner<br/>(OSV.dev API)"]
+    Scanner --> GhsaScanner["GhsaScanner<br/>(GitHub Advisory DB)"]
+    OsvScanner --> Cache["VulnerabilityCache<br/>(SQLite)"]
+    GhsaScanner --> Cache
+    CLI --> Reporter["Reporter (ABC)"]
+    Reporter --> JsonReporter
+    Reporter --> HtmlReporter
+    MavenParser --> Dependency["Dependency / Vulnerability<br/>Dataclasses"]
+    GradleParser --> Dependency
+    MavenDepTreeParser --> Dependency
+    GradleDepTreeParser --> Dependency
+    Resolver --> Dependency
+    OsvScanner --> Dependency
+    GhsaScanner --> Dependency
+    JsonReporter --> ScanResult["ScanResult"]
+    HtmlReporter --> ScanResult
+    Dependency --> ScanResult
+```
+
+### Components
+
+| Component | Location | Responsibility |
+|---|---|---|
+| CLI | `java_dependency_analyzer/cli.py` | Entry point (`gradle` / `maven` subcommands); orchestrates parsing, resolving, scanning, and reporting. |
+| `MavenParser` | `parsers/maven_parser.py` | Parses `pom.xml`, resolves `${property}` placeholders, filters by runtime scope. |
+| `GradleParser` | `parsers/gradle_parser.py` | Parses Groovy DSL (`build.gradle`) and Kotlin DSL (`build.gradle.kts`) files. |
+| `MavenDepTreeParser` | `parsers/maven_dep_tree_parser.py` | Parses `mvn dependency:tree` text output into a full dependency tree. |
+| `GradleDepTreeParser` | `parsers/gradle_dep_tree_parser.py` | Parses `gradle dependencies` text output into a full dependency tree. |
+| `TransitiveResolver` | `resolvers/transitive.py` | Fetches transitive dependencies by downloading POM files from Maven Central. |
+| `OsvScanner` | `scanners/osv_scanner.py` | Queries the [OSV.dev](https://osv.dev/) batch API for known CVEs. |
+| `GhsaScanner` | `scanners/ghsa_scanner.py` | Queries the [GitHub Advisory Database](https://github.com/advisories) REST API for security advisories. |
+| `VulnerabilityCache` | `cache/vulnerability_cache.py` | SQLite-backed cache for raw vulnerability API payloads with configurable TTL. |
+| `DatabaseManager` | `cache/db.py` | Manages SQLite connection lifecycle and schema initialisation. |
+| `JsonReporter` | `reporters/json_reporter.py` | Writes a `ScanResult` to a JSON file. |
+| `HtmlReporter` | `reporters/html_reporter.py` | Renders a `ScanResult` to a styled HTML report via a Jinja2 template. |
+
+## Development Setup
+
+Install all dependencies (including dev tools):
+
+```bash
+poetry install
+```
+
+### Running Tests
+
+Run the full test suite with coverage and generate an HTML report:
+
+```bash
+poetry run pytest --cov=java_dependency_analyzer tests --cov-report html
+```
+
+### Code Quality
+
+Format and lint the source code (linter must score 10/10):
+
+```bash
+poetry run black java_dependency_analyzer
+poetry run pylint java_dependency_analyzer
+```
+
+## [Changelog](CHANGELOG.md)
+
+## Author
+
+Ron Webb &lt;ron@ronella.xyz&gt;
+

java_dependency_analyzer-1.0.0.dist-info/RECORD

@@ -0,0 +1,31 @@
+java_dependency_analyzer/__init__.py,sha256=EpB4TwrdyAgI-DXti4XEL9h_Oyh-8rEz5qirBYXWIi8,195
+java_dependency_analyzer/cache/__init__.py,sha256=aYA6IQDrIy1CT5oK-xMIpJD8T6OjJxoFKVgrkxCn3mc,180
+java_dependency_analyzer/cache/db.py,sha256=P0KiQ0xBuYpuPwIbQPoLndGuEF6xa-Be18HIunPHh-g,2587
+java_dependency_analyzer/cache/vulnerability_cache.py,sha256=zrnG_zz5SLUWri0BECBh_vj3bXEFcYkRCcJssNG9G78,4652
+java_dependency_analyzer/cli.py,sha256=38FEjTPkCe6PF3fh2TgeXwvEkdUG15hLU7SW3R4pzzA,12035
+java_dependency_analyzer/models/__init__.py,sha256=c3QcGrhU3PvUJK8ieOsRu0Yg8GJkKZAVy_eYooUp_mw,160
+java_dependency_analyzer/models/dependency.py,sha256=3GhONgGMJENjnAKei4PAmZs2x7BV2-TC6oaOpbcPUnY,1959
+java_dependency_analyzer/models/report.py,sha256=NrSA-gZzL-nQEFWrLfLnLbsKNZ0HZmE9qz_tfLmviyY,3088
+java_dependency_analyzer/parsers/__init__.py,sha256=H60uzvqYemaMMMeGVRVruK7RtcsPNFez-y_VIOqPZXY,182
+java_dependency_analyzer/parsers/base.py,sha256=E3gXoH6DAy5L-cQ8WpKYvhHwaUYxwR46CIm5E63Gcps,4448
+java_dependency_analyzer/parsers/gradle_dep_tree_parser.py,sha256=UuBJpQwM0IbqCGKCTXrnDliM9sNART3bpIfflZ3K1Ec,4117
+java_dependency_analyzer/parsers/gradle_parser.py,sha256=tTv-2Ilpfy_8W4UhatmDY01vOrCvKsy2Gan7uSyvMC8,7260
+java_dependency_analyzer/parsers/maven_dep_tree_parser.py,sha256=jCOdKm1mWl2QACaDovI6d9OUTQ3OyPLFV-a70XeE3Ww,3902
+java_dependency_analyzer/parsers/maven_parser.py,sha256=eKh8WVVk7Uei6dLfmN4dE_9-eDTgNqwi8BLxt0gZqws,5856
+java_dependency_analyzer/reporters/__init__.py,sha256=V7nGkhWKG-GQ3x8E_rOb8gMBFBYnLFAPhmSktiQUGPc,176
+java_dependency_analyzer/reporters/base.py,sha256=ezl10h9m8VpszpXpzQGcnr0HFf3i8lleamW_pakO7nc,622
+java_dependency_analyzer/reporters/html_reporter.py,sha256=4YxgXO8ugAvOKmdoTVpE-amCZDTSF8J5k356bp7Xedc,2433
+java_dependency_analyzer/reporters/json_reporter.py,sha256=czNu9j0gnIldRC_cG6QSEBOATz0j-0UMQvhbMfbiGB8,1464
+java_dependency_analyzer/reporters/templates/report.html,sha256=dgjCKjgVLOXMEUzBf--bgNP676FuKrCF1Re7CAAAtOY,16754
+java_dependency_analyzer/resolvers/__init__.py,sha256=q84AgNohGOqHLQLxhbdCrhGw4Mmkrt1aaVKpROdIdSA,179
+java_dependency_analyzer/resolvers/transitive.py,sha256=fdjrCyUVHF5hEnTb-jSh7s4Nbsv2HmKz9gzy1kwQFzg,9246
+java_dependency_analyzer/scanners/__init__.py,sha256=F4_80_IODnykYcV7Mi-CTY9G1FdUePBvpj659f344QY,171
+java_dependency_analyzer/scanners/base.py,sha256=U0UFb8K_MmhfKsrE4B0NL8oMLZuWjxZxTpmfZ3tjg80,2968
+java_dependency_analyzer/scanners/ghsa_scanner.py,sha256=e9nQ15mFIb55C1d6jfcoUp_6O7sHF6fuZqjioXIz9P8,7208
+java_dependency_analyzer/scanners/osv_scanner.py,sha256=Vt254ycCCFXHpdqNa0btjqny-hwT25ZuAwRTY-jUtSg,5531
+java_dependency_analyzer/util/__init__.py,sha256=WzQ4gay47jqw7SNw_Ce104KMtBq-Eo_tSUb9UxU4tRA,179
+java_dependency_analyzer/util/logger.py,sha256=Elaz_R7QWAlZPSIo7n5n3idZx3kQdoXzhgLVwmCSi-A,1230
+java_dependency_analyzer-1.0.0.dist-info/entry_points.txt,sha256=2eMOLE0P_M_73If4bQWTPoMceUjBONHPzG_exwjdIH8,57
+java_dependency_analyzer-1.0.0.dist-info/METADATA,sha256=QIDR1QH3r2y5YpvZeIkkBjXfBaGWHv6KuJ-o3PmXg1g,6463
+java_dependency_analyzer-1.0.0.dist-info/WHEEL,sha256=zp0Cn7JsFoX2ATtOhtaFYIiE2rmFAD4OcMhtUki8W3U,88
+java_dependency_analyzer-1.0.0.dist-info/RECORD,,

java_dependency_analyzer-1.0.0.dist-info/WHEEL

@@ -0,0 +1,4 @@
+Wheel-Version: 1.0
+Generator: poetry-core 2.2.1
+Root-Is-Purelib: true
+Tag: py3-none-any

java_dependency_analyzer-1.0.0.dist-info/entry_points.txt

@@ -0,0 +1,3 @@
+[console_scripts]
+jda=java_dependency_analyzer.cli:main
+