PyPI - java-dependency-analyzer - Versions diffs - 1.1.0__tar.gz → 1.1.1__tar.gz - Mend

java-dependency-analyzer 1.1.0tar.gz → 1.1.1tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (32) hide show

{java_dependency_analyzer-1.1.0 → java_dependency_analyzer-1.1.1}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: java-dependency-analyzer
-Version: 1.1.0
+Version: 1.1.1
 Summary: Java Dependency Analyzer is a tool that inspects dependencies.
 License: MIT License
@@ -38,7 +38,7 @@ Requires-Dist: lxml (>=6.0.2,<7.0.0)
 Requires-Dist: python-dotenv (>=1.2.2,<2.0.0)
 Description-Content-Type: text/markdown
-# Java Dependency Analyzer 1.1.0
+# Java Dependency Analyzer 1.1.1
 > A Python CLI tool that inspects Java dependency hierarchies in Maven and Gradle projects and reports known vulnerabilities.
@@ -198,7 +198,7 @@ graph TD
 | `GradleDepTreeParser` | `parsers/gradle_dep_tree_parser.py` | Parses `gradle dependencies` text output into a full dependency tree. |
 | `TransitiveResolver` | `resolvers/transitive.py` | Fetches transitive dependencies by downloading POM files from Maven Central. |
 | `OsvScanner` | `scanners/osv_scanner.py` | Queries the [OSV.dev](https://osv.dev/) batch API for known CVEs. |
-| `GhsaScanner` | `scanners/ghsa_scanner.py` | Queries the [GitHub Advisory Database](https://github.com/advisories) REST API for security advisories. |
+| `GhsaScanner` | `scanners/ghsa_scanner.py` | Queries the [GitHub Advisory Database](https://github.com/advisories) REST API for security advisories; automatically falls back to OSV when rate-limited (HTTP 403/429). |
 | `VulnerabilityCache` | `cache/vulnerability_cache.py` | SQLite-backed cache for raw vulnerability API payloads with configurable TTL. |
 | `DatabaseManager` | `cache/db.py` | Manages SQLite connection lifecycle and schema initialisation. |
 | `JsonReporter` | `reporters/json_reporter.py` | Writes a `ScanResult` to a JSON file. |

{java_dependency_analyzer-1.1.0 → java_dependency_analyzer-1.1.1}/README.md RENAMED Viewed

@@ -1,4 +1,4 @@
-# Java Dependency Analyzer 1.1.0
+# Java Dependency Analyzer 1.1.1
 > A Python CLI tool that inspects Java dependency hierarchies in Maven and Gradle projects and reports known vulnerabilities.
@@ -158,7 +158,7 @@ graph TD
 | `GradleDepTreeParser` | `parsers/gradle_dep_tree_parser.py` | Parses `gradle dependencies` text output into a full dependency tree. |
 | `TransitiveResolver` | `resolvers/transitive.py` | Fetches transitive dependencies by downloading POM files from Maven Central. |
 | `OsvScanner` | `scanners/osv_scanner.py` | Queries the [OSV.dev](https://osv.dev/) batch API for known CVEs. |
-| `GhsaScanner` | `scanners/ghsa_scanner.py` | Queries the [GitHub Advisory Database](https://github.com/advisories) REST API for security advisories. |
+| `GhsaScanner` | `scanners/ghsa_scanner.py` | Queries the [GitHub Advisory Database](https://github.com/advisories) REST API for security advisories; automatically falls back to OSV when rate-limited (HTTP 403/429). |
 | `VulnerabilityCache` | `cache/vulnerability_cache.py` | SQLite-backed cache for raw vulnerability API payloads with configurable TTL. |
 | `DatabaseManager` | `cache/db.py` | Manages SQLite connection lifecycle and schema initialisation. |
 | `JsonReporter` | `reporters/json_reporter.py` | Writes a `ScanResult` to a JSON file. |

{java_dependency_analyzer-1.1.0 → java_dependency_analyzer-1.1.1}/java_dependency_analyzer/cli.py RENAMED Viewed

@@ -381,7 +381,17 @@ def _scan_all(
     for dep in dependencies:
         if verbose:
             click.echo(f"  Scanning {dep.coordinates}...")
-        ghsa_vulns = ghsa.scan(dep)
+        if not ghsa.rate_limited:
+            ghsa_vulns = ghsa.scan(dep)
+            if ghsa.rate_limited:
+                click.echo(
+                    "  GHSA rate limit exceeded; "
+                    "falling back to OSV for remaining dependencies.",
+                    err=True,
+                )
+                ghsa_vulns = []
+        else:
+            ghsa_vulns = []
         dep.vulnerabilities = ghsa_vulns if ghsa_vulns else osv.scan(dep)
         _scan_all(dep.transitive_dependencies, osv, ghsa, verbose)

{java_dependency_analyzer-1.1.0 → java_dependency_analyzer-1.1.1}/java_dependency_analyzer/parsers/gradle_dep_tree_parser.py RENAMED Viewed

@@ -1,123 +1,160 @@
-"""
-gradle_dep_tree_parser module.
-Parses the text output of ``gradle dependencies`` to reconstruct
-the full dependency tree including transitive dependencies.
-:author: Ron Webb
-:since: 1.0.0
-"""
-import re
-from ..models.dependency import Dependency
-from ..util.logger import setup_logger
-from .base import DepTreeParser
-__author__ = "Ron Webb"
-__since__ = "1.0.0"
-_logger = setup_logger(__name__)
-# Matches the tree connector characters at the start of a dependency line.
-# Each level of indentation is exactly 5 characters wide ("     " or "|    ").
-_INDENT_UNIT = 5
-_CONNECTOR_RE = re.compile(r"^((?:[|\\+]\s{3,4}|\s{5})*)([+\\])--- (.+)$")
-# Matches a resolved version arrow, e.g. "1.0 -> 2.0" or "RELEASE -> 4.16.0"
-_VERSION_ARROW_RE = re.compile(r"\s*->\s*(\S+)$")
-# Suffix appended to repeated subtree roots by Gradle
-_REPEATED_SUFFIX = " (*)"
-# Lines annotated as constraints (not actual dependencies)
-_CONSTRAINT_SUFFIX = " (c)"
-# Gradle coordinates: group:artifact:version
-_COORD_RE = re.compile(r"^([^:]+):([^:]+):(.+)$")
-class GradleDepTreeParser(DepTreeParser):
-    """
-    Parses the plain-text output of ``gradle dependencies`` and reconstructs
-    the dependency tree as a list of :class:`~java_dependency_analyzer.models.dependency.Dependency`
-    objects with nested ``transitive_dependencies``.
-    The parser is format-agnostic regarding the configuration name; it processes
-    the first dependency-tree block it encounters.  Users should redirect the
-    output of the configuration they care about (e.g. ``runtimeClasspath``) into
-    a text file and pass that file here.
-    :author: Ron Webb
-    :since: 1.0.0
-    """
-    # ------------------------------------------------------------------
-    # Private helpers
-    # ------------------------------------------------------------------
-    def _line_to_entry(self, line: str) -> tuple[int, bool, Dependency] | None:
-        """
-        Convert a single Gradle dep-tree line to a ``(depth, is_leaf, dep)``
-        entry, or return *None* to skip the line.
-        :author: Ron Webb
-        :since: 1.0.0
-        """
-        if line.rstrip().endswith(_CONSTRAINT_SUFFIX):
-            return None
-        match = _CONNECTOR_RE.match(line)
-        if match is None:
-            return None
-        indent_str, coord_str = match.group(1), match.group(3)
-        depth = len(indent_str) // _INDENT_UNIT
-        is_leaf = coord_str.endswith(_REPEATED_SUFFIX)
-        if is_leaf:
-            coord_str = coord_str[: -len(_REPEATED_SUFFIX)]
-        dep = self._parse_coordinate(coord_str, depth)
-        if dep is None:
-            return None
-        return depth, is_leaf, dep
-    def _parse_coordinate(self, coord_str: str, depth: int) -> Dependency | None:
-        """
-        Convert a Gradle coordinate string (with optional ``->`` resolution)
-        into a :class:`Dependency`.  Returns *None* if the string cannot be
-        parsed.
-        :author: Ron Webb
-        :since: 1.0.0
-        """
-        # Resolve version arrows: "group:artifact:1.0 -> 2.0"
-        arrow_match = _VERSION_ARROW_RE.search(coord_str)
-        if arrow_match:
-            resolved_version = arrow_match.group(1)
-            # Strip the arrow portion from the coordinate
-            coord_str = coord_str[: arrow_match.start()]
-        else:
-            resolved_version = None
-        coord_match = _COORD_RE.match(coord_str.strip())
-        if coord_match is None:
-            _logger.debug("Could not parse coordinate: %s", coord_str)
-            return None
-        group_id = coord_match.group(1).strip()
-        artifact_id = coord_match.group(2).strip()
-        version = resolved_version or coord_match.group(3).strip()
-        if not group_id or not artifact_id or not version:
-            return None
-        return Dependency(
-            group_id=group_id,
-            artifact_id=artifact_id,
-            version=version,
-            scope="runtime",
-            depth=depth,
-        )
+"""
+gradle_dep_tree_parser module.
+Parses the text output of ``gradle dependencies`` to reconstruct
+the full dependency tree including transitive dependencies.
+:author: Ron Webb
+:since: 1.0.0
+"""
+import re
+from ..models.dependency import Dependency
+from ..util.logger import setup_logger
+from .base import DepTreeParser
+__author__ = "Ron Webb"
+__since__ = "1.0.0"
+_logger = setup_logger(__name__)
+# Matches the tree connector characters at the start of a dependency line.
+# Each level of indentation is exactly 5 characters wide ("     " or "|    ").
+_INDENT_UNIT = 5
+_CONNECTOR_RE = re.compile(r"^((?:[|\\+]\s{3,4}|\s{5})*)([+\\])--- (.+)$")
+# Matches a resolved version arrow, e.g. "1.0 -> 2.0", "RELEASE -> 4.16.0", or "artifact -> 4.16.0"
+_VERSION_ARROW_RE = re.compile(r"\s*->\s*(\S+)$")
+# Gradle coordinates without an explicit version: group:artifact (version comes from arrow)
+_COORD_NO_VERSION_RE = re.compile(r"^([^:]+):([^:]+)$")
+# Suffix appended to repeated subtree roots by Gradle
+_REPEATED_SUFFIX = " (*)"
+# Lines annotated as constraints (not actual dependencies)
+_CONSTRAINT_SUFFIX = " (c)"
+# Gradle coordinates: group:artifact:version
+_COORD_RE = re.compile(r"^([^:]+):([^:]+):(.+)$")
+class GradleDepTreeParser(DepTreeParser):
+    """
+    Parses the plain-text output of ``gradle dependencies`` and reconstructs
+    the dependency tree as a list of :class:`~java_dependency_analyzer.models.dependency.Dependency`
+    objects with nested ``transitive_dependencies``.
+    The parser is format-agnostic regarding the configuration name; it processes
+    the first dependency-tree block it encounters.  Users should redirect the
+    output of the configuration they care about (e.g. ``runtimeClasspath``) into
+    a text file and pass that file here.
+    :author: Ron Webb
+    :since: 1.0.0
+    """
+    def __init__(self) -> None:
+        """
+        Initialise the parser with an empty version-resolution cache.
+        :author: Ron Webb
+        :since: 1.1.1
+        """
+        # Maps (group_id, artifact_id) -> resolved version from a -> arrow
+        self._resolutions: dict[tuple[str, str], str] = {}
+    def parse(self, file_path: str) -> list[Dependency]:
+        """
+        Reset the resolution cache and delegate to the base parser.
+        :author: Ron Webb
+        :since: 1.1.1
+        """
+        self._resolutions = {}
+        return super().parse(file_path)
+    # ------------------------------------------------------------------
+    # Private helpers
+    # ------------------------------------------------------------------
+    def _line_to_entry(self, line: str) -> tuple[int, bool, Dependency] | None:
+        """
+        Convert a single Gradle dep-tree line to a ``(depth, is_leaf, dep)``
+        entry, or return *None* to skip the line.
+        :author: Ron Webb
+        :since: 1.0.0
+        """
+        if line.rstrip().endswith(_CONSTRAINT_SUFFIX):
+            return None
+        match = _CONNECTOR_RE.match(line)
+        if match is None:
+            return None
+        indent_str, coord_str = match.group(1), match.group(3)
+        depth = len(indent_str) // _INDENT_UNIT
+        is_leaf = coord_str.endswith(_REPEATED_SUFFIX)
+        if is_leaf:
+            coord_str = coord_str[: -len(_REPEATED_SUFFIX)]
+        dep = self._parse_coordinate(coord_str, depth)
+        if dep is None:
+            return None
+        return depth, is_leaf, dep
+    def _parse_coordinate(self, coord_str: str, depth: int) -> Dependency | None:
+        """
+        Convert a Gradle coordinate string (with optional ``->`` resolution)
+        into a :class:`Dependency`.  Returns *None* if the string cannot be
+        parsed.
+        :author: Ron Webb
+        :since: 1.0.0
+        """
+        # Resolve version arrows: "group:artifact:1.0 -> 2.0" or "group:artifact -> 2.0"
+        arrow_match = _VERSION_ARROW_RE.search(coord_str)
+        if arrow_match:
+            resolved_version = arrow_match.group(1)
+            # Strip the arrow portion from the coordinate
+            coord_str = coord_str[: arrow_match.start()]
+        else:
+            resolved_version = None
+        coord_str = coord_str.strip()
+        coord_match = _COORD_RE.match(coord_str)
+        if coord_match is not None:
+            group_id = coord_match.group(1).strip()
+            artifact_id = coord_match.group(2).strip()
+            version = resolved_version or coord_match.group(3).strip()
+        else:
+            # Handle "group:artifact -> version" (no version before the arrow)
+            no_ver_match = _COORD_NO_VERSION_RE.match(coord_str)
+            if no_ver_match and resolved_version:
+                group_id = no_ver_match.group(1).strip()
+                artifact_id = no_ver_match.group(2).strip()
+                version = resolved_version
+            else:
+                _logger.debug("Could not parse coordinate: %s", coord_str)
+                return None
+        if not group_id or not artifact_id or not version:
+            return None
+        # Store the resolved version the first time a -> arrow is seen for this artifact
+        if resolved_version:
+            self._resolutions[(group_id, artifact_id)] = resolved_version
+        # Apply any cached resolution so (*) repeated entries use the resolved version
+        version = self._resolutions.get((group_id, artifact_id), version)
+        return Dependency(
+            group_id=group_id,
+            artifact_id=artifact_id,
+            version=version,
+            scope="runtime",
+            depth=depth,
+        )

{java_dependency_analyzer-1.1.0 → java_dependency_analyzer-1.1.1}/java_dependency_analyzer/scanners/ghsa_scanner.py RENAMED Viewed

@@ -1,205 +1,224 @@
-"""
-ghsa_scanner module.
-Queries the GitHub Advisory Database REST API to get vulnerability information
-for Maven packages.
-:author: Ron Webb
-:since: 1.0.0
-"""
-import json
-import os
-import httpx
-from dotenv import load_dotenv
-from ..cache.vulnerability_cache import VulnerabilityCache
-from ..models.dependency import Dependency, Vulnerability
-from ..util.logger import setup_logger
-from .base import VulnerabilityScanner
-__author__ = "Ron Webb"
-__since__ = "1.0.0"
-load_dotenv()
-_logger = setup_logger(__name__)
-_GHSA_API_URL = "https://api.github.com/advisories"
-_ACCEPT_HEADER = "application/vnd.github+json"
-_API_VERSION_HEADER = "2022-11-28"
-class GhsaScanner(VulnerabilityScanner):
-    """
-    Queries the GitHub Advisory Database REST API (https://api.github.com/advisories)
-    to find reviewed security advisories for a given Maven dependency version.
-    Supports optional authentication via the ``GITHUB_TOKEN`` environment variable to
-    increase the API rate limit from 60 to 5000 requests per hour.
-    :author: Ron Webb
-    :since: 1.0.0
-    """
-    def __init__(
-        self,
-        client: httpx.Client | None = None,
-        cache: VulnerabilityCache | None = None,
-    ) -> None:
-        """
-        Initialise the scanner with an optional shared httpx client and cache.
-        If ``GITHUB_TOKEN`` is set in the environment, it is forwarded as a
-        ``Bearer`` token to raise the GitHub API rate limit.
-        When *cache* is provided, scan results are read from and written to it.
-        :author: Ron Webb
-        :since: 1.0.0
-        """
-        headers = {
-            "Accept": _ACCEPT_HEADER,
-            "X-GitHub-Api-Version": _API_VERSION_HEADER,
-        }
-        token = os.environ.get("GITHUB_TOKEN")
-        if token:
-            headers["Authorization"] = f"Bearer {token}"
-        self._client = client or httpx.Client(timeout=30, headers=headers)
-        self._cache = cache
-    def scan(self, dependency: Dependency) -> list[Vulnerability]:
-        """
-        Query the GitHub Advisory Database for advisories affecting this dependency.
-        Checks the cache first when one is configured; only calls the API on a
-        cache miss and stores the raw response on success.
-        Uses the ``affects`` query parameter with ``group:artifact@version`` notation
-        and filters by ``ecosystem=maven`` and ``type=reviewed``.
-        :author: Ron Webb
-        :since: 1.0.0
-        """
-        _logger.debug("Querying GHSA for %s", dependency.coordinates)
-        cached = self._get_cached("ghsa", dependency)
-        if cached is not None:
-            return self._apply_cache_source(cached, "ghsa")
-        affects = f"{dependency.group_id}:{dependency.artifact_id}@{dependency.version}"
-        params = {
-            "ecosystem": "maven",
-            "affects": affects,
-            "type": "reviewed",
-        }
-        try:
-            response = self._client.get(_GHSA_API_URL, params=params)
-            if response.status_code == 429:
-                _logger.warning(
-                    "GitHub Advisory API rate limit exceeded for %s",
-                    dependency.coordinates,
-                )
-                return []
-            response.raise_for_status()
-            data = response.json()
-        except httpx.HTTPError as exc:
-            _logger.warning("GHSA query failed for %s: %s", dependency.coordinates, exc)
-            return []
-        self._put_cached("ghsa", dependency, json.dumps(data))
-        return self._parse_response(data)
-    def _parse_response(self, data: list) -> list[Vulnerability]:
-        """
-        Parse the GitHub Advisory API response (a JSON array) into Vulnerability objects.
-        :author: Ron Webb
-        :since: 1.0.0
-        """
-        vulns: list[Vulnerability] = []
-        for advisory in data:
-            vuln_obj = self._parse_advisory(advisory)
-            if vuln_obj is not None:
-                vulns.append(vuln_obj)
-        return vulns
-    def _parse_advisory(self, advisory: dict) -> Vulnerability | None:
-        """
-        Convert a single GitHub Advisory dict into a Vulnerability object.
-        The ``cve_id`` field prefers the CVE identifier when available and falls
-        back to the GHSA identifier so every returned advisory has a unique ID.
-        :author: Ron Webb
-        :since: 1.0.0
-        """
-        ghsa_id = advisory.get("ghsa_id", "UNKNOWN")
-        cve_id = advisory.get("cve_id") or ghsa_id
-        summary = advisory.get("summary", "No summary available")
-        severity = self._extract_severity(advisory)
-        affected_versions = self._extract_affected_versions(advisory)
-        reference_url = advisory.get("html_url", "")
-        return Vulnerability(
-            cve_id=cve_id,
-            summary=summary,
-            severity=severity,
-            affected_versions=affected_versions,
-            source="ghsa",
-            reference_url=reference_url,
-        )
-    def _extract_severity(self, advisory: dict) -> str:
-        """
-        Extract a human-readable severity string from a GitHub Advisory entry.
-        Tries, in order:
-        1. The top-level ``severity`` label (e.g. ``"high"``, ``"critical"``).
-        2. The CVSS v4 score from ``cvss_severities.cvss_v4.score``.
-        3. The CVSS v3 score from ``cvss_severities.cvss_v3.score``.
-        4. The legacy ``cvss.score`` field.
-        :author: Ron Webb
-        :since: 1.0.0
-        """
-        label = advisory.get("severity")
-        if label and label not in ("", "unknown"):
-            return label.upper()
-        cvss_severities = advisory.get("cvss_severities", {})
-        for key in ("cvss_v4", "cvss_v3"):
-            score = (cvss_severities.get(key) or {}).get("score")
-            if score is not None:
-                return str(score)
-        legacy_score = (advisory.get("cvss") or {}).get("score")
-        if legacy_score is not None:
-            return str(legacy_score)
-        return "UNKNOWN"
-    def _extract_affected_versions(self, advisory: dict) -> list[str]:
-        """
-        Extract affected version range strings from a GitHub Advisory entry.
-        Each entry in ``vulnerabilities`` may carry a ``vulnerable_version_range``
-        string (e.g. ``"< 2.17.0"`` or ``">= 2.0.0, < 2.15.0"``).  The method
-        splits compound ranges on commas so the returned list contains individual
-        constraint tokens.
-        :author: Ron Webb
-        :since: 1.0.0
-        """
-        affected_versions: list[str] = []
-        seen: set[str] = set()
-        for vuln_entry in advisory.get("vulnerabilities", []):
-            version_range = vuln_entry.get("vulnerable_version_range")
-            if not version_range:
-                continue
-            for part in version_range.split(","):
-                constraint = part.strip()
-                if constraint and constraint not in seen:
-                    affected_versions.append(constraint)
-                    seen.add(constraint)
-        return affected_versions
+"""
+ghsa_scanner module.
+Queries the GitHub Advisory Database REST API to get vulnerability information
+for Maven packages.
+:author: Ron Webb
+:since: 1.0.0
+"""
+import json
+import os
+import httpx
+from dotenv import load_dotenv
+from ..cache.vulnerability_cache import VulnerabilityCache
+from ..models.dependency import Dependency, Vulnerability
+from ..util.logger import setup_logger
+from .base import VulnerabilityScanner
+__author__ = "Ron Webb"
+__since__ = "1.0.0"
+load_dotenv()
+_logger = setup_logger(__name__)
+_GHSA_API_URL = "https://api.github.com/advisories"
+_ACCEPT_HEADER = "application/vnd.github+json"
+_API_VERSION_HEADER = "2022-11-28"
+class GhsaScanner(VulnerabilityScanner):
+    """
+    Queries the GitHub Advisory Database REST API (https://api.github.com/advisories)
+    to find reviewed security advisories for a given Maven dependency version.
+    Supports optional authentication via the ``GITHUB_TOKEN`` environment variable to
+    increase the API rate limit from 60 to 5000 requests per hour.
+    :author: Ron Webb
+    :since: 1.0.0
+    """
+    def __init__(
+        self,
+        client: httpx.Client | None = None,
+        cache: VulnerabilityCache | None = None,
+    ) -> None:
+        """
+        Initialise the scanner with an optional shared httpx client and cache.
+        If ``GITHUB_TOKEN`` is set in the environment, it is forwarded as a
+        ``Bearer`` token to raise the GitHub API rate limit.
+        When *cache* is provided, scan results are read from and written to it.
+        :author: Ron Webb
+        :since: 1.0.0
+        """
+        headers = {
+            "Accept": _ACCEPT_HEADER,
+            "X-GitHub-Api-Version": _API_VERSION_HEADER,
+        }
+        token = os.environ.get("GITHUB_TOKEN")
+        if token:
+            headers["Authorization"] = f"Bearer {token}"
+        self._client = client or httpx.Client(timeout=30, headers=headers)
+        self._cache = cache
+        self._rate_limited: bool = False
+    @property
+    def rate_limited(self) -> bool:
+        """
+        Return ``True`` once the GitHub Advisory API has responded with a
+        rate-limit error (HTTP 403 or 429) so callers can skip further requests.
+        :author: Ron Webb
+        :since: 1.1.1
+        """
+        return self._rate_limited
+    def scan(self, dependency: Dependency) -> list[Vulnerability]:
+        """
+        Query the GitHub Advisory Database for advisories affecting this dependency.
+        Checks the cache first when one is configured; only calls the API on a
+        cache miss and stores the raw response on success.
+        Uses the ``affects`` query parameter with ``group:artifact@version`` notation
+        and filters by ``ecosystem=maven`` and ``type=reviewed``.
+        :author: Ron Webb
+        :since: 1.0.0
+        """
+        _logger.debug("Querying GHSA for %s", dependency.coordinates)
+        cached = self._get_cached("ghsa", dependency)
+        if cached is not None:
+            return self._apply_cache_source(cached, "ghsa")
+        affects = f"{dependency.group_id}:{dependency.artifact_id}@{dependency.version}"
+        params = {
+            "ecosystem": "maven",
+            "affects": affects,
+            "type": "reviewed",
+        }
+        if self._rate_limited:
+            return []
+        try:
+            response = self._client.get(_GHSA_API_URL, params=params)
+            if response.status_code in (429, 403) and (
+                response.status_code == 429 or "rate limit" in response.text.lower()
+            ):
+                _logger.warning(
+                    "GitHub Advisory API rate limit exceeded (HTTP %s); "
+                    "disabling GHSA for this run",
+                    response.status_code,
+                )
+                self._rate_limited = True
+                return []
+            response.raise_for_status()
+            data = response.json()
+        except httpx.HTTPError as exc:
+            _logger.warning("GHSA query failed for %s: %s", dependency.coordinates, exc)
+            return []
+        self._put_cached("ghsa", dependency, json.dumps(data))
+        return self._parse_response(data)
+    def _parse_response(self, data: list) -> list[Vulnerability]:
+        """
+        Parse the GitHub Advisory API response (a JSON array) into Vulnerability objects.
+        :author: Ron Webb
+        :since: 1.0.0
+        """
+        vulns: list[Vulnerability] = []
+        for advisory in data:
+            vuln_obj = self._parse_advisory(advisory)
+            if vuln_obj is not None:
+                vulns.append(vuln_obj)
+        return vulns
+    def _parse_advisory(self, advisory: dict) -> Vulnerability | None:
+        """
+        Convert a single GitHub Advisory dict into a Vulnerability object.
+        The ``cve_id`` field prefers the CVE identifier when available and falls
+        back to the GHSA identifier so every returned advisory has a unique ID.
+        :author: Ron Webb
+        :since: 1.0.0
+        """
+        ghsa_id = advisory.get("ghsa_id", "UNKNOWN")
+        cve_id = advisory.get("cve_id") or ghsa_id
+        summary = advisory.get("summary", "No summary available")
+        severity = self._extract_severity(advisory)
+        affected_versions = self._extract_affected_versions(advisory)
+        reference_url = advisory.get("html_url", "")
+        return Vulnerability(
+            cve_id=cve_id,
+            summary=summary,
+            severity=severity,
+            affected_versions=affected_versions,
+            source="ghsa",
+            reference_url=reference_url,
+        )
+    def _extract_severity(self, advisory: dict) -> str:
+        """
+        Extract a human-readable severity string from a GitHub Advisory entry.
+        Tries, in order:
+        1. The top-level ``severity`` label (e.g. ``"high"``, ``"critical"``).
+        2. The CVSS v4 score from ``cvss_severities.cvss_v4.score``.
+        3. The CVSS v3 score from ``cvss_severities.cvss_v3.score``.
+        4. The legacy ``cvss.score`` field.
+        :author: Ron Webb
+        :since: 1.0.0
+        """
+        label = advisory.get("severity")
+        if label and label not in ("", "unknown"):
+            return label.upper()
+        cvss_severities = advisory.get("cvss_severities", {})
+        for key in ("cvss_v4", "cvss_v3"):
+            score = (cvss_severities.get(key) or {}).get("score")
+            if score is not None:
+                return str(score)
+        legacy_score = (advisory.get("cvss") or {}).get("score")
+        if legacy_score is not None:
+            return str(legacy_score)
+        return "UNKNOWN"
+    def _extract_affected_versions(self, advisory: dict) -> list[str]:
+        """
+        Extract affected version range strings from a GitHub Advisory entry.
+        Each entry in ``vulnerabilities`` may carry a ``vulnerable_version_range``
+        string (e.g. ``"< 2.17.0"`` or ``">= 2.0.0, < 2.15.0"``).  The method
+        splits compound ranges on commas so the returned list contains individual
+        constraint tokens.
+        :author: Ron Webb
+        :since: 1.0.0
+        """
+        affected_versions: list[str] = []
+        seen: set[str] = set()
+        for vuln_entry in advisory.get("vulnerabilities", []):
+            version_range = vuln_entry.get("vulnerable_version_range")
+            if not version_range:
+                continue
+            for part in version_range.split(","):
+                constraint = part.strip()
+                if constraint and constraint not in seen:
+                    affected_versions.append(constraint)
+                    seen.add(constraint)
+        return affected_versions

{java_dependency_analyzer-1.1.0 → java_dependency_analyzer-1.1.1}/pyproject.toml RENAMED Viewed

@@ -1,6 +1,6 @@
 [project]
 name = "java-dependency-analyzer"
-version = "1.1.0"
+version = "1.1.1"
 description = "Java Dependency Analyzer is a tool that inspects dependencies."
 authors = [
     {name = "Ron Webb",email = "ron@ronella.xyz"}