add to merge

chains-project · Oct 28, 2024 · d493650 · d493650
2 parents 660bdcd + da2749f
commit d493650
Show file tree

Hide file tree

Showing 11 changed files with 343 additions and 69 deletions.
diff --git a/.github/workflows/run-formatter.yml b/.github/workflows/run-formatter.yml
@@ -0,0 +1,35 @@
+name: Run Black Formatter throughout the codebase
+
+on:
+  push:
+    paths:
+      - '**.py'
+  pull_request:
+    paths:
+      - '**.py'
+
+jobs:
+  black:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.head_ref }}
+          fetch-depth: 0
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.10'
+
+      - name: Install Black
+        run: pip install black
+
+      - name: Run Black formatter
+        run: black .
+
+      - name: Commit changes
+        uses: stefanzweifel/git-auto-commit-action@v5
+        with:
+          commit_message: "style: format Python code with Black"
+          branch: ${{ github.head_ref }}
diff --git a/.github/workflows/run-linter.yml b/.github/workflows/run-linter.yml
@@ -0,0 +1,38 @@
+name: Ruff Linter
+
+on:
+  push:
+    paths:
+      - '**.py'
+  pull_request:
+    paths:
+      - '**.py'
+
+jobs:
+  ruff:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.head_ref }}
+          fetch-depth: 0
+
+      - name: Install Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.10'
+
+      - name: Install Ruff
+        run: pip install ruff
+
+      - name: Run Ruff Check
+        run: ruff check . --output-format=github
+        continue-on-error: true
+
+      - name: Commit fixes
+        uses: stefanzweifel/git-auto-commit-action@v5
+        with:
+          commit_message: 'style: fix code style issues with Ruff'
+          commit_user_name: 'GitHub Actions'
+          commit_user_email: '[email protected]'
+          commit_author: 'GitHub Actions <[email protected]>'
diff --git a/README.md b/README.md
@@ -53,7 +53,7 @@ python main.py -p <project_repo_name> -v <release_version_old> -s -pm <package_m
 #### Arguments:
 ```
 usage: main.py [-h] -p PROJECT_REPO_NAME -v RELEASE_VERSION_OLD [-vn RELEASE_VERSION_NEW] -s [-d] -pm
-               {yarn-classic,yarn-berry,pnpm}
+               {yarn-classic,yarn-berry,pnpm} [--pnpm-scope]
 
 options:
   -p PROJECT_REPO_NAME, --project-repo-name PROJECT_REPO_NAME
@@ -66,8 +66,11 @@ options:
                         Run static analysis and generate a markdown report of the project
   -d, --differential-analysis
                         Run differential analysis and generate a markdown report of the project
-  -pm {yarn-classic,yarn-berry,pnpm}, --package-manager {yarn-classic,yarn-berry,pnpm}
+  -pm {yarn-classic,yarn-berry,pnpm,npm}, --package-manager {yarn-classic,yarn-berry,pnpm,npm}
                         The package manager used in the project.
+  --pnpm-scope          Extract dependencies from pnpm with a specific scope
+                        using 'pnpm list --filter <scope> --depth Infinity'
+                        command. Configure the scope in tool_config.py file.
 ```
 
 
@@ -101,6 +104,9 @@ Notes:
 Usage:
 Example reports: TODO add link
 
+## Academic Work
+- [Dirty-Waters: Detecting Software Supply Chain Smells](https://arxiv.org/abs/2410.16049)
+
 
 ## Other issues not handled by dirty-waters
 

diff --git a/flake.lock b/flake.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -0,0 +1,49 @@
+[tool.ruff]
+# Enable pycodestyle (`E`), Pyflakes (`F`), and import sorting (`I`)
+select = ["E", "F", "I", "N", "S", "B", "COM", "C4", "SIM", "RET", "UP"]
+ignore = []
+
+# Allow autofix for all enabled rules (when `--fix`) is provided.
+fixable = ["ALL"]
+unfixable = []
+
+# Exclude a variety of commonly ignored directories.
+exclude = [
+    ".bzr",
+    ".direnv",
+    ".eggs",
+    ".git",
+    ".git-rewrite",
+    ".hg",
+    ".mypy_cache",
+    ".nox",
+    ".pants.d",
+    ".pytype",
+    ".ruff_cache",
+    ".svn",
+    ".tox",
+    ".venv",
+    "__pypackages__",
+    "_build",
+    "buck-out",
+    "build",
+    "dist",
+    "node_modules",
+    "venv",
+]
+
+# Allow unused variables when underscore-prefixed.
+dummy-variable-rgx = "^(_+|(_+[a-zA-Z0-9_]*[a-zA-Z0-9]+?))$"
+
+# Assume Python 3.10.
+target-version = "py310"
+
+[tool.ruff.mccabe]
+# Unlike Flake8, default to a complexity level of 10.
+max-complexity = 10
+
+[tool.ruff.isort]
+known-first-party = ["tool"]
+
+[tool.ruff.flake8-quotes]
+docstring-quotes = "double"
diff --git a/requirements.txt b/requirements.txt
@@ -17,4 +17,4 @@ tqdm==4.66.5
 typing_extensions==4.12.2
 tzdata==2024.2
 url-normalize==1.4.3
-urllib3==2.2.3
+urllib3==2.2.3
diff --git a/tool/extract_deps.py b/tool/extract_deps.py
@@ -1,4 +1,6 @@
-"""Module for extracting dependencies."""
+"""Module for extracting dependencies.
+Support npm, yarn classic, yarn berry, pnpm
+"""
 
 import re
 import os
@@ -7,13 +9,106 @@
 import logging
 import sys
 import shutil
+import yaml
 from collections import defaultdict
 
 from tool_config import PNPM_LIST_COMMAND
 
 logger = logging.getLogger(__name__)
 
 
+def extract_deps_from_pnpm_lockfile(pnpm_lockfile_yaml):
+    """
+    Extract dependencies from a pnpm-lock.yaml file.
+
+    Args:
+        pnpm_lockfile_yaml (str): The content of the pnpm lock file.
+
+    Returns:
+        dict: A dictionary containing the extracted dependencies and patches.
+    """
+    yaml_data = yaml.safe_load(pnpm_lockfile_yaml)
+    yaml_version = yaml_data.get("lockfileVersion")
+    if yaml_version != "9.0":
+        logging.error("Invalid pnpm lockfile version: %s", yaml_version)
+        print("The pnpm lockfile version is not supported(yet): ", yaml_version)
+        # end the process
+        sys.exit(1)
+
+    try:
+        # pkg_name_with_resolution = set()
+        deps_list_data = {}
+
+        package_keys = sorted(list(yaml_data.get("packages", {}).keys()))
+        patches = sorted(list(yaml_data.get("patchedDependencies", {}).keys()))
+
+        deps_list_data = {
+            "resolutions": package_keys,
+            "patches": patches,
+        }
+
+        return deps_list_data
+
+    except (IOError, ValueError, KeyError) as e:
+        logging.error(
+            "An error occurred while extracting dependencies from pnpm-lock.yaml: %s",
+            str(e),
+        )
+        return {"resolutions": [], "patches": []}
+
+
+def extract_deps_from_npm(npm_lock_file):
+    """
+    Extract dependencies from a "package-lock.json" file.
+
+    Args:
+        npm_lock_file (dict): The content of the npm lock file.
+
+    Returns:
+        dict: A dictionary containing the extracted dependencies and patches.
+
+    """
+
+    lock_file_json = json.loads(npm_lock_file)
+    try:
+        patches = []
+        pkg_name_with_resolution = set()
+        deps_list_data = {}
+
+        packages = {}
+
+        # Extract packages from the "packages" object
+        if lock_file_json.get("packages") and isinstance(
+            lock_file_json["packages"], dict
+        ):
+            for package_path, package_info in lock_file_json["packages"].items():
+                if package_path.startswith("node_modules/"):
+                    package_name = package_path.split("/", 1)[1]
+                    if "node_modules" in package_name:
+                        package_name = package_name.split("node_modules/")[-1]
+
+                    if package_info.get("version"):
+                        packages[package_name] = package_info["version"]
+                        pkg_name_with_resolution.add(
+                            f"{package_name}@{package_info['version']}"
+                        )
+
+            deps_list_data = {
+                "resolutions": sorted(list(pkg_name_with_resolution)),
+                "patches": patches,
+            }
+
+        return deps_list_data
+
+    except (IOError, ValueError, KeyError) as e:
+        logging.error(
+            "An error occurred while extracting dependencies from package-lock.json: %s",
+            str(e),
+        )
+
+    return {"resolutions": [], "patches": []}
+
+
 def extract_deps_from_yarn_berry(yarn_lock_file):
     """
     # JavaScript
@@ -91,6 +186,12 @@ def extract_deps_from_v1_yarn(yarn_lock_file):
         return {"resolutions": [], "patches": []}
 
 
+def extract_deps_from_pnpm_lock_yaml(pnpm_lock_yaml_file):
+    """
+    Extract dependencies from a pnpm-lock.yaml file.
+    """
+
+
 def get_pnpm_dep_tree(folder_path, version_tag, project_repo_name):
     """
     Get pnpm dependency tree for the given project.

diff --git a/tool/github_repo.py b/tool/github_repo.py
@@ -96,6 +96,15 @@ def process_package(
                     timeout=TIMEOUT,
                 )
 
+            elif pm == "npm":
+                result = subprocess.run(
+                    ["npm", "info", package, "repository.url"],
+                    capture_output=True,
+                    text=True,
+                    check=True,
+                    timeout=TIMEOUT,
+                )
+
             else:
                 raise ValueError(f"Unsupported package manager: {pm}")