Merge pull request #60 from chains-project/diogo/caching

refactor: cleanup codebase + use caching

README.md

@@ -53,7 +53,8 @@ Run the tool using the following command structure:
 ### Arguments:
 
 ```
-usage: main.py [-h] -p PROJECT_REPO_NAME -v RELEASE_VERSION_OLD [-vn RELEASE_VERSION_NEW] -s [-d] [-n] -pm {yarn-classic,yarn-berry,pnpm,npm,maven} [--pnpm-scope]
+usage: main.py [-h] -p PROJECT_REPO_NAME -v RELEASE_VERSION_OLD [-vn RELEASE_VERSION_NEW] -s [-d] [-n] -pm {yarn-classic,yarn-berry,pnpm,npm,maven} [--pnpm-scope] [--debug] [--check-source-code]
+               [--check-release-tags] [--check-deprecated] [--check-forks] [--check-provenance] [--check-code-signature]
 
 options:
   -h, --help            show this help message and exit
@@ -67,12 +68,20 @@ options:
                         Run static analysis and generate a markdown report of the project
   -d, --differential-analysis
                         Run differential analysis and generate a markdown report of the project
-  -n, --name-match      Compare the package names with the name in the in the package.json file. This option will slow down the execution time due to the API rate limit of
-                        code search.
+  -n, --name-match      Compare the package names with the name in the in the package.json file. This option will slow down the execution time due to the API rate limit of code search.
   -pm {yarn-classic,yarn-berry,pnpm,npm,maven}, --package-manager {yarn-classic,yarn-berry,pnpm,npm,maven}
                         The package manager used in the project.
-  --pnpm-scope          Extract dependencies from pnpm with a specific scope using 'pnpm list --filter <scope> --depth Infinity' command. Configure the scope in tool_config.py
-                        file.
+  --pnpm-scope          Extract dependencies from pnpm with a specific scope using 'pnpm list --filter <scope> --depth Infinity' command. Configure the scope in tool_config.py file.
+  --debug               Enable debug mode.
+
+smell checks:
+  --check-source-code   Check for dependencies with no link to source code repositories
+  --check-release-tags  Check for dependencies with no tag/commit sha for release
+  --check-deprecated    Check for deprecated dependencies
+  --check-forks         Check for dependencies that are forks
+  --check-provenance    Check for dependencies with no build attestation
+  --check-code-signature
+                        Check for dependencies with missing/invalid code signature
 ```
 
 ### Example usage:
@@ -147,6 +156,8 @@ specified in the lockfile/pom/similar is not found. They come from a combination
 work and our own research on this subject.
 These formats are the following:
 
+<details> <summary>Tag formats</summary>
+
 - `<tag>`
 - `v<tag>`
 - `r-<tag>`
@@ -157,11 +168,32 @@ These formats are the following:
 - `<package_name>_v<tag>`
 - `<package_name>-<tag>`
 - `<package_name>_<tag>`
+- `<repo_name>@<tag>`
+- `<repo_name>-v<tag>`
+- `<repo_name>_v<tag>`
+- `<repo_name>-<tag>`
+- `<repo_name>_<tag>`
+- `<project_name>@<tag>`
+- `<project_name>-v<tag>`
+- `<project_name>_v<tag>`
+- `<project_name>-<tag>`
+- `<project_name>_<tag>`
 - `release/<tag>`
 - `<tag>-release`
 - `v.<tag>`
 - `p1-p2-p3<tag>`
 
+As examples of what `package_name`, `repo_name`, and `project_name` could be, `maven-surefire`
+is an interesting dependency:
+
+- `maven-surefire-common` is the package name
+- `maven-surefire` is the repo name (we remove the owner prefix)
+- `surefire` is the project name
+
+In particular, there are many `maven-*` dependencies whose tags follow these last conventions.
+
+</details>
+
 Note than this does not mean that if `dirty-waters` does not find a tag, it doesn't exist:
 it means that it either doesn't exist, or that its format is not one of the above.
 

flake.nix

@@ -22,6 +22,6 @@
 
     in
     {
-      devShells.x86_64-linux.default = pkgs.mkShell { packages = [ pythonEnv pkgs.maven ]; };
+      devShells.x86_64-linux.default = pkgs.mkShell { packages = [ pythonEnv pkgs.maven pkgs.yarn pkgs.pnpm pkgs.act ]; };
     };
 }

pyproject.toml

@@ -6,7 +6,7 @@ readme = "README.md"
 requires-python = ">=3.12"
 keywords = [ "software supply chain", "ssc", "dependencies", "npm",]
 classifiers = [ "Intended Audience :: Developers", "Topic :: Software Development :: Build Tools", "Programming Language :: Python :: 3", "License :: OSI Approved :: MIT License", "Operating System :: OS Independent",]
-dependencies = [ "attrs == 24.2.0", "cattrs == 24.1.2", "certifi == 2024.8.30", "charset-normalizer == 3.4.0", "exceptiongroup == 1.2.2", "GitPython == 3.1.43", "idna == 3.10", "numpy == 2.1.2", "pandas == 2.2.3", "platformdirs == 4.3.6", "python-dateutil == 2.9.0.post0", "pytz == 2024.2", "requests == 2.32.3", "requests-cache == 1.2.1", "six == 1.16.0", "tabulate == 0.9.0", "tqdm == 4.66.5", "typing_extensions == 4.12.2", "tzdata == 2024.2", "url-normalize == 1.4.3", "urllib3 == 2.2.3",]
+dependencies = [ "attrs == 24.2.0", "cattrs == 24.1.2", "certifi == 2024.8.30", "charset-normalizer == 3.4.0", "exceptiongroup == 1.2.2", "GitPython == 3.1.43", "idna == 3.10", "numpy == 2.1.2", "pandas == 2.2.3", "platformdirs == 4.3.6", "python-dateutil == 2.9.0.post0", "pytz == 2024.2", "PyYAML == 6.0.2", "requests == 2.32.3", "requests-cache == 1.2.1", "six == 1.16.0", "tabulate == 0.9.0", "tqdm == 4.66.5", "typing_extensions == 4.12.2", "tzdata == 2024.2", "url-normalize == 1.4.3", "urllib3 == 2.2.3", "xmltodict == 0.14.2",]
 [[project.authors]]
 name = "Raphina Liu"
 email = "[email protected]"

requirements.txt

@@ -10,6 +10,7 @@ pandas==2.2.3
 platformdirs==4.3.6
 python-dateutil==2.9.0.post0
 pytz==2024.2
+PyYAML==6.0.2
 requests==2.32.3
 requests-cache==1.2.1
 six==1.16.0
@@ -19,3 +20,4 @@ typing_extensions==4.12.2
 tzdata==2024.2
 url-normalize==1.4.3
 urllib3==2.2.3
+xmltodict==0.14.2