Merge branch '12012-pipfile-lock' into 'master'v2.4.0

Add support for Pipfile.lock

See merge request gitlab-org/security-products/license-management!103

2 files changed, 108 insertions, 0 deletions

diff --git a/lib/license/management/python/pipenv.rb b/lib/license/management/python/pipenv.rb
new file mode 100644
index 0000000..482fd25
--- /dev/null
+++ b/lib/license/management/python/pipenv.rb
@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+module License
+  module Management
+    class Pipenv < LicenseFinder::PackageManager
+      include Loggable
+
+      def initialize(options = {})
+        super
+        @lockfile = Pathname('Pipfile.lock')
+      end
+
+      def current_packages
+        @current_packages ||=
+          begin
+            packages = {}
+            each_dependency(groups: allowed_groups) do |name, data, group|
+              version = canonicalize(data['version'])
+              package = packages.fetch(key_for(name, version)) do |key|
+                packages[key] = build_package_for(name, version)
+              end
+              package.groups << group
+            end
+            packages.values
+          end
+      end
+
+      def possible_package_paths
+        project_path ? [project_path.join(@lockfile)] : [@lockfile]
+      end
+
+      private
+
+      def each_dependency(groups: [])
+        dependencies = JSON.parse(IO.read(detected_package_path))
+        groups.each do |group|
+          dependencies[group].each do |name, data|
+            yield name, data, group
+          end
+        end
+      end
+
+      def canonicalize(version)
+        version.sub(/^==/, '')
+      end
+
+      def build_package_for(name, version)
+        LicenseFinder::PipPackage.new(name, version, PyPI.definition(name, version))
+      end
+
+      def key_for(name, version)
+        "#{name}-#{version}"
+      end
+
+      def allowed_groups
+        %w[default develop] - ignored_groups
+      end
+
+      def ignored_groups
+        @ignored_groups.to_a || []
+      end
+    end
+  end
+end
diff --git a/lib/license/management/python/pypi.rb b/lib/license/management/python/pypi.rb
new file mode 100644
index 0000000..0397532
--- /dev/null
+++ b/lib/license/management/python/pypi.rb
@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+require 'net/hippie'
+
+module License
+  module Management
+    class PyPI
+      include Loggable
+
+      def initialize(http)
+        @http = http
+      end
+
+      def definition_for(name, version)
+        uri = "https://pypi.org/pypi/#{name}/#{version}/json"
+        process(@http.with_retry { |client| client.get(uri) }).tap do |definition|
+          log_info([name, version, definition["license"]].inspect)
+        end
+      rescue *Net::Hippie::CONNECTION_ERRORS
+        {}
+      end
+
+      class << self
+        def definition(name, version)
+          @pypi ||= new(License::Management.http)
+          @pypi.definition_for(name, version)
+        end
+      end
+
+      private
+
+      def process(response)
+        return JSON.parse(response.body).fetch('info', {}) if ok?(response)
+
+        log_error([response.class, response.code, response.body].inspect)
+        {}
+      end
+
+      def ok?(response)
+        response.is_a?(Net::HTTPSuccess)
+      end
+    end
+  end
+end