github.com/google/osv-scalibr@v0.4.1/extractor/filesystem/language/python/pdmlock/pdmlock.go (about) 1 // Copyright 2025 Google LLC 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 // Package pdmlock extracts pdm.lock files. 16 package pdmlock 17 18 import ( 19 "context" 20 "fmt" 21 "path/filepath" 22 23 "github.com/BurntSushi/toml" 24 "github.com/google/osv-scalibr/extractor" 25 "github.com/google/osv-scalibr/extractor/filesystem" 26 "github.com/google/osv-scalibr/extractor/filesystem/osv" 27 "github.com/google/osv-scalibr/inventory" 28 "github.com/google/osv-scalibr/plugin" 29 "github.com/google/osv-scalibr/purl" 30 ) 31 32 const ( 33 // Name is the unique name of this extractor. 34 Name = "python/pdmlock" 35 ) 36 37 type pdmLockPackage struct { 38 Name string `toml:"name"` 39 Version string `toml:"version"` 40 Groups []string `toml:"groups"` 41 Revision string `toml:"revision"` 42 } 43 44 type pdmLockFile struct { 45 Version string `toml:"lock-version"` 46 Packages []pdmLockPackage `toml:"package"` 47 } 48 49 // Extractor extracts python packages from pdm.lock files. 50 type Extractor struct{} 51 52 // New returns a new instance of the extractor. 53 func New() filesystem.Extractor { return &Extractor{} } 54 55 // Name of the extractor 56 func (e Extractor) Name() string { return Name } 57 58 // Version of the extractor 59 func (e Extractor) Version() int { return 0 } 60 61 // Requirements of the extractor 62 func (e Extractor) Requirements() *plugin.Capabilities { 63 return &plugin.Capabilities{} 64 } 65 66 // FileRequired returns true if the specified file matches PDM lockfile patterns. 67 func (e Extractor) FileRequired(api filesystem.FileAPI) bool { 68 return filepath.Base(api.Path()) == "pdm.lock" 69 } 70 71 // Extract extracts packages from pdm.lock files passed through the scan input. 72 func (e Extractor) Extract(ctx context.Context, input *filesystem.ScanInput) (inventory.Inventory, error) { 73 var parsedLockFile *pdmLockFile 74 75 _, err := toml.NewDecoder(input.Reader).Decode(&parsedLockFile) 76 if err != nil { 77 return inventory.Inventory{}, fmt.Errorf("could not extract: %w", err) 78 } 79 packages := make([]*extractor.Package, 0, len(parsedLockFile.Packages)) 80 81 for _, parsedPKG := range parsedLockFile.Packages { 82 pkg := &extractor.Package{ 83 Name: parsedPKG.Name, 84 Version: parsedPKG.Version, 85 PURLType: purl.TypePyPi, 86 Locations: []string{input.Path}, 87 } 88 89 depGroups := parseGroupsToDepGroups(parsedPKG.Groups) 90 91 pkg.Metadata = osv.DepGroupMetadata{ 92 DepGroupVals: depGroups, 93 } 94 95 if parsedPKG.Revision != "" { 96 pkg.SourceCode = &extractor.SourceCodeIdentifier{ 97 Commit: parsedPKG.Revision, 98 } 99 } 100 101 packages = append(packages, pkg) 102 } 103 104 return inventory.Inventory{Packages: packages}, nil 105 } 106 107 // parseGroupsToDepGroups converts pdm lockfile groups to the standard DepGroups 108 func parseGroupsToDepGroups(groups []string) []string { 109 depGroups := []string{} 110 111 var optional = true 112 for _, gr := range groups { 113 // depGroups can either be: 114 // [], [dev], [optional] 115 // All packages not in the default group (or the dev group) 116 // are optional. 117 if gr == "dev" { 118 depGroups = append(depGroups, "dev") 119 optional = false 120 } else if gr == "default" { 121 optional = false 122 } 123 } 124 if optional { 125 depGroups = append(depGroups, "optional") 126 } 127 128 return depGroups 129 } 130 131 var _ filesystem.Extractor = Extractor{}