Add hash, scope and deps to dart (#1564)

* update pubspec to version which includes sha256 Signed-off-by: Paul <[email protected]> * update parsing of dart lock file to include hash, scope and bomref. Signed-off-by: Paul <[email protected]> * move assignment of bom ref Signed-off-by: Paul <[email protected]> --------- Signed-off-by: Paul <[email protected]>
CycloneDX · Jan 15, 2025 · b39709f · b39709f
1 parent 7a2c5d9
commit b39709f
Show file tree

Hide file tree

Showing 4 changed files with 162 additions and 88 deletions.
diff --git a/lib/cli/index.js b/lib/cli/index.js
@@ -3957,20 +3957,39 @@ export async function createDartBom(path, options) {
     `${options.multiProject ? "**/" : ""}pubspec.yaml`,
     options,
   );
+  let dependencies = [];
   let pkgList = [];
+  const parentComponent = determineParentComponent(options);
   if (pubFiles.length) {
     for (const f of pubFiles) {
       if (DEBUG_MODE) {
         console.log(`Parsing ${f}`);
       }
       const pubLockData = readFileSync(f, { encoding: "utf-8" });
-      const dlist = await parsePubLockData(pubLockData);
-      if (dlist?.length) {
-        pkgList = pkgList.concat(dlist);
+      const retMap = await parsePubLockData(pubLockData);
+      if (retMap.pkgList?.length) {
+        pkgList = pkgList.concat(retMap.pkgList);
+      }
+      if (retMap?.rootList?.length) {
+        const thisParentDependsOn = [
+          {
+            ref: parentComponent["bom-ref"],
+            dependsOn: [
+              ...new Set(retMap.rootList.map((c) => c["bom-ref"])),
+            ].sort(),
+          },
+        ];
+        dependencies = mergeDependencies(
+          dependencies,
+          thisParentDependsOn,
+          parentComponent,
+        );
       }
     }
     return buildBomNSData(options, pkgList, "pub", {
       src: path,
+      dependencies,
+      parentComponent,
       filename: pubFiles.join(", "),
     });
   }

diff --git a/lib/helpers/utils.js b/lib/helpers/utils.js
@@ -7415,42 +7415,43 @@ export async function parseCargoAuditableData(cargoData) {
 }
 
 export async function parsePubLockData(pubLockData) {
-  const pkgList = [];
   if (!pubLockData) {
-    return pkgList;
+    return [];
   }
-  let pkg = null;
-  pubLockData.split("\n").forEach((l) => {
-    let key = null;
-    let value = null;
-    l = l.replace("\r", "");
-    if (!pkg && (l.startsWith("sdks:") || !l.startsWith("  "))) {
-      return;
-    }
-    if (l.startsWith("  ") && !l.startsWith("    ")) {
-      pkg = {
-        name: l.trim().replace(":", ""),
-      };
+  let pkgList = [];
+  const rootList = [];
+  const data = _load(pubLockData);
+  const packages = data.packages;
+
+  for (const [packageName, packageData] of Object.entries(packages)) {
+    const pkg = { name: packageName, version: packageData.version };
+    // older dart versions don't have sha256
+    if (packageData.description?.sha256) {
+      pkg._integrity = `sha256-${packageData.description?.sha256}`;
     }
-    if (l.startsWith("    ")) {
-      const tmpA = l.split(":");
-      key = tmpA[0].trim();
-      value = tmpA[1].trim().replace(/"/g, "");
-      switch (key) {
-        case "version":
-          pkg.version = value;
-          if (pkg.name) {
-            pkgList.push(pkg);
-          }
-          pkg = {};
-          break;
-      }
+
+    const purlString = new PackageURL("dart", "", pkg.name, pkg.version)
+      .toString()
+      .replace(/%2F/g, "/");
+    pkg["bom-ref"] = decodeURIComponent(purlString);
+
+    if (packageData.dependency === "direct main") {
+      pkg.scope = "required";
+      rootList.push(pkg);
+    } else if (packageData.dependency === "transitive") {
+      pkg.scope = "required";
+    } else if (packageData.dependency === "direct dev") {
+      pkg.scope = "optional";
     }
-  });
+
+    pkgList.push(pkg);
+  }
+
   if (shouldFetchLicense()) {
-    return await getDartMetadata(pkgList);
+    pkgList = await getDartMetadata(pkgList);
   }
-  return pkgList;
+
+  return { rootList, pkgList };
 }
 
 export function parsePubYamlData(pubYamlData) {

diff --git a/lib/helpers/utils.test.js b/lib/helpers/utils.test.js
@@ -2075,13 +2075,28 @@ test("get crates metadata", async () => {
 
 test("parse pub lock", async () => {
   expect(await parsePubLockData(null)).toEqual([]);
-  let dep_list = await parsePubLockData(
+  const ret_val = await parsePubLockData(
     readFileSync("./test/data/pubspec.lock", { encoding: "utf-8" }),
   );
-  expect(dep_list.length).toEqual(26);
+  const root_list = ret_val.rootList;
+  let dep_list = ret_val.pkgList;
+  expect(dep_list.length).toEqual(28);
   expect(dep_list[0]).toEqual({
     name: "async",
-    version: "2.8.2",
+    version: "2.11.0",
+    _integrity:
+      "sha256-947bfcf187f74dbc5e146c9eb9c0f10c9f8b30743e341481c1e2ed3ecc18c20c",
+    "bom-ref": "pkg:dart/[email protected]",
+    scope: "required",
+  });
+  expect(root_list.length).toEqual(3);
+  expect(root_list[0]).toEqual({
+    name: "flare_flutter",
+    version: "3.0.2",
+    _integrity:
+      "sha256-99d63c60f00fac81249ce6410ee015d7b125c63d8278a30da81edf3317a1f6a0",
+    "bom-ref": "pkg:dart/[email protected]",
+    scope: "required",
   });
   dep_list = parsePubYamlData(
     readFileSync("./test/data/pubspec.yaml", { encoding: "utf-8" }),