Recurse on optional package tree (#1860)

* Recurse on optional package tree

Signed-off-by: Prabhu Subramanian <[email protected]>

* Update packages

Signed-off-by: Prabhu Subramanian <[email protected]>

* Ruby image fixes

Signed-off-by: Prabhu Subramanian <[email protected]>

---------

Signed-off-by: Prabhu Subramanian <[email protected]>

Author: prabhu

ci/images/debian/Dockerfile.ruby26

@@ -17,7 +17,7 @@ ENV PATH=${NVM_DIR}/versions/node/v${NODE_VERSION}/bin:${PATH}:/usr/local/bin:/r
 COPY ci/images/debian/install.sh /tmp/
 
 RUN apt-get update && apt-get install -qq -y --no-install-recommends curl bash bzip2 git-core zip unzip make gawk \
-    && apt-get install -qq -y build-essential gcc-9 g++-9 python2 libmagic-dev locales nodejs \
+    && apt-get install -qq -y build-essential gcc-10 g++-10 python3 python3-pip python3-dev libmagic-dev locales \
     && gem install bundler -v 1.17.3 \
     && bundle config git.allow_insecure true \
     && chmod +x /tmp/install.sh \

ci/images/debian/Dockerfile.ruby33

@@ -16,7 +16,7 @@ ENV PATH=${PATH}:${NVM_DIR}/versions/node/v${NODE_VERSION}/bin:/usr/local/bin:/r
 COPY ci/images/debian/install.sh /tmp/
 
 RUN apt-get update && apt-get install -qq -y --no-install-recommends curl bash bzip2 git-core zip unzip make gawk \
-    && apt-get install -qq -y build-essential python3 python3-pip python3-dev libmagic-dev locales \
+    && apt-get install -qq -y build-essential python3 python3-pip python3-dev libmagic-dev locales libffi-dev \
     && chmod +x /tmp/install.sh \
     && /tmp/install.sh && rm /tmp/install.sh \
     && node -v \

ci/images/debian/Dockerfile.ruby34

@@ -14,7 +14,7 @@ ENV PATH=${PATH}:${NVM_DIR}/versions/node/v${NODE_VERSION}/bin:/usr/local/bin:/r
 COPY ci/images/debian/install.sh /tmp/
 
 RUN apt-get update && apt-get install -qq -y --no-install-recommends curl bash bzip2 git-core zip unzip make gawk \
-    && apt-get install -qq -y build-essential python3 python3-pip python3-dev libmagic-dev locales \
+    && apt-get install -qq -y build-essential python3 python3-pip python3-dev libmagic-dev locales libffi-dev \
     && chmod +x /tmp/install.sh \
     && /tmp/install.sh && rm /tmp/install.sh \
     && node -v \

contrib/piptree.py

@@ -42,48 +42,69 @@ def get_installed_distributions(python_path=None):
     return [d._dist for d in dists]
 
 
+def _get_extra_deps_from_dist(dist):
+    extra_deps = {}
+    if not dist:
+        return extra_deps
+    # all requirements, some of which may be extra-only:
+    reqs = dist.metadata.get_all('Requires-Dist') or []
+    # extras this package defines:
+    extras = dist.metadata.get_all('Provides-Extra') or []
+    for req_str in reqs:
+        req = Requirement(req_str)
+        if req.marker and 'extra' in str(req.marker):
+            # evaluate marker for each declared extra
+            for extra in extras:
+                if req.marker.evaluate({'extra': extra}):
+                    extra_deps.setdefault(extra, []).append({"name": str(req.name), "versionSpecifiers": str(req.specifier), "url": str(req.url) if req.url else None})
+    return extra_deps
+
+
+def _get_deps_from_extras(name_version_cache, name_dist_cache, extra_deps):
+    dependencies = []
+    if not extra_deps:
+        return dependencies
+    # Treat an extra with the name all as dependencies
+    all_deps = extra_deps.get("all", [])
+    for dep in all_deps:
+        dversion = name_version_cache.get(dep["name"])
+        if not dversion:
+            continue
+        dversionSpecifiers = dep.get("versionSpecifiers")
+        dpurl = f"""pkg:pypi/{dep["name"].lower()}@{dversion}"""
+        dextra_deps = _get_extra_deps_from_dist(name_dist_cache.get(dep["name"]))
+        ddependencies = _get_deps_from_extras(name_version_cache, name_dist_cache, dextra_deps)
+        dependencies.append({
+            "name": dep["name"],
+            "version": dversion,
+            "versionSpecifiers": dversionSpecifiers,
+            "purl": dpurl,
+            "extra_deps": dextra_deps,
+            "dependencies": ddependencies
+        })
+    return dependencies
+
+
 def get_installed_with_extras():
     result = {}
     if not REQUIREMENT_MODULE_FOUND:
         return result
     name_version_cache = {}
+    name_dist_cache = {}
     for dist in importlib_metadata.distributions():
         name = dist.metadata['Name']
         version = dist.version or ""
         name_version_cache[name] = version
+        name_dist_cache[name] = dist
     for dist in importlib_metadata.distributions():
         name = dist.metadata['Name']
         version = dist.version or ""
         # extras this package defines:
         extras = dist.metadata.get_all('Provides-Extra') or []
-        # all requirements, some of which may be extra-only:
-        reqs = dist.metadata.get_all('Requires-Dist') or []
-
         # map each extra → its extra-only dependencies
-        extra_deps = {}
-        for req_str in reqs:
-            req = Requirement(req_str)
-            if req.marker and 'extra' in str(req.marker):
-                # evaluate marker for each declared extra
-                for extra in extras:
-                    if req.marker.evaluate({'extra': extra}):
-                        extra_deps.setdefault(extra, []).append({"name": str(req.name), "versionSpecifiers": str(req.specifier), "url": str(req.url) if req.url else None})
+        extra_deps = _get_extra_deps_from_dist(dist)
         purl = f"pkg:pypi/{name.lower()}@{version}"
-        dependencies = []
-        # Treat an extra with the name all as dependencies
-        all_deps = extra_deps.get("all", [])
-        for dep in all_deps:
-            dversion = name_version_cache.get(dep["name"])
-            if not dversion:
-                continue
-            dversionSpecifiers = dep.get("versionSpecifiers")
-            dpurl = f"""pkg:pypi/{dep["name"].lower()}@{dversion}"""
-            dependencies.append({
-                "name": dep["name"],
-                "version": dversion,
-                "versionSpecifiers": dversionSpecifiers,
-                "purl": dpurl
-            })
+        dependencies = _get_deps_from_extras(name_version_cache, name_dist_cache, extra_deps)
         result[purl] = {
             'name': name,
             'version': version,
@@ -162,15 +183,8 @@ def main(argv):
                 "dependencies": dependencies + all_dependencies,
             }
         )
-    all_deps = {}
-    for t in tree:
-        for d in t["dependencies"]:
-            all_deps[d["name"]] = True
-    trimmed_tree = [
-        t for t in tree if t["name"] not in all_deps
-    ]
     with open(out_file, mode="w", encoding="utf-8") as fp:
-        json.dump(trimmed_tree, fp)
+        json.dump(tree, fp)
 
 
 if __name__ == "__main__":

deno.json

@@ -64,12 +64,12 @@
     "@appthreat/cdx-proto": "npm:@appthreat/[email protected]",
     "@babel/parser": "npm:@babel/parser@^7.27.2",
     "@babel/traverse": "npm:@babel/traverse@^7.27.1",
-    "@npmcli/arborist": "npm:@npmcli/arborist@^9.1.0",
+    "@npmcli/arborist": "npm:@npmcli/arborist@^9.1.2",
     "ajv": "npm:ajv@^8.16.0",
     "ajv-formats": "npm:ajv-formats@^3.0.1",
     "cheerio": "npm:cheerio@^1.1.0",
     "edn-data": "npm:[email protected]",
-    "glob": "npm:glob@^11.0.2",
+    "glob": "npm:glob@^11.0.3",
     "global-agent": "npm:global-agent@^3.0.0",
     "got": "npm:got@^14.4.5",
     "iconv-lite": "npm:iconv-lite@^0.6.3",

lib/managers/piptree.js

@@ -59,48 +59,69 @@ def get_installed_distributions(python_path=None):
     return [d._dist for d in dists]
 
 
+def _get_extra_deps_from_dist(dist):
+    extra_deps = {}
+    if not dist:
+        return extra_deps
+    # all requirements, some of which may be extra-only:
+    reqs = dist.metadata.get_all('Requires-Dist') or []
+    # extras this package defines:
+    extras = dist.metadata.get_all('Provides-Extra') or []
+    for req_str in reqs:
+        req = Requirement(req_str)
+        if req.marker and 'extra' in str(req.marker):
+            # evaluate marker for each declared extra
+            for extra in extras:
+                if req.marker.evaluate({'extra': extra}):
+                    extra_deps.setdefault(extra, []).append({"name": str(req.name), "versionSpecifiers": str(req.specifier), "url": str(req.url) if req.url else None})
+    return extra_deps
+
+
+def _get_deps_from_extras(name_version_cache, name_dist_cache, extra_deps):
+    dependencies = []
+    if not extra_deps:
+        return dependencies
+    # Treat an extra with the name all as dependencies
+    all_deps = extra_deps.get("all", [])
+    for dep in all_deps:
+        dversion = name_version_cache.get(dep["name"])
+        if not dversion:
+            continue
+        dversionSpecifiers = dep.get("versionSpecifiers")
+        dpurl = f"""pkg:pypi/{dep["name"].lower()}@{dversion}"""
+        dextra_deps = _get_extra_deps_from_dist(name_dist_cache.get(dep["name"]))
+        ddependencies = _get_deps_from_extras(name_version_cache, name_dist_cache, dextra_deps)
+        dependencies.append({
+            "name": dep["name"],
+            "version": dversion,
+            "versionSpecifiers": dversionSpecifiers,
+            "purl": dpurl,
+            "extra_deps": dextra_deps,
+            "dependencies": ddependencies
+        })
+    return dependencies
+
+
 def get_installed_with_extras():
     result = {}
     if not REQUIREMENT_MODULE_FOUND:
         return result
     name_version_cache = {}
+    name_dist_cache = {}
     for dist in importlib_metadata.distributions():
         name = dist.metadata['Name']
         version = dist.version or ""
         name_version_cache[name] = version
+        name_dist_cache[name] = dist
     for dist in importlib_metadata.distributions():
         name = dist.metadata['Name']
         version = dist.version or ""
         # extras this package defines:
         extras = dist.metadata.get_all('Provides-Extra') or []
-        # all requirements, some of which may be extra-only:
-        reqs = dist.metadata.get_all('Requires-Dist') or []
-
         # map each extra → its extra-only dependencies
-        extra_deps = {}
-        for req_str in reqs:
-            req = Requirement(req_str)
-            if req.marker and 'extra' in str(req.marker):
-                # evaluate marker for each declared extra
-                for extra in extras:
-                    if req.marker.evaluate({'extra': extra}):
-                        extra_deps.setdefault(extra, []).append({"name": str(req.name), "versionSpecifiers": str(req.specifier), "url": str(req.url) if req.url else None})
+        extra_deps = _get_extra_deps_from_dist(dist)
         purl = f"pkg:pypi/{name.lower()}@{version}"
-        dependencies = []
-        # Treat an extra with the name all as dependencies
-        all_deps = extra_deps.get("all", [])
-        for dep in all_deps:
-            dversion = name_version_cache.get(dep["name"])
-            if not dversion:
-                continue
-            dversionSpecifiers = dep.get("versionSpecifiers")
-            dpurl = f"""pkg:pypi/{dep["name"].lower()}@{dversion}"""
-            dependencies.append({
-                "name": dep["name"],
-                "version": dversion,
-                "versionSpecifiers": dversionSpecifiers,
-                "purl": dpurl
-            })
+        dependencies = _get_deps_from_extras(name_version_cache, name_dist_cache, extra_deps)
         result[purl] = {
             'name': name,
             'version': version,
@@ -179,15 +200,8 @@ def main(argv):
                 "dependencies": dependencies + all_dependencies,
             }
         )
-    all_deps = {}
-    for t in tree:
-        for d in t["dependencies"]:
-            all_deps[d["name"]] = True
-    trimmed_tree = [
-        t for t in tree if t["name"] not in all_deps
-    ]
     with open(out_file, mode="w", encoding="utf-8") as fp:
-        json.dump(trimmed_tree, fp)
+        json.dump(tree, fp)
 
 
 if __name__ == "__main__":

package.json

@@ -83,12 +83,12 @@
     "@babel/parser": "^7.27.4",
     "@babel/traverse": "^7.27.4",
     "@iarna/toml": "2.2.5",
-    "@npmcli/arborist": "^9.1.1",
+    "@npmcli/arborist": "^9.1.2",
     "ajv": "^8.17.1",
     "ajv-formats": "^3.0.1",
     "cheerio": "^1.1.0",
     "edn-data": "1.1.2",
-    "glob": "^11.0.2",
+    "glob": "^11.0.3",
     "global-agent": "^3.0.0",
     "got": "^14.4.7",
     "iconv-lite": "^0.6.3",
@@ -160,7 +160,7 @@
       "istanbul-lib-instrument": "^6.0.3",
       "json-parse-even-better-errors": "^4.0.0",
       "lru-cache": "^11.1.0",
-      "minimatch": "^10.0.1",
+      "minimatch": "^10.0.3",
       "minizlib": "^3.0.2",
       "mkdirp": "^3.0.1",
       "ms": "^2.1.3",
@@ -209,7 +209,7 @@
     "istanbul-lib-instrument": "^6.0.3",
     "json-parse-even-better-errors": "^4.0.0",
     "lru-cache": "^11.1.0",
-    "minimatch": "^10.0.1",
+    "minimatch": "^10.0.3",
     "minizlib": "^3.0.2",
     "mkdirp": "^3.0.1",
     "ms": "^2.1.3",