feat: support parsing pubspec.lock (#159)

README.md

@@ -61,6 +61,7 @@ The detector supports parsing the following lockfiles:
 | `go.mod`             | `Go`        | `go mod`   |
 | `mix.lock`           | `Hex`       | `mix`      |
 | `poetry.lock`        | `PyPI`      | `poetry`   |
+| `pubspec.lock`       | `Pub`       | `pub`      |
 | `pom.xml`\*          | `Maven`     | `maven`    |
 | `requirements.txt`\* | `PyPI`      | `pip`      |
 

internal/reporter/reporter_test.go

@@ -272,6 +272,7 @@ func TestReporter_PrintKnownEcosystems(t *testing.T) {
 		"  Hex",
 		"  Maven",
 		"  PyPI",
+		"  Pub",
 		"",
 	}, "\n")
 

main_test.go

@@ -131,6 +131,7 @@ func TestRun(t *testing.T) {
 					pnpm-lock.yaml
 					poetry.lock
 					pom.xml
+					pubspec.lock
 					requirements.txt
 					yarn.lock
 					csv-file

pkg/lockfile/ecosystems.go

@@ -10,5 +10,6 @@ func KnownEcosystems() []Ecosystem {
 		MixEcosystem,
 		MavenEcosystem,
 		PipEcosystem,
+		PubEcosystem,
 	}
 }

pkg/lockfile/fixtures/pub/mixed-packages.lock

@@ -0,0 +1,31 @@
+# Generated by pub
+# See http://pub.dartlang.org/doc/glossary.html#lockfile
+packages:
+  back_button_interceptor:
+    dependency: "direct main"
+    description:
+      name: back_button_interceptor
+      url: "https://pub.dartlang.org"
+    source: hosted
+    version: "6.0.1"
+  build_runner:
+    dependency: "direct dev"
+    description:
+      name: build_runner
+      url: "https://pub.dartlang.org"
+    source: hosted
+    version: "2.2.1"
+  shelf:
+    dependency: transitive
+    description:
+      name: shelf
+      url: "https://pub.dartlang.org"
+    source: hosted
+    version: "1.3.2"
+  shelf_web_socket:
+    dependency: transitive
+    description:
+      name: shelf_web_socket
+      url: "https://pub.dartlang.org"
+    source: hosted
+    version: "1.0.2"

pkg/lockfile/fixtures/pub/no-packages.lock

@@ -0,0 +1,3 @@
+# Generated by pub
+# See http://pub.dartlang.org/doc/glossary.html#lockfile
+packages: {}

pkg/lockfile/fixtures/pub/not-yaml.txt

@@ -0,0 +1 @@
+this is not valid yaml!

pkg/lockfile/fixtures/pub/one-package-dev.lock

@@ -0,0 +1,10 @@
+# Generated by pub
+# See http://pub.dartlang.org/doc/glossary.html#lockfile
+packages:
+  build_runner:
+    dependency: "direct dev"
+    description:
+      name: build_runner
+      url: "https://pub.dartlang.org"
+    source: hosted
+    version: "2.2.1"

pkg/lockfile/fixtures/pub/one-package.lock

@@ -0,0 +1,10 @@
+# Generated by pub
+# See http://pub.dartlang.org/doc/glossary.html#lockfile
+packages:
+  back_button_interceptor:
+    dependency: "direct main"
+    description:
+      name: back_button_interceptor
+      url: "https://pub.dartlang.org"
+    source: hosted
+    version: "6.0.1"

pkg/lockfile/fixtures/pub/source-git.lock

@@ -0,0 +1,46 @@
+# Generated by pub
+# See https://dart.dev/tools/pub/glossary#lockfile
+packages:
+  flutter_rust_bridge:
+    dependency: "direct main"
+    description:
+      path: frb_dart
+      ref: master
+      resolved-ref: e5adce55eea0b74d3680e66a2c5252edf17b07e1
+      url: "https://github.com/SoLongAndThanksForAllThePizza/flutter_rust_bridge"
+    source: git
+    version: "1.32.0"
+  screen_retriever:
+    dependency: transitive
+    description:
+      path: "."
+      ref: "406b9b0"
+      resolved-ref: "406b9b038b2c1d779f1e7bf609c8c248be247372"
+      url: "https://github.com/Kingtous/rustdesk_screen_retriever.git"
+    source: git
+    version: "0.1.2"
+  toggle_switch:
+    dependency: "direct main"
+    description:
+      name: toggle_switch
+      url: "https://pub.dartlang.org"
+    source: hosted
+    version: "1.4.0"
+  tray_manager:
+    dependency: "direct main"
+    description:
+      path: "."
+      ref: "3aa37c86e47ea748e7b5507cbe59f2c54ebdb23a"
+      resolved-ref: "3aa37c86e47ea748e7b5507cbe59f2c54ebdb23a"
+      url: "https://github.com/Kingtous/rustdesk_tray_manager"
+    source: git
+    version: "0.1.8"
+  window_manager:
+    dependency: "direct main"
+    description:
+      path: "."
+      ref: "88487257cbafc501599ab4f82ec343b46acec020"
+      resolved-ref: "88487257cbafc501599ab4f82ec343b46acec020"
+      url: "https://github.com/Kingtous/rustdesk_window_manager"
+    source: git
+    version: "0.2.7"

pkg/lockfile/fixtures/pub/source-path.lock

@@ -0,0 +1,10 @@
+# Generated by pub
+# See https://dart.dev/tools/pub/glossary#lockfile
+packages:
+ maa_core:
+    dependency: "direct main"
+    description:
+      path: ".."
+      relative: true
+    source: path
+    version: "0.0.1"

pkg/lockfile/fixtures/pub/source-sdk.lock

@@ -0,0 +1,11 @@
+# Generated by pub
+# See http://pub.dartlang.org/doc/glossary.html#lockfile
+packages:
+  flutter_web_plugins:
+    dependency: transitive
+    description: flutter
+    source: sdk
+    version: "0.0.0"
+sdks:
+  dart: ">=2.17.1 <3.0.0"
+  flutter: ">=3.0.0"

pkg/lockfile/fixtures/pub/two-packages.lock

@@ -0,0 +1,17 @@
+# Generated by pub
+# See http://pub.dartlang.org/doc/glossary.html#lockfile
+packages:
+  shelf:
+    dependency: transitive
+    description:
+      name: shelf
+      url: "https://pub.dartlang.org"
+    source: hosted
+    version: "1.3.2"
+  shelf_web_socket:
+    dependency: transitive
+    description:
+      name: shelf_web_socket
+      url: "https://pub.dartlang.org"
+    source: hosted
+    version: "1.0.2"

pkg/lockfile/parse-pubspec-lock.go

@@ -0,0 +1,93 @@
+package lockfile
+
+import (
+	"fmt"
+	"gopkg.in/yaml.v2"
+	"os"
+)
+
+type PubspecLockDescription struct {
+	Name string `yaml:"name"`
+	URL  string `yaml:"url"`
+	Path string `yaml:"path"`
+	Ref  string `yaml:"resolved-ref"`
+}
+
+var _ yaml.Unmarshaler = &PubspecLockDescription{}
+
+func (pld *PubspecLockDescription) UnmarshalYAML(unmarshal func(interface{}) error) error {
+	var m struct {
+		Name string `yaml:"name"`
+		URL  string `yaml:"url"`
+		Path string `yaml:"path"`
+		Ref  string `yaml:"resolved-ref"`
+	}
+
+	err := unmarshal(&m)
+
+	if err == nil {
+		pld.Name = m.Name
+		pld.Path = m.Path
+		pld.URL = m.URL
+		pld.Ref = m.Ref
+
+		return nil
+	}
+
+	var str *string
+
+	err = unmarshal(&str)
+
+	if err != nil {
+		return err
+	}
+
+	pld.Path = *str
+
+	return nil
+}
+
+type PubspecLockPackage struct {
+	Source      string                 `yaml:"source"`
+	Description PubspecLockDescription `yaml:"description"`
+	Version     string                 `yaml:"version"`
+}
+
+type PubspecLockfile struct {
+	Packages map[string]PubspecLockPackage `yaml:"packages,omitempty"`
+	Sdks     map[string]string             `yaml:"sdks"`
+}
+
+const PubEcosystem Ecosystem = "Pub"
+
+func ParsePubspecLock(pathToLockfile string) ([]PackageDetails, error) {
+	var parsedLockfile *PubspecLockfile
+
+	lockfileContents, err := os.ReadFile(pathToLockfile)
+
+	if err != nil {
+		return []PackageDetails{}, fmt.Errorf("could not read %s: %w", pathToLockfile, err)
+	}
+
+	err = yaml.Unmarshal(lockfileContents, &parsedLockfile)
+
+	if err != nil {
+		return []PackageDetails{}, fmt.Errorf("could not parse %s: %w", pathToLockfile, err)
+	}
+	if parsedLockfile == nil {
+		return []PackageDetails{}, nil
+	}
+
+	packages := make([]PackageDetails, 0, len(parsedLockfile.Packages))
+
+	for name, pkg := range parsedLockfile.Packages {
+		packages = append(packages, PackageDetails{
+			Name:      name,
+			Version:   pkg.Version,
+			Commit:    pkg.Description.Ref,
+			Ecosystem: PubEcosystem,
+		})
+	}
+
+	return packages, nil
+}