macaron.dependency_analyzer package

This package contains the dependency resolvers.

Submodules

macaron.dependency_analyzer.cyclonedx module

This module contains helper functions to process CycloneDX SBOMs.

macaron.dependency_analyzer.cyclonedx.deserialize_bom_json(file_path)

Deserialize the bom.json file.

Parameters:

file_path (str) – Path to the bom.json file.

Returns:

The CycloneDX Bom object.

Return type:

Bom

Raises:

CycloneDXParserError – If the bom.json file cannot be located or deserialized.

class macaron.dependency_analyzer.cyclonedx.DependencyInfo

Bases: TypedDict

The information of a resolved dependency.

purl: PackageURL
url: str
note: str
available: SCMStatus

class macaron.dependency_analyzer.cyclonedx.DependencyAnalyzer(resources_path, file_name, tool_name, tool_version)

Bases: object

This base class is used to implement dependency analyzers for CycloneDX SBOMs.

__init__(resources_path, file_name, tool_name, tool_version)

Initialize the dependency analyzer instance.

Parameters:
  • resources_path (str) – The path to the resources directory.

  • file_name (str) – The name of the dependency output file.

  • tool_name (str) – The name of the dependency analyzer.

  • tool_version (str) – The version of the dependency analyzer.

static get_purl_from_cdx_component(component, purl_type)

Construct and return a PackageURL from a CycloneDX component.

Parameters:
  • component (CDXComponent) – The CycloneDX component.

  • purl_type (str) – The PURL type, e.g., maven, pypi, npm.

Returns:

The PackageURL object constructed from the CycloneDX component.

Return type:

PackageURL

collect_dependencies(target_component, recursive=False)

Process the dependency JSON files and collect direct dependencies.

Parameters:
  • target_component (Component) – The analyzed target software component.

  • recursive (bool) – Whether to get all transitive dependencies; otherwise only the direct dependencies will be returned (default: False).

Returns:

A dictionary where artifacts are grouped based on “artifactId:groupId”.

Return type:

dict

get_cmd()

Return the CLI command to run the dependency analyzer.

Returns:

The command line arguments.

Return type:

list

static add_latest_version(item, key, all_versions, latest_deps, url_to_artifact)

Find and add the unique URL for the latest version of the artifact.

Parameters:
  • item (DependencyInfo) – The dictionary containing info about the dependency to be added.

  • key (str) – The ID of the artifact.

  • all_versions (dict[str, str]) – Stores all the versions of dependencies for debugging.

  • latest_deps (dict[str, DependencyInfo]) – Stores the latest version of dependencies.

  • url_to_artifact (dict[str, set]) – Used to detect artifacts that have similar repos.

Return type:

None

static to_configs(resolved_deps)

Convert the resolved dependencies into the format used by the Analyzer.

Parameters:

resolved_deps (dict[str, DependencyInfo]) – The automatically resolved dependencies.

Returns:

The dependency list to be used by the Analyzer.

Return type:

list[Configuration]

static resolve_dependencies(main_ctx, sbom_path, recursive=False)

Resolve the dependencies of the main target repo.

Parameters:
  • main_ctx (Any (AnalyzeContext)) – The context object of the target repository.

  • sbom_path (str) – The path to the SBOM.

  • recursive (bool) – Whether to get all transitive dependencies; otherwise only the direct dependencies will be returned (default: False).

Returns:

A dictionary where artifacts are grouped based on artifactId:groupId.

Return type:

dict[str, DependencyInfo]

get_root_component(root_bom_path)

Get the root dependency component.

Parameters:

root_bom_path (str) – Path to the root bom.json file.

Returns:

The root CycloneDX component.

Return type:

CDXComponent | None

static get_target_cdx_component(root_bom, target_component)

Get the CycloneDX component that matches the analyzed target software component.

Parameters:
  • root_bom (Bom) – The top-level BOM file.

  • target_component (Component) – The analyzed target software component.

Returns:

The CycloneDX component or None if it cannot be found.

Return type:

CDXComponent | None

static get_dep_components(target_component, root_bom_path, child_bom_paths=None, recursive=False)

Get CycloneDX components that are dependencies of the analyzed target software component.

Parameters:
  • target_component (Component) – The analyzed target software component.

  • root_bom_path (str) – Path to the root bom.json file.

  • child_bom_paths (list[Path] | None) – The list of paths to sub-project bom.json files.

  • recursive (bool) – Whether to get all transitive dependencies; otherwise only the direct dependencies will be returned (default: False).

Yields:

CDXComponent – The dependencies as CycloneDX components.

Return type:

Iterable[Component]

static convert_components_to_artifacts(components, purl_type, root_component=None)

Convert CycloneDX components using internal artifact representation.

Parameters:
  • components (Iterable[CDXComponent]) – The dependency components.

  • purl_type (str) – The PURL type for the main target software component.

  • root_component (CDXComponent | None) – The root CycloneDX component.

Returns:

A dictionary where dependency artifacts are grouped based on “groupId:artifactId”.

Return type:

dict

static get_deps_from_sbom(sbom_path, target_component, recursive=False)

Get the dependencies from a provided SBOM.

Parameters:
  • sbom_path (str | Path) – The path to the SBOM file.

  • target_component (Component) – The analyzed target software component.

  • recursive (bool) – Whether to get all transitive dependencies; otherwise only the direct dependencies will be returned (default: False).

Returns:

A dictionary where dependency artifacts are grouped based on “groupId:artifactId”.

Return type:

dict[str, DependencyInfo]
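As an added illustration of the SBOM processing that get_deps_from_sbom, get_dep_components and convert_components_to_artifacts describe above, and not Macaron's own code: a standard-library walk over a constructed bom.json that deserializes it (rejecting non-CycloneDX input), yields the target's direct or transitive dependencies from the CycloneDX "dependencies" graph, and keys them by groupId:artifactId. All component names, versions and purls are constructed for the example.

```python
import json
from collections import deque
def _cdx(group, name, version):
    """Build one constructed CycloneDX component; its bom-ref is its Maven purl."""
    purl = f"pkg:maven/{group}/{name}@{version}"
    return {"bom-ref": purl, "group": group, "name": name, "version": version, "purl": purl}

# Constructed bom.json: app depends on lib-a and lib-b; lib-a depends on lib-c (transitive only).
APP, LIB_A, LIB_B, LIB_C = (_cdx("com.example", "app", "1.0.0"), _cdx("org.acme", "lib-a", "2.1.0"),
                            _cdx("org.acme", "lib-b", "1.0.0"), _cdx("org.acme", "lib-c", "3.0.0"))
BOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4", "metadata": {"component": APP},
    "components": [LIB_A, LIB_B, LIB_C],
    "dependencies": [
        {"ref": APP["bom-ref"], "dependsOn": [LIB_A["bom-ref"], LIB_B["bom-ref"]]},
        {"ref": LIB_A["bom-ref"], "dependsOn": [LIB_C["bom-ref"]]},
    ],
})

def deserialize_bom(text):
    """Parse bom.json and reject anything that is not a CycloneDX document."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX BOM")
    return bom

def dep_components(bom, target_purl, recursive=False):
    """Yield components the target depends on: direct only, or all transitive when recursive."""
    # The graph is the top-level "dependencies" array keyed by bom-ref; the target is normally
    # the metadata component. The visited set stops cycles a malformed SBOM may contain.
    by_ref = {c["bom-ref"]: c for c in bom.get("components", [])}
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    candidates = [bom.get("metadata", {}).get("component", {})] + list(by_ref.values())
    target_ref = next((c["bom-ref"] for c in candidates if c.get("purl") == target_purl), None)
    if target_ref is None:
        return  # target not described by this BOM: nothing to yield
    queue, seen = deque(graph.get(target_ref, [])), {target_ref}
    while queue:
        ref = queue.popleft()
        if ref in seen:
            continue
        seen.add(ref)
        if ref in by_ref:
            yield by_ref[ref]
        if recursive:
            queue.extend(graph.get(ref, []))

def group_by_artifact(components):
    """Key each dependency by "groupId:artifactId", mapping it to its purl."""
    return {f"{c.get('group', '')}:{c['name']}": c["purl"] for c in components}
```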

class macaron.dependency_analyzer.cyclonedx.NoneDependencyAnalyzer

Bases: DependencyAnalyzer

This class is used to implement an empty dependency analyzer.

__init__()

Initialize the dependency analyzer instance.

macaron.dependency_analyzer.cyclonedx_python module

This module processes the JSON dependency output files generated by the CycloneDX Maven plugin.

It also collects the direct dependencies that should be processed by Macaron. See https://github.com/CycloneDX/cyclonedx-maven-plugin.

class macaron.dependency_analyzer.cyclonedx_python.CycloneDxPython(resources_path, file_name, tool_name, tool_version)

Bases: DependencyAnalyzer

This class implements the CycloneDX Maven plugin analyzer.

get_cmd()

Return the CLI command to run the CycloneDX Maven plugin.

Returns:

The command line arguments.

Return type:

list