macaron.dependency_analyzer package
This package contains the dependency resolvers.
Submodules
macaron.dependency_analyzer.cyclonedx module
This module contains helper functions to process CycloneDX SBOM.
- macaron.dependency_analyzer.cyclonedx.deserialize_bom_json(file_path)
Deserialize the bom.json file.
- Parameters:
file_path (str) – Path to the bom.json file.
- Returns:
The CycloneDX Bom object.
- Return type:
Bom
- Raises:
CycloneDXParserError – If the bom.json file cannot be located or deserialized.
- class macaron.dependency_analyzer.cyclonedx.DependencyInfo
Bases:
TypedDict
The information of a resolved dependency.
- purl: PackageURL
- class macaron.dependency_analyzer.cyclonedx.DependencyAnalyzer(resources_path, file_name, tool_name, tool_version)
Bases:
object
This base class is used to implement dependency analyzers for CycloneDX SBOMs.
- __init__(resources_path, file_name, tool_name, tool_version)
Initialize the dependency analyzer instance.
- static get_purl_from_cdx_component(component, purl_type)
Construct and return a PackageURL from a CycloneDX component.
- Parameters:
component (CDXComponent) – The CycloneDX component.
purl_type (str) – The PURL type, e.g., maven, pypi, npm.
- Returns:
The PackageURL object constructed from the CycloneDX component.
- Return type:
PackageURL
- collect_dependencies(target_component, recursive=False)
Process the dependency JSON files and collect direct dependencies.
- Parameters:
target_component (Component) – The analyzed target software component.
recursive (bool) – Whether to get all transitive dependencies, otherwise only the direct dependencies will be returned (default: False).
- Returns:
A dictionary where artifacts are grouped based on “artifactId:groupId”.
- Return type:
- get_cmd()
Return the CLI command to run the dependency analyzer.
- Returns:
The command line arguments.
- Return type:
- static add_latest_version(item, key, all_versions, latest_deps, url_to_artifact)
Find and add the unique URL for the latest version of the artifact.
- Parameters:
item (DependencyInfo) – The dictionary containing info about the dependency to be added.
key (str) – The ID of the artifact.
all_versions (dict[str, str]) – Stores all the versions of dependencies for debugging.
latest_deps (dict[str, DependencyInfo]) – Stores the latest version of dependencies.
url_to_artifact (dict[str, set]) – Used to detect artifacts that have similar repos.
- Return type:
- static to_configs(resolved_deps)
Convert the resolved dependencies into the format used by the Analyzer.
- Parameters:
resolved_deps (dict[str, DependencyInfo]) – The automatically resolved dependencies.
- Returns:
The dependency list to be used by the Analyzer.
- Return type:
- static resolve_dependencies(main_ctx, sbom_path, recursive=False)
Resolve the dependencies of the main target repo.
- Parameters:
main_ctx (Any (AnalyzeContext)) – The context object of the target repository.
sbom_path (str) – The path to the SBOM.
recursive (bool) – Whether to get all transitive dependencies, otherwise only the direct dependencies will be returned (default: False).
- Returns:
A dictionary where artifacts are grouped based on “artifactId:groupId”.
- Return type:
- get_root_component(root_bom_path)
Get the root dependency component.
- Parameters:
root_bom_path (str) – Path to the root bom.json file.
- Returns:
The root CycloneDX component.
- Return type:
CDXComponent | None
- static get_target_cdx_component(root_bom, target_component)
Get the CycloneDX component that matches the analyzed target software component.
- Parameters:
root_bom (Bom) – The top-level BOM file.
target_component (Component) – The analyzed target software component.
- Returns:
The CycloneDX component or None if it cannot be found.
- Return type:
CDXComponent | None
- static get_dep_components(target_component, root_bom_path, child_bom_paths=None, recursive=False)
Get CycloneDX components that are dependencies of the analyzed target software component.
- Parameters:
target_component (Component) – The analyzed target software component.
root_bom_path (str) – Path to the root bom.json file.
child_bom_paths (list[Path] | None) – The list of paths to sub-project bom.json files.
recursive (bool) – Whether to get all transitive dependencies, otherwise only the direct dependencies will be returned (default: False).
- Yields:
CDXComponent – The dependencies as CycloneDX components.
- Return type:
Iterable[Component]
- static convert_components_to_artifacts(components, purl_type, root_component=None)
Convert CycloneDX components using internal artifact representation.
- Parameters:
components (Iterable[CDXComponent]) – The dependency components.
purl_type (str) – The PURL type for the main target software component.
root_component (CDXComponent | None) – The root CycloneDX component.
- Returns:
A dictionary where dependency artifacts are grouped based on “groupId:artifactId”.
- Return type:
- static get_deps_from_sbom(sbom_path, target_component, recursive=False)
Get the dependencies from a provided SBOM.
- Parameters:
sbom_path (str) – The path to the SBOM.
target_component (Component) – The analyzed target software component.
recursive (bool) – Whether to get all transitive dependencies, otherwise only the direct dependencies will be returned (default: False).
- Returns:
A dictionary where dependency artifacts are grouped based on “groupId:artifactId”.
- Return type:
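The methods above describe a pipeline: deserialize a CycloneDX bom.json, select the dependency components of the analyzed target (directly or transitively, depending on recursive), construct a PackageURL for each one filtered by the target's PURL type, and keep only the latest version of each artifact grouped under a groupId:artifactId key. The following Python is an added example written for this page, not Macaron's own code: it implements that pipeline end to end over a constructed bom.json embedded as a string (no SBOM file or cyclonedx library needed). The minimal parse_purl, version_key and dep_refs helpers are assumptions made for this example, and DependencyInfo here stores the raw purl string rather than a PackageURL object.

```python
"""Added example (not Macaron's own code): resolve the direct or transitive dependencies
of the root component in a CycloneDX bom.json and keep the latest version per artifact."""
from __future__ import annotations

import json
from typing import TypedDict
from urllib.parse import unquote

# Constructed sample bom.json content in CycloneDX JSON shape; not from any real project.
SAMPLE_BOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "pkg:maven/com.example/app@1.0.0",
                                "purl": "pkg:maven/com.example/app@1.0.0"}},
    "components": [
        {"bom-ref": "pkg:maven/org.lib/core@2.3.0", "purl": "pkg:maven/org.lib/core@2.3.0"},
        {"bom-ref": "pkg:maven/org.lib/core@2.5.0", "purl": "pkg:maven/org.lib/core@2.5.0"},
        {"bom-ref": "pkg:maven/org.lib/util@1.1.0", "purl": "pkg:maven/org.lib/util@1.1.0"},
        {"bom-ref": "pkg:maven/org.other/deep@0.9.0", "purl": "pkg:maven/org.other/deep@0.9.0"},
        {"bom-ref": "pkg:npm/%40scope/widget@3.0.0", "purl": "pkg:npm/%40scope/widget@3.0.0"},
    ],
    "dependencies": [
        {"ref": "pkg:maven/com.example/app@1.0.0",
         "dependsOn": ["pkg:maven/org.lib/core@2.3.0", "pkg:maven/org.lib/util@1.1.0",
                       "pkg:npm/%40scope/widget@3.0.0"]},
        {"ref": "pkg:maven/org.lib/util@1.1.0",
         "dependsOn": ["pkg:maven/org.lib/core@2.5.0", "pkg:maven/org.other/deep@0.9.0"]},
    ],
})


class DependencyInfo(TypedDict):
    """Resolved dependency record (hypothetical shape; the page's version holds a PackageURL)."""
    purl: str
    version: str


def parse_purl(purl: str) -> tuple[str, str | None, str, str | None]:
    """Split 'pkg:type/namespace/name@version' into (type, namespace, name, version).
    Minimal parser written for this example; qualifiers and subpath are dropped."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[4:].split("?", 1)[0].split("#", 1)[0]
    path, _, version = body.partition("@")      # '@' inside names is %-encoded, so safe
    ptype, _, rest = path.partition("/")
    parts = rest.split("/")
    namespace = "/".join(unquote(p) for p in parts[:-1]) or None
    return ptype, namespace, unquote(parts[-1]), version or None


def version_key(version: str | None) -> tuple:
    """Simplified dotted-version ordering; numeric parts sort before non-numeric ones."""
    return tuple((1, int(p)) if p.isdigit() else (0, p) for p in (version or "0").split("."))


def dep_refs(bom: dict, root_ref: str, recursive: bool = False) -> list[str]:
    """Breadth-first walk of the CycloneDX 'dependencies' graph starting at root_ref."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    seen: set[str] = set()
    order: list[str] = []
    queue = list(graph.get(root_ref, []))
    while queue:
        ref = queue.pop(0)
        if ref in seen:
            continue
        seen.add(ref)
        order.append(ref)
        if recursive:                            # only descend when transitive deps are wanted
            queue.extend(graph.get(ref, []))
    return order


def resolve_dependencies(bom_json: str, recursive: bool = False) -> dict[str, DependencyInfo]:
    """Group dependency components by 'groupId:artifactId', keeping the latest version,
    and only those whose PURL type matches the root component's type."""
    bom = json.loads(bom_json)
    root = bom["metadata"]["component"]
    root_type = parse_purl(root["purl"])[0]
    by_ref = {c["bom-ref"]: c for c in bom.get("components", [])}
    latest: dict[str, DependencyInfo] = {}
    all_versions: dict[str, list[str]] = {}   # every version seen, kept for debugging
    for ref in dep_refs(bom, root["bom-ref"], recursive):
        comp = by_ref.get(ref)
        if comp is None or "purl" not in comp:
            continue
        ptype, namespace, name, version = parse_purl(comp["purl"])
        if ptype != root_type:                   # mirrors filtering by the target's purl_type
            continue
        key = f"{namespace}:{name}"
        all_versions.setdefault(key, []).append(version or "")
        if key not in latest or version_key(version) > version_key(latest[key]["version"]):
            latest[key] = {"purl": comp["purl"], "version": version or ""}
    return latest


if __name__ == "__main__":
    for key, info in resolve_dependencies(SAMPLE_BOM_JSON, recursive=True).items():
        print(key, "->", info["purl"])
```

With recursive=False only the two Maven components the root depends on directly are returned (the npm component is dropped because its PURL type differs from the root's); with recursive=True the walk also reaches core@2.5.0 through util, so the org.lib:core entry is replaced by the newer version and org.other:deep appears.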
- class macaron.dependency_analyzer.cyclonedx.NoneDependencyAnalyzer
Bases:
DependencyAnalyzer
This class is used to implement an empty dependency analyzer.
- __init__()
Initialize the dependency analyzer instance.
macaron.dependency_analyzer.cyclonedx_python module
This module processes the JSON dependency output files generated by the CycloneDX Maven plugin.
It also collects the direct dependencies that should be processed by Macaron. See https://github.com/CycloneDX/cyclonedx-maven-plugin.
- class macaron.dependency_analyzer.cyclonedx_python.CycloneDxPython(resources_path, file_name, tool_name, tool_version)
Bases:
DependencyAnalyzer
This class implements the CycloneDX Maven plugin analyzer.