Merge pull request #53 from snyk/feat/pip-report-to-graph

feat: convert pip report into a graph

Author: james-snyk

pkg/ecosystems/python/pip/depgraph.go

@@ -0,0 +1,106 @@
+package pip
+
+import (
+	"fmt"
+	"log/slog"
+	"regexp"
+	"strings"
+
+	"github.com/snyk/cli-extension-dep-graph/pkg/ecosystems"
+)
+
+// depStringPattern extracts the package name from a dependency string.
+// Example: "urllib3 (<3,>=1.21.1)" -> "urllib3".
+// Example: "certifi (>=2017.4.17)" -> "certifi".
+// Example: "idna (<4,>=2.5)" -> "idna".
+var depStringPattern = regexp.MustCompile(`^([a-zA-Z0-9._-]+)`)
+
+// ToDepgraph converts a pip install Report into a Depgraph.
+// The root package ID is "root" and points to all direct dependencies.
+func (r *Report) ToDepgraph() (*ecosystems.Depgraph, error) {
+	if r == nil {
+		return nil, fmt.Errorf("report cannot be nil")
+	}
+
+	slog.Debug("Converting pip report to depgraph", slog.Int("total_packages", len(r.Install)))
+
+	// First pass: index packages by name for dependency resolution
+	// Pip's dependency resolver ensures only one version of each package is installed
+	slog.Debug("Building package name index for dependency resolution")
+	packageByName := make(map[string]InstallItem)
+	for _, item := range r.Install {
+		packageByName[strings.ToLower(item.Metadata.Name)] = item
+	}
+
+	// Second pass: build packages, graph, and collect direct dependencies
+	slog.Debug("Building dependency graph")
+	packages := make(map[ecosystems.PackageID]ecosystems.Package)
+	graph := make(map[ecosystems.PackageID][]ecosystems.PackageID)
+	var directDeps []ecosystems.PackageID
+
+	for _, item := range r.Install {
+		version := item.Metadata.Version
+		if version == "" {
+			slog.Debug("Package has empty version, using fallback",
+				slog.String("package", item.Metadata.Name))
+			version = "?"
+		}
+		pkgID := toPackageID(item.Metadata.Name, version)
+
+		// Add to packages map
+		packages[pkgID] = ecosystems.Package{
+			PackageID:   pkgID,
+			PackageName: item.Metadata.Name,
+			Version:     version,
+		}
+
+		// Track direct dependencies
+		if item.IsDirectDependency() {
+			directDeps = append(directDeps, pkgID)
+		}
+
+		// Build dependency list for this package
+		var deps []ecosystems.PackageID
+		for _, depString := range item.Metadata.RequiresDist {
+			if depName := extractPackageName(depString); depName != "" {
+				if depItem, found := packageByName[strings.ToLower(depName)]; found {
+					depVersion := depItem.Metadata.Version
+					if depVersion == "" {
+						depVersion = "?"
+					}
+					deps = append(deps, toPackageID(depItem.Metadata.Name, depVersion))
+				}
+			}
+		}
+		graph[pkgID] = deps
+	}
+
+	// Add root pointing to direct dependencies
+	graph["root"] = directDeps
+
+	slog.Debug("Successfully converted pip report to depgraph",
+		slog.Int("total_packages", len(packages)),
+		slog.Int("direct_dependencies", len(directDeps)),
+		slog.Int("graph_nodes", len(graph)))
+
+	return &ecosystems.Depgraph{
+		Packages:      packages,
+		Graph:         graph,
+		RootPackageID: "root",
+	}, nil
+}
+
+// toPackageID creates a PackageID in the format "name@version".
+func toPackageID(name, version string) ecosystems.PackageID {
+	return ecosystems.PackageID(fmt.Sprintf("%s@%s", name, version))
+}
+
+// extractPackageName extracts the package name from a dependency string.
+// Example: "urllib3 (<3,>=1.21.1)" -> "urllib3".
+func extractPackageName(depString string) string {
+	matches := depStringPattern.FindStringSubmatch(depString)
+	if len(matches) > 1 {
+		return matches[1]
+	}
+	return ""
+}

pkg/ecosystems/python/pip/depgraph_test.go

@@ -0,0 +1,175 @@
+//go:build !integration
+// +build !integration
+
+package pip
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/snyk/cli-extension-dep-graph/pkg/ecosystems"
+)
+
+func TestReport_ToDepgraph(t *testing.T) {
+	t.Run("simple report with direct and transitive deps", func(t *testing.T) {
+		report := &Report{
+			Install: []InstallItem{
+				{
+					Metadata: PackageMetadata{
+						Name:    "requests",
+						Version: "2.31.0",
+						RequiresDist: []string{
+							"urllib3 (<3,>=1.21.1)",
+							"certifi (>=2017.4.17)",
+						},
+					},
+					Requested: true, // Direct dependency
+				},
+				{
+					Metadata: PackageMetadata{
+						Name:    "urllib3",
+						Version: "2.0.4",
+						RequiresDist: []string{
+							"certifi",
+						},
+					},
+					Requested: false, // Transitive dependency
+				},
+				{
+					Metadata: PackageMetadata{
+						Name:         "certifi",
+						Version:      "2023.7.22",
+						RequiresDist: []string{}, // Leaf package
+					},
+					Requested: false, // Transitive dependency
+				},
+			},
+		}
+
+		depgraph, err := report.ToDepgraph()
+		require.NoError(t, err)
+
+		// Verify structure
+		assert.Equal(t, ecosystems.PackageID("root"), depgraph.RootPackageID)
+		assert.Len(t, depgraph.Packages, 3)
+		assert.Len(t, depgraph.Graph, 4) // 3 packages + root
+
+		// Verify root points to direct dependency
+		assert.Equal(t, []ecosystems.PackageID{"[email protected]"}, depgraph.Graph["root"])
+
+		// Verify dependency chain
+		assert.ElementsMatch(t, []ecosystems.PackageID{"[email protected]", "[email protected]"},
+			depgraph.Graph["[email protected]"])
+		assert.Equal(t, []ecosystems.PackageID{"[email protected]"},
+			depgraph.Graph["[email protected]"])
+		assert.Empty(t, depgraph.Graph["[email protected]"])
+	})
+
+	t.Run("multiple direct dependencies", func(t *testing.T) {
+		report := &Report{
+			Install: []InstallItem{
+				{
+					Metadata: PackageMetadata{
+						Name:         "requests",
+						Version:      "2.31.0",
+						RequiresDist: []string{},
+					},
+					Requested: true,
+				},
+				{
+					Metadata: PackageMetadata{
+						Name:         "flask",
+						Version:      "2.3.0",
+						RequiresDist: []string{},
+					},
+					Requested: true,
+				},
+			},
+		}
+
+		depgraph, err := report.ToDepgraph()
+		require.NoError(t, err)
+
+		assert.Len(t, depgraph.Packages, 2)
+		assert.ElementsMatch(t, []ecosystems.PackageID{"[email protected]", "[email protected]"},
+			depgraph.Graph["root"])
+	})
+
+	t.Run("empty report", func(t *testing.T) {
+		report := &Report{
+			Install: []InstallItem{},
+		}
+
+		depgraph, err := report.ToDepgraph()
+		require.NoError(t, err)
+
+		assert.Empty(t, depgraph.Packages)
+		assert.Empty(t, depgraph.Graph["root"])
+	})
+
+	t.Run("nil report", func(t *testing.T) {
+		var report *Report
+		_, err := report.ToDepgraph()
+		assert.Error(t, err)
+		assert.Contains(t, err.Error(), "cannot be nil")
+	})
+}
+
+func TestExtractPackageName(t *testing.T) {
+	tests := map[string]struct {
+		depString string
+		want      string
+	}{
+		"with_constraints":        {"urllib3 (<3,>=1.21.1)", "urllib3"},
+		"with_extras":             {"requests[security] (>=2.20.0)", "requests"},
+		"special_chars":           {"some-package_name.py (>=1.0)", "some-package_name.py"},
+		"no_constraints":          {"certifi", "certifi"},
+		"empty":                   {"", ""},
+		"no_space_version":        {"idna>=3.3", "idna"},
+		"with_extra_marker":       {"mypy; extra == \"dev\"", "mypy"},
+		"hyphenated_with_extra":   {"pre-commit; extra == \"dev\"", "pre-commit"},
+		"hyphenated_with_marker":  {"pytest-cov; extra == \"dev\"", "pytest-cov"},
+		"multiple_hyphens":        {"pytest-socket; extra == \"dev\"", "pytest-socket"},
+		"simple_with_extra":       {"pytest; extra == \"dev\"", "pytest"},
+		"single_char_with_marker": {"ruff; extra == \"dev\"", "ruff"},
+	}
+
+	for name, tt := range tests {
+		t.Run(name, func(t *testing.T) {
+			assert.Equal(t, tt.want, extractPackageName(tt.depString))
+		})
+	}
+}
+
+func TestToPackageID(t *testing.T) {
+	tests := map[string]struct {
+		name    string
+		version string
+		want    ecosystems.PackageID
+	}{
+		"standard package": {
+			name:    "requests",
+			version: "2.31.0",
+			want:    "[email protected]",
+		},
+		"package with dash": {
+			name:    "some-package",
+			version: "1.0.0",
+			want:    "[email protected]",
+		},
+		"empty version": {
+			name:    "package",
+			version: "",
+			want:    "package@", // toPackageID doesn't handle fallback
+		},
+	}
+
+	for name, tt := range tests {
+		t.Run(name, func(t *testing.T) {
+			got := toPackageID(tt.name, tt.version)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}