Support Ruby GIT remote dependencies (#1406)

zlav · web-flow · commit f3e6b7a796a7 · 2024-04-18T20:26:10.000Z
* basic fix

* handle exclamation, tests, docs

* CR changes
diff --git a/Changelog.md b/Changelog.md
@@ -1,8 +1,8 @@
 # FOSSA CLI Changelog
 
-## Unreleased
-
-- Reports: Increase the timeout when hitting the report generation API endpoint
+## v3.9.13
+- Support GIT dependencies in Bundler projects ([#1403](https://github.com/fossas/fossa-cli/pull/1403/files))
+- Reports: Increase the timeout when hitting the report generation API endpoint ([#1412](https://github.com/fossas/fossa-cli/pull/1412)).
 
 ## v3.9.12
 - `--detect-dynamic`: Fix deb tatic parsing ([#1401](https://github.com/fossas/fossa-cli/pull/1401)).
diff --git a/docs/references/strategies/languages/ruby/ruby.md b/docs/references/strategies/languages/ruby/ruby.md
@@ -20,6 +20,7 @@ parse a lockfile or run the `bundle` cli to determine dependencies.
  
 The lockfile strategy attempts to parse Bundler's `Gemfile.lock` lockfile. This file is created by bundler itself after a build is completed and can be distributed in order to maintain reproducible builds. It contains the following information about a Ruby project:
 - The location for each dependency. These locations are each separate sections and the ones of note are `GIT`, `PATH`, and `GEM` which provide their remote in the `remote: <location>` line.
+  - `GIT` and `GEM` type dependencies are supported. `PATH` and any others are not and will show up as `GEM` type dependencies.
 - Each dependencies required dependencies. These required dependencies are listed in the remote sections directly following each dependency from that remote.
 - All direct dependencies, listed in the `DEPENDENCIES` section.
 - Platforms that this ruby project is compatible with, listed in the `PLATFORMS` sections.
diff --git a/integration-test/Analysis/RubySpec.hs b/integration-test/Analysis/RubySpec.hs
@@ -24,4 +24,4 @@ rails =
 
 spec :: Spec
 spec = do
-  testSuiteDepResultSummary rails BundlerProjectType (DependencyResultsSummary 210 70 293 1 Complete)
+  testSuiteDepResultSummary rails BundlerProjectType (DependencyResultsSummary 206 70 293 1 Complete)
diff --git a/src/Strategy/Ruby/GemfileLock.hs b/src/Strategy/Ruby/GemfileLock.hs
@@ -8,15 +8,17 @@ module Strategy.Ruby.GemfileLock (
   Section (..),
 ) where
 
-import Control.Effect.Diagnostics
+import Control.Effect.Diagnostics (Diagnostics, context)
 import Data.Char qualified as C
 import Data.Foldable (traverse_)
 import Data.Functor (void)
 import Data.Map.Strict (Map)
 import Data.Map.Strict qualified as Map
+import Data.Maybe (fromMaybe)
 import Data.Set (Set)
 import Data.String.Conversion (toString)
 import Data.Text (Text)
+import Data.Text qualified as Text
 import Data.Void (Void)
 import DepTypes
 import Effect.Grapher
@@ -89,9 +91,9 @@ toDependency pkg = foldr applyLabel start
         }
 
     applyLabel :: GemfileLabel -> Dependency -> Dependency
-    applyLabel (GemfileVersion ver) dep = dep{dependencyVersion = Just (CEq ver)}
+    applyLabel (GemfileVersion ver) dep = dep{dependencyVersion = dependencyVersion dep <|> (Just . CEq) ver}
     applyLabel (GitRemote repo maybeRevision) dep =
-      dep{dependencyLocations = maybe repo (\revision -> repo <> "@" <> revision) maybeRevision : dependencyLocations dep}
+      dep{dependencyType = GitType, dependencyName = repo, dependencyVersion = (Just . CEq) =<< maybeRevision, dependencyLocations = maybe repo (\revision -> repo <> "@" <> revision) maybeRevision : dependencyLocations dep}
     applyLabel (OtherRemote loc) dep =
       dep{dependencyLocations = loc : dependencyLocations dep}
 
@@ -257,8 +259,12 @@ dependenciesSectionParser = L.nonIndented scn $
     _ <- chunk "DEPENDENCIES"
     pure $ L.IndentMany Nothing (pure . DependencySection) findDependency
 
+-- Check for the Bundler convention that uses !'s to signify if a dep is from remote.
+-- We already check to see if the dep is part of another remote, so we can remove it.
+-- https://groups.google.com/g/ruby-bundler/c/QxlNGzK3rEY
+-- One supporting repository example: https://github.com/percy/example-rails/tree/master
 findDependency :: Parser DirectDep
 findDependency = do
   dep <- findDep
   _ <- ignored
-  pure $ DirectDep dep
+  pure $ DirectDep $ fromMaybe dep $ Text.stripSuffix "!" dep
diff --git a/test/Ruby/GemfileLockSpec.hs b/test/Ruby/GemfileLockSpec.hs
@@ -13,10 +13,10 @@ import Text.Megaparsec
 dependencyOne :: Dependency
 dependencyOne =
   Dependency
-    { dependencyType = GemType
-    , dependencyName = "dep-one"
-    , dependencyVersion = Just (CEq "1.0.0")
-    , dependencyLocations = ["temp@12345"]
+    { dependencyType = GitType
+    , dependencyName = "url-for-dep-one"
+    , dependencyVersion = Just (CEq "12345")
+    , dependencyLocations = ["url-for-dep-one@12345"]
     , dependencyEnvironments = mempty
     , dependencyTags = Map.empty
     }
@@ -46,7 +46,7 @@ dependencyThree =
 gitSection :: Section
 gitSection =
   GitSection
-    "temp"
+    "url-for-dep-one"
     (Just "12345")
     (Just "branch")
     [ Spec
diff --git a/test/Ruby/testdata/gemfileLock b/test/Ruby/testdata/gemfileLock
@@ -1,5 +1,5 @@
 GIT
-  remote: temp
+  remote: url-for-dep-one
   revision: 12345
   branch: branch
   specs:
@@ -18,7 +18,7 @@ PLATFORMS
   ruby
 
 DEPENDENCIES
-  dep-one (~> 0.8.13)
+  dep-one! (~> 0.8.13)
   dep-two (>= 4.2.1, < 5.0.0)
 
 BUNDLED WITH
