Skip to content

feat(lockfile): add lockfile positions for transitive dependencies across all parsers #127

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
anderruiz wants to merge 36 commits into
base: main
Choose a base branch
from
Open

feat(lockfile): add lockfile positions for transitive dependencies across all parsers #127

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
36 commits
Select commit Hold shift + click to select a range
ac34e98
Set BlockLocation for all packages in gradle-lock extractor
anderruiz Apr 14, 2026
ee0ca84
Add BlockLocation assertion test for gradle-lock extractor
anderruiz Apr 14, 2026
596a206
Set BlockLocation for all packages in mix-lock extractor
anderruiz Apr 14, 2026
7ab8e8c
Add BlockLocation test and update mix-lock test expectations
anderruiz Apr 14, 2026
91b896c
Set BlockLocation for all packages in gemfile-lock extractor
anderruiz Apr 14, 2026
744364a
Add BlockLocation test and update gemfile-lock test expectations
anderruiz Apr 14, 2026
f33adbd
Set BlockLocation for all packages in cargo-lock extractor
anderruiz Apr 14, 2026
213f7a7
Add BlockLocation test and update cargo-lock test expectations
anderruiz Apr 14, 2026
44f1ea1
Set BlockLocation for all packages in poetry-lock extractor
anderruiz Apr 14, 2026
c74dd63
Add BlockLocation test and update poetry-lock test expectations
anderruiz Apr 14, 2026
00c92b9
Set BlockLocation for all packages in pdm-lock extractor
anderruiz Apr 14, 2026
33b602a
Add BlockLocation test and update pdm-lock test expectations
anderruiz Apr 14, 2026
5dc4871
Set BlockLocation for all packages in uv-lock extractor
anderruiz Apr 14, 2026
5319be0
Add BlockLocation test and update uv-lock test expectations
anderruiz Apr 14, 2026
562ac20
Set BlockLocation for all packages in composer-lock extractor
anderruiz Apr 14, 2026
385c4e2
Add BlockLocation test and update composer-lock test expectations
anderruiz Apr 14, 2026
bb61609
feat(lockfile): add BlockLocation to pipenv-lock extractor
anderruiz Apr 14, 2026
4f77a01
test(lockfile): update pipenv-lock tests with BlockLocation assertions
anderruiz Apr 14, 2026
5f42fe2
feat(lockfile): add BlockLocation to renv-lock extractor
anderruiz Apr 14, 2026
c624db4
test(lockfile): update renv-lock tests with BlockLocation assertions
anderruiz Apr 14, 2026
2b95b15
feat(lockfile): add BlockLocation to nuget-lock extractor
anderruiz Apr 14, 2026
cfbdacc
test(lockfile): update nuget-lock tests with BlockLocation assertions
anderruiz Apr 14, 2026
b297d12
Add BlockLocation to conan-lock extractor for both V1 and V2 formats
anderruiz Apr 14, 2026
e797df5
test(lockfile): update conan-lock tests with BlockLocation assertions
anderruiz Apr 14, 2026
61bd5d8
feat(lockfile): add BlockLocation to gradle-verification-metadata ext…
anderruiz Apr 14, 2026
f1634f1
test(lockfile): update gradle-verification-metadata tests with BlockL…
anderruiz Apr 14, 2026
43528e8
feat(lockfile): add BlockLocation to pubspec-lock extractor
anderruiz Apr 14, 2026
5708e2e
test(lockfile): update pubspec-lock tests with BlockLocation assertions
anderruiz Apr 14, 2026
710069e
feat(lockfile): add BlockLocation to pnpm-lock extractor
anderruiz Apr 15, 2026
a68e58d
test(lockfile): update pnpm-lock tests with BlockLocation assertions
anderruiz Apr 15, 2026
dfae2ac
feat(lockfile): add BlockLocation to yarn-lock extractor
anderruiz Apr 15, 2026
267b70c
test(lockfile): update yarn-lock tests with BlockLocation assertions
anderruiz Apr 15, 2026
dd1095b
test: update snapshots and fix lint warnings in BlockLocation tests
anderruiz Apr 15, 2026
4456a0b
feat(swift): add BlockLocation to Package.resolved extractor
anderruiz May 6, 2026
b69267a
test(swift): update Package.resolved tests with BlockLocation assertions
anderruiz May 6, 2026
26f333d
test: regenerate integration snapshots after rebase onto main (#141)
anderruiz May 13, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6,458 changes: 5,759 additions & 699 deletions cmd/datadog-sbom-generator/__snapshots__/main_test.snap
View file
Open in desktop

Large diffs are not rendered by default.

49 changes: 44 additions & 5 deletions pkg/lockfile/cpp/parse-conan-lock-v1-revisions_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,8 +2,11 @@ package cpp_test

import (
"io/fs"
"path/filepath"
"testing"

"github.com/stretchr/testify/assert"

"github.com/DataDog/datadog-sbom-generator/pkg/lockfile"
"github.com/DataDog/datadog-sbom-generator/pkg/lockfile/cpp"
"github.com/DataDog/datadog-sbom-generator/pkg/lockfile/internal/testutil"
Expand Down Expand Up @@ -49,7 +52,7 @@ func TestParseConanLock_v1_revisions_OnePackage(t *testing.T) {
t.Errorf("Got unexpected error: %v", err)
}

testutil.ExpectPackages(t, packages, []lockfile.PackageDetails{
testutil.ExpectPackagesWithoutLocations(t, packages, []lockfile.PackageDetails{
{
Name: "zlib",
Version: "1.2.11",
Expand All @@ -68,7 +71,7 @@ func TestParseConanLock_v1_revisions_NoName(t *testing.T) {
t.Errorf("Got unexpected error: %v", err)
}

testutil.ExpectPackages(t, packages, []lockfile.PackageDetails{
testutil.ExpectPackagesWithoutLocations(t, packages, []lockfile.PackageDetails{
{
Name: "zlib",
Version: "1.2.11",
Expand All @@ -87,7 +90,7 @@ func TestParseConanLock_v1_revisions_TwoPackages(t *testing.T) {
t.Errorf("Got unexpected error: %v", err)
}

testutil.ExpectPackages(t, packages, []lockfile.PackageDetails{
testutil.ExpectPackagesWithoutLocations(t, packages, []lockfile.PackageDetails{
{
Name: "zlib",
Version: "1.2.11",
Expand All @@ -112,7 +115,7 @@ func TestParseConanLock_v1_revisions_NestedDependencies(t *testing.T) {
t.Errorf("Got unexpected error: %v", err)
}

testutil.ExpectPackages(t, packages, []lockfile.PackageDetails{
testutil.ExpectPackagesWithoutLocations(t, packages, []lockfile.PackageDetails{
{
Name: "zlib",
Version: "1.2.13",
Expand Down Expand Up @@ -155,7 +158,7 @@ func TestParseConanLock_v1_revisions_OnePackageDev(t *testing.T) {
t.Errorf("Got unexpected error: %v", err)
}

testutil.ExpectPackages(t, packages, []lockfile.PackageDetails{
testutil.ExpectPackagesWithoutLocations(t, packages, []lockfile.PackageDetails{
{
Name: "ninja",
Version: "1.11.1",
Expand All @@ -164,3 +167,39 @@ func TestParseConanLock_v1_revisions_OnePackageDev(t *testing.T) {
},
})
}

func TestParseConanLock_v1_revisions_TwoPackages_BlockLocation(t *testing.T) {
t.Parallel()

packages, err := cpp.ParseConanLock("../fixtures/conan/two-packages.v1.revisions.json")

if err != nil {
t.Errorf("Got unexpected error: %v", err)
}

packagesByName := make(map[string]lockfile.PackageDetails)
for _, pkg := range packages {
packagesByName[pkg.Name] = pkg
}

absoluteLockfilePath, err := filepath.Abs("../fixtures/conan/two-packages.v1.revisions.json")
if err != nil {
t.Fatalf("Could not get absolute path: %v", err)
}

// Node "1": zlib, lines 14-20, column 7-8
zlibPkg := packagesByName["zlib"]
assert.Equal(t, absoluteLockfilePath, zlibPkg.BlockLocation.Filename)
assert.Equal(t, 14, zlibPkg.BlockLocation.Line.Start)
assert.Equal(t, 20, zlibPkg.BlockLocation.Line.End)
assert.Equal(t, 7, zlibPkg.BlockLocation.Column.Start)
assert.Equal(t, 8, zlibPkg.BlockLocation.Column.End)

// Node "2": bzip2, lines 21-27, column 7-8
bzip2Pkg := packagesByName["bzip2"]
assert.Equal(t, absoluteLockfilePath, bzip2Pkg.BlockLocation.Filename)
assert.Equal(t, 21, bzip2Pkg.BlockLocation.Line.Start)
assert.Equal(t, 27, bzip2Pkg.BlockLocation.Line.End)
assert.Equal(t, 7, bzip2Pkg.BlockLocation.Column.Start)
assert.Equal(t, 8, bzip2Pkg.BlockLocation.Column.End)
}
57 changes: 48 additions & 9 deletions pkg/lockfile/cpp/parse-conan-lock-v1_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,8 +2,11 @@ package cpp_test

import (
"io/fs"
"path/filepath"
"testing"

"github.com/stretchr/testify/assert"

"github.com/DataDog/datadog-sbom-generator/pkg/lockfile"
"github.com/DataDog/datadog-sbom-generator/pkg/lockfile/cpp"
"github.com/DataDog/datadog-sbom-generator/pkg/lockfile/internal/testutil"
Expand Down Expand Up @@ -49,7 +52,7 @@ func TestParseConanLock_v1_OnePackage(t *testing.T) {
t.Errorf("Got unexpected error: %v", err)
}

testutil.ExpectPackages(t, packages, []lockfile.PackageDetails{
testutil.ExpectPackagesWithoutLocations(t, packages, []lockfile.PackageDetails{
{
Name: "zlib",
Version: "1.2.11",
Expand All @@ -68,7 +71,7 @@ func TestParseConanLock_v1_NoName(t *testing.T) {
t.Errorf("Got unexpected error: %v", err)
}

testutil.ExpectPackages(t, packages, []lockfile.PackageDetails{
testutil.ExpectPackagesWithoutLocations(t, packages, []lockfile.PackageDetails{
{
Name: "zlib",
Version: "1.2.11",
Expand All @@ -87,7 +90,7 @@ func TestParseConanLock_v1_TwoPackages(t *testing.T) {
t.Errorf("Got unexpected error: %v", err)
}

testutil.ExpectPackages(t, packages, []lockfile.PackageDetails{
testutil.ExpectPackagesWithoutLocations(t, packages, []lockfile.PackageDetails{
{
Name: "zlib",
Version: "1.2.11",
Expand All @@ -112,7 +115,7 @@ func TestParseConanLock_v1_NestedDependencies(t *testing.T) {
t.Errorf("Got unexpected error: %v", err)
}

testutil.ExpectPackages(t, packages, []lockfile.PackageDetails{
testutil.ExpectPackagesWithoutLocations(t, packages, []lockfile.PackageDetails{
{
Name: "zlib",
Version: "1.2.13",
Expand Down Expand Up @@ -155,7 +158,7 @@ func TestParseConanLock_v1_OnePackageDev(t *testing.T) {
t.Errorf("Got unexpected error: %v", err)
}

testutil.ExpectPackages(t, packages, []lockfile.PackageDetails{
testutil.ExpectPackagesWithoutLocations(t, packages, []lockfile.PackageDetails{
{
Name: "ninja",
Version: "1.11.1",
Expand All @@ -174,7 +177,7 @@ func TestParseConanLock_v1_OldFormat00(t *testing.T) {
t.Errorf("Got unexpected error: %v", err)
}

testutil.ExpectPackages(t, packages, []lockfile.PackageDetails{
testutil.ExpectPackagesWithoutLocations(t, packages, []lockfile.PackageDetails{
{
Name: "zlib",
Version: "1.2.11",
Expand All @@ -193,7 +196,7 @@ func TestParseConanLock_v1_OldFormat01(t *testing.T) {
t.Errorf("Got unexpected error: %v", err)
}

testutil.ExpectPackages(t, packages, []lockfile.PackageDetails{
testutil.ExpectPackagesWithoutLocations(t, packages, []lockfile.PackageDetails{
{
Name: "zlib",
Version: "1.2.11",
Expand All @@ -212,7 +215,7 @@ func TestParseConanLock_v1_OldFormat02(t *testing.T) {
t.Errorf("Got unexpected error: %v", err)
}

testutil.ExpectPackages(t, packages, []lockfile.PackageDetails{
testutil.ExpectPackagesWithoutLocations(t, packages, []lockfile.PackageDetails{
{
Name: "zlib",
Version: "1.2.11",
Expand All @@ -231,7 +234,7 @@ func TestParseConanLock_v1_OldFormat03(t *testing.T) {
t.Errorf("Got unexpected error: %v", err)
}

testutil.ExpectPackages(t, packages, []lockfile.PackageDetails{
testutil.ExpectPackagesWithoutLocations(t, packages, []lockfile.PackageDetails{
{
Name: "zlib",
Version: "1.2.11",
Expand All @@ -240,3 +243,39 @@ func TestParseConanLock_v1_OldFormat03(t *testing.T) {
},
})
}

func TestParseConanLock_v1_TwoPackages_BlockLocation(t *testing.T) {
t.Parallel()

packages, err := cpp.ParseConanLock("../fixtures/conan/two-packages.v1.json")

if err != nil {
t.Errorf("Got unexpected error: %v", err)
}

packagesByName := make(map[string]lockfile.PackageDetails)
for _, pkg := range packages {
packagesByName[pkg.Name] = pkg
}

absoluteLockfilePath, err := filepath.Abs("../fixtures/conan/two-packages.v1.json")
if err != nil {
t.Fatalf("Could not get absolute path: %v", err)
}

// Node "1": zlib, lines 14-20, column 7-8
zlibPkg := packagesByName["zlib"]
assert.Equal(t, absoluteLockfilePath, zlibPkg.BlockLocation.Filename)
assert.Equal(t, 14, zlibPkg.BlockLocation.Line.Start)
assert.Equal(t, 20, zlibPkg.BlockLocation.Line.End)
assert.Equal(t, 7, zlibPkg.BlockLocation.Column.Start)
assert.Equal(t, 8, zlibPkg.BlockLocation.Column.End)

// Node "2": bzip2, lines 21-27, column 7-8
bzip2Pkg := packagesByName["bzip2"]
assert.Equal(t, absoluteLockfilePath, bzip2Pkg.BlockLocation.Filename)
assert.Equal(t, 21, bzip2Pkg.BlockLocation.Line.Start)
assert.Equal(t, 27, bzip2Pkg.BlockLocation.Line.End)
assert.Equal(t, 7, bzip2Pkg.BlockLocation.Column.Start)
assert.Equal(t, 8, bzip2Pkg.BlockLocation.Column.End)
}
45 changes: 40 additions & 5 deletions pkg/lockfile/cpp/parse-conan-lock-v2_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,8 +2,11 @@ package cpp_test

import (
"io/fs"
"path/filepath"
"testing"

"github.com/stretchr/testify/assert"

"github.com/DataDog/datadog-sbom-generator/pkg/lockfile"
"github.com/DataDog/datadog-sbom-generator/pkg/lockfile/cpp"
"github.com/DataDog/datadog-sbom-generator/pkg/lockfile/internal/testutil"
Expand Down Expand Up @@ -49,7 +52,7 @@ func TestParseConanLock_v2_OnePackage(t *testing.T) {
t.Errorf("Got unexpected error: %v", err)
}

testutil.ExpectPackages(t, packages, []lockfile.PackageDetails{
testutil.ExpectPackagesWithoutLocations(t, packages, []lockfile.PackageDetails{
{
Name: "zlib",
Version: "1.2.11",
Expand All @@ -69,7 +72,7 @@ func TestParseConanLock_v2_NoName(t *testing.T) {
t.Errorf("Got unexpected error: %v", err)
}

testutil.ExpectPackages(t, packages, []lockfile.PackageDetails{
testutil.ExpectPackagesWithoutLocations(t, packages, []lockfile.PackageDetails{
{
Name: "zlib",
Version: "1.2.11",
Expand All @@ -89,7 +92,7 @@ func TestParseConanLock_v2_TwoPackages(t *testing.T) {
t.Errorf("Got unexpected error: %v", err)
}

testutil.ExpectPackages(t, packages, []lockfile.PackageDetails{
testutil.ExpectPackagesWithoutLocations(t, packages, []lockfile.PackageDetails{
{
Name: "zlib",
Version: "1.2.11",
Expand All @@ -116,7 +119,7 @@ func TestParseConanLock_v2_NestedDependencies(t *testing.T) {
t.Errorf("Got unexpected error: %v", err)
}

testutil.ExpectPackages(t, packages, []lockfile.PackageDetails{
testutil.ExpectPackagesWithoutLocations(t, packages, []lockfile.PackageDetails{
{
Name: "zlib",
Version: "1.2.13",
Expand Down Expand Up @@ -164,7 +167,7 @@ func TestParseConanLock_v2_OnePackageDev(t *testing.T) {
t.Errorf("Got unexpected error: %v", err)
}

testutil.ExpectPackages(t, packages, []lockfile.PackageDetails{
testutil.ExpectPackagesWithoutLocations(t, packages, []lockfile.PackageDetails{
{
Name: "ninja",
Version: "1.11.1",
Expand All @@ -174,3 +177,35 @@ func TestParseConanLock_v2_OnePackageDev(t *testing.T) {
},
})
}

func TestParseConanLock_v2_TwoPackages_BlockLocation(t *testing.T) {
t.Parallel()

packages, err := cpp.ParseConanLock("../fixtures/conan/two-packages.v2.json")

if err != nil {
t.Errorf("Got unexpected error: %v", err)
}

packagesByName := make(map[string]lockfile.PackageDetails)
for _, pkg := range packages {
packagesByName[pkg.Name] = pkg
}

absoluteLockfilePath, err := filepath.Abs("../fixtures/conan/two-packages.v2.json")
if err != nil {
t.Fatalf("Could not get absolute path: %v", err)
}

// zlib on line 4: "zlib/1.2.11#ffa77daf83a57094149707928bdce823%1667396813.184"
zlibPkg := packagesByName["zlib"]
assert.Equal(t, absoluteLockfilePath, zlibPkg.BlockLocation.Filename)
assert.Equal(t, 4, zlibPkg.BlockLocation.Line.Start)
assert.Equal(t, 4, zlibPkg.BlockLocation.Line.End)

// bzip2 on line 5: "bzip2/1.0.8#464be69744fa6d48ed01928cfe470008%1666580345.213"
bzip2Pkg := packagesByName["bzip2"]
assert.Equal(t, absoluteLockfilePath, bzip2Pkg.BlockLocation.Filename)
assert.Equal(t, 5, bzip2Pkg.BlockLocation.Line.Start)
assert.Equal(t, 5, bzip2Pkg.BlockLocation.Line.End)
}
Loading
Loading