feat: support for pipenv.lock file parsing

madpah · madpah · commit 68a2dffc770d · 2021-10-11T16:26:52.000+01:00
Signed-off-by: Paul Horton &lt;phorton@sonatype.com&gt;
diff --git a/README.md b/README.md
@@ -192,6 +192,14 @@ _Note: We refer throughout using XPath, but the same is true for both XML and JS
          <td>Y</td><td>Y</td><td>Y</td><td>Y</td>
          <td>&nbsp;</td>
       </tr>
+      <tr>
+         <td><code>./hashes</code></td>
+         <td>Y</td><td>Y</td><td>Y</td><td>Y</td>
+         <td>
+            These are supported when programmatically creating a <code>Bom</code> - these will not currently be 
+            automatically populated when using a <code>Parser</code>.
+         </td>
+      </tr>
    </tbody>
 </table>
 
diff --git a/cyclonedx/parser/pipenv.py b/cyclonedx/parser/pipenv.py
@@ -0,0 +1,48 @@
+# encoding: utf-8
+
+# This file is part of CycloneDX Python Lib
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.
+import json
+
+from . import BaseParser
+from ..model.component import Component
+
+
+class PipEnvParser(BaseParser):
+
+    def __init__(self, pipenv_contents: str):
+        super().__init__()
+        pipfile_lock_contents = json.loads(pipenv_contents)
+
+        for package_name in pipfile_lock_contents['default'].keys():
+            print('Processing {}'.format(package_name))
+            package_data = pipfile_lock_contents['default'][package_name]
+            c = Component(
+                name=package_name, version=str(package_data['version']).strip('='),
+            )
+
+            # @todo: Add hashes
+
+            self._components.append(c)
+
+
+class PipEnvFileParser(PipEnvParser):
+
+    def __init__(self, pipenv_lock_filename: str):
+        with open(pipenv_lock_filename) as r:
+            super(PipEnvFileParser, self).__init__(pipenv_contents=r.read())
+        r.close()
diff --git a/tests/fixtures/pipfile-lock-simple.txt b/tests/fixtures/pipfile-lock-simple.txt
@@ -0,0 +1,29 @@
+{
+    "_meta": {
+        "hash": {
+            "sha256": "8ca3da46acf801a7780c6781bed1d6b7012664226203447640cda114b13aa8aa"
+        },
+        "pipfile-spec": 6,
+        "requires": {
+            "python_version": "3.9"
+        },
+        "sources": [
+            {
+                "name": "pypi",
+                "url": "https://pypi.org/simple",
+                "verify_ssl": true
+            }
+        ]
+    },
+    "default": {
+        "toml": {
+            "hashes": [
+                "sha256:806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b",
+                "sha256:b3bda1d108d5dd99f4a20d24d9c348e91c4db7ab1b749200bded2f839ccbe68f"
+            ],
+            "index": "pypi",
+            "version": "==0.10.2"
+        }
+    },
+    "develop": {}
+}
diff --git a/tests/test_parser_pipenv.py b/tests/test_parser_pipenv.py
@@ -0,0 +1,35 @@
+# encoding: utf-8
+
+# This file is part of CycloneDX Python Lib
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.
+
+import os
+from unittest import TestCase
+
+from cyclonedx.parser.pipenv import PipEnvFileParser
+
+
+class TestPipEnvParser(TestCase):
+
+    def test_simple(self):
+        tests_pipfile_lock = os.path.join(os.path.dirname(__file__), 'fixtures/pipfile-lock-simple.txt')
+
+        parser = PipEnvFileParser(pipenv_lock_filename=tests_pipfile_lock)
+        self.assertEqual(1, parser.component_count())
+        components = parser.get_components()
+        self.assertEqual('toml', components[0].get_name())
+        self.assertEqual('0.10.2', components[0].get_version())
