Enable Python (#10)

* Enable Python Support using the standard library AST parser

Author: 101arrowz

README.md

@@ -4,19 +4,21 @@ This extension provides automatic reporting of security concerns from [Socket Se
 
 ## Ahead of Package Installation
 
-* `import` and `require` in Javascript are detected and given summary scores to show concerns with configurable overlays. These overlays will persist even after package installation.
+* Package imports in JavaScript and Python are detected and given summary scores to show concerns with configurable overlays. These overlays will persist even after package installation.
+
+* Socket detects multiple alternate forms of package imports, including dynamic `import()` or `require` in JavaScript or `importlib.import_module` in Python.
 
 ## After Package Installation
 
-Workspaces are against Socket's reporting utilities upon detection of `package.json` files. Note these also run prior to actual installation as the presence in `package.json` is enough.
+Workspaces are run against Socket's reporting utilities upon detection of JavaScript or Python dependencies. Note these also run prior to actual installation: presence in `package.json`, `requirements.txt`, or any other supported file is enough.
 
-* `package.json` files and packages listed within are detected and run against more thorough issue reporting to see exact issues. These are listed in the "Problems" tab for easy access.
+* Package dependency files like `package.json` and `pyproject.toml` are run against more thorough issue reporting to see exact issues for each dependency. These are listed in the "Problems" tab for easy access.
 
-* `import` and `require` of packages with issues found in reporting are provided hovers which also summarize their issues.
+* You can hover over package imports in JavaScript or Python code to see a summary of their issues.
 
 ## Pull Requests
 
-* Simplified github application installation is provided as a code lense inside of `package.json` files by detecting the user/organization and setting up the installation workflow automatically with a simple click. These reports are more fully featured and include things such as transitive issue aggregation and diffing from one commit to another. If you want these features please install [the github app](https://github.com/marketplace/socket-security).
+* Simplified GitHub application installation is available as a code lens. It detects your username/organization and sets up the installation workflow automatically with a simple click. These reports are more extensive than the ones provided within the extension and include things such as transitive issue aggregation and diffing from one commit to another. If you want these features, please install [the GitHub app](https://github.com/marketplace/socket-security).
 
 # Team Guide
 

package-lock.json

@@ -13,6 +13,7 @@
         "Code Analysis",
         "Code Quality",
         "JavaScript",
+        "Python",
         "Security",
         "Static Code Analysis",
         "TypeScript"
@@ -21,6 +22,7 @@
         "Code Analysis",
         "Code Quality",
         "JavaScript",
+        "Python",
         "Security",
         "Static Code Analysis",
         "TypeScript"
@@ -31,8 +33,12 @@
     },
     "icon": "socket-square.png",
     "activationEvents": [
-        "workspaceContains:**/package.json",
-        "workspaceContains:**/socket.yml",
+        "workspaceContains:**/[pP][aA][cC][kK][aA][gG][eE].[jJ][sS][oO][nN]",
+        "workspaceContains:**/[sS][oO][cC][kK][eE][tT].[yY][mM][lL]",
+        "workspaceContains:**/{*[rR][eE][qQ][uU][iI][rR][eE][mM][eE][nN][tT][sS].[tT][xX][tT],[rR][eE][qQ][uU][iI][rR][eE][mM][eE][nN][tT][sS]/*.[tT][xX][tT],[rR][eE][qQ][uU][iI][rR][eE][mM][eE][nN][tT][sS]-*.[tT][xX][tT],[rR][eE][qQ][uU][iI][rR][eE][mM][eE][nN][tT][sS].[fF][rR][oO][zZ][eE][nN]}",
+        "workspaceContains:**/[pP][yY][pP][rR][oO][jJ][eE][cC][tT].[tT][oO][mM][lL]",
+        "workspaceContains:**/[pP][iI][pP][fF][iI][lL][eE]",
+        "onLanguage:python",
         "onLanguage:javascript"
     ],
     "type": "commonjs",
@@ -95,6 +101,14 @@
                     "type": "boolean",
                     "default": true,
                     "description": "Create reports from package manifest files (package.json / package-lock.json) that require sending data remotely. Disabling this will disable all issues but keep scores listed."
+                },
+                "socket-security.pythonInterpreter": {
+                    "order": 5,
+                    "type": "string",
+                    "description": "Path to a Python interpreter to use for Socket dependency analysis.",
+                    "examples": [
+                        "/usr/bin/python"
+                    ]
                 }
             }
         }
@@ -117,11 +131,13 @@
         "@babel/parser": "^7.20.7",
         "@socketsecurity/config": "^2.0.0",
         "acorn-walk": "^8.2.0",
+        "antlr4": "^4.13.0",
         "ast-types": "^0.14.2",
         "form-data-encoder": "^3.0.0",
         "formdata-node": "^5.0.1",
         "ini": "^3.0.1",
         "json-to-ast": "^2.1.0",
+        "micromatch": "^4.0.5",
         "octokit": "^2.0.10",
         "safe-stable-stringify": "^2.4.1",
         "semver": "^7.3.8",
@@ -136,6 +152,7 @@
         "@typescript-eslint/parser": "^5.42.0",
         "esbuild": "^0.16.7",
         "eslint": "^8.26.0",
+        "toml-eslint-parser": "^0.6.0",
         "typescript": "^4.8.4",
         "vsce": "^2.15.0"
     },

package.json

@@ -1,5 +1,5 @@
 import * as vscode from 'vscode'
-import {workspace} from 'vscode'
+import { parseTOML, getStaticTOMLValue } from 'toml-eslint-parser';
 import ini from 'ini'
 import { Octokit } from 'octokit';
 import { getWorkspaceFolderURI } from '../util';
@@ -22,7 +22,7 @@ async function sniffForGithubOrgOrUser(workspaceRootURI: vscode.Uri): Promise<st
     // package.json repository
     try {
         const pkg = JSON.parse(
-            Buffer.from(await workspace.fs.readFile(
+            Buffer.from(await vscode.workspace.fs.readFile(
                 vscode.Uri.joinPath(workspaceRootURI, 'package.json')
             )).toString()
         )
@@ -37,12 +37,32 @@ async function sniffForGithubOrgOrUser(workspaceRootURI: vscode.Uri): Promise<st
             const found = orgOrUserFromString(url)
             if (found) return found
         }
-    } catch (e) {
-    }
+    } catch (e) {}
+
+    // poetry in pyproject.toml
+    try {
+        const pyproject = getStaticTOMLValue(parseTOML(
+            Buffer.from(await vscode.workspace.fs.readFile(
+                vscode.Uri.joinPath(workspaceRootURI, 'pyproject.toml')
+            )).toString()
+        )) as {
+            tool?: {
+                poetry?: {
+                    repository?: string;
+                }
+            }
+        };
+        const url = pyproject.tool?.poetry?.repository;
+        if (url) {
+            const found = orgOrUserFromString(url)
+            if (found) return found
+        }
+    } catch (e) {}
+
     // git remotes?
     try {
         const gitConfig = ini.parse(
-            Buffer.from(await workspace.fs.readFile(
+            Buffer.from(await vscode.workspace.fs.readFile(
                 vscode.Uri.joinPath(workspaceRootURI, '.git', 'config')
             )).toString()
         )
@@ -55,7 +75,7 @@ async function sniffForGithubOrgOrUser(workspaceRootURI: vscode.Uri): Promise<st
                 }
             }
         }
-    } catch {}
+    } catch (e) {}
 }
 
 export function installGithubApp(uri: vscode.Uri) {

src/data/github.ts

@@ -0,0 +1,51 @@
+import { IncomingMessage } from 'node:http';
+import * as https from 'node:https';
+import { once } from 'node:stream';
+import { text } from 'stream/consumers';
+
+export type GlobPatterns = Record<string, Record<string, { pattern: string }>>
+
+let globPatternsPromise: Promise<GlobPatterns> | undefined;
+
+const replaceCasedChars = (chars: string) =>
+    chars.replace(/[a-zA-Z]/g, c => `[${c.toLowerCase()}${c.toUpperCase()}]`)
+
+// TODO: can VSCode do case insensitive match without this?
+function caseDesensitize(pattern: string) {
+    let out = '';
+    const charGroup = /\[[^\]]+?\]/g
+    let lastIndex = 0;
+    for (let match: RegExpExecArray | null = null; match = charGroup.exec(pattern);) {
+        out += replaceCasedChars(pattern.slice(lastIndex, match.index)) + match[0];
+        lastIndex = match.index + match[0].length;
+    }
+    out += replaceCasedChars(pattern.slice(lastIndex));
+    return out;
+}
+
+export async function getGlobPatterns() {
+    if (!globPatternsPromise) {
+        const req = https.get('https://api.socket.dev/v0/report/supported')
+        req.end()
+        globPatternsPromise = (once(req, 'response') as Promise<[IncomingMessage]>)
+            .then(async ([res]) => {
+                const result = JSON.parse(await text(res))
+                if (res.statusCode !== 200) {
+                    throw new Error(result.error.message)
+                }
+                for (const eco in result) {
+                    for (const name in result[eco]) {
+                        const target = result[eco][name];
+                        target.pattern = caseDesensitize(target.pattern)
+                    }
+                }
+                return result
+            }).
+            catch(err => {
+                // allow retry
+                globPatternsPromise = undefined
+                throw err
+            })
+    }
+    return globPatternsPromise
+}