refactor: SCA-83 unify dependency relation tracking and replace IsDirectDependency field

Author: iseki0

envinspection/inspection.go

@@ -104,7 +104,7 @@ func inspectInstalledSoftware(ctx context.Context, module *model.Module) {
 	}
 	for i := range module.Dependencies {
 		module.Dependencies[i].IsOnline.SetOnline(false)
-		module.Dependencies[i].IsDirectDependency = true
+		module.Dependencies[i].DependencyRelation = model.DependencyRelationDirect
 		module.Dependencies[i].EcoRepo.Repository = module.PackageManager
 	}
 	task.Modules = append(task.Modules, *module)

model/dependency.go

@@ -2,8 +2,8 @@ package model
 
 type DependencyItem struct {
 	Component
-	Dependencies       []DependencyItem `json:"dependencies,omitempty"`
-	IsDirectDependency bool             `json:"is_direct_dependency,omitempty"`
-	MavenScope         string           `json:"maven_scope,omitempty"`
-	IsOnline           IsOnline         `json:"is_online"`
+	Dependencies       []DependencyItem   `json:"dependencies,omitempty"`
+	DependencyRelation DependencyRelation `json:"dependency_relation"`
+	MavenScope         string             `json:"maven_scope,omitempty"`
+	IsOnline           IsOnline           `json:"is_online"`
 }

model/dependency_relation.go

@@ -0,0 +1,38 @@
+package model
+
+import (
+	"encoding"
+	"errors"
+)
+
+//go:generate stringer -linecomment -type DependencyRelation -output dependency_relation_string.go
+type DependencyRelation int
+
+func (i DependencyRelation) MarshalText() (text []byte, err error) {
+	return []byte(i.String()), nil
+}
+
+func (i *DependencyRelation) UnmarshalText(text []byte) error {
+	switch string(text) {
+	case DependencyRelationUnknown.String():
+		*i = DependencyRelationUnknown
+		return nil
+	case DependencyRelationDirect.String():
+		*i = DependencyRelationDirect
+		return nil
+	case DependencyRelationTransitive.String():
+		*i = DependencyRelationTransitive
+		return nil
+	default:
+		return errors.New("bad dependency relation")
+	}
+}
+
+const (
+	DependencyRelationUnknown    DependencyRelation = 1 // Unknown
+	DependencyRelationDirect     DependencyRelation = 2 // Direct
+	DependencyRelationTransitive DependencyRelation = 3 // Transitive
+)
+
+var _ encoding.TextUnmarshaler = (*DependencyRelation)(nil)
+var _ encoding.TextMarshaler = DependencyRelation(0)

model/dependency_relation_string.go

@@ -2,16 +2,17 @@ package arkts
 
 import (
 	"context"
-	"github.com/murphysecurity/murphysec/infra/logctx"
-	"github.com/murphysecurity/murphysec/model"
-	"github.com/murphysecurity/murphysec/utils"
-	"github.com/samber/lo"
-	"github.com/titanous/json5"
 	"io"
 	"os"
 	"path/filepath"
 	"sort"
 	"strings"
+
+	"github.com/murphysecurity/murphysec/infra/logctx"
+	"github.com/murphysecurity/murphysec/model"
+	"github.com/murphysecurity/murphysec/utils"
+	"github.com/samber/lo"
+	"github.com/titanous/json5"
 )
 
 const (
@@ -77,7 +78,7 @@ func _buildDepTreeVisit(visited map[[2]string]struct{}, next [2]string, root *lo
 			EcoRepo:     ecoRepo,
 		},
 		Dependencies:       nil,
-		IsDirectDependency: false,
+		DependencyRelation: model.DependencyRelationTransitive,
 	}
 
 	if _, ok := visited[next]; ok {
@@ -181,7 +182,7 @@ func analyze(ctx context.Context) (e error) {
 		m.Dependencies = append(m.Dependencies, _buildDepTreeVisit(map[[2]string]struct{}{}, it, &lock))
 	}
 	for i := range m.Dependencies {
-		m.Dependencies[i].IsDirectDependency = true
+		m.Dependencies[i].DependencyRelation = model.DependencyRelationDirect
 	}
 	task.AddModule(m)
 	return

module/arkts/arkts.go

@@ -2,13 +2,14 @@ package bundler
 
 import (
 	"context"
+	"os"
+	"path/filepath"
+
 	"github.com/murphysecurity/murphysec/infra/logctx"
 	"github.com/murphysecurity/murphysec/model"
 	"github.com/murphysecurity/murphysec/utils"
 	"github.com/pkg/errors"
 	"go.uber.org/zap"
-	"os"
-	"path/filepath"
 )
 
 type Inspector struct{}
@@ -43,7 +44,7 @@ func (Inspector) InspectProject(ctx context.Context) error {
 					CompVersion: j.Version,
 					EcoRepo:     EcoRepo,
 				},
-				IsDirectDependency: true,
+				DependencyRelation: model.DependencyRelationDirect,
 			})
 		}
 		task.AddModule(model.Module{

module/bundler/gem.go

@@ -2,12 +2,13 @@ package cargo
 
 import (
 	"fmt"
+	"strings"
+
 	"github.com/murphysecurity/murphysec/model"
 	"github.com/murphysecurity/murphysec/utils/simpletoml"
 	"github.com/repeale/fp-go"
 	"github.com/samber/lo"
 	"golang.org/x/exp/maps"
-	"strings"
 )
 
 func splitNameVersionFromDepLine(line string) (name, version string) {
@@ -98,7 +99,7 @@ func analyzeCargoLock(input []byte) (rs []*model.DependencyItem, err error) {
 		if r == nil {
 			continue
 		}
-		r.IsDirectDependency = true
+		r.DependencyRelation = model.DependencyRelationDirect
 		rs = append(rs, r)
 	}
 	return
@@ -116,6 +117,7 @@ func _buildTree(lock map[[2]string][][2]string, key [2]string, visited map[[2]st
 			CompVersion: key[1],
 			EcoRepo:     EcoRepo,
 		},
+		DependencyRelation: model.DependencyRelationTransitive,
 	}
 	if _, ok := visited[key]; ok {
 		return r

module/cargo/cargo_lock.go

@@ -2,12 +2,13 @@ package go_mod
 
 import (
 	"context"
+	"os"
+	"path/filepath"
+
 	"github.com/BurntSushi/toml"
 	"github.com/murphysecurity/murphysec/infra/logctx"
 	"github.com/murphysecurity/murphysec/model"
 	"go.uber.org/zap"
-	"os"
-	"path/filepath"
 )
 
 type goPkgLock struct {
@@ -47,7 +48,7 @@ func parserGoPkgLock(ctx context.Context) error {
 				CompVersion: j.Version,
 				EcoRepo:     EcoRepo,
 			},
-			IsDirectDependency: true,
+			DependencyRelation: model.DependencyRelationDirect,
 		})
 	}
 

module/go_mod/gopkg.go

@@ -91,7 +91,7 @@ func buildScan(ctx context.Context) error {
 				CompVersion: nameVersionMp[j],
 				EcoRepo:     EcoRepo,
 			},
-			IsDirectDependency: true,
+			DependencyRelation: model.DependencyRelationDirect,
 		}
 		logger.Debug("buildTree  start : " + j)
 		dependencies = append(dependencies, buildingDependencyTree(nameVersionMp, &dependencie, sonTree, &packageToPackageUsed, logger))
@@ -124,11 +124,11 @@ func buildingDependencyTree(dInfo map[string]string, d *model.DependencyItem, so
 						CompVersion: dInfo[j],
 						EcoRepo:     EcoRepo,
 					},
-					IsDirectDependency: false,
+					DependencyRelation: model.DependencyRelationTransitive,
 				}
 				(*packageToPackageUsed)[d.CompName] = append((*packageToPackageUsed)[d.CompName], j)
 				t := buildingDependencyTree(dInfo, &mod, sonTree, packageToPackageUsed, logger)
-				t.IsDirectDependency = false
+				t.DependencyRelation = model.DependencyRelationTransitive
 				d.Dependencies = append(d.Dependencies, t)
 			}
 		}
@@ -365,17 +365,17 @@ func baseScan(ctx context.Context) error {
 		}
 		modName := file.Module.Mod.Path
 		for _, req := range file.Require {
-			isDirectDependency := true
+			isDirectDependency := model.DependencyRelationDirect
 			if _, ok := indirectMp[req.Mod.Path]; ok {
-				isDirectDependency = false
+				isDirectDependency = model.DependencyRelationTransitive
 			}
 			dependencies = append(dependencies, model.DependencyItem{
 				Component: model.Component{
 					CompName:    req.Mod.Path,
 					CompVersion: req.Mod.Version,
 					EcoRepo:     EcoRepo,
 				},
-				IsDirectDependency: isDirectDependency,
+				DependencyRelation: isDirectDependency,
 				IsOnline:           model.IsOnline{Value: true, Valid: true},
 			})
 		}

module/go_mod/gotree.go

@@ -154,7 +154,7 @@ func (g *GradleDependencyInfo) BaseModule(basePath string) model.Module {
 func convDep(input []DepElement) []model.DependencyItem {
 	var r = _convDep(input)
 	for i := range r {
-		r[i].IsDirectDependency = true
+		r[i].DependencyRelation = model.DependencyRelationDirect
 	}
 	return r
 }
@@ -168,7 +168,8 @@ func _convDep(input []DepElement) []model.DependencyItem {
 				CompVersion: it.Version,
 				EcoRepo:     EcoRepo,
 			},
-			Dependencies: _convDep(it.Children),
+			Dependencies:       _convDep(it.Children),
+			DependencyRelation: model.DependencyRelationTransitive,
 		})
 	}
 	return rs