feat: SCA-9 add dart pubspec supports

Author: iseki0

module/module.go

@@ -1,6 +1,10 @@
 package module
 
 import (
+	"os"
+	"strconv"
+	"strings"
+
 	"github.com/murphysecurity/murphysec/model"
 	"github.com/murphysecurity/murphysec/module/arkts"
 	"github.com/murphysecurity/murphysec/module/bundler"
@@ -18,6 +22,7 @@ import (
 	"github.com/murphysecurity/murphysec/module/perl"
 	"github.com/murphysecurity/murphysec/module/pnpm"
 	"github.com/murphysecurity/murphysec/module/poetry"
+	"github.com/murphysecurity/murphysec/module/pubspec"
 	"github.com/murphysecurity/murphysec/module/python"
 	"github.com/murphysecurity/murphysec/module/rebar3"
 	"github.com/murphysecurity/murphysec/module/renv"
@@ -26,9 +31,6 @@ import (
 	"github.com/murphysecurity/murphysec/utils"
 	"github.com/repeale/fp-go"
 	"github.com/samber/lo"
-	"os"
-	"strconv"
-	"strings"
 )
 
 var Inspectors []model.Inspector
@@ -64,6 +66,7 @@ func init() {
 	Inspectors = append(Inspectors, sbt.Inspector{})
 	Inspectors = append(Inspectors, yarn.Inspector{})
 	Inspectors = append(Inspectors, luarocks.Inspector{})
+	Inspectors = append(Inspectors, pubspec.Inspector{})
 
 	var enabled = fp.Pipe6(os.Getenv, utils.SplitBy(","), fp.Map(strings.TrimSpace), fp.Filter(lo.IsNotEmpty[string]), fp.Map(strings.ToLower), utils.ToSet[string])("MPS_ENABLED_INSPECTORS")
 	if len(enabled) > 0 {

module/pubspec/pubspec.go

@@ -0,0 +1,98 @@
+package pubspec
+
+import (
+	"bufio"
+	"context"
+	"io"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/murphysecurity/murphysec/infra/logctx"
+	"github.com/murphysecurity/murphysec/model"
+	"github.com/murphysecurity/murphysec/utils"
+	"github.com/repeale/fp-go"
+	"github.com/samber/lo"
+	"gopkg.in/yaml.v3"
+)
+
+type Inspector struct{}
+
+func (i Inspector) String() string {
+	return "Pubspec"
+}
+
+func (i Inspector) CheckDir(ctx context.Context, dir string) bool {
+	return utils.IsFile(filepath.Join(dir, lockfileName))
+}
+
+func (i Inspector) InspectProject(ctx context.Context) (e error) {
+	var logger = logctx.Use(ctx)
+	var inspTask = model.UseInspectionTask(ctx)
+	lockPath := filepath.Join(inspTask.Dir(), lockfileName)
+	var f *os.File
+	f, e = os.Open(lockPath)
+	if e != nil {
+		return
+	}
+	defer func() { utils.CloseLogErrZap(f, logger) }()
+	var deps []model.DependencyItem
+	deps, e = parseFile(ctx, f)
+	if e != nil {
+		return
+	}
+	var module = model.Module{
+		ModulePath:     lockPath,
+		PackageManager: "pubspec",
+		Dependencies:   deps,
+		ScanStrategy:   model.ScanStrategyNormal,
+	}
+	inspTask.AddModule(module)
+	return
+}
+
+func parseFile(ctx context.Context, reader io.Reader) (r []model.DependencyItem, e error) {
+	var parsedLockfile *pubspecLockfile
+	e = yaml.NewDecoder(bufio.NewReader(reader)).Decode(&parsedLockfile)
+	if e != nil {
+		return
+	}
+	r = fp.Map(func(it lo.Entry[string, pubspecLockPackage]) model.DependencyItem {
+		dep := model.DependencyItem{
+			Component: model.Component{
+				CompName:    it.Key,
+				CompVersion: it.Value.Version,
+				EcoRepo: model.EcoRepo{
+					Ecosystem: "pubspec",
+				},
+			},
+			IsOnline: model.IsOnlineTrue(),
+		}
+		for _, flag := range strings.Split(it.Value.Dependency, " ") {
+			switch flag {
+			case "dev":
+				dep.IsOnline.SetOnline(false)
+			case "direct":
+				dep.IsDirectDependency = true
+			}
+		}
+		return dep
+	})(lo.Entries(parsedLockfile.Packages))
+	return
+}
+
+func (i Inspector) SupportFeature(feature model.InspectorFeature) bool {
+	return false
+}
+
+var _ model.Inspector = &Inspector{}
+
+const lockfileName = "pubspec.lock"
+
+type pubspecLockPackage struct {
+	Version    string `yaml:"version"`
+	Dependency string `yaml:"dependency"`
+}
+type pubspecLockfile struct {
+	Packages map[string]pubspecLockPackage `yaml:"packages,omitempty"`
+}

module/pubspec/pubspec_test.go

@@ -0,0 +1,19 @@
+package pubspec
+
+import (
+	"bytes"
+	"context"
+	_ "embed"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+//go:embed testdata-1
+var testdata1 []byte
+
+func TestName(t *testing.T) {
+	var d, e = parseFile(context.TODO(), bytes.NewReader(testdata1))
+	assert.NoError(t, e)
+	assert.Equal(t, 23, len(d))
+}

module/pubspec/testdata-1

@@ -0,0 +1,160 @@
+# Generated by pub
+# See https://dart.dev/tools/pub/glossary#lockfile
+packages:
+  async:
+    dependency: transitive
+    description:
+      name: async
+      url: "https://pub.dartlang.org"
+    source: hosted
+    version: "2.6.1"
+  avatar_glow:
+    dependency: "direct main"
+    description:
+      name: avatar_glow
+      url: "https://pub.dartlang.org"
+    source: hosted
+    version: "1.0.0"
+  boolean_selector:
+    dependency: transitive
+    description:
+      name: boolean_selector
+      url: "https://pub.dartlang.org"
+    source: hosted
+    version: "2.1.0"
+  characters:
+    dependency: transitive
+    description:
+      name: characters
+      url: "https://pub.dartlang.org"
+    source: hosted
+    version: "1.1.0"
+  charcode:
+    dependency: transitive
+    description:
+      name: charcode
+      url: "https://pub.dartlang.org"
+    source: hosted
+    version: "1.2.0"
+  clock:
+    dependency: transitive
+    description:
+      name: clock
+      url: "https://pub.dartlang.org"
+    source: hosted
+    version: "1.1.0"
+  collection:
+    dependency: transitive
+    description:
+      name: collection
+      url: "https://pub.dartlang.org"
+    source: hosted
+    version: "1.15.0"
+  cupertino_icons:
+    dependency: "direct main"
+    description:
+      name: cupertino_icons
+      url: "https://pub.dartlang.org"
+    source: hosted
+    version: "1.0.3"
+  fake_async:
+    dependency: transitive
+    description:
+      name: fake_async
+      url: "https://pub.dartlang.org"
+    source: hosted
+    version: "1.2.0"
+  flutter:
+    dependency: "direct main"
+    description: flutter
+    source: sdk
+    version: "0.0.0"
+  flutter_test:
+    dependency: "direct dev"
+    description: flutter
+    source: sdk
+    version: "0.0.0"
+  matcher:
+    dependency: transitive
+    description:
+      name: matcher
+      url: "https://pub.dartlang.org"
+    source: hosted
+    version: "0.12.10"
+  meta:
+    dependency: transitive
+    description:
+      name: meta
+      url: "https://pub.dartlang.org"
+    source: hosted
+    version: "1.3.0"
+  path:
+    dependency: transitive
+    description:
+      name: path
+      url: "https://pub.dartlang.org"
+    source: hosted
+    version: "1.8.0"
+  sky_engine:
+    dependency: transitive
+    description: flutter
+    source: sdk
+    version: "0.0.99"
+  source_span:
+    dependency: transitive
+    description:
+      name: source_span
+      url: "https://pub.dartlang.org"
+    source: hosted
+    version: "1.8.1"
+  stack_trace:
+    dependency: transitive
+    description:
+      name: stack_trace
+      url: "https://pub.dartlang.org"
+    source: hosted
+    version: "1.10.0"
+  stream_channel:
+    dependency: transitive
+    description:
+      name: stream_channel
+      url: "https://pub.dartlang.org"
+    source: hosted
+    version: "2.1.0"
+  string_scanner:
+    dependency: transitive
+    description:
+      name: string_scanner
+      url: "https://pub.dartlang.org"
+    source: hosted
+    version: "1.1.0"
+  term_glyph:
+    dependency: transitive
+    description:
+      name: term_glyph
+      url: "https://pub.dartlang.org"
+    source: hosted
+    version: "1.2.0"
+  test_api:
+    dependency: transitive
+    description:
+      name: test_api
+      url: "https://pub.dartlang.org"
+    source: hosted
+    version: "0.3.0"
+  typed_data:
+    dependency: transitive
+    description:
+      name: typed_data
+      url: "https://pub.dartlang.org"
+    source: hosted
+    version: "1.3.0"
+  vector_math:
+    dependency: transitive
+    description:
+      name: vector_math
+      url: "https://pub.dartlang.org"
+    source: hosted
+    version: "2.1.0"
+sdks:
+  dart: ">=2.12.0 <3.0.0"