Merge pull request #15 from trailofbits/subdirectories

Adds support for specifying subdirectories for comparison

Author: ESultanik

README.md

@@ -14,8 +14,10 @@ Vendetect helps identify copied or vendored code between repositories, making it
 
 Key features:
 - Compare code between two repositories (local or remote)
+- Analyze specific subdirectories within repositories
 - Identify files with similar code and display them side-by-side
 - Show similarity percentages for matched code
+- Filter by file types and adjust similarity thresholds
 - Support for different programming languages through Pygments lexers
 - Similarity is _not_ solely based upon symbol names; vendetect also considers semantics
 
@@ -66,23 +68,84 @@ Where:
 - `TEST_REPO`: Path or URL to the repository you want to check for copied code
 - `SOURCE_REPO`: Path or URL to the repository that is the potential source of the code
 
-### Example
+### Examples
 
 ```bash
 # Compare two local repositories
 vendetect /path/to/my/project /path/to/another/project
 
 # Compare a local project with a remote repository
 vendetect /path/to/my/project https://github.com/example/repo.git
+
+# Compare only specific subdirectories within repositories
+vendetect /path/to/my/project https://github.com/example/repo.git \
+  --test-subdir src/components \
+  --source-subdir lib/ui
+
+# Filter by file types and adjust similarity threshold
+vendetect /path/to/my/project /path/to/another/project \
+  --type py --type js \
+  --min-similarity 0.8
 ```
 
 ### Options
 
 ```
---format FORMAT    Output format: rich, csv, or json (default=rich)
---log-level LEVEL  Sets the log level (default=INFO)
---debug            Equivalent to --log-level=DEBUG
---quiet            Equivalent to --log-level=CRITICAL
+--format FORMAT              Output format: rich, csv, or json (default=rich)
+--output OUTPUT              Output file path (default: stdout)
+--force                      Force overwrite of existing output file
+--type FILE_TYPES, -t        File extension to consider (can be used multiple times)
+--min-similarity THRESHOLD   Minimum similarity threshold (range: 0.0-1.0, default: 0.5)
+--test-subdir DIR, -ts       Subdirectory within TEST_REPO to analyze
+--source-subdir DIR, -ss     Subdirectory within SOURCE_REPO to analyze
+--incremental                Enable incremental result reporting
+--batch-size SIZE            Number of files to process per batch (default: 100)
+--max-history-depth DEPTH    Maximum commit history depth (default: -1 = entire history)
+--log-level LEVEL            Sets the log level (default=INFO)
+--debug                      Equivalent to --log-level=DEBUG
+--quiet                      Equivalent to --log-level=CRITICAL
+```
+
+### Advanced Features
+
+#### Subdirectory Analysis
+When working with large repositories, you can focus analysis on specific subdirectories:
+
+```bash
+# Analyze only the src/ directory in both repositories
+vendetect /path/to/my/project /path/to/another/project \
+  --test-subdir src --source-subdir src
+
+# Compare frontend code in one repo with backend in another
+vendetect /path/to/frontend-repo /path/to/backend-repo \
+  --test-subdir client/src --source-subdir server/utils
+```
+
+This is particularly useful for:
+- Focusing on relevant code sections
+- Reducing analysis time for large repositories
+- Comparing similar modules across different project structures
+
+#### File Type Filtering
+Control which files are analyzed by specifying file extensions:
+
+```bash
+# Only analyze Python files
+vendetect /path/to/my/project /path/to/another/project --type py
+
+# Analyze multiple file types
+vendetect /path/to/my/project /path/to/another/project --type py --type js --type ts
+```
+
+#### Similarity Thresholds
+Adjust the minimum similarity threshold to filter results:
+
+```bash
+# Show only high-confidence matches (80% similarity or higher)
+vendetect /path/to/my/project /path/to/another/project --min-similarity 0.8
+
+# Show all potential matches (lower threshold)
+vendetect /path/to/my/project /path/to/another/project --min-similarity 0.3
 ```
 
 ### Output Formats
@@ -95,12 +158,12 @@ Vendetect supports three output formats:
 
 Example using CSV output:
 ```bash
-vendetect /path/to/my/project /path/to/another/project --format csv > results.csv
+vendetect /path/to/my/project /path/to/another/project --format csv --output results.csv
 ```
 
 Example using JSON output:
 ```bash
-vendetect /path/to/my/project /path/to/another/project --format json > results.json
+vendetect /path/to/my/project /path/to/another/project --format json --output results.json
 ```
 
 ## How it works 🧐

src/vendetect/_cli.py

@@ -249,8 +249,24 @@ def read_file_content(file: File) -> str:
 def main() -> None:  # noqa: C901, PLR0912, PLR0915
     parser = argparse.ArgumentParser(prog="vendetect")
 
-    parser.add_argument("TEST_REPO", type=str, help="path to the test repository")
-    parser.add_argument("SOURCE_REPO", type=str, help="path to the source repository")
+    parser.add_argument("TEST_REPO", type=str, help="path or URL to the test repository")
+    parser.add_argument("SOURCE_REPO", type=str, help="path or URL to the source repository")
+    parser.add_argument(
+        "--test-subdir",
+        "-ts",
+        type=str,
+        default=None,
+        help="relative path to the subdirectory in TEST_REPO in which to test (optional, for use when TEST_REPO is a "
+        "remote git repository URL)",
+    )
+    parser.add_argument(
+        "--source-subdir",
+        "-ss",
+        type=str,
+        default=None,
+        help="relative path to the subdirectory in SOURCE_REPO in which to test (optional, for use when SOURCE_REPO is "
+        "a remote git repository URL)",
+    )
     parser.add_argument(
         "--format",
         type=str,
@@ -348,8 +364,8 @@ def main() -> None:  # noqa: C901, PLR0912, PLR0915
 
     try:
         with (
-            Repository.load(args.TEST_REPO) as test_repo,
-            Repository.load(args.SOURCE_REPO) as source_repo,
+            Repository.load(args.TEST_REPO, args.test_subdir) as test_repo,
+            Repository.load(args.SOURCE_REPO, args.source_subdir) as source_repo,
             RichStatus(console) as status,
         ):
             # Initialize detector with optimization options

src/vendetect/comparison.py

@@ -63,10 +63,14 @@ class Comparison:
     slices2: tuple[Slice, ...]
 
     def __lt__(self, other: "Comparison") -> bool:
-        if self.token_overlap > other.token_overlap:
-            return True
-        if self.token_overlap < other.token_overlap:
-            return False
+        # TODO(evan.sultanik@trailofbits.com): Make the comparison metric user-specifiable (#14)  # noqa: FIX002
+        # For now, disable comparison of token overlap, because that was causing too many false-positives
+        # (I believe due to whitespace overlap)
+        #
+        # if self.token_overlap > other.token_overlap:
+        #     return True  # noqa: ERA001
+        # if self.token_overlap < other.token_overlap:
+        #     return False  # noqa: ERA001
         oursim = self.similarity1 + self.similarity2
         theirsim = other.similarity1 + other.similarity2
         return oursim > theirsim

src/vendetect/detector.py

@@ -44,7 +44,7 @@ def update_compare_progress(self, file: File | None = None) -> None:
 
 
 @dataclass(frozen=True, unsafe_hash=True)
-class Source:
+class Source:  # noqa: PLW1641 to fix a false-positive from ruff
     file: File
     source_slices: tuple[Slice, ...]
 

src/vendetect/repo.py

@@ -33,25 +33,35 @@ def wrapper(*args: P.args, **kwargs: P.kwargs) -> T:
 
 
 class Repository:
-    def __init__(self, root_path: Path, rev: str | None = None):
+    def __init__(self, root_path: Path, rev: str | None = None, subdir: Path | None = None):
         self.root_path: Path = root_path
+        if subdir is not None and subdir.is_absolute():
+            subdir = subdir.relative_to(root_path)
+        self.subdir: Path | None = subdir
         self.rev: str = ""
         if rev is None:
             with self:
                 if self.is_git:
                     git_path: str = GIT_PATH  # type: ignore
                     self.rev = (
-                        subprocess.check_output([git_path, "rev-parse", "HEAD"], cwd=self.root_path)  #  noqa: S603
+                        subprocess.check_output([git_path, "rev-parse", "HEAD"], cwd=self.path)  #  noqa: S603
                         .strip()
                         .decode("utf-8")
                     )
         else:
             self.rev = rev
 
+    @property
+    @with_self
+    def path(self) -> Path:
+        if self.subdir is None:
+            return self.root_path
+        return self.root_path / self.subdir
+
     def __hash__(self) -> int:
         if self.rev:
             return hash(self.rev)
-        return hash(self.root_path)
+        return hash(self.path)
 
     def __eq__(self, other: object) -> bool:
         if not isinstance(other, Repository):
@@ -60,7 +70,7 @@ def __eq__(self, other: object) -> bool:
             return self.rev == other.rev
         if self.rev or other.rev:
             return False
-        return self.root_path == other.root_path
+        return self.path == other.path
 
     def __enter__(self) -> Self:
         return self
@@ -87,7 +97,7 @@ def previous_version(self, path: Path) -> Optional["RepositoryCommit"]:
             )
             raise RepositoryError(msg)
         if path.is_absolute():
-            path = path.relative_to(self.root_path)
+            path = path.relative_to(self.path)
         prev_version = (
             subprocess.check_output(  # noqa: S603
                 [
@@ -102,7 +112,7 @@ def previous_version(self, path: Path) -> Optional["RepositoryCommit"]:
                     "--",
                     str(path),
                 ],
-                cwd=self.root_path,
+                cwd=self.path,
             )
             .decode("utf-8")
             .strip()
@@ -121,34 +131,70 @@ def is_shallow_clone(self) -> bool:
             return (
                 subprocess.check_output(  # noqa: S603
                     [GIT_PATH, "rev-parse", "--is-shallow-repository"],  # type: ignore
-                    cwd=self.root_path,
+                    cwd=self.path,
                     stderr=subprocess.DEVNULL,
                 ).strip()
                 != b"false"
             )
         except subprocess.CalledProcessError:
             return False
 
+    @property
+    @with_self
+    def git_root(self) -> Path | None:
+        if GIT_PATH is None:
+            return None
+        try:
+            return Path(
+                subprocess.check_output(  # noqa: S603
+                    [GIT_PATH, "-C", str(self.path), "rev-parse", "--show-toplevel"],
+                    stderr=subprocess.DEVNULL,
+                )
+                .strip()
+                .decode("utf-8")
+            )
+        except subprocess.CalledProcessError:
+            return None
+
+    @with_self
+    def is_inside_git_work_tree(self) -> bool:
+        if GIT_PATH is None:
+            return False
+        try:
+            return (
+                subprocess.check_output(  # noqa: S603
+                    [GIT_PATH, "-C", str(self.path), "rev-parse", "--is-inside-work-tree"],
+                    stderr=subprocess.DEVNULL,
+                )
+                .strip()
+                .lower()
+                == b"true"
+            )
+        except subprocess.CalledProcessError:
+            return False
+
     @property
     @with_self
     def is_git(self) -> bool:
-        return self.root_path.is_dir() and (self.root_path / ".git").is_dir()
+        return self.root_path.is_dir() and ((self.root_path / ".git").is_dir() or self.is_inside_git_work_tree())
 
     @with_self
     def git_files(self) -> Iterator["File"]:
         if GIT_PATH is None:
             msg = "`git` binary could not be found"
             raise RepositoryError(msg)
-        for line in subprocess.check_output([GIT_PATH, "ls-files"], cwd=self.root_path).splitlines():  # noqa: S603
+        for line in subprocess.check_output([GIT_PATH, "ls-files"], cwd=self.path).splitlines():  # noqa: S603
             line = line.strip()  # noqa: PLW2901
             if line:
                 path = Path(line.decode("utf-8"))
+                if self.subdir is not None:
+                    path = self.subdir / path
                 yield File(path, self)
 
     @with_self
     def files(self) -> Iterator["File"]:
         if GIT_PATH is None or not self.is_git:
-            stack: list[File] = [File(self.root_path, self)]
+            stack: list[File] = [File(self.path, self)]
         else:
             stack = list(reversed(list(self.git_files())))
         history = set()
@@ -166,33 +212,38 @@ def __iter__(self) -> Iterator["File"]:
         yield from self.files()
 
     def __repr__(self) -> str:
-        return f"{self.__class__.__name__}({self.root_path!r})"
+        return f"{self.__class__.__name__}({self.root_path!r}, rev={self.rev!r}, subdir={self.subdir!r})"
 
     def __str__(self) -> str:
         if self.rev:
-            return f"{self.root_path!s}@{self.rev}"
-        return f"{self.root_path!s}"
+            return f"{self.path!s}@{self.rev}"
+        return f"{self.path!s}"
 
     @classmethod
-    def load(cls, repo_uri: str) -> "Repository":
+    def load(cls, repo_uri: str, subdir: Path | str | None = None) -> "Repository":
         # first see if it is a local repo
         repo_uri_path = Path(repo_uri).absolute()
+        if subdir is not None and not isinstance(subdir, Path):
+            subdir = Path(subdir)
         if repo_uri_path.exists() and repo_uri_path.is_dir():
-            return Repository(repo_uri_path)
-        return RemoteGitRepository(repo_uri)
+            return Repository(repo_uri_path, subdir=subdir)
+        return RemoteGitRepository(repo_uri, subdir=subdir)
 
 
 class _ClonedRepository(Repository):
-    def __init__(self, clone_uri: str, rev: str | None = None):
+    def __init__(self, clone_uri: str, rev: str | None = None, subdir: Path | None = None):
         self._clone_uri: str = clone_uri
         self._entries: int = 0
         self._tempdir: TemporaryDirectory | None = None
+        if subdir is not None and subdir.is_absolute():
+            msg = f"Invalid subdirectory {subdir!s}: the path must be relative, not absolute"
+            raise ValueError(msg)
         if GIT_PATH is None:
             msg = (
                 f"Error cloning {self._clone_uri}: `git` binary could not be found;please make sure it is in your PATH"
             )
             raise RepositoryError(msg)
-        super().__init__(Path(), rev=rev)
+        super().__init__(Path(), rev=rev, subdir=subdir)
 
     def __enter__(self) -> Self:
         self._entries += 1
@@ -329,12 +380,12 @@ def __str__(self) -> str:
 
 
 class RemoteGitRepository(_ClonedRepository):
-    def __init__(self, url: str):
+    def __init__(self, url: str, subdir: Path | None = None):
         self.url: str = url
-        super().__init__(url, rev="")
+        super().__init__(url, rev="", subdir=subdir)
 
     def __repr__(self) -> str:
-        return f"{self.__class__.__name__}({self.url!r})"
+        return f"{self.__class__.__name__}({self.url!r}, subdir={self.subdir!r})"
 
     @property
     def is_git(self) -> bool: