pboling opened a new pull request, #255:
URL: https://github.com/apache/skywalking-eyes/pull/255

   # Bug 1: Ruby `Gemfile.lock` resolver fails to detect licenses for local path dependencies
   
   ## Description:
   
   The current implementation of the Ruby Gemfile.lock resolver fails to correctly identify and resolve licenses for dependencies defined with a local path source (e.g., `gem 'citrus', path: '.'`).
   
   ## Symptoms:
   
   - Dependencies sourced locally appear with an `"Unknown"` license in the report.
   - In `Gemfile.lock`, these dependencies often appear with a `!` suffix (e.g., `citrus!`) in the `DEPENDENCIES` section, which was not being handled.
   - The `PATH` block in `Gemfile.lock`, which contains the mapping to the local directory, was being ignored.
   
   ## Reproduction:
   
   - Create a Ruby project with a `Gemfile` that references a local gem via `path:`.
   - Run `license-eye` header check.
   - The local gem is reported with an `"Unknown"` license, even if its `.gemspec` declares a valid license.
   
   ## Solution:
   
   - [x] Parser Update: Updated `parseGemfileLock` to correctly parse `PATH` blocks in `Gemfile.lock` and capture the local path (mapped from `remote:`) for relevant gems.
   - [x] Dependency Name Handling: Updated the parser to strip the `!` suffix from dependency names in the `DEPENDENCIES` section, which indicates a local source.
   - [x] Local License Resolution: Implemented `fetchLocalLicense` to parse the license directly from the local `.gemspec` file when a local path is detected, bypassing the RubyGems API lookup.
   - [x] Testing: Added a regression test case using the `citrus` gem structure to verify the fix.
   
   # Bug 2: GemspecResolver does not resolve transitive dependencies
   
   ## Description:
   
   When resolving dependencies from a `.gemspec` file, `GemspecResolver` only considers direct dependencies declared in the gemspec. It does not recursively resolve dependencies of those dependencies. This leads to incomplete dependency graphs and missing license checks for transitive dependencies.
   
   ## Reproduction:
   
   - Create a gemspec `A` that depends on `B`. `B` depends on `C`.
   - Run `license-eye` on `A`.
   - `C` will be missing from the report.
   
   ## Solution:
   
   - [x] Added `findInstalledGemspec` helper to locate installed gemspecs in `GEM_HOME`.
   - [x] Added `parseGemspecDependencies` helper to extract dependencies from a gemspec file.
   - [x] Updated `GemspecResolver.Resolve` to traverse the dependency graph using `BFS`, ensuring all transitive dependencies are discovered and checked.
   - [x] Added regression test in `gemspec_test.go` covering the `toml-merge` -> `toml-rb` -> `citrus` case.

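The `PATH` block and `!` suffix handling described under Bug 1, as an added Go example that is not the PR's or skywalking-eyes' own code: it parses a constructed `Gemfile.lock` sample and maps each `DEPENDENCIES` entry to the local path its `PATH` block declares, so a resolver can read the `.gemspec` there instead of querying RubyGems. `ParseGemfileLock` and `Dependency` are names chosen here, not project APIs.

```go
package main

import (
	"fmt"
	"strings"
)

// Dependency is one DEPENDENCIES entry; LocalPath is set when a PATH block lists the gem.
type Dependency struct {
	Name      string
	Local     bool // name carried the trailing "!" that marks path/git sources
	LocalPath string
}

// ParseGemfileLock records the PATH "remote:" for every gem under its "specs:", then maps
// DEPENDENCIES entries (with "!" and version constraints stripped) onto those paths.
func ParseGemfileLock(content string) []Dependency {
	section, remote, localPaths := "", "", map[string]string{}
	var deps []Dependency
	for _, raw := range strings.Split(content, "\n") {
		line := strings.TrimRight(raw, " \t")
		if line == "" || line[0] != ' ' { // blank line or section heading (PATH, GEM, DEPENDENCIES)
			section, remote = line, ""
			continue
		}
		indent := len(line) - len(strings.TrimLeft(line, " "))
		field := strings.Fields(line) // e.g. ["citrus", "(3.0.2)"] or ["remote:", "."]
		switch {
		case section == "PATH" && indent == 2 && field[0] == "remote:":
			remote = field[1]
		case section == "PATH" && indent == 4: // spec lines only, not their nested deps
			localPaths[field[0]] = remote
		case section == "DEPENDENCIES" && indent == 2:
			name := strings.TrimSuffix(field[0], "!")
			deps = append(deps, Dependency{Name: name, Local: name != field[0], LocalPath: localPaths[name]})
		}
	}
	return deps
}

// Constructed lock file (not from the PR): citrus is a local path gem, toml-rb comes from rubygems.org.
const sampleLock = "PATH\n  remote: .\n  specs:\n    citrus (3.0.2)\n\n" +
	"GEM\n  remote: https://rubygems.org/\n  specs:\n    toml-rb (2.2.0)\n" +
	"      citrus (~> 3.0)\n\nDEPENDENCIES\n  citrus!\n  toml-rb (~> 2.0)\n"

func main() {
	for _, d := range ParseGemfileLock(sampleLock) {
		fmt.Printf("%-8s local=%-5t path=%q\n", d.Name, d.Local, d.LocalPath)
	}
}
```

A `!` entry with no matching `PATH` block (a git source) comes back with `Local` set and an empty `LocalPath`, which is the signal to fall back to the remote lookup rather than report `Unknown`.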

-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]