retirements

Author: bwireman

.tool-versions

@@ -1,2 +1,2 @@
 gleam 1.1.0
-nodejs 21.6.1
+erlang 26.2.5

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2021 Benjamin Wireman
+Copyright (c) 2024 Benjamin Wireman
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

gleam.toml

@@ -24,6 +24,10 @@ tom = ">= 1.0.0 and < 2.0.0"
 stoiridh_version = ">= 0.1.0 and < 1.0.0"
 yamerl = ">= 0.10.0 and < 1.0.0"
 gleam_erlang = ">= 0.25.0 and < 1.0.0"
+gleam_hexpm = ">= 1.0.0 and < 2.0.0"
+gleam_hackney = ">= 1.2.0 and < 2.0.0"
+gleam_http = ">= 3.6.0 and < 4.0.0"
+gleam_json = ">= 1.0.1 and < 2.0.0"
 
 [dev-dependencies]
 gleeunit = ">= 1.0.0 and < 2.0.0"

manifest.toml

@@ -2,20 +2,39 @@
 # You typically do not need to edit this file
 
 packages = [
+  { name = "birl", version = "1.6.1", build_tools = ["gleam"], requirements = ["gleam_stdlib", "ranger"], otp_app = "birl", source = "hex", outer_checksum = "976CFF85D34D50F7775896615A71745FBE0C325E50399787088F941B539A0497" },
+  { name = "certifi", version = "2.12.0", build_tools = ["rebar3"], requirements = [], otp_app = "certifi", source = "hex", outer_checksum = "EE68D85DF22E554040CDB4BE100F33873AC6051387BAF6A8F6CE82272340FF1C" },
   { name = "filepath", version = "1.0.0", build_tools = ["gleam"], requirements = ["gleam_stdlib"], otp_app = "filepath", source = "hex", outer_checksum = "EFB6FF65C98B2A16378ABC3EE2B14124168C0CE5201553DE652E2644DCFDB594" },
   { name = "gleam_erlang", version = "0.25.0", build_tools = ["gleam"], requirements = ["gleam_stdlib"], otp_app = "gleam_erlang", source = "hex", outer_checksum = "054D571A7092D2A9727B3E5D183B7507DAB0DA41556EC9133606F09C15497373" },
+  { name = "gleam_hackney", version = "1.2.0", build_tools = ["gleam"], requirements = ["gleam_http", "gleam_stdlib", "hackney"], otp_app = "gleam_hackney", source = "hex", outer_checksum = "066B1A55D37DBD61CC72A1C4EDE43C6015B1797FAF3818C16FE476534C7B6505" },
+  { name = "gleam_hexpm", version = "1.0.0", build_tools = ["gleam"], requirements = ["birl", "gleam_stdlib"], otp_app = "gleam_hexpm", source = "hex", outer_checksum = "A5DF5D32BFDE84003B2C2183700D98E106A969C6C6EDE0363A50BB421AFF50B7" },
+  { name = "gleam_http", version = "3.6.0", build_tools = ["gleam"], requirements = ["gleam_stdlib"], otp_app = "gleam_http", source = "hex", outer_checksum = "8C07DF9DF8CC7F054C650839A51C30A7D3C26482AC241C899C1CEA86B22DBE51" },
+  { name = "gleam_json", version = "1.0.1", build_tools = ["gleam"], requirements = ["gleam_stdlib", "thoas"], otp_app = "gleam_json", source = "hex", outer_checksum = "9063D14D25406326C0255BDA0021541E797D8A7A12573D849462CAFED459F6EB" },
   { name = "gleam_stdlib", version = "0.37.0", build_tools = ["gleam"], requirements = [], otp_app = "gleam_stdlib", source = "hex", outer_checksum = "5398BD6C2ABA17338F676F42F404B9B7BABE1C8DC7380031ACB05BBE1BCF3742" },
   { name = "gleeunit", version = "1.1.2", build_tools = ["gleam"], requirements = ["gleam_stdlib"], otp_app = "gleeunit", source = "hex", outer_checksum = "72CDC3D3F719478F26C4E2C5FED3E657AC81EC14A47D2D2DEBB8693CA3220C3B" },
+  { name = "hackney", version = "1.20.1", build_tools = ["rebar3"], requirements = ["certifi", "idna", "metrics", "mimerl", "parse_trans", "ssl_verify_fun", "unicode_util_compat"], otp_app = "hackney", source = "hex", outer_checksum = "FE9094E5F1A2A2C0A7D10918FEE36BFEC0EC2A979994CFF8CFE8058CD9AF38E3" },
+  { name = "idna", version = "6.1.1", build_tools = ["rebar3"], requirements = ["unicode_util_compat"], otp_app = "idna", source = "hex", outer_checksum = "92376EB7894412ED19AC475E4A86F7B413C1B9FBB5BD16DCCD57934157944CEA" },
+  { name = "metrics", version = "1.0.1", build_tools = ["rebar3"], requirements = [], otp_app = "metrics", source = "hex", outer_checksum = "69B09ADDDC4F74A40716AE54D140F93BEB0FB8978D8636EADED0C31B6F099F16" },
+  { name = "mimerl", version = "1.3.0", build_tools = ["rebar3"], requirements = [], otp_app = "mimerl", source = "hex", outer_checksum = "A1E15A50D1887217DE95F0B9B0793E32853F7C258A5CD227650889B38839FE9D" },
+  { name = "parse_trans", version = "3.4.1", build_tools = ["rebar3"], requirements = [], otp_app = "parse_trans", source = "hex", outer_checksum = "620A406CE75DADA827B82E453C19CF06776BE266F5A67CFF34E1EF2CBB60E49A" },
+  { name = "ranger", version = "1.2.0", build_tools = ["gleam"], requirements = ["gleam_stdlib"], otp_app = "ranger", source = "hex", outer_checksum = "1566C272B1D141B3BBA38B25CB761EF56E312E79EC0E2DFD4D3C19FB0CC1F98C" },
   { name = "shellout", version = "1.6.0", build_tools = ["gleam"], requirements = ["gleam_stdlib"], otp_app = "shellout", source = "hex", outer_checksum = "E2FCD18957F0E9F67E1F497FC9FF57393392F8A9BAEAEA4779541DE7A68DD7E0" },
   { name = "simplifile", version = "1.7.0", build_tools = ["gleam"], requirements = ["filepath", "gleam_stdlib"], otp_app = "simplifile", source = "hex", outer_checksum = "1D5DFA3A2F9319EC85825F6ED88B8E449F381B0D55A62F5E61424E748E7DDEB0" },
+  { name = "ssl_verify_fun", version = "1.1.7", build_tools = ["mix", "rebar3", "make"], requirements = [], otp_app = "ssl_verify_fun", source = "hex", outer_checksum = "FE4C190E8F37401D30167C8C405EDA19469F34577987C76DDE613E838BBC67F8" },
   { name = "stoiridh_version", version = "0.1.0", build_tools = ["gleam"], requirements = ["gleam_stdlib"], otp_app = "stoiridh_version", source = "hex", outer_checksum = "298ABEA44DF37764A34C2E9190A84BF2770BC59DD9397C6DC7708040E5A0142B" },
+  { name = "thoas", version = "1.2.1", build_tools = ["rebar3"], requirements = [], otp_app = "thoas", source = "hex", outer_checksum = "E38697EDFFD6E91BD12CEA41B155115282630075C2A727E7A6B2947F5408B86A" },
   { name = "tom", version = "1.0.0", build_tools = ["gleam"], requirements = ["gleam_stdlib"], otp_app = "tom", source = "hex", outer_checksum = "A5364613E3DBF77F38EFF81DA9F99324086D029EC2B2D44348762FBE38602311" },
+  { name = "unicode_util_compat", version = "0.7.0", build_tools = ["rebar3"], requirements = [], otp_app = "unicode_util_compat", source = "hex", outer_checksum = "25EEE6D67DF61960CF6A794239566599B09E17E668D3700247BC498638152521" },
   { name = "yamerl", version = "0.10.0", build_tools = ["rebar3"], requirements = [], otp_app = "yamerl", source = "hex", outer_checksum = "346ADB2963F1051DC837A2364E4ACF6EB7D80097C0F53CBDC3046EC8EC4B4E6E" },
 ]
 
 [requirements]
 filepath = { version = ">= 1.0.0 and < 2.0.0" }
-gleam_erlang = { version = ">= 0.25.0 and < 1.0.0"}
+gleam_erlang = { version = ">= 0.25.0 and < 1.0.0" }
+gleam_hackney = { version = ">= 1.2.0 and < 2.0.0" }
+gleam_hexpm = { version = ">= 1.0.0 and < 2.0.0" }
+gleam_http = { version = ">= 3.6.0 and < 4.0.0" }
+gleam_json = { version = ">= 1.0.1 and < 2.0.0"}
 gleam_stdlib = { version = ">= 0.34.0 and < 2.0.0" }
 gleeunit = { version = ">= 1.0.0 and < 2.0.0" }
 shellout = { version = ">= 1.6.0 and < 2.0.0" }

src/go_over.gleam

@@ -1,27 +1,53 @@
 import gleam/io
 import gleam/list
+import gleam/option
 import gleam/string
 import go_over/advisories
+import go_over/packages
+import go_over/retired
+import go_over/warning
 import shellout
 
 pub fn main() {
   let args = shellout.arguments()
   let pull = list.any(args, fn(arg) { arg == "--skip" })
+  let pkgs = packages.read_manifest("./manifest.toml")
 
-  case advisories.check_for_advisories("./manifest.toml", !pull) {
+  let vulnerable_packages =
+    advisories.check_for_advisories(pkgs, !pull)
+    |> list.map(fn(p) {
+      case p {
+        #(pkg, adv) -> warning.adv_to_warning(pkg, adv)
+      }
+    })
+
+  let retired_packages =
+    pkgs
+    |> list.map(fn(pkg) {
+      case retired.check_retired(pkg) {
+        option.Some(ret) -> option.Some(#(pkg, ret))
+        option.None -> option.None
+      }
+    })
+    |> option.values
+    |> list.map(fn(p) {
+      case p {
+        #(pkg, ret) -> warning.retired_to_warning(pkg, ret)
+      }
+    })
+
+  case list.append(retired_packages, vulnerable_packages) {
     [] ->
       shellout.style(
         "All good!",
         with: shellout.color(["brightgreen"]),
         custom: [],
       )
     vulns -> {
-      let warnings =
-        vulns
-        |> list.map(advisories.print_adv)
-        |> string.join("\n")
-
-      shellout.style(warnings, with: shellout.color(["red"]), custom: [])
+      vulns
+      |> list.map(warning.print)
+      |> string.join("\n")
+      |> shellout.style(with: shellout.color(["red"]), custom: [])
     }
   }
   |> io.print

src/go_over/advisories.gleam

@@ -3,11 +3,10 @@ import gleam/list
 import gleam/option
 import gleam/string
 import go_over/comparisons
+import go_over/packages
 import go_over/yaml
 import shellout
 import simplifile
-import stoiridh/version.{type Version}
-import tom
 
 pub type ADV {
   ADV(name: String, vulnerable_version_ranges: List(String), file: String)
@@ -18,30 +17,6 @@ fn path() -> String {
   filepath.join(curr, ".go-over")
 }
 
-type Package {
-  Package(name: String, version: Version)
-}
-
-fn read_manifest(path: String) {
-  let assert Ok(res) = simplifile.read(path)
-  let assert Ok(manifest) = tom.parse(res)
-  let assert Ok(packages) = tom.get_array(manifest, ["packages"])
-  list.map(packages, fn(p) {
-    case p {
-      tom.InlineTable(x) -> {
-        let assert Ok(name) = tom.get_string(x, ["name"])
-        let assert Ok(ver) = tom.get_string(x, ["version"])
-        let assert Ok(semver) = version.parse(ver)
-
-        option.Some(Package(name, semver))
-      }
-
-      _ -> option.None
-    }
-  })
-  |> option.values
-}
-
 fn read_adv(path: String) {
   let #(name, vulnerable_version_ranges) = yaml.parse(path)
   ADV(name, vulnerable_version_ranges, path)
@@ -61,7 +36,7 @@ fn read_all_adv() {
   })
 }
 
-fn is_vulnerable(p: Package, advs: List(ADV)) -> List(ADV) {
+fn is_vulnerable(p: packages.Package, advs: List(ADV)) -> List(ADV) {
   list.map(advs, fn(adv) {
     case adv.name == p.name {
       False -> option.None
@@ -102,7 +77,7 @@ fn clone() {
   Nil
 }
 
-pub fn check_for_advisories(manifest_path: String, pull: Bool) {
+pub fn check_for_advisories(packages: List(packages.Package), pull: Bool) {
   case pull {
     True -> {
       let assert _ = simplifile.delete(path())
@@ -112,15 +87,15 @@ pub fn check_for_advisories(manifest_path: String, pull: Bool) {
     False -> Nil
   }
 
-  let packages = read_manifest(manifest_path)
   let advs = read_all_adv()
 
-  list.flat_map(packages, fn(p) {
-    case is_vulnerable(p, advs) {
-      [] -> []
-      vulns -> vulns
+  list.map(packages, fn(pkg) {
+    case is_vulnerable(pkg, advs) {
+      [] -> option.None
+      vulns -> option.Some(#(pkg, vulns))
     }
   })
+  |> option.values
 }
 
 pub fn print_adv(adv: ADV) {

src/go_over/packages.gleam

@@ -0,0 +1,29 @@
+import simplifile
+import tom
+import gleam/list
+import stoiridh/version.{type Version}
+import gleam/option
+
+pub type Package {
+  Package(name: String, version: Version, version_raw: String, direct: Bool)
+}
+
+pub fn read_manifest(path: String) -> List(Package) {
+  let assert Ok(res) = simplifile.read(path)
+  let assert Ok(manifest) = tom.parse(res)
+  let assert Ok(packages) = tom.get_array(manifest, ["packages"])
+  list.map(packages, fn(p) {
+    case p {
+      tom.InlineTable(x) -> {
+        let assert Ok(name) = tom.get_string(x, ["name"])
+        let assert Ok(ver) = tom.get_string(x, ["version"])
+        let assert Ok(semver) = version.parse(ver)
+
+        option.Some(Package(name, semver, ver, True))
+      }
+
+      _ -> option.None
+    }
+  })
+  |> option.values
+}

src/go_over/retired.gleam

@@ -0,0 +1,35 @@
+import gleam/hackney
+import gleam/hexpm
+import gleam/http/request
+import gleam/json
+import gleam/option
+import go_over/packages
+
+pub fn check_retired(pkg: packages.Package) {
+  // Prepare a HTTP request record
+  let assert Ok(request) =
+    request.to(
+      "https://hex.pm/api/packages/"
+      <> pkg.name
+      <> "/releases/"
+      <> pkg.version_raw,
+    )
+
+  // Send the HTTP request to the server
+  let assert Ok(resp) =
+    request
+    |> request.prepend_header("accept", "application/json")
+    |> hackney.send
+
+  let assert Ok(release) = json.decode(resp.body, hexpm.decode_release)
+
+  release.retirement
+}
+
+pub fn print_ret(ret: hexpm.ReleaseRetirement) -> String {
+  let reason = hexpm.retirement_reason_to_string(ret.reason)
+  case ret.message {
+    option.Some(msg) -> reason <> ": " <> msg
+    _ -> reason
+  }
+}

src/go_over/warning.gleam

@@ -0,0 +1,71 @@
+import gleam/hexpm.{type ReleaseRetirement}
+import gleam/list
+import gleam/string
+import go_over/advisories.{type ADV}
+import go_over/packages.{type Package}
+import go_over/retired
+
+pub type WarningReasonCode {
+  Retired
+  Vulnerable
+}
+
+fn warning_reason_code_as_string(w: WarningReasonCode) {
+  case w {
+    Retired -> "Retired"
+    Vulnerable -> "Vulnerable"
+  }
+}
+
+pub type Dep {
+  Direct
+  Indirect(of: String)
+}
+
+fn dep_code_as_string(d: Dep) {
+  case d {
+    Direct -> "Direct"
+    Indirect(p) -> "Indirect dependency of " <> p
+  }
+}
+
+pub type Warning {
+  Warning(
+    package: String,
+    version: String,
+    reason: String,
+    warning_reason_code: WarningReasonCode,
+    dep: Dep,
+  )
+}
+
+pub fn adv_to_warning(pkg: Package, adv: List(ADV)) {
+  Warning(
+    pkg.name,
+    pkg.version_raw,
+    list.map(adv, advisories.print_adv)
+      |> string.join("\n"),
+    Vulnerable,
+    Direct,
+  )
+}
+
+pub fn retired_to_warning(pkg: Package, ret: ReleaseRetirement) {
+  Warning(pkg.name, pkg.version_raw, retired.print_ret(ret), Retired, Direct)
+}
+
+pub fn print(w: Warning) {
+  [
+    "PACKAGE: ",
+    w.package,
+    "VERSION: ",
+    w.version,
+    "REASON: ",
+    w.reason,
+    "warningReasonCode: ",
+    warning_reason_code_as_string(w.warning_reason_code),
+    "Dep: ",
+    dep_code_as_string(w.dep),
+  ]
+  |> string.join("\n")
+}

src/go_over/yaml.gleam

@@ -7,6 +7,3 @@ pub fn start() {
 
 @external(erlang, "yamll", "parse")
 pub fn parse(path: String) -> #(String, List(String))
-
-
-

src/yamll.erl

@@ -4,7 +4,6 @@
     parse/1
 ]).
 
-
 parse(Path) -> 
     [Content] = yamerl:decode_file(Path),
     Name = lists:keyfind("package", 1, Content),