forked from nim-lang/packages
-
Notifications
You must be signed in to change notification settings - Fork 0
/
package_scanner.nim
175 lines (164 loc) · 4.73 KB
/
package_scanner.nim
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
# A very simple Nim package scanner.
#
# Scans the package list from this repository.
#
# Check the packages for:
# * Missing name
# * Missing/unknown method
# * Missing/unreachable repository
# * Missing tags
# * Missing description
# * Missing/unknown license
# * Insecure git:// url on GitHub
#
# Usage: nim r -d:ssl package_scanner.nim
#
# Copyright 2015 Federico Ceratto <[email protected]>
# Released under GPLv3 License, see /usr/share/common-licenses/GPL-3
import std/[httpclient, net, json, os, sets, strutils]
const licenses = [
"allegro 4 giftware",
"apache license 2.0",
"apache",
"apache2",
"apache 2.0",
"apache-2.0",
"apache-2.0 license",
"apache version 2.0",
"mit or apache 2.0",
"apache license 2.0 or mit",
"mit or apache license 2.0",
"(mit or apache license 2.0) and simplified bsd",
"lxxsdt-mit",
"lgplv2.1",
"0bsd",
"bsd",
"bsd2",
"bsd-2",
"bsd3",
"bsd-3",
"bsd 3-clause",
"bsd-3-clause",
"2-clause bsd",
"cc0",
"cc0-1.0",
"gpl",
"gpl2",
"gpl3",
"gplv2",
"gplv3",
"gplv3+",
"gpl-2.0",
"agpl-3.0",
"gpl-3.0",
"gpl-3.0-or-later",
"gpl-3.0-only",
"lgplv3 or gplv2",
"apache 2.0 or gplv2",
"lgpl-2.1-or-later",
"lgpl with static linking exception",
"gnu lesser general public license v2.1",
"openldap",
"lgpl",
"lgplv2",
"lgplv3",
"lgpl-2.1",
"lgpl-3.0",
"agplv3",
"mit",
"mit/isc",
"ms-pl",
"mpl",
"mplv2",
"mpl-2.0",
"mpl 2.0",
"epl-2.0",
"eupl-1.2",
"wtfpl",
"libpng",
"fontconfig",
"zlib",
"isc",
"ppl",
"hydra",
"openssl and ssleay",
"unlicense",
"public domain",
"proprietary",
]
proc canFetchNimbleRepository(name: string, urlJson: JsonNode): bool =
# TODO: Make this check the actual repo url and check if there is a
# nimble file in it
result = true
var url: string
var client = newHttpClient(timeout = 100_000)
if not urlJson.isNil:
url = urlJson.str
if url.startsWith("https://github.com"):
if existsEnv("GITHUB_TOKEN"):
client.headers = newHttpHeaders({"authorization": "Bearer " & getEnv("GITHUB_TOKEN")})
try:
discard client.getContent(url)
except TimeoutError:
echo "W: ", name, ": Timeout error fetching repo ", url, " ", getCurrentExceptionMsg()
except HttpRequestError:
echo "W: ", name, ": HTTP error fetching repo ", url, " ", getCurrentExceptionMsg()
except AssertionDefect:
echo "W: ", name, ": httpclient error fetching repo ", url, " ", getCurrentExceptionMsg()
except:
echo "W: Unkown error fetching repo ", url, " ", getCurrentExceptionMsg()
finally:
client.close()
proc verifyAlias(pkg: JsonNode, result: var int) =
if not pkg.hasKey("name"):
echo "E: Missing alias' package name"
inc result
# TODO: Verify that 'alias' points to a known package.
proc check(): int =
var name: string
var names = initHashSet[string]()
for pkg in parseJson(readFile(getCurrentDir() / "packages.json")):
name = if pkg.hasKey("name"): pkg["name"].str else: ""
if pkg.hasKey("alias"):
verifyAlias(pkg, result)
else:
if name.len == 0:
echo "E: missing package name"
inc result
elif not pkg.hasKey("method"):
echo "E: ", name, " has no method"
inc result
elif pkg["method"].str notin ["git", "hg"]:
echo "E: ", name, " has an unknown method: ", pkg["method"].str
inc result
elif not pkg.hasKey("url"):
echo "E: ", name, " has no URL"
inc result
elif not pkg.hasKey("tags"):
echo "E: ", name, " has no tags"
inc result
elif not pkg.hasKey("description"):
echo "E: ", name, " has no description"
inc result
elif pkg.hasKey("description") and pkg["description"].str == "":
echo "E: ", name, " has empty description"
inc result
elif not pkg.hasKey("license"):
echo "E: ", name, " has no license"
inc result
elif pkg["url"].str.normalize.startsWith("git://github.com/"):
echo "E: ", name, " has an insecure git:// URL instead of https://"
inc result
elif pkg["license"].str.toLowerAscii notin licenses:
echo "E: ", name, " has an unexpected license: ", pkg["license"]
inc result
elif pkg.hasKey("web") and not canFetchNimbleRepository(name, pkg["web"]):
echo "W: Failed to fetch source code repo for ", name
if name.normalize notin names:
names.incl name.normalize
else:
echo("E: ", name, ": a package by that name already exists.")
inc result
echo "\nProblematic packages count: ", result
when isMainModule:
quit(check())