(AST-157364) Expand Parser Support #22
Captures the Parser/factory dispatch model, per-ecosystem quirks, and the invariants (0-based line numbers, "latest" sentinel, PackageManager strings) that downstream AST-CLI relies on. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Merges the CLAUDE.md documentation (Anurag's PR #20) into this branch alongside the Gradle parser work. README conflict resolved by keeping the comprehensive gradle_parser version; the AST-148815 change was a minor blank-line addition that is superseded by the rewritten README. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Addresses all inline review comments from PR #20 review:
- Rename Overview → Project Overview, add status line
- Add Technology Stack section (Go 1.23, testify, x/mod, stdlib, no DB)
- Add Repository Structure section with folder tree
- Rename Commands → Development Setup; add prerequisites, clone step, coverage HTML command, and sample JSON output
- Add API / Interfaces section with full struct definitions including clarification that StartIndex/EndIndex are 0-based byte offsets
- Update Architecture to include Gradle parser (missed in original)
- Replace commit hash reference (9e490aa) with PR #15 link
- Rename Invariants → Project Rules (Invariants); add PackageManager string for gradle and the StartIndex/EndIndex byte-offset clarification
- Rename Tests & fixtures → Testing Strategy; add fixture tree, coverage HTML command, and expected new-parser pattern
- Add Known Issues / Limitations section (consolidates pypi, npm, maven, dotnet, and all-parsers limitations)
- Add External Integrations section (AST-CLI contract fields)
- Add Deployment section (N/A — library, not a service)
- Add Performance Considerations section (Maven two-pass, Gradle catalog, no caching)
- Add Security & Access section (XXE posture, no file-size limit, no network calls)
- Add Logging section (library vs CLI behaviour)
- Add Coding Standards section (gofmt/vet, pkg vs internal, naming)
- Add Debugging Steps section (5 concrete steps)
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Implement a production-grade SBT parser that extracts dependencies from all .sbt files (build.sbt, plugins.sbt, dependencies.sbt, etc.). The parser supports val/lazy val/def variable declarations, all SBT operators (%, %%, %%%), Seq blocks, addSbtPlugin syntax, dependency modifiers (exclude, excludeAll, intransitive, withSources, withJavadoc, cross, classifier), block and inline comments, scope annotations, dependencyOverrides, and duplicate package detection. Includes 29 unit tests at 97.8% coverage with test fixtures containing known-vulnerable packages (Log4Shell, Jackson, Struts2, commons-collections, SnakeYAML) for security scanning validation. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…E integration
- gradle: emit 0-based line numbers (was off-by-one, broke IDE decorations)
- gradle: default empty catalog versions to "latest" (was causing 400 from realtime-scanner)
- gradle: multi-line dependency locations with rawLines tracking
- maven/dotnet/golang: strip trailing \r so byte offsets are correct on CRLF files
- CLAUDE.md: strengthen 0-based contract, add SBT to parser list
- plugins.sbt: add known-vulnerable packages so IDE decorations can be visually verified
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Integrated Poetry, Setuptools (setup.cfg/setup.py), and enhanced PyPI parsers
from Sumit's implementation with existing Gradle/SBT support. All Python
parsers return PackageManager="pypi" per design spec. Added testdata fixtures
and comprehensive test coverage.
Key changes:
- Added internal/parsers/{poetry,setuptools}/ with full test suites
- Enhanced internal/parsers/pypi/ with support for 6 Python formats
- Fixed pre-existing CRLF line ending bug affecting golang, dotnet, maven on Windows
- Updated manifest-file-selector.go with SBT, Poetry, and Setuptools routing
- Updated parser_factory.go with dispatchers for all Python ecosystems
- Updated CLAUDE.md with complete architecture and design pattern documentation
All parsers pass unit tests. Manifest-parser builds and runs successfully.
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
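As an added illustration (not code from this repository), the contract the commit messages describe for the golang parser: 0-based line numbers, 0-based byte offsets of the version token, and the trailing-\r strip that keeps offsets identical on CRLF and LF files. The type and field names, the `ParseGoMod` function and the go.mod fixture are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Dependency mirrors the AST-CLI contract the commits describe: a 0-based Line and 0-based
// byte offsets of the version token within that line (EndIndex exclusive). Names are assumed.
type Dependency struct {
	Path, Version              string
	Line, StartIndex, EndIndex int
}

// ParseGoMod extracts require directives (single-line and block form) from go.mod text.
func ParseGoMod(content string) []Dependency {
	deps, inBlock := []Dependency{}, false
	for lineNo, line := range strings.Split(content, "\n") {
		// CRLF fix from the commit log: without this, the last token on a CRLF line would be
		// "v1.9.0\r", so the version string is wrong and EndIndex overshoots by one byte.
		line = strings.TrimSuffix(line, "\r")
		code, _, _ := strings.Cut(line, "//") // "// indirect" and similar carry no coordinates
		fields := strings.Fields(code)
		switch {
		case len(fields) == 2 && fields[0] == "require" && fields[1] == "(":
			inBlock = true
		case len(fields) == 1 && fields[0] == ")":
			inBlock = false
		case len(fields) == 3 && fields[0] == "require":
			fields = fields[1:] // single-line form: require <path> <version>
			fallthrough
		case inBlock && len(fields) == 2:
			pathEnd := strings.Index(line, fields[0]) + len(fields[0])
			start := pathEnd + strings.Index(line[pathEnd:], fields[1])
			deps = append(deps, Dependency{Path: fields[0], Version: fields[1], Line: lineNo,
				StartIndex: start, EndIndex: start + len(fields[1])})
		}
	}
	return deps
}

// SampleGoMod is a constructed CRLF fixture for this example, not a repository testdata file.
const SampleGoMod = "module example.com/app\r\n\r\ngo 1.23\r\n\r\nrequire (\r\n" +
	"\tgithub.com/stretchr/testify v1.9.0\r\n\tgolang.org/x/mod v0.20.0 // indirect\r\n)\r\n" +
	"require example.com/single v0.1.0\r\n"

func main() {
	for _, d := range ParseGoMod(SampleGoMod) {
		fmt.Printf("line %d [%d:%d] %s %s\n", d.Line, d.StartIndex, d.EndIndex, d.Path, d.Version)
	}
}
```

Feeding the same fixture with "\n" endings yields identical Line, StartIndex and EndIndex values, which is the property the CRLF fix restores.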
Security Policy Alert: Runner Label Policy Violation
This workflow run has been blocked by StepSecurity's runner label policy because it uses runner labels that are not allowed by your organization's policy. Disallowed Runner Labels:
To fix this issue, please modify the For more information, see StepSecurity's Runner Label Policy documentation.
Security Policy Alert: Secret Policy Violation
This workflow run has been blocked by StepSecurity's secrets policy because it accesses secrets and the workflow file differs from the default branch. To approve this workflow, please add the Note: The label must be added by someone other than the PR author (cx-atish-jadhav) or automation bots to ensure proper security review. After the label is added, you can re-run the blocked workflow to proceed. This workflow will be automatically approved once merged into the default branch. For more information, see StepSecurity's Secret Exfiltration Policy documentation.
No description provided.