Updated depsusage evidence API and ResolveImports for python language with tests (#15)

* Updated depsusage evidence API and updated python import resolution logic

Signed-off-by: Omkar Phansopkar <[email protected]>

* Implemented packagehint resolution and docs for import and usage evidence

Signed-off-by: Omkar Phansopkar <[email protected]>

---------

Signed-off-by: Omkar Phansopkar <[email protected]>

Author: OmkarPh

core/ast/import.go

@@ -8,7 +8,7 @@ import (
 
 // ImportNode represents an import statement in a source file
 // This is a language agnostic representation of an import statement.
-// Not all attributes may be present in all languages.
+// Not all attributes may be present in all languages
 type ImportNode struct {
 	Node
 

docs/ADR.md

@@ -25,7 +25,7 @@ various use-cases faster and more efficiently. The key building blocks are:
 
 Common plugins include
 
-- Import Resolver: Ability to resolve imports and load the file for analysis
+- Import Resolver: Ability to resolve imports and load the file for analysis. Read more - [Imports](imports.md)
 
 Like most analysis systems, higher level of abstractions are built on top
 of lower level abstractions. This means, the analysis plugins that produce

docs/imports.md

@@ -0,0 +1,46 @@
+# Imports
+
+Imports returned by `language.Resolvers().ResolveImports()` are represented as [ImportNode](/core/ast/import.go) in a language agnostic manner. It has following fields -
+
+- `moduleNameNode` exposed by `ModuleName` 
+
+  The sitter node referring to the imported package or module. It contains entire module name, a non-empty string which can be resolved to the target package or source file on the disk.
+
+  eg. In python, ModuleName `x.y.z` is resolved for imports - `from x.y.z import p` is `x.y.z`, `import x.y.z` or `import x.y.z as xz`
+
+  eg. In javascript, ModuleName can be `../relative/import`, `@gilbarbara/eslint-config`, `express`
+  
+- `moduleItemNode` exposed by `ModuleItem`
+
+	The sitter node referring to the specific item (function, class, variable, etc) imported from the `ModuleName` mentioned above. It is an empty string if the entire module is imported.
+
+  eg. For python import `from sklearn import dastasets as ds` is resolved to ModuleItem - `datasets`
+
+  eg. For javascript import `import { hex } from 'chalk/ansi-styles'`, ModuleItem is `hex`
+
+- `moduleAliasNode` exposed by `ModuleAlias`
+
+	The sitter node referring to alias of the import in the current scope. It is mapped as equivalent to the `ModuleItem` (if it is empty, then `ModuleName`).  If no alias is specified in code, then it contains the node for actual Moduleltem or ModuleName.
+
+  eg. For python import `from sklearn import datasets as ds`, alias is `ds` referring to ModuleItem - `datasets`
+  However, for `import pandas as pd`, alias `pd` refers to ModuleName - `pandas` since ModuleItem is empty.
+
+- `isWildcardImport` exposed by `IsWildcardImport`
+
+	Boolean flag Indicating whether the import is a wildcard import
+
+  eg. In python - `from seaborn import *`
+
+  eg. In java - `import java.util.*`
+
+
+## Note
+For composite imports, multiple `ImportNode`s are generated.
+For example, `import ReactDOM, { render, flushSync as flushIt } from 'react-dom'` is resolved to three import nodes -
+```
+ImportNode{ModuleName: react-dom, ModuleItem: , ModuleAlias: ReactDOM, WildcardImport: false}
+ImportNode{ModuleName: react-dom, ModuleItem: render, ModuleAlias: render, WildcardImport: false}
+ImportNode{ModuleName: react-dom, ModuleItem: flushSync, ModuleAlias: flushIt, WildcardImport: false}
+```
+
+For different edge cases refer to `ImportExpectations` testcases in `_test` files in [lang/](/lang) directory

docs/usageevidence.md

@@ -0,0 +1,44 @@
+# Usag evidence
+
+`UsageEvidence` represents the evidence of usage of a module item in a file. Fields -
+
+- PackageHint - string
+  
+  Imported modules aren't exactly same as packages they refer to. It can be a submodule with separators or the top-level module may not match exact package name. As a usage evidence, PackageHint reports the hint of actual dependency being used.
+  
+  For example, the `PyYAML` package is imported as `yaml` or `yaml.composer` where the imported top level module `yaml` isn't equal to the package name.
+
+  PackageHint is resolved from the `ModuleName` provided by [ImportNode](/core/ast/import.go) by resolving the base module and searching it in the top-level module to dependency mapping [Read more](https://github.com/safedep/code/issues/6).
+  
+
+  Moreover, this may not be the final truth, since different languages & package managers may have some package aliasing eg. Shadow JAR in java. Hence, it is just a "hint".
+  This can be verified or enriched accurately by the consumer of this API using the required package manifest information which isn't in scope of code analysis framework.
+
+- Identifier - string
+
+  The identifier that was mentioned in the code leading to this Usage evidence. It can be an imported function, class or variable.
+  
+  eg.
+  ```python
+  import ujson
+  ujson.decode('{"a": 1, "b": 2}')
+  ```
+  
+  Here, the identifier `ujson` was used, leading to this UsageEvidence
+
+- FilePath - string
+
+  File path where the dependency was used
+
+- Line - uint
+	
+  Line number where the usage was found
+  
+  Note - Line number of usage is reported, not the import
+
+Fields taken directly from ImportNode. [Read more](imports.md)
+- ModuleName - string
+- ModuleItem - string
+- ModuleAlias - string
+- IsWildCardUsage - bool
+

lang/factory_test.go

@@ -7,6 +7,11 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
+type ImportExpectations struct {
+	filePath string
+	imports  []string
+}
+
 var resolveLanguageTestcases = []struct {
 	filePath             string
 	exists               bool

lang/fixtures/imports.py

@@ -0,0 +1,29 @@
+# 1. Importing an entire module
+import prototurk
+import sys
+
+# 2. Importing a module/submodule/item with an alias
+import pandas as pd
+import langchain.chat_models as customchat
+import matplotlib.pyplot as plt
+
+# 3. Importing a module conditionally
+try:
+    import ujson
+    import plistlib as plb
+except ImportError:
+    import simplejson as smpjson
+
+# 4. Importing all functions from a module / submodule
+from seaborn import * 
+from flask.helpers import *
+from xyz.pqr.mno import *
+
+# 5. Importing a specific item from a module
+from math import sqrt
+from langchain_community import llms
+
+# 6. Importing with/without an alias for a specific function
+from odbc import connect, fetch
+from sklearn import datasets as ds, metric, preprocessing as pre
+from oauthlib.oauth2 import WebApplicationClient as WAC, WebApplicationServer

lang/javascript_resolvers.go

@@ -16,7 +16,7 @@ type javascriptResolvers struct {
 
 var _ core.LanguageResolvers = (*javascriptResolvers)(nil)
 
-const wholeModuleImportQuery = `
+const jsWholeModuleImportQuery = `
 	(import_statement
 		(import_clause
 			(identifier) @module_alias)
@@ -37,7 +37,7 @@ const wholeModuleImportQuery = `
 					arguments: (arguments (string (string_fragment) @module_name))))))
 `
 
-const requireModuleQuery = `
+const jsRequireModuleQuery = `
 	(lexical_declaration
 	(variable_declarator
 		name: (identifier) @module_alias
@@ -64,7 +64,7 @@ const requireModuleQuery = `
 				arguments: (arguments (string (string_fragment) @module_name)))))
 `
 
-const specifiedItemImportQuery = `
+const jsSpecifiedItemImportQuery = `
 	(import_statement
 		(import_clause
 			(named_imports 
@@ -83,14 +83,14 @@ func (r *javascriptResolvers) ResolveImports(tree core.ParseTree) ([]*ast.Import
 	var imports []*ast.ImportNode
 
 	queryRequestItems := []ts.QueryItem{
-		ts.NewQueryItem(wholeModuleImportQuery, func(m *sitter.QueryMatch) error {
+		ts.NewQueryItem(jsWholeModuleImportQuery, func(m *sitter.QueryMatch) error {
 			node := ast.NewImportNode(data)
 			node.SetModuleAliasNode(m.Captures[0].Node)
 			node.SetModuleNameNode(m.Captures[1].Node)
 			imports = append(imports, node)
 			return nil
 		}),
-		ts.NewQueryItem(specifiedItemImportQuery, func(m *sitter.QueryMatch) error {
+		ts.NewQueryItem(jsSpecifiedItemImportQuery, func(m *sitter.QueryMatch) error {
 			node := ast.NewImportNode(data)
 			alreadyEncounteredIdentifier := false
 			for _, capture := range m.Captures {
@@ -109,7 +109,7 @@ func (r *javascriptResolvers) ResolveImports(tree core.ParseTree) ([]*ast.Import
 			imports = append(imports, node)
 			return nil
 		}),
-		ts.NewQueryItem(requireModuleQuery, func(m *sitter.QueryMatch) error {
+		ts.NewQueryItem(jsRequireModuleQuery, func(m *sitter.QueryMatch) error {
 			if len(m.Captures) < 3 {
 				return nil
 			}
@@ -147,7 +147,6 @@ func (r *javascriptResolvers) ResolveImports(tree core.ParseTree) ([]*ast.Import
 	}
 
 	err = ts.ExecuteQueries(ts.NewQueriesRequest(r.language, queryRequestItems), data, tree)
-
 	if err != nil {
 		return nil, err
 	}

lang/javascript_test.go

@@ -27,12 +27,7 @@ func TestJavascriptLanguageMeta(t *testing.T) {
 	})
 }
 
-type ImportExpectations struct {
-	filePath string
-	imports  []string
-}
-
-var importExpectations = []ImportExpectations{
+var javascriptImportExpectations = []ImportExpectations{
 	{
 		filePath: "fixtures/imports.js",
 		imports: []string{
@@ -78,7 +73,7 @@ func TestJavascriptLanguageResolvers(t *testing.T) {
 
 		importExpectationsMapper := make(map[string][]string)
 		importFilePaths := []string{}
-		for _, ie := range importExpectations {
+		for _, ie := range javascriptImportExpectations {
 			importFilePaths = append(importFilePaths, ie.filePath)
 			importExpectationsMapper[ie.filePath] = ie.imports
 		}

lang/python_resolvers.go

@@ -9,45 +9,46 @@ import (
 	sitter "github.com/smacker/go-tree-sitter"
 )
 
-const pythonImportQuery = `
+const pyWholeModuleImportQuery = `
 	(import_statement
 		name: ((dotted_name) @module_name))
 
+	(import_statement
+		name: (aliased_import
+			name: ((dotted_name) @module_name)
+			alias: (identifier) @module_alias))
+
+  (import_from_statement
+		module_name: (dotted_name) @module_name
+		(wildcard_import) @wildcard_import)
+
+	(import_from_statement
+		module_name: (relative_import) @module_name
+		(wildcard_import) @wildcard_import)
+`
+const pyItemImportQuery = `
 	(import_from_statement
 		module_name: (dotted_name) @module_name
 		name: (dotted_name
-			(identifier) @submodule_name @submodule_alias))
+			(identifier) @module_item @module_item_alias))
 
 	(import_from_statement
 		module_name: (relative_import) @module_name
 		name: (dotted_name
-			(identifier) @submodule_name @submodule_alias))
-
-	(import_statement
-		name: (aliased_import
-			name: ((dotted_name) @module_name @submodule_name)
-			alias: (identifier) @submodule_alias))
+			(identifier) @module_item @module_item_alias))
 
 	(import_from_statement
 		module_name: (dotted_name) @module_name
 		name: (aliased_import
 			name: (dotted_name
-				(identifier) @submodule_name)
-			 alias: (identifier) @submodule_alias))
+				(identifier) @module_item)
+			 alias: (identifier) @module_item_alias))
 
 	(import_from_statement
 		module_name: (relative_import) @module_name
 		name: (aliased_import
-			name: ((dotted_name) @submodule_name)
-			alias: (identifier) @submodule_alias))
-		
-  (import_from_statement
-		module_name: (dotted_name) @module_name
-		(wildcard_import) @wildcard_import)
-
-	(import_from_statement
-		module_name: (relative_import) @module_name
-		(wildcard_import) @wildcard_import)
+			name: ((dotted_name) @module_item)
+			alias: (identifier) @module_item_alias))
 	`
 
 type pythonResolvers struct {
@@ -62,34 +63,44 @@ func (r *pythonResolvers) ResolveImports(tree core.ParseTree) ([]*ast.ImportNode
 		return nil, fmt.Errorf("failed to get data from parse tree: %w", err)
 	}
 
-	qx := ts.NewQueryExecutor(r.language.Language(), *data)
-	matches, err := qx.Execute(tree.Tree().RootNode(), pythonImportQuery)
-	if err != nil {
-		return nil, fmt.Errorf("failed to execute query: %w", err)
-	}
-
-	defer matches.Close()
-
 	var imports []*ast.ImportNode
-	err = matches.ForEach(func(m *sitter.QueryMatch) error {
-		node := ast.NewImportNode(data)
-		node.SetModuleNameNode(m.Captures[0].Node)
 
-		if len(m.Captures) > 1 {
-			if m.Captures[1].Node.Type() == "wildcard_import" {
+	queryRequestItems := []ts.QueryItem{
+		ts.NewQueryItem(pyWholeModuleImportQuery, func(m *sitter.QueryMatch) error {
+			node := ast.NewImportNode(data)
+			node.SetModuleNameNode(m.Captures[0].Node)
+
+			if len(m.Captures) > 1 && m.Captures[1].Node.Type() == "wildcard_import" {
 				node.SetIsWildcardImport(true)
 			} else {
-				node.SetIsWildcardImport(false)
-				node.SetModuleItemNode(m.Captures[1].Node)
+				node.SetModuleAliasNode(m.Captures[0].Node)
+				if len(m.Captures) > 1 {
+					node.SetModuleAliasNode(m.Captures[1].Node)
+				}
 			}
-		}
-
-		if len(m.Captures) > 2 {
+			imports = append(imports, node)
+			return nil
+		}),
+		ts.NewQueryItem(pyItemImportQuery, func(m *sitter.QueryMatch) error {
+			node := ast.NewImportNode(data)
+			node.SetModuleNameNode(m.Captures[0].Node)
+			node.SetModuleItemNode(m.Captures[1].Node)
 			node.SetModuleAliasNode(m.Captures[2].Node)
-		}
-		imports = append(imports, node)
-		return nil
-	})
+			// print node type and contents of all captures
+			// fmt.Println("Node", m.Captures[0].Node.Content(*data))
+			// for _, capture := range m.Captures {
+			// 	fmt.Printf("Capture: %s, %s\n", capture.Node.Type(), capture.Node.Content(*data))
+			// }
+
+			imports = append(imports, node)
+			return nil
+		}),
+	}
+
+	err = ts.ExecuteQueries(ts.NewQueriesRequest(r.language, queryRequestItems), data, tree)
+	if err != nil {
+		return nil, err
+	}
 
 	return imports, err
 }