DependencyTrack · MangoIV · Mar 12, 2024 · Mar 12, 2024 · Mar 12, 2024
diff --git a/.gitignore b/.gitignore
@@ -18,4 +18,8 @@ target/
 # IntelliJ
 .idea/*
 !.idea/icon.svg
-!.idea/runConfigurations/
+!.idea/runConfigurations/
+
+# nix 
+.direnv
+.pre-commit-config.yaml
diff --git a/src/main/java/org/dependencytrack/model/RepositoryType.java b/src/main/java/org/dependencytrack/model/RepositoryType.java
@@ -39,10 +39,12 @@ public enum RepositoryType {
  CARGO,
  GO_MODULES,
  GITHUB,
+ HACKAGE,
  UNSUPPORTED;
 
  /**
  * Returns a RepositoryType for the specified PackageURL.
+ *
  * @param packageURL a package URL
  * @return a RepositoryType
  */
@@ -70,6 +72,8 @@ public static RepositoryType resolve(PackageURL packageURL) {
  return GO_MODULES;
  } else if (PackageURL.StandardTypes.GITHUB.equals(type)) {
  return GITHUB;
+ } else if ("hackage".equals(type)) {
+ return HACKAGE;
  }
  return UNSUPPORTED;
  }

diff --git a/src/main/java/org/dependencytrack/tasks/repositories/HackageMetaAnalyzer.java b/src/main/java/org/dependencytrack/tasks/repositories/HackageMetaAnalyzer.java
@@ -0,0 +1,74 @@
+package org.dependencytrack.tasks.repositories;
+
+import alpine.common.logging.Logger;
+import org.apache.http.HttpStatus;
+import org.apache.http.client.methods.CloseableHttpResponse;
+import org.apache.http.util.EntityUtils;
+import org.dependencytrack.exception.MetaAnalyzerException;
+import org.dependencytrack.model.Component;
+import org.dependencytrack.model.RepositoryType;
+import org.json.JSONObject;
+
+import java.io.IOException;
+
+public class HackageMetaAnalyzer extends AbstractMetaAnalyzer {
+ private static final Logger LOGGER = Logger.getLogger(HackageMetaAnalyzer.class);
+ private static final String DEFAULT_BASE_URL = "https://hackage.haskell.org/";
+
+ HackageMetaAnalyzer() {
+ this.baseUrl = DEFAULT_BASE_URL;
+ }
+
+ /**
+ * {@inheritDoc}
+ */
+ public RepositoryType supportedRepositoryType() {
+ return RepositoryType.HACKAGE;
+ }
+
+ /**
+ * {@inheritDoc}
+ */
+ public boolean isApplicable(Component component) {
+ // FUTUREWORK(mangoiv): add hackage to https://github.com/package-url/packageurl-java/blob/master/src/main/java/com/github/packageurl/PackageURL.java
+ final var purl = component.getPurl();
+ return purl != null && "hackage".equals(purl.getType());
+ }
+
+ /**
+ * {@inheritDoc}
+ */
+ public MetaModel analyze(final Component component) {
+ final var meta = new MetaModel(component);
+ final var purl = component.getPurl();
+ if (purl != null) {
+ final var url = baseUrl + "/package/" + purl.getName() + "/preferred";
+ try (final CloseableHttpResponse response = processHttpRequest(url)) {
+ if (response.getStatusLine().getStatusCode() == HttpStatus.SC_OK) {
+ final var entity = response.getEntity();
+ if (entity != null) {
+ String responseString = EntityUtils.toString(entity);
+ final var deserialized = new JSONObject(responseString);
+ final var preferred = deserialized.getJSONArray("normal-version");
+ // the latest version is the first in the list
+ if (preferred != null) {
+ final var latest = preferred.getString(0);
+ meta.setLatestVersion(latest);
+ }
+ // the hackage API doesn't expose the "published_at" information
+ // we could use https://flora.pm/experimental/packages/{namespace}/{packageName}
+ // but it appears this isn't reliable yet
+ }
+ } else {
+ var statusLine = response.getStatusLine();
+ handleUnexpectedHttpResponse(LOGGER, url, statusLine.getStatusCode(), statusLine.getReasonPhrase(), component);
+ }
+ } catch (IOException ex) {
+ handleRequestException(LOGGER, ex);
+ } catch (Exception ex) {
+ throw new MetaAnalyzerException(ex);
+ }
+ }
+ return meta;
+ }
+}
diff --git a/src/main/java/org/dependencytrack/tasks/repositories/IMetaAnalyzer.java b/src/main/java/org/dependencytrack/tasks/repositories/IMetaAnalyzer.java
@@ -135,6 +135,11 @@ static IMetaAnalyzer build(Component component) {
  if (analyzer.isApplicable(component)) {
  return analyzer;
  }
+ } else if ("hackage".equals(component.getPurl().getType())) {
+ IMetaAnalyzer analyzer = new HackageMetaAnalyzer();
+ if (analyzer.isApplicable(component)) {
+ return analyzer;
+ }
  }
  }
 

diff --git a/src/test/java/org/dependencytrack/tasks/repositories/HackageMetaAnalyzerTest.java b/src/test/java/org/dependencytrack/tasks/repositories/HackageMetaAnalyzerTest.java
@@ -0,0 +1,21 @@
+package org.dependencytrack.tasks.repositories;
+
+import com.github.packageurl.PackageURL;
+import org.dependencytrack.model.Component;
+import org.dependencytrack.model.RepositoryType;
+import org.junit.Assert;
+import org.junit.Test;
+
+public class HackageMetaAnalyzerTest {
+ @Test
+ public void testAnalyzer() throws Exception {
+ Component component = new Component();
+ component.setPurl(new PackageURL("pkg:hackage/singletons-th@3.1"));
+
+ HackageMetaAnalyzer analyzer = new HackageMetaAnalyzer();
+ Assert.assertTrue(analyzer.isApplicable(component));
+ Assert.assertEquals(RepositoryType.HACKAGE, analyzer.supportedRepositoryType());
+ MetaModel metaModel = analyzer.analyze(component);
+ Assert.assertNotNull(metaModel.getLatestVersion());
+ }
+}