Add: standalone plugin for evaluating dependencies with a graph

.gitignore

@@ -136,3 +136,4 @@ link.sh
 
 # vts/nasl folder used for testing
 nasl
+!tests/standalone_plugins/nasl/

pyproject.toml

@@ -32,6 +32,7 @@ chardet = ">=4,<6"
 validators = "^0.34.0"
 gitpython = "^3.1.31"
 charset-normalizer = "^3.2.0"
+networkx = "^3.4.2"
 
 [tool.poetry.group.dev.dependencies]
 autohooks = ">=21.7.0"
@@ -81,6 +82,7 @@ troubadix-changed-cves = 'troubadix.standalone_plugins.changed_cves:main'
 troubadix-allowed-rev-diff = 'troubadix.standalone_plugins.allowed_rev_diff:main'
 troubadix-file-extensions = 'troubadix.standalone_plugins.file_extensions:main'
 troubadix-deprecate-vts = 'troubadix.standalone_plugins.deprecate_vts:main'
+troubadix-dependency-graph = 'troubadix.standalone_plugins.dependency_graph.dependency_graph:main'
 
 [build-system]
 requires = ["poetry-core>=1.0.0"]

tests/standalone_plugins/nasl/21.04/21_script.nasl

@@ -0,0 +1,6 @@
+if(description)
+{
+  script_category(ACT_GATHER_INFO);
+  script_dependencies( "foo.nasl" );
+  exit(0);
+}

tests/standalone_plugins/nasl/22.04/22_script.nasl

@@ -0,0 +1,6 @@
+if(description)
+{
+  script_category(ACT_GATHER_INFO);
+  script_dependencies( "foo.nasl" );
+  exit(0);
+}

tests/standalone_plugins/nasl/common/bar.nasl

@@ -0,0 +1,10 @@
+if(description)
+{
+  script_category(ACT_GATHER_INFO);
+  script_dependencies( "foo.nasl", "foo.nasl" );
+
+  if(FEED_NAME == "GSF" || FEED_NAME == "GEF" || FEED_NAME == "SCM")
+    script_dependencies("gsf/enterprise_script.nasl");
+
+  exit(0);
+}

tests/standalone_plugins/nasl/common/foo.nasl

@@ -0,0 +1,8 @@
+if(description)
+{
+  script_category(ACT_ATTACK);
+  script_dependencies( "foobar.nasl", "gsf/enterprise_script.nasl" );
+  exit(0);
+}
+
+script_dependencies( "missing.nasl" );

tests/standalone_plugins/nasl/common/foobar.nasl

@@ -0,0 +1,7 @@
+if(description)
+{
+  script_category(ACT_GATHER_INFO);
+  script_dependencies( "bar.nasl" );
+  exit(0);
+  script_tag(name:"deprecated", value:TRUE);
+}

tests/standalone_plugins/nasl/common/gsf/enterprise_script.nasl

@@ -0,0 +1,5 @@
+if(description)
+{
+  script_category(ACT_GATHER_INFO);
+  exit(0);
+}

tests/standalone_plugins/test_dependency_graph.py

@@ -0,0 +1,76 @@
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2024 Greenbone AG
+import sys
+import unittest
+from contextlib import redirect_stderr, redirect_stdout
+from io import StringIO
+from pathlib import Path
+from unittest.mock import patch
+
+from troubadix.standalone_plugins.dependency_graph.cli import parse_args
+from troubadix.standalone_plugins.dependency_graph.dependency_graph import (
+    create_graph,
+    get_feed,
+    main,
+)
+from troubadix.standalone_plugins.dependency_graph.models import (
+    Dependency,
+    Feed,
+    Script,
+)
+
+NASL_DIR = "tests/standalone_plugins/nasl"
+
+
+class TestDependencyGraph(unittest.TestCase):
+
+    def test_parse_args_ok(self):
+        test_args = [
+            "prog",
+            NASL_DIR,
+            "--feed",
+            "feed_22_04",
+            "--log",
+            "info",
+        ]
+        with patch.object(sys, "argv", test_args):
+            args = parse_args()
+            self.assertTrue(args)
+            self.assertEqual(args.root, Path(NASL_DIR))
+            self.assertEqual(args.feed, [Feed.FEED_22_04])
+            self.assertEqual(args.log, "info")
+
+    @patch("sys.stderr", new_callable=StringIO)
+    def test_parse_args_no_dir(self, mock_stderr):
+        test_args = ["prog", "not_real_dir"]
+        with patch.object(sys, "argv", test_args):
+            with self.assertRaises(SystemExit):
+                parse_args()
+            self.assertRegex(mock_stderr.getvalue(), "invalid directory_type")
+
+    def test_get_feed(self):
+        feed = [Feed.FULL]
+        scripts = get_feed(Path(NASL_DIR), feed)
+        self.assertEqual(len(scripts), 6)
+
+    def test_create_graph(self):
+        dependency1 = Dependency("bar.nasl", False)
+        scripts = [
+            Script("foo.nasl", "community", [dependency1], 0, False),
+            Script("bar.nasl", "enterprise", [], 0, False),
+        ]
+        graph = create_graph(scripts)
+        self.assertEqual(len(list(graph.nodes)), 2)
+
+    def test_full_run(self):
+        test_args = [
+            "prog",
+            NASL_DIR,
+        ]
+        with (
+            redirect_stdout(StringIO()),
+            redirect_stderr(StringIO()),
+            patch.object(sys, "argv", test_args),
+        ):
+            return_code = main()
+            self.assertEqual(return_code, 1)

tests/test_naslinter.py

@@ -44,6 +44,7 @@ def test_generate_file_list_with_exclude_patterns(self):
                 "**/templates/*/*.nasl",
                 "**/test_files/*",
                 "**/test_files/**/*.nasl",
+                "**/tests/standalone_plugins/**/*.nasl",
             ],
             include_patterns=["**/*.nasl", "**/*.inc"],
         )

troubadix/argparser.py

@@ -26,20 +26,38 @@
 from pontos.terminal import Terminal
 
 
+# allows non existent paths and directory paths
 def directory_type(string: str) -> Path:
     directory_path = Path(string)
     if directory_path.exists() and not directory_path.is_dir():
         raise ValueError(f"{string} is not a directory.")
     return directory_path
 
 
+# allows only existing directory paths
+def directory_type_existing(string: str) -> Path:
+    directory_path = Path(string)
+    if not directory_path.is_dir():
+        raise ValueError(f"{string} is not a directory.")
+    return directory_path
+
+
+# allows non existent paths and file paths
 def file_type(string: str) -> Path:
     file_path = Path(string)
     if file_path.exists() and not file_path.is_file():
         raise ValueError(f"{string} is not a file.")
     return file_path
 
 
+# allows only existing file paths
+def file_type_existing(string: str) -> Path:
+    file_path = Path(string)
+    if not file_path.is_file():
+        raise ValueError(f"{string} is not a file.")
+    return file_path
+
+
 def check_cpu_count(number: str) -> int:
     """Make sure this value is valid
     Default: use half of the available cores to not block the machine"""

troubadix/plugins/dependencies.py

@@ -31,6 +31,20 @@
 )
 
 
+def split_dependencies(value: str) -> list[str]:
+    """
+    Remove single and/or double quotes, spaces
+    and create a list by using the comma as a separator
+    additionally, check and filter for inline comments
+    """
+    dependencies = []
+    for line in value.splitlines():
+        subject = line[: line.index("#")] if "#" in line else line
+        _dependencies = re.sub(r'[\'"\s]', "", subject).split(",")
+        dependencies += [dep for dep in _dependencies if dep != ""]
+    return dependencies
+
+
 class CheckDependencies(FilePlugin):
     name = "check_dependencies"
 
@@ -60,17 +74,7 @@ def run(
 
         for match in matches:
             if match:
-                # Remove single and/or double quotes, spaces
-                # and create a list by using the comma as a separator
-                # additionally, check and filter for inline comments
-                dependencies = []
-
-                for line in match.group("value").splitlines():
-                    subject = line[: line.index("#")] if "#" in line else line
-                    _dependencies = re.sub(r'[\'"\s]', "", subject).split(",")
-                    dependencies += [dep for dep in _dependencies if dep != ""]
-
-                for dep in dependencies:
+                for dep in split_dependencies(match.group("value")):
                     if not any(
                         (root / vers / dep).exists() for vers in FEED_VERSIONS
                     ):

troubadix/standalone_plugins/changed_oid.py

@@ -23,16 +23,10 @@
 from pathlib import Path
 from typing import Iterable
 
+from troubadix.argparser import file_type_existing
 from troubadix.standalone_plugins.common import git
 
 
-def file_type(string: str) -> Path:
-    file_path = Path(string)
-    if not file_path.is_file():
-        raise ValueError(f"{string} is not a file.")
-    return file_path
-
-
 def parse_args(args: Iterable[str]) -> Namespace:
     parser = ArgumentParser(
         description="Check for changed oid",
@@ -52,7 +46,7 @@ def parse_args(args: Iterable[str]) -> Namespace:
         "-f",
         "--files",
         nargs="+",
-        type=file_type,
+        type=file_type_existing,
         default=[],
         help=(
             "List of files to diff. "

troubadix/standalone_plugins/dependency_graph/__init__.py

@@ -0,0 +1,2 @@
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2025 Greenbone AG

troubadix/standalone_plugins/dependency_graph/checks.py

@@ -0,0 +1,128 @@
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2025 Greenbone AG
+
+
+from collections import Counter
+
+import networkx as nx
+
+from .models import Result, Script
+
+
+def check_duplicates(scripts: list[Script]) -> Result:
+    """
+    checks for a script depending on a script multiple times
+    """
+    warnings = []
+    for script in scripts:
+        counter = Counter(dep.name for dep in script.dependencies)
+        duplicates = [dep for dep, count in counter.items() if count > 1]
+
+        if duplicates:
+            msg = f"Duplicate dependencies in {script.name}: {', '.join(duplicates)}"
+            warnings.append(msg)
+
+    return Result(name="check_duplicates", warnings=warnings)
+
+
+def check_missing_dependencies(
+    scripts: list[Script], graph: nx.DiGraph
+) -> Result:
+    """
+    Checks if any scripts that are depended on are missing from
+    the list of scripts created from the local file system,
+    logs the scripts dependending on the missing script
+    """
+    errors = []
+    dependencies = {
+        dep.name for script in scripts for dep in script.dependencies
+    }
+    script_names = {script.name for script in scripts}
+    missing_dependencies = dependencies - script_names
+
+    for missing in missing_dependencies:
+        depending_scripts = graph.predecessors(missing)
+        msg = f"missing dependency file: {missing}:"
+        for script in depending_scripts:
+            msg += f"\n  - used by: {script}"
+        errors.append(msg)
+
+    return Result(name="missing_dependencies", errors=errors)
+
+
+def check_cycles(graph) -> Result:
+    """
+    checks for cyclic dependencies
+    """
+    if nx.is_directed_acyclic_graph(graph):
+        return Result(name="check_cycles")
+
+    cycles = nx.simple_cycles(graph)
+
+    errors = [f"cyclic dependency: {cycle}" for cycle in cycles]
+    return Result(name="check_cycles", errors=errors)
+
+
+def cross_feed_dependencies(
+    graph, is_enterprise_checked: bool
+) -> list[tuple[str, str]]:
+    """
+    creates a list of script and dependency for scripts
+    in community feed that depend on scripts in enterprise folders
+    """
+    cross_feed_dependencies = [
+        (u, v)
+        for u, v, is_enterprise_feed in graph.edges.data("is_enterprise_feed")
+        if graph.nodes[u]["feed"] == "community"
+        and graph.nodes[v].get("feed", "unknown") == "enterprise"
+        and is_enterprise_feed == is_enterprise_checked
+    ]  # unknown as standard value due to non existend nodes not having a feed value
+    return cross_feed_dependencies
+
+
+def check_cross_feed_dependecies(graph) -> Result:
+    """
+    Checks if scripts in the community feed have dependencies to enterprise scripts,
+    and if they are correctly contained within a is_enterprise_feed check.
+    """
+    gated_cfd = cross_feed_dependencies(graph, is_enterprise_checked=True)
+    warnings = [
+        f"cross-feed-dependency: {dependent}(community feed) "
+        f"depends on {dependency}(enterprise feed)"
+        for dependent, dependency in gated_cfd
+    ]
+
+    ungated_cfd = cross_feed_dependencies(graph, is_enterprise_checked=False)
+    errors = [
+        f"unchecked cross-feed-dependency: {dependent}(community feed) "
+        f"depends on {dependency}(enterprise feed), but the current feed is not properly checked"
+        for dependent, dependency in ungated_cfd
+    ]
+
+    return Result(
+        name="check_cross_feed_dependencies", warnings=warnings, errors=errors
+    )
+
+
+def check_category_order(graph) -> Result:
+    problematic_edges = [
+        (dependent, dependency)
+        for dependent, dependency in graph.edges()
+        if graph.nodes[dependent]["category"]
+        < graph.nodes[dependency].get("category", -1)
+    ]
+
+    errors = [
+        f"{dependent} depends on {dependency} which has a lower category order"
+        for dependent, dependency in problematic_edges
+    ]
+    return Result(name="check_category_order", errors=errors)
+
+
+def check_deprecated_dependencies(graph) -> Result:
+    errors = [
+        f"{dependent} depends on deprectated script {dependency}"
+        for dependent, dependency in graph.edges()
+        if graph.nodes[dependency].get("deprecated", False)
+    ]
+    return Result(name="check_deprecated_dependencies", errors=errors)