From 1d796b734f1cf6a820070348615d8f93b1eb2c10 Mon Sep 17 00:00:00 2001
From: linsui <2873532-linsui@users.noreply.gitlab.com>
Date: Wed, 7 Aug 2024 14:37:41 +0800
Subject: [PATCH] scanner: error on dependency files without lock file

---
 fdroidserver/scanner.py | 17 +++++++++++++++++
 tests/scanner.TestCase | 3 ++-
 tests/source-files/lockfile.test/Cargo.lock | 0
 tests/source-files/lockfile.test/Cargo.toml | 0
 tests/source-files/lockfile.test/package.json | 0
 tests/source-files/lockfile.test/pubspec.yaml | 0
 tests/source-files/lockfile.test/yarn.lock | 0
 7 files changed, 19 insertions(+), 1 deletion(-)
 create mode 100644 tests/source-files/lockfile.test/Cargo.lock
 create mode 100644 tests/source-files/lockfile.test/Cargo.toml
 create mode 100644 tests/source-files/lockfile.test/package.json
 create mode 100644 tests/source-files/lockfile.test/pubspec.yaml
 create mode 100644 tests/source-files/lockfile.test/yarn.lock

diff --git a/fdroidserver/scanner.py b/fdroidserver/scanner.py
index ce09499b..e881f650 100644
--- a/fdroidserver/scanner.py
+++ b/fdroidserver/scanner.py
@@ -50,6 +50,11 @@ MAVEN_URL_REGEX = re.compile(
 re.DOTALL,
 )

+DEPFILE = {
+ "Cargo.toml": ["Cargo.lock"],
+ "pubspec.yaml": ["pubspec.lock"],
+ "package.json": ["package.lock", "yarn.lock", "pnpm-lock.yaml"],
+}

 SCANNER_CACHE_VERSION = 1

@@ -813,6 +818,18 @@ def scan_source(build_dir, build=metadata.Build(), json_per_build=None):
 'binary', path_in_build_dir, filepath, json_per_build
 )

+ elif curfile in DEPFILE:
+ for lockfile in DEPFILE[curfile]:
+ if os.path.isfile(os.path.join(root, lockfile)):
+ break
+ else:
+ count += handleproblem(
+ _('dependency file without lock'),
+ path_in_build_dir,
+ filepath,
+ json_per_build,
+ )
+
 elif is_executable(filepath):
 if is_binary(filepath) and not (
 safe_path(path_in_build_dir) or is_image_file(filepath)
diff --git a/tests/scanner.TestCase b/tests/scanner.TestCase
index c412b32e..89d60402 100755
--- a/tests/scanner.TestCase
+++ b/tests/scanner.TestCase
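Review bot: The npm entry in `DEPFILE` lists `package.lock`, but npm writes its lock file as `package-lock.json` (or `npm-shrinkwrap.json`), so a `package.json` pinned by npm alone would be reported as a dependency file without lock. The entry should read `"package.json": ["package-lock.json", "npm-shrinkwrap.json", "yarn.lock", "pnpm-lock.yaml"],`. A short comment above the dict, such as `# dependency manifest -> lock files accepted in the same directory`, would also document how the scan uses it.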
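Review bot: The lock-file test is added as an `elif` ahead of `elif is_executable(filepath):`, so any file named `Cargo.toml`, `pubspec.yaml` or `package.json` stops at this branch and is never given the executable/binary check that follows, whether or not a lock file is found. The chain begins and continues outside this hunk, so this rests on the visible branches only; if those files should still be checked, make the test a separate statement rather than a branch, for example `if curfile in DEPFILE and not any(os.path.isfile(os.path.join(root, lockfile)) for lockfile in DEPFILE[curfile]):` guarding the same `handleproblem` call. The lookup only considers `root`, so a workspace member whose lock file is kept in a parent directory is reported, and an empty lock file is accepted; a comment stating whether both are intended would help.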
@@ -60,7 +60,8 @@ class ScannerTest(unittest.TestCase):
 'org.mozilla.rocket': 2,
 'org.tasks': 2,
 'realm': 1,
- 'se.manyver': 2,
+ 'se.manyver': 3,
+ 'lockfile.test': 1,
 }
 for d in glob.glob(os.path.join(source_files, '*')):
 build = fdroidserver.metadata.Build()
diff --git a/tests/source-files/lockfile.test/Cargo.lock b/tests/source-files/lockfile.test/Cargo.lock
new file mode 100644
index 00000000..e69de29b
diff --git a/tests/source-files/lockfile.test/Cargo.toml b/tests/source-files/lockfile.test/Cargo.toml
new file mode 100644
index 00000000..e69de29b
diff --git a/tests/source-files/lockfile.test/package.json b/tests/source-files/lockfile.test/package.json
new file mode 100644
index 00000000..e69de29b
diff --git a/tests/source-files/lockfile.test/pubspec.yaml b/tests/source-files/lockfile.test/pubspec.yaml
new file mode 100644
index 00000000..e69de29b
diff --git a/tests/source-files/lockfile.test/yarn.lock b/tests/source-files/lockfile.test/yarn.lock
new file mode 100644
index 00000000..e69de29b
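Review bot: The expected count for `se.manyver` rises from 2 to 3 without saying which file the new finding comes from, and the new `lockfile.test` fixture only exercises `yarn.lock` as the lock file for `package.json`. If the `se.manyver` tree pairs its `package.json` with npm's `package-lock.json`, which cannot be confirmed from this page, the new count records a false positive as expected behaviour. A comment on the two entries, such as `# pubspec.yaml has no pubspec.lock`, and fixture cases for each accepted lock file name would make the expectation checkable. The dict and the test method begin outside this hunk.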