scanner: error on dependency files without lock file

fdroidserver/scanner.py

@@ -50,6 +50,11 @@ MAVEN_URL_REGEX = re.compile(
     re.DOTALL,
 )
 
+DEPFILE = {
+    "Cargo.toml": ["Cargo.lock"],
+    "pubspec.yaml": ["pubspec.lock"],
+    "package.json": ["package.lock", "yarn.lock", "pnpm-lock.yaml"],
+}
 
 SCANNER_CACHE_VERSION = 1
 
@@ -813,6 +818,18 @@ def scan_source(build_dir, build=metadata.Build(), json_per_build=None):
                         'binary', path_in_build_dir, filepath, json_per_build
                     )
 
+            elif curfile in DEPFILE:
+                for lockfile in DEPFILE[curfile]:
+                    if os.path.isfile(os.path.join(root, lockfile)):
+                        break
+                else:
+                    count += handleproblem(
+                        _('dependency file without lock'),
+                        path_in_build_dir,
+                        filepath,
+                        json_per_build,
+                    )
+
             elif is_executable(filepath):
                 if is_binary(filepath) and not (
                     safe_path(path_in_build_dir) or is_image_file(filepath)

tests/scanner.TestCase

@@ -60,7 +60,8 @@ class ScannerTest(unittest.TestCase):
             'org.mozilla.rocket': 2,
             'org.tasks': 2,
             'realm': 1,
-            'se.manyver': 2,
+            'se.manyver': 3,
+            'lockfile.test': 1,
         }
         for d in glob.glob(os.path.join(source_files, '*')):
             build = fdroidserver.metadata.Build()