Adds Dart Support with Pub Package Manager (#313)

Changelog.md

@@ -1,7 +1,8 @@
 # Spectrometer Changelog
 
-# unreleased
+## v2.15.0
 
+- Dart: Adds support for pub package manager. ([#313](https://github.com/fossas/spectrometer/pull/313))
 - Modified DiscoveredProject's to include manifest file information (origin paths) ([#316](https://github.com/fossas/spectrometer/pull/316))
 
 ## v2.14.5

docs/quickreference/pub.md

@@ -0,0 +1,12 @@
+# Quick reference: pub
+
+## Requirements
+
+**Ideal/Minimum**
+- `dart` installed locally
+- `pubspec.yaml` file present in your project
+- `pubspec.lock` file present in your project, with dependencies already retrieved and resolved 
+
+## Project discovery
+
+Directories containing `pubspec.yaml` files are considered dart projects.

docs/strategies.md

@@ -70,6 +70,7 @@ TODO: create a lookup table that categorizes these strategies by language or too
 The CLI supports the following strategies:
 
 - [clojure](strategies/golang.md) (lein)
+- [dart](strategies/dart.md) (pub)
 - [elixir](strategies/elixir.md) (mix)
 - [erlang](strategies/erlang.md) (rebar3)
 - [golang](strategies/golang.md) (gomodules, dep, glide)

docs/strategies/dart.md

@@ -0,0 +1,278 @@
+# Dart
+
+Dart ecosystem uses pub package manager to manage shared [packages and libraries](https://dart.dev/guides/packages). Packages can be sourced from [registry](https://pub.dev/), [git repository](https://dart.dev/tools/pub/dependencies#git-packages), or from [local file system](https://dart.dev/tools/pub/dependencies#path-packages). 
+
+## Project Discovery
+
+Find file named `pubspec.yaml`. 
+
+## Analysis
+
+We attempt to perform all of the strategies below, we select the result of succeeded strategies which has the highest preference. 
+
+| Preference | Strategy                                                                                               | Direct Deps        | Deep Deps          | Edges              |
+| ---------- | ------------------------------------------------------------------------------------------------------ | ------------------ | ------------------ | ------------------ |
+| Highest    | 1. `pubspec.yaml` and `pubspec.lock` are discovered, and `flutter pub deps -s compact` can be executed | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
+|            | 2. `pubspec.yaml` and `pubspec.lock` are discovered, and `dart pub deps -s compact` can be executed    | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
+|            | 3. `pubspec.yaml` and `pubspec.lock` are discovered, and `pub deps -s compact` can be executed         | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
+|            | 4. `pubspec.yaml` and `pubspec.lock` are discovered                                                    | :heavy_check_mark: | :x:                | :x:                |
+| Lowest     | 5. Only `pubspec.yaml` is discovered                                                                   | :heavy_check_mark: | :x:                | :x:                |
+
+Where, 
+
+* :heavy_check_mark: - Supported in all projects
+* :x: - Not Supported
+
+It is recommended that, `pub deps get` is executed prior to analyzing dart project. This ensures dependencies are retrieved, so `pub deps -s compact` command can produce edges between direct, and deep dependencies.
+
+### Limitations
+
+* [Path dependencies](https://dart.dev/tools/pub/dependencies#path-packages) are not reported, and will be ignored in analyses. All descendant dependencies of the path dependency will be promoted to the ancestor of the path dependency.
+* [Sdk dependencies](https://dart.dev/tools/pub/dependencies#sdk) are not reported, and will be ignored in analyses. All descendant dependencies of the sdk dependency will be promoted to the ancestor of the sdk dependency.
+
+# Example 
+
+Create new dart project by creating `pubspec.yaml` file.
+
+```yaml
+name: some_example
+description: some example description
+version: 1.0.0+1
+
+environment:
+  sdk: ">=2.0.0 <3.0.0"
+
+dependencies:    
+  path: ">= 1.2.0 <3.0.0"
+  encrypt:
+    git: https://github.com/leocavalcante/encrypt.git
+  flutter:
+    sdk: flutter
+  provider: ^5.0.0
+  quiver: any
+
+flutter:
+  uses-material-design: true
+```
+
+Execute `dart pub get` to retrieve packages from the spec file. When performed, it will create `pubspec.lock` file. 
+
+```text 
+# Generated by pub
+# See https://dart.dev/tools/pub/glossary#lockfile
+packages:
+  args:
+    dependency: transitive
+    description:
+      name: args
+      url: "https://pub.dartlang.org"
+    source: hosted
+    version: "2.2.0"
+  asn1lib:
+    dependency: transitive
+    description:
+      name: asn1lib
+      url: "https://pub.dartlang.org"
+    source: hosted
+    version: "1.0.2"
+  characters:
+    dependency: transitive
+    description:
+      name: characters
+      url: "https://pub.dartlang.org"
+    source: hosted
+    version: "1.1.0"
+  clock:
+    dependency: transitive
+    description:
+      name: clock
+      url: "https://pub.dartlang.org"
+    source: hosted
+    version: "1.1.0"
+  collection:
+    dependency: transitive
+    description:
+      name: collection
+      url: "https://pub.dartlang.org"
+    source: hosted
+    version: "1.15.0"
+  convert:
+    dependency: transitive
+    description:
+      name: convert
+      url: "https://pub.dartlang.org"
+    source: hosted
+    version: "3.0.1"
+  crypto:
+    dependency: transitive
+    description:
+      name: crypto
+      url: "https://pub.dartlang.org"
+    source: hosted
+    version: "3.0.1"
+  encrypt:
+    dependency: "direct main"
+    description:
+      path: "."
+      ref: HEAD
+      resolved-ref: bc2a3f44339574edb5c374b991b6386c495a1bbb
+      url: "https://github.com/leocavalcante/encrypt.git"
+    source: git
+    version: "5.0.1"
+  flutter:
+    dependency: "direct main"
+    description: flutter
+    source: sdk
+    version: "0.0.0"
+  js:
+    dependency: transitive
+    description:
+      name: js
+      url: "https://pub.dartlang.org"
+    source: hosted
+    version: "0.6.3"
+  matcher:
+    dependency: transitive
+    description:
+      name: matcher
+      url: "https://pub.dartlang.org"
+    source: hosted
+    version: "0.12.11"
+  meta:
+    dependency: transitive
+    description:
+      name: meta
+      url: "https://pub.dartlang.org"
+    source: hosted
+    version: "1.7.0"
+  nested:
+    dependency: transitive
+    description:
+      name: nested
+      url: "https://pub.dartlang.org"
+    source: hosted
+    version: "1.0.0"
+  path:
+    dependency: "direct main"
+    description:
+      name: path
+      url: "https://pub.dartlang.org"
+    source: hosted
+    version: "1.8.0"
+  pointycastle:
+    dependency: transitive
+    description:
+      name: pointycastle
+      url: "https://pub.dartlang.org"
+    source: hosted
+    version: "3.3.0"
+  provider:
+    dependency: "direct main"
+    description:
+      name: provider
+      url: "https://pub.dartlang.org"
+    source: hosted
+    version: "5.0.0"
+  quiver:
+    dependency: "direct main"
+    description:
+      name: quiver
+      url: "https://pub.dartlang.org"
+    source: hosted
+    version: "3.0.1"
+  sky_engine:
+    dependency: transitive
+    description: flutter
+    source: sdk
+    version: "0.0.99"
+  stack_trace:
+    dependency: transitive
+    description:
+      name: stack_trace
+      url: "https://pub.dartlang.org"
+    source: hosted
+    version: "1.10.0"
+  typed_data:
+    dependency: transitive
+    description:
+      name: typed_data
+      url: "https://pub.dartlang.org"
+    source: hosted
+    version: "1.3.0"
+  vector_math:
+    dependency: transitive
+    description:
+      name: vector_math
+      url: "https://pub.dartlang.org"
+    source: hosted
+    version: "2.1.0"
+sdks:
+  dart: ">=2.12.0 <3.0.0"
+  flutter: ">=1.16.0"
+```
+
+Dependencies can be inspected using `dart pub deps -s compact`:
+
+```text
+Dart SDK 2.14.0-301.0.dev
+Flutter SDK 2.4.0-4.0.pre
+some_example 1.0.0+1
+
+dependencies:
+- encrypt 5.0.1 [args asn1lib clock collection crypto pointycastle]
+- flutter 0.0.0 [characters collection meta typed_data vector_math sky_engine]
+- path 1.8.0
+- provider 5.0.0 [collection flutter nested]
+- quiver 3.0.1 [matcher]
+
+transitive dependencies:
+- args 2.2.0
+- asn1lib 1.0.2
+- characters 1.1.0
+- clock 1.1.0
+- collection 1.15.0
+- convert 3.0.1 [typed_data]
+- crypto 3.0.1 [collection typed_data]
+- js 0.6.3
+- matcher 0.12.11 [stack_trace]
+- meta 1.7.0
+- nested 1.0.0 [flutter]
+- pointycastle 3.3.0 [collection convert js]
+- sky_engine 0.0.99
+- stack_trace 1.10.0 [path]
+- typed_data 1.3.0 [collection]
+- vector_math 2.1.0
+```
+
+When pub deps command is successfully executed, and lockfile id discovered (strategy 1, 2, or 3) analyses would yield following dependency graph:
+
+![With lock file and deps command](dart-resolved-graph-with-lock-cmd.svg)
+
+Note: Dependencies in yellow boxes are direct dependencies, rest are deep dependencies. All descendent dependencies of sdk dependencies are promoted to their ancestor - e.g. characters, collection, meta, typed_data, and vector_math.
+
+If pub deps command is not successfully executed:
+
+![Without deps command](dart-resolved-graph-without-cmd.svg)
+
+## FAQ
+
+### How do I *only* analyze dart projects?
+
+You can explicitly specify analyses target in `.fossa.yml` file. 
+
+Example below, will exclude all analyses targets except pub. 
+
+```yaml
+# .fossa.yml 
+
+version: 3
+targets:
+  only:
+    - type: pub
+```
+
+## References
+
+* [Pub](https://dart.dev/tools/pub/cmd)
+* [Dart](https://dart.dev/tools/pub/cmd)
+* [Flutter](https://flutter.dev/)

docs/userguide.md

@@ -9,6 +9,7 @@
   - [Check for FOSSA scan results](#check-for-fossa-scan-results)
 - [Supported Languages](#supported-languages)
   - [clojure](#clojure)
+  - [dart](#dart)
   - [erlang](#erlang)
   - [golang](#golang)
   - [haskell](#haskell)
@@ -85,6 +86,10 @@ fossa analyze --help
 
 - [leiningen](quickreference/leiningen.md)
 
+### dart
+
+- [pub](quickreference/pub.md)
+
 ### erlang
 
 - [rebar3](quickreference/rebar3.md)
@@ -249,6 +254,7 @@ Supported dependency types:
 - `maven` - Maven dependencies that can be found at many different sources. Specified as `name: javax.xml.bind:jaxb-api` where the convention is `groupId:artifactId`.
 - `npm` - Javascript dependencies found at [npmjs.com](https://www.npmjs.com/).
 - `nuget` - .NET dependencies found at [NuGet.org](https://www.nuget.org/).
+- `pub` - Dart dependencies found at [pub.dev](https://www.pub.dev/).
 - `pypi` - Python dependencies that are typically found at [Pypi.org](https://pypi.org/).
 - `cocoapods` - Swift and Objective-C dependencies found at [Cocoapods.org](https://cocoapods.org/).
 - `url` - The URL type allows you to specify only the download location of an archive (e.g.: `.zip`, .`tar.gz`, etc.) in the `name` field and the FOSSA backend will attempt to download and scan it. Example for a github source dependency `https://github.com/fossas/spectrometer/archive/refs/tags/v2.7.2.tar.gz`. The `version` field will be silently ignored for `url` type dependencies.