Refactor library counting in package-dependencies tool for uniqueness

fortran01 · fortran01 · commit cfd3cbdbb4fe · 2025-04-22T18:19:50.000-04:00
- Updated the PackageDependencyExtractor class to track unique classes for specified libraries using Sets instead of simple counts.
- Enhanced the Markdown output to reflect counts of unique classes for each library, improving clarity on dependency analysis.
- Revised README.md to describe the updated functionality regarding unique class counting.
- Modified tests to validate the new unique counting logic and ensure accurate reporting of library dependencies.
diff --git a/README.md b/README.md
@@ -16,7 +16,7 @@ The input JSONL files are typically generated from Jarviz-lib static analysis of
 - Generate statistics about dependencies
 - View the most depended-upon classes
 - Extract and analyze package dependencies
-- Count instances of specific libraries (struts, commons, log4j, cryptix) in dependencies, customizable via `--libraries` option
+- Count unique classes belonging to specific libraries (struts, commons, log4j, cryptix) found in dependencies, customizable via `--libraries` option
 
 ## Installation
 
@@ -172,11 +172,11 @@ No cycles found.
 
 The package dependencies extractor generates a Markdown file with the following sections:
 
-1. **Specific Library Counts**: Tracks the number of dependencies where the targetClass contains specific libraries:
+1. **Specific Library Counts**: Tracks the number of unique classes depended upon where the `targetClass` contains specific library names:
    - By default: Struts, Commons, Log4j, Cryptix
    - Customizable via the `--libraries` option
    
-   This helps identify and quantify vulnerability exposure if any of these libraries have security issues.
+   This helps identify and quantify vulnerability exposure by showing how many distinct classes from potentially vulnerable libraries are used.
 
 2. **Base Packages**: A list of all base packages used by the project, grouped by:
    - External Dependencies (e.g., `java.lang`, `javax.servlet`)
diff --git a/package-dependencies.ts b/package-dependencies.ts
@@ -26,7 +26,7 @@ interface PackageInfo {
 
 // Interface for tracking specific library counts
 interface LibraryCounts {
-    [key: string]: number;
+    [key: string]: Set<string>;
 }
 
 class PackageDependencyExtractor {
@@ -46,7 +46,7 @@ class PackageDependencyExtractor {
         
         // Initialize counter for each library
         this.librariesToCount.forEach(lib => {
-            this.libraryCounts[lib] = 0;
+            this.libraryCounts[lib] = new Set<string>();
         });
     }
 
@@ -108,14 +108,15 @@ class PackageDependencyExtractor {
         this.countSpecificLibraries(targetClass);
     }
     
-    // Method to count instances of specific libraries
+    // Method to count unique classes for specific libraries
     private countSpecificLibraries(targetClass: string): void {
         const lcTargetClass = targetClass.toLowerCase();
         
         // Check for each library in the target class
         this.librariesToCount.forEach(library => {
             if (lcTargetClass.includes(library)) {
-                this.libraryCounts[library]++;
+                // Add the original targetClass to the Set for uniqueness
+                this.libraryCounts[library].add(targetClass);
             }
         });
     }
@@ -223,13 +224,13 @@ class PackageDependencyExtractor {
         
         // Add section for specific library counts
         markdownContent += '## Specific Library Counts\n\n';
-        markdownContent += 'These counts represent the number of dependencies where the `targetClass` field in the JSONL data contains each specific library name. This helps quantify how many times your application code depends on classes from these libraries, which is useful for identifying vulnerability exposure.\n\n';
-        markdownContent += '| Library | Count |\n';
-        markdownContent += '|---------|-------|\n';
+        markdownContent += 'These counts represent the number of unique `targetClass` values in the JSONL data that contain each specific library name. This helps quantify how many distinct classes from these libraries your application code depends on, which is useful for identifying vulnerability exposure.\n\n';
+        markdownContent += '| Library | Count (Unique Classes) |\n';
+        markdownContent += '|---------|------------------------|\n';
         
         // Display counts for each library dynamically
         Object.keys(this.libraryCounts).forEach(library => {
-            markdownContent += `| ${library.charAt(0).toUpperCase() + library.slice(1)} | ${this.libraryCounts[library]} |\n`;
+            markdownContent += `| ${library.charAt(0).toUpperCase() + library.slice(1)} | ${this.libraryCounts[library].size} |\n`;
         });
         markdownContent += '\n';
         
@@ -329,16 +330,20 @@ class PackageDependencyExtractor {
         // Log the library counts to console
         console.log('\nSpecific Library Counts:');
         Object.keys(this.libraryCounts).forEach(library => {
-            console.log(`- ${library.charAt(0).toUpperCase() + library.slice(1)}: ${this.libraryCounts[library]}`);
+            console.log(`- ${library.charAt(0).toUpperCase() + library.slice(1)}: ${this.libraryCounts[library].size}`);
         });
     }
     
-    // Getter for library counts (useful for testing)
-    getLibraryCounts(): LibraryCounts {
-        return this.libraryCounts;
+    // Method to get the library counts (Set sizes)
+    getLibraryCounts(): { [key: string]: number } {
+        const counts: { [key: string]: number } = {};
+        Object.keys(this.libraryCounts).forEach(lib => {
+            counts[lib] = this.libraryCounts[lib].size;
+        });
+        return counts;
     }
 
-    // Getter for libraries being counted
+    // Method to get the list of libraries being counted
     getLibrariesToCount(): string[] {
         return [...this.librariesToCount];
     }
diff --git a/tests/package-dependencies.test.ts b/tests/package-dependencies.test.ts
@@ -9,8 +9,8 @@ class PackageDependencyExtractor {
   dependencyMap: Map<string, Set<string>> = new Map();
   artifactMap: Map<string, Set<string>> = new Map();
   basePackageDependencyMap: Map<string, Set<string>> = new Map();
-  // Add property to track library counts
-  libraryCounts: { [key: string]: number } = {};
+  // Update library counts property to use Set for uniqueness
+  libraryCounts: { [key: string]: Set<string> } = {}; // Changed from number to Set<string>
   librariesToCount: string[] = ['struts', 'commons', 'log4j', 'cryptix']; // Default libraries
 
   constructor(librariesToCount?: string) {
@@ -20,7 +20,7 @@ class PackageDependencyExtractor {
     
     // Initialize counter for each library
     this.librariesToCount.forEach(lib => {
-      this.libraryCounts[lib] = 0;
+      this.libraryCounts[lib] = new Set<string>(); // Initialize with an empty Set
     });
   }
 
@@ -199,7 +199,7 @@ class PackageDependencyExtractor {
     
     // Display counts for each library dynamically
     Object.keys(this.libraryCounts).forEach(library => {
-      markdownContent += `| ${library.charAt(0).toUpperCase() + library.slice(1)} | ${this.libraryCounts[library]} |\n`;
+      markdownContent += `| ${library.charAt(0).toUpperCase() + library.slice(1)} | ${this.libraryCounts[library].size} |\n`; // Use .size in tests too
     });
     markdownContent += '\n';
     
@@ -297,21 +297,25 @@ class PackageDependencyExtractor {
     fs.writeFileSync(outputFile, markdownContent);
   }
 
-  // Method to count instances of specific libraries
+  // Method to count unique classes for specific libraries (Updated for tests)
   countSpecificLibraries(targetClass: string): void {
     const lcTargetClass = targetClass.toLowerCase();
     
-    // Check for each library in the target class
     this.librariesToCount.forEach(library => {
       if (lcTargetClass.includes(library)) {
-        this.libraryCounts[library]++;
+        // Add the original targetClass to the Set for uniqueness
+        this.libraryCounts[library].add(targetClass);
       }
     });
   }
 
-  // Getter for library counts (useful for testing)
-  getLibraryCounts() {
-    return this.libraryCounts;
+  // Method to get the library counts (Set sizes) for testing
+  getLibraryCounts(): { [key: string]: number } { // Return type changed to number for the size
+    const counts: { [key: string]: number } = {};
+    Object.keys(this.libraryCounts).forEach(lib => {
+      counts[lib] = this.libraryCounts[lib].size;
+    });
+    return counts;
   }
   
   // Getter for libraries being counted
@@ -670,105 +674,169 @@ describe('PackageDependencyExtractor', () => {
 });
 
 // Add tests for library counts
-describe('countSpecificLibraries', () => {
+describe('Specific Library Counting', () => {
+  let extractor: PackageDependencyExtractor;
+  
+  beforeEach(() => {
+    extractor = new PackageDependencyExtractor();
+  });
+
   test('should count struts in targetClass', () => {
-    const extractor = new PackageDependencyExtractor();
     extractor.countSpecificLibraries('org.apache.struts.actions.Action');
-    expect(extractor.libraryCounts['struts']).toBe(1);
+    expect(extractor.libraryCounts['struts'].size).toBe(1); // Check size
   });
 
   test('should count commons in targetClass', () => {
-    const extractor = new PackageDependencyExtractor();
     extractor.countSpecificLibraries('org.apache.commons.lang.StringUtils');
-    expect(extractor.libraryCounts['commons']).toBe(1);
+    expect(extractor.libraryCounts['commons'].size).toBe(1); // Check size
   });
 
   test('should count log4j in targetClass', () => {
-    const extractor = new PackageDependencyExtractor();
     extractor.countSpecificLibraries('org.apache.log4j.Logger');
-    expect(extractor.libraryCounts['log4j']).toBe(1);
+    expect(extractor.libraryCounts['log4j'].size).toBe(1); // Check size
   });
 
   test('should count cryptix in targetClass', () => {
-    const extractor = new PackageDependencyExtractor();
     extractor.countSpecificLibraries('cryptix.provider.Cipher');
-    expect(extractor.libraryCounts['cryptix']).toBe(1);
+    expect(extractor.libraryCounts['cryptix'].size).toBe(1); // Check size
   });
 
-  test('should handle case insensitivity', () => {
-    const extractor = new PackageDependencyExtractor();
+  test('should handle case-insensitivity', () => {
     extractor.countSpecificLibraries('org.apache.STRUTS.Action');
     extractor.countSpecificLibraries('org.apache.COMMONS.FileUtils');
     extractor.countSpecificLibraries('org.apache.LOG4J.Logger');
     extractor.countSpecificLibraries('CRYPTIX.provider.Cipher');
     
-    expect(extractor.libraryCounts['struts']).toBe(1);
-    expect(extractor.libraryCounts['commons']).toBe(1);
-    expect(extractor.libraryCounts['log4j']).toBe(1);
-    expect(extractor.libraryCounts['cryptix']).toBe(1);
+    expect(extractor.libraryCounts['struts'].size).toBe(1);
+    expect(extractor.libraryCounts['commons'].size).toBe(1);
+    expect(extractor.libraryCounts['log4j'].size).toBe(1);
+    expect(extractor.libraryCounts['cryptix'].size).toBe(1);
   });
-
-  test('should handle multiple libraries in one targetClass', () => {
-    const extractor = new PackageDependencyExtractor();
+  
+  test('should handle multiple libraries in one class name', () => {
+    // Example: a class name containing both 'struts' and 'commons'
     extractor.countSpecificLibraries('org.apache.struts.commons.util');
     
-    expect(extractor.libraryCounts['struts']).toBe(1);
-    expect(extractor.libraryCounts['commons']).toBe(1);
-    expect(extractor.libraryCounts['log4j']).toBe(0);
-    expect(extractor.libraryCounts['cryptix']).toBe(0);
+    expect(extractor.libraryCounts['struts'].size).toBe(1);
+    expect(extractor.libraryCounts['commons'].size).toBe(1);
+    expect(extractor.libraryCounts['log4j'].size).toBe(0);
+    expect(extractor.libraryCounts['cryptix'].size).toBe(0);
   });
 
-  test('should increment counts correctly for multiple calls', () => {
-    const extractor = new PackageDependencyExtractor();
+  test('should count unique classes correctly', () => {
     extractor.countSpecificLibraries('org.apache.struts.Action');
     extractor.countSpecificLibraries('org.apache.struts.actions.DispatchAction');
     extractor.countSpecificLibraries('org.apache.commons.lang.StringUtils');
     extractor.countSpecificLibraries('org.apache.commons.io.FileUtils');
+    // Add the same classes again
+    extractor.countSpecificLibraries('org.apache.struts.Action'); // Duplicate
+    extractor.countSpecificLibraries('org.apache.commons.lang.StringUtils'); // Duplicate
     
-    expect(extractor.libraryCounts['struts']).toBe(2);
-    expect(extractor.libraryCounts['commons']).toBe(2);
+    expect(extractor.libraryCounts['struts'].size).toBe(2); // Should be 2 unique classes
+    expect(extractor.libraryCounts['commons'].size).toBe(2); // Should be 2 unique classes
   });
 
-  test('should support custom libraries list', () => {
+  test('should not count libraries not in the list', () => {
     const extractor = new PackageDependencyExtractor('spring,hibernate,tomcat');
     extractor.countSpecificLibraries('org.springframework.context.ApplicationContext');
     extractor.countSpecificLibraries('org.hibernate.Session');
     
-    expect(extractor.libraryCounts['spring']).toBe(1);
-    expect(extractor.libraryCounts['hibernate']).toBe(1);
-    expect(extractor.libraryCounts['tomcat']).toBe(0);
-    // The default libraries shouldn't be counted
+    expect(extractor.libraryCounts['spring'].size).toBe(1);
+    expect(extractor.libraryCounts['hibernate'].size).toBe(1);
+    expect(extractor.libraryCounts['tomcat'].size).toBe(0);
+    expect(extractor.libraryCounts['struts']).toBeUndefined();
+  });
+  
+  test('should use custom libraries when provided', () => {
+    const extractor = new PackageDependencyExtractor('spring,hibernate,tomcat');
+    extractor.countSpecificLibraries('org.springframework.context.ApplicationContext');
+    extractor.countSpecificLibraries('org.hibernate.Session');
+    
+    expect(extractor.libraryCounts['spring'].size).toBe(1);
+    expect(extractor.libraryCounts['hibernate'].size).toBe(1);
+    expect(extractor.libraryCounts['tomcat'].size).toBe(0);
     expect(extractor.libraryCounts['struts']).toBeUndefined();
   });
 });
 
-// Add test for processRecord with library counting
-test('should count libraries when processing a record', () => {
-  const extractor = new PackageDependencyExtractor();
-  const record = {
-    appSetName: 'TestApp',
-    applicationName: 'TestApp',
-    artifactFileName: 'test.jar',
-    artifactId: 'test',
-    artifactGroup: 'com.test',
-    artifactVersion: '1.0.0',
-    sourceClass: 'com.test.TestClass',
-    sourceMethod: 'testMethod',
-    targetClass: 'org.apache.struts.Action',
-    targetMethod: 'execute'
-  };
-  
-  extractor.processRecord(record);
-  expect(extractor.libraryCounts['struts']).toBe(1);
-  
-  // Process another record with a different library
-  const record2 = {
-    ...record,
-    targetClass: 'org.apache.commons.lang.StringUtils'
-  };
+describe('Integration with processRecord', () => {
+  let extractor: PackageDependencyExtractor;
   
-  extractor.processRecord(record2);
-  expect(extractor.libraryCounts['commons']).toBe(1);
+  beforeEach(() => {
+    extractor = new PackageDependencyExtractor();
+  });
+
+  test('should count struts library via processRecord', () => {
+    const record = {
+      appSetName: 'TestApp',
+      applicationName: 'TestApp',
+      artifactFileName: 'test.jar',
+      artifactId: 'test',
+      artifactGroup: 'com.test',
+      artifactVersion: '1.0.0',
+      sourceClass: 'com.test.TestClass',
+      sourceMethod: 'testMethod',
+      targetClass: 'org.apache.struts.Action',
+      targetMethod: 'execute'
+    };
+    
+    extractor.processRecord(record);
+    expect(extractor.libraryCounts['struts'].size).toBe(1);
+  });
+
+  test('should count commons library via processRecord', () => {
+    const record = {
+      appSetName: 'TestApp',
+      applicationName: 'TestApp',
+      artifactFileName: 'test.jar',
+      artifactId: 'test',
+      artifactGroup: 'com.test',
+      artifactVersion: '1.0.0',
+      sourceClass: 'com.test.TestClass',
+      sourceMethod: 'testMethod',
+      targetClass: 'org.apache.commons.lang.StringUtils',
+      targetMethod: 'execute'
+    };
+    
+    extractor.processRecord(record);
+    expect(extractor.libraryCounts['commons'].size).toBe(1);
+  });
+
+  test('should correctly count unique classes with multiple identical records', () => {
+    const recordStruts = {
+      appSetName: 'TestApp',
+      applicationName: 'TestApp',
+      artifactFileName: 'test.jar',
+      artifactId: 'test',
+      artifactGroup: 'com.test',
+      artifactVersion: '1.0.0',
+      sourceClass: 'com.test.TestClass',
+      sourceMethod: 'testMethod',
+      targetClass: 'org.apache.struts.Action',
+      targetMethod: 'execute'
+    };
+    
+    const recordCommons = {
+      appSetName: 'TestApp',
+      applicationName: 'TestApp',
+      artifactFileName: 'test.jar',
+      artifactId: 'test',
+      artifactGroup: 'com.test',
+      artifactVersion: '1.0.0',
+      sourceClass: 'com.test.TestClass',
+      sourceMethod: 'testMethod',
+      targetClass: 'org.apache.commons.lang.StringUtils',
+      targetMethod: 'execute'
+    };
+    
+    extractor.processRecord(recordStruts);
+    extractor.processRecord(recordCommons);
+    extractor.processRecord(recordStruts);
+    extractor.processRecord(recordCommons);
+
+    expect(extractor.libraryCounts['struts'].size).toBe(1);
+    expect(extractor.libraryCounts['commons'].size).toBe(1);
+  });
 });
 
 // Add tests for getLibrariesToCount
