refactor(go): Migrate GoDep TOML parsing to kotlinx-serialization

This allows to get rid of toml4j which had no releases since 2017 and
depends on GSON, which has vulnerabilities.

Signed-off-by: Sebastian Schuberth <[email protected]>

Author: sschuberth

gradle/libs.versions.toml

@@ -59,7 +59,6 @@ slf4j = "2.0.9"
 springCore = "5.3.30"
 svnkit = "1.10.11"
 sw360Client = "17.0.1-m2"
-toml4j = "0.7.2"
 wiremock = "3.0.1"
 xz = "1.9"
 
@@ -159,7 +158,6 @@ slf4j = { module = "org.slf4j:slf4j-api ", version.ref = "slf4j" }
 springCore = { module = "org.springframework:spring-core", version.ref = "springCore" }
 svnkit = { module = "org.tmatesoft.svnkit:svnkit", version.ref = "svnkit" }
 sw360Client = { module = "org.eclipse.sw360:client", version.ref = "sw360Client" }
-toml4j = { module = "com.moandjiezana.toml:toml4j", version.ref = "toml4j" }
 wiremock = { module = "com.github.tomakehurst:wiremock", version.ref = "wiremock" }
 xz = { module = "org.tukaani:xz", version.ref = "xz" }
 

plugins/package-managers/go/build.gradle.kts

@@ -43,12 +43,7 @@ dependencies {
     implementation(project(":utils:spdx-utils"))
 
     implementation(libs.bundles.kotlinxSerialization)
-    implementation(libs.toml4j)
-    constraints {
-        implementation("com.google.code.gson:gson:2.10.1") {
-            because("Earlier versions have vulnerabilities.")
-        }
-    }
+    implementation(libs.tomlkt)
 
     funTestImplementation(testFixtures(project(":analyzer")))
 }

plugins/package-managers/go/src/main/kotlin/GoDep.kt

@@ -19,15 +19,16 @@
 
 package org.ossreviewtoolkit.plugins.packagemanagers.go
 
-import com.moandjiezana.toml.Toml
-
 import java.io.File
 import java.io.IOException
 import java.net.URI
 
 import kotlin.io.path.copyToRecursively
 import kotlin.io.path.createDirectories
 
+import net.peanuuutz.tomlkt.Toml
+import net.peanuuutz.tomlkt.decodeFromNativeReader
+
 import org.apache.logging.log4j.kotlin.logger
 
 import org.ossreviewtoolkit.analyzer.AbstractPackageManagerFactory
@@ -59,6 +60,8 @@ import org.ossreviewtoolkit.utils.common.toUri
 import org.ossreviewtoolkit.utils.ort.createOrtTempDir
 import org.ossreviewtoolkit.utils.ort.showStackTrace
 
+private val toml = Toml { ignoreUnknownKeys = true }
+
 /**
  * A map of legacy package manager file names "dep" can import, and their respective lock file names, if any.
  */
@@ -227,26 +230,17 @@ class GoDep(
             run("ensure", workingDir = workingDir, environment = mapOf("GOPATH" to gopath.path))
         }
 
-        val entries = Toml().read(lockfile).toMap()["projects"]
-        if (entries == null) {
-            logger.warn { "${lockfile.name} is missing any [[projects]] entries" }
+        val contents = lockfile.reader().use { toml.decodeFromNativeReader<GoDepLockFile>(it) }
+        if (contents.projects.isEmpty()) {
+            logger.warn { "The lockfile '$lockfile' does not contain any projects." }
             return emptyList()
         }
 
         val projects = mutableListOf<Map<String, String>>()
 
-        for (entry in entries as List<*>) {
-            val project = entry as? Map<*, *> ?: continue
-            val name = project["name"]
-            val revision = project["revision"]
-
-            if (name !is String || revision !is String) {
-                logger.warn { "Invalid [[projects]] entry in $lockfile: $entry" }
-                continue
-            }
-
-            val version = project["version"] as? String ?: revision
-            projects += mapOf("name" to name, "revision" to revision, "version" to version)
+        contents.projects.forEach { project ->
+            val version = project.version ?: project.revision
+            projects += mapOf("name" to project.name, "revision" to project.revision, "version" to version)
         }
 
         return projects

plugins/package-managers/go/src/main/kotlin/GoDepLockFile.kt

@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2023 The ORT Project Authors (see <https://github.com/oss-review-toolkit/ort/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.ossreviewtoolkit.plugins.packagemanagers.go
+
+import kotlinx.serialization.Serializable
+
+/**
+ * See https://golang.github.io/dep/docs/Gopkg.lock.html.
+ */
+@Serializable
+internal data class GoDepLockFile(
+    val projects: List<Project> = emptyList()
+) {
+    @Serializable
+    data class Project(
+        val name: String,
+        val packages: List<String>,
+        val revision: String,
+        val version: String? = null
+    )
+}