Skip to content

PRP: Add Scala SBT build file extractor#1981

Open
Amsamms wants to merge 2 commits intogoogle:mainfrom
Amsamms:fix/issue-1022-sbt-extractor
Open

PRP: Add Scala SBT build file extractor#1981
Amsamms wants to merge 2 commits intogoogle:mainfrom
Amsamms:fix/issue-1022-sbt-extractor

Conversation

@Amsamms
Copy link
Copy Markdown

@Amsamms Amsamms commented Apr 13, 2026

Description

Adds a filesystem extractor for Scala SBT build files (.sbt) that extracts Maven package dependencies.

Closes #1022

Supported SBT dependency patterns

  • Single inline dependencies: libraryDependencies += "groupId" %% "artifactId" % "version"
  • Seq block dependencies: libraryDependencies ++= Seq("g" %% "a" % "v", ...)
  • Version variable resolution: val ver = "1.0.0" / lazy val ver = "1.0.0" references
  • All cross-version operators: %, %%, %%%
  • Configuration scoping: % Test suffix (ignored for extraction)

Design decisions

Based on review feedback from #1801:

  • Configurable file size limits: Default 10MB max, configurable via PluginConfig.MaxFileSizeBytes. File size checked in FileRequired() before reading.
  • Regex compiled once in New(): All regex patterns are compiled during initialization and stored in the Extractor struct, avoiding repeated compilation in Extract() and the MustCompile vs Compile lint conflict.
  • Stats reporting: FileRequired and Extract both report stats via stats.Collector.
  • Reuses javalockfile.Metadata: SBT resolves to Maven artifacts, so we reuse the Java lockfile metadata type (no proto changes needed).
  • All files end with newline: Passes linelint.

Files changed

  • extractor/filesystem/language/scala/sbt/sbt.go — Extractor implementation
  • extractor/filesystem/language/scala/sbt/sbt_test.go — Tests for FileRequired and Extract
  • extractor/filesystem/language/scala/sbt/testdata/ — Test fixtures
  • extractor/filesystem/list/list.go — Registers ScalaSource extractor
  • docs/supported_inventory_types.md — Documents the new extractor

Testing

All tests pass locally on Go 1.24.2:

$ go test ./extractor/filesystem/language/scala/sbt/... -count=2
ok  github.com/google/osv-scalibr/extractor/filesystem/language/scala/sbt  0.024s
$ go vet ./extractor/filesystem/language/scala/sbt/...
$ make lint-plugger  # passes

Amsamms added 2 commits April 13, 2026 20:15
@Amsamms
Add Scala SBT build file extractor
8fc33d8 
Adds a filesystem extractor for Scala SBT build files (.sbt) that extracts
Maven package dependencies. Supports:
- Single dependency declarations (libraryDependencies +=)
- Seq block declarations (libraryDependencies ++= Seq(...))
- Version variable resolution (val/lazy val)
- All SBT cross-version operators (%, %%, %%%)
- Configurable file size limits with 10MB default

Closes google#1022
@Amsamms
Use MustCompile for const regex patterns in New()
af9785f 
Switch from regexp.Compile to regexp.MustCompile for constant pattern
strings, satisfying the gocritic regexpMust lint rule. These patterns
are string literals known at compile time, so MustCompile is the
correct choice.
@Amsamms
Copy link
Copy Markdown
Author

Amsamms commented Apr 23, 2026

Friendly ping @erikvarga @cuixq — this Scala SBT build file extractor PR has been open for 10 days with all 13 CI checks passing. Per the PRP inventory scope (post-Apr 9), this extractor parses build.sbt files for the Scala/Maven ecosystem. Would appreciate a review when you have capacity. Happy to address any feedback. Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

PRP: Extractor for Scala sbt

1 participant

@Amsamms