gps-denied-onboard/ci/opencv_pin_gate.py

#!/usr/bin/env python3
"""OpenCV pin gate — D-CROSS-CVE-1 enforcement.

Asserts that the resolved `opencv-python` (or `opencv-contrib-python`) version
declared in `pyproject.toml` is `>= 4.12.0`. Runs without installing any deps.
"""

from __future__ import annotations

import argparse
import re
import sys
from pathlib import Path

MIN_VERSION = (4, 12, 0)
OPENCV_PACKAGES = ("opencv-python", "opencv-contrib-python")


def _parse_version(spec: str) -> tuple[int, ...]:
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", spec)
    if match is None:
        raise ValueError(f"Cannot parse a version from {spec!r}")
    return tuple(int(g) for g in match.groups())


def main(argv: list[str] | None = None) -> int:
    parser = argparse.ArgumentParser(description="OpenCV >=4.12.0 pin gate.")
    parser.add_argument("--pyproject", type=Path, default=Path("pyproject.toml"))
    args = parser.parse_args(argv)

    text = args.pyproject.read_text()
    found: list[tuple[str, tuple[int, ...]]] = []
    for pkg in OPENCV_PACKAGES:
        for line in text.splitlines():
            stripped = line.strip().strip(",").strip('"').strip("'")
            if stripped.startswith(pkg):
                spec = stripped[len(pkg) :].strip()
                if spec.startswith((">=", "==", "~=", ">")):
                    spec = spec.lstrip(">=~<")
                if not spec:
                    continue
                try:
                    parsed = _parse_version(spec)
                except ValueError:
                    continue
                found.append((pkg, parsed))

    if not found:
        print("FAIL: no OpenCV pin found in pyproject.toml.", file=sys.stderr)
        return 2

    for pkg, version in found:
        if version < MIN_VERSION:
            print(
                f"FAIL: {pkg}=={'.'.join(str(v) for v in version)} "
                f"< required {'.'.join(str(v) for v in MIN_VERSION)} (D-CROSS-CVE-1).",
                file=sys.stderr,
            )
            return 1
        print(f"OK: {pkg} >= {'.'.join(str(v) for v in MIN_VERSION)}")
    return 0


if __name__ == "__main__":
    raise SystemExit(main())