feat: add parsing for uv.lock

Open jkugler opened this issue 9 months ago • 14 comments

Description

Adds parsing for uv.lock files so their dependencies can be added to the SBOM.

Closes #3268

Type of change

  • [X] New feature (non-breaking change which adds functionality)
  • [ ] Documentation (updates the documentation)

Checklist:

  • [x] I have added unit tests that cover changed behavior
  • [x] I have tested my code in common scenarios and confirmed there are no regressions
  • [X] I have added comments to my code, particularly in hard-to-understand sections

jkugler avatar Mar 26 '25 22:03 jkugler

  1. I am still trying to wrap my head around the Dependency stuff.
  2. I do not yet have tests
  3. I do not yet have additional docs

But, I wanted to make sure I'm heading down the right path.

jkugler avatar Mar 26 '25 22:03 jkugler

Do you have the pyproject.toml file for the lock generated here? https://github.com/anchore/syft/tree/main/syft/pkg/cataloger/python/test-fixtures/poetry/dev-deps/ I'm trying to find it so I can replicate the tests. :)

jkugler avatar Mar 27 '25 22:03 jkugler

Oh, I'm realizing I need to create a bunch of data structures, and not just use the data structures coming from the TOML. Hmm...more to wrap my head around. :)

jkugler avatar Mar 27 '25 22:03 jkugler

For some reason, my tests don't run when I invoke make unit. Pointers appreciated. :)

jkugler avatar Mar 31 '25 21:03 jkugler

Also, not sure where the docs live...

jkugler avatar Mar 31 '25 21:03 jkugler

👋 Thanks for the PR @jkugler! Let me find some time today to give this a review and I can add some pointers, notes, and give you a good idea of where the docs live.

We keep a lot of them in our wiki to try and keep the README short and easy to consume, but let's see if we can find the proper spot for this one: https://github.com/anchore/syft/wiki

spiffcs avatar Apr 01 '25 14:04 spiffcs

👋 Thanks for the PR @jkugler! Let me find some time today to give this a review and I can add some pointers, notes, and give you a good idea of where the docs live.

Thanks! I know some of the tests will fail simply because some data isn't there. I'd like to find the pyproject.toml for the "dev" fixture:

Do you have the pyproject.toml file for the lock generated here? https://github.com/anchore/syft/tree/main/syft/pkg/cataloger/python/test-fixtures/poetry/dev-deps/ I'm trying to find it so I can replicate the tests. :)

jkugler avatar Apr 01 '25 18:04 jkugler

Any updates? :)

jkugler avatar Apr 10 '25 00:04 jkugler

Just checking in! Any updates on this? Thanks!

jkugler avatar Apr 23 '25 23:04 jkugler

Just checking in. Would love to move forward with this.

jkugler avatar May 07 '25 00:05 jkugler

Hey @jkugler, I don't know if you're able to make it, but we have an open office hours this week, Thursday 12 PM ET.

kzantow avatar May 07 '25 01:05 kzantow

Some linting/code location changes. Lint now complains about duplicate code. I was going to wait until the code has stabilized before I de-duped the function and structs.

jkugler avatar May 09 '25 18:05 jkugler

[!WARNING] Detected modification or removal of existing json schemas:

  • schema/json/schema-16.0.24.json

github-actions[bot] avatar May 09 '25 18:05 github-actions[bot]

Still seems it's not picking up my new tests, so not sure what's going on.

jkugler avatar May 09 '25 19:05 jkugler

Hey :) is there any progress? Would it be possible to support somehow?

floric avatar Jul 10 '25 09:07 floric

I'm still waiting on feedback. I need to get back to my code and see what changes I can make to go forward.

jkugler avatar Jul 10 '25 17:07 jkugler

Updated the parse_uv_lock.go to "un-export" private structs. I'd like to move forward with this. What's the best path for that?

jkugler avatar Jul 15 '25 21:07 jkugler

Hey, when will there be a new version with this change?

dwolski98 avatar Jul 18 '25 10:07 dwolski98

This was just merged yesterday, it will be in the next release (which will be 1.29.0) 👍

kzantow avatar Jul 18 '25 13:07 kzantow