feat(python): add support for uv

[nikpivkin]

Description

This PR adds support for retrieving the dependency list from uv.lock of the uv package manager.

Example:

❯ uv init
❯ uv add django==4.2.16
❯ ./trivy fs uv.lock -d --dependency-tree
uv.lock (uv)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────────────┬────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │     Fixed Version     │                         Title                          │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────────────┼────────────────────────────────────────────────────────┤
│ django  │ CVE-2024-53908 │ HIGH     │ fixed  │ 4.2.16            │ 5.0.10, 5.1.4, 4.2.17 │ django: Potential SQL injection in HasKey(lhs, rhs) on │
│         │                │          │        │                   │                       │ Oracle                                                 │
│         │                │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2024-53908             │
│         ├────────────────┼──────────┤        │                   ├───────────────────────┼────────────────────────────────────────────────────────┤
│         │ CVE-2024-53907 │ MEDIUM   │        │                   │ 5.1.4, 4.2.17, 5.0.10 │ django: Potential denial-of-service in                 │
│         │                │          │        │                   │                       │ django.utils.html.strip_tags()                         │
│         │                │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2024-53907             │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────────────┴────────────────────────────────────────────────────────┘

Dependency Origin Tree (Reversed)
=================================
uv.lock
└── django@4.2.16, (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

Related issues

• Close feat(python): Add support for astral UV #7653

Checklist

• I've read the guidelines for contributing to this repository.
• I've followed the conventions in the PR title.
• I've added tests that prove my fix is effective or that my feature works.
• I've updated the documentation with the relevant information (if needed).
• I've added usage information (if the PR introduces new options)
• I've included a "before" and "after" example to the description (if the PR is a user interface change).

[nikpivkin]

@knqyf263 @DmitriyLewen Many package managers are now moving towards PEP-735 support, which introduces the concept of dependency groups, and uv is no exception. I have now implemented skipping all groups except from the dependencies field, as groups can include dependencies for testing, linting or building documentation. Here's what it might look like:

[dependency-groups]
test = ["pytest", "coverage"]
docs = ["sphinx", "sphinx-rtd-theme"]
typing = ["mypy", "types-requests"]

The uv documentation mentions dev dependencies separately from dependency groups, but dev dependencies just belong to a dev group. It also says:

Eventually, the dev-dependencies field will be deprecated and removed.

Is it worth skipping the dev group exclusively?

BTW, I did some tests with poetry (1.8.5). I added a dev dependency poetry add pytest --dev which added to the dev group:

[tool.poetry.group.dev.dependencies]
pytest = "^8.3.4"

But Trivy didn't skip it because now the package in the lockfile doesn't contain the category field as before, based on which Trivy determines the dev dependencies. This is unusual because the lock version remains unchanged and matches the one used in our tests: lock-version = '2.0'.

❯ trivy fs . -f json --list-all-pkgs | grep pytest
2024-12-12-12T17:03:28+06:00 INFO [vuln] Vulnerability scanning is enabled
2024-12-12-12T17:03:28+06:00 INFO [secret] Secret scanning is enabled
2024-12-12-12T17:03:28+06:00 INFO [secret] INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-12-12T17:03:28+06:00 INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.58/docs/scanner/secret#recommendation for faster secret detection
2024-12-12-12T17:03:03:28+06:00 INFO Number of language-specific files num=1
2024-12-12-12T17:03:28+06:00 INFO [poetry] Detecting vulnerabilities...
          “ID": ‘pytest@8.3.4’,
          “Name": ‘pytest’,
            “PURL": ‘pkg:pypi/pytest@8.3.4’,
```

[DmitriyLewen]

Is it worth skipping the dev group exclusively?

I think we also need to skip dev group.

But Trivy didn't skip it because now the package in the lockfile doesn't contain the category field as before

Create new issue for this case. please

@nikpivkin i left comments, take a look, please

[nikpivkin]

Create new issue for this case. please

Created #8096

[nikpivkin]

I think we also need to skip dev group.

The dev group is already skipped. I wanted to discuss what to do with other groups such as test or docs that inherently contain dev dependencies?

[DmitriyLewen]

looks good.
left small comments

[DmitriyLewen]

The dev group is already skipped. I wanted to discuss what to do with other groups such as test or docs that inherently contain dev dependencies?

Does the dependencies field contain these dependencies?
If so, is there a marker for them

[nikpivkin]

dependencies does not contain these dependencies.

Here's an example:

[dependency-groups]
test = ["pytest", "coverage"]
docs = ["sphinx", "sphinx-rtd-theme"]
typing = ["mypy", "types-requests"]

[DmitriyLewen]

IIUC your logic skips these (doc, test, development etc) dependencies .
I think we can leave this logic and wait for feedback from users and then think about it if users need these dependencies.

[DmitriyLewen]

LGTM

cc. @knqyf263

[knqyf263]

LGTM. Left small comments.

[knqyf263]

I think we also need to skip dev group.

The dev group is already skipped. I wanted to discuss what to do with other groups such as test or docs that inherently contain dev dependencies?

Is this about pyproject.toml, not uv.lock? I didn't find the code parsing pyproject.toml in this PR. What am I missing? I'm sorry I was not following the discussion.

[nikpivkin]

@knqyf263 This is about uv.lock. It contains information about all dependencies and groups of the root package. Example:

[package.dev-dependencies]
docs = [
    { name = "mkdocs" },
]
test = [
    { name = "pytest" },
]

For uv we only need to parse the lockfile, since it contains all the information we need.

[knqyf263]

Isn't dependency-groups you mentioned above about pyproject.toml?
#8080 (comment)

Does it mean dependency-groups are copied into uv.lock?

[nikpivkin]

That's right, it's the same dependency groups

[knqyf263]

Thanks for clarifying. Is it possible to identify the dependency graph for development dependencies? We can do that in another PR, though.
#8080 (comment)

[nikpivkin]

Yes, I've already started working on this so we can implement support in this PR.

[knqyf263]

It's better to keep the PR small. Please let me merge this one.

[nikpivkin]

@knqyf263 OK