Merge pull request #179 from sw360/177-support-uvlock

Support uv.lock

Author: tngraf

ChangeLog.md

@@ -21,6 +21,7 @@
 * `project prerequisites` now has a summary at the end of the output to show how many
   components have been scanned and how many warnings and errors there are.
 * Adapt `getdependencies python` to the Poetry 2.x pyproject.toml format.
+* `getdependencies python` now also supports uv and its `uv.lock` file.
 
 ## 2.9.1
 

capycli/bom/show_bom.py

@@ -14,10 +14,10 @@
 import sys
 from typing import Any
 
-from cyclonedx.model.license import DisjunctiveLicense, LicenseExpression
 from cyclonedx.model import XsUri
 from cyclonedx.model.bom import Bom
 from cyclonedx.model.component import Component
+from cyclonedx.model.license import DisjunctiveLicense, LicenseExpression
 
 import capycli.common.script_base
 from capycli.common.capycli_bom_support import CaPyCliBom, CycloneDxSupport

capycli/dependencies/python.py

@@ -41,6 +41,8 @@ class InputFileType(str, Enum):
     REQUIREMENTS = "requirements"
     # Poetry lock file ("poetry.lock")
     POETRY_LOCK = "poetry.lock"
+    # uv lock file ("uv.lock")
+    UV_LOCK = "uv.lock"
 
 
 @dataclass
@@ -406,11 +408,15 @@ def determine_file_type(self, full_filename: str) -> InputFileType:
             return InputFileType.REQUIREMENTS
 
         if (filename == "poetry.lock"):
-            data = self.read_poetry_lock_file(full_filename)
+            data = self.read_lock_file(full_filename, filename)
             if data:
                 LOG.debug("Guessing poetry.lock file")
                 return InputFileType.POETRY_LOCK
 
+        if (filename == "uv.lock"):
+            LOG.debug("Guessing uv.lock file")
+            return InputFileType.UV_LOCK
+
         # default
         LOG.debug("Use default type: requirements file")
         return InputFileType.REQUIREMENTS
@@ -435,27 +441,33 @@ def read_toml_file(self, filename: str, err_hint: str = "") -> Dict[str, Any]:
 
         return {}
 
-    def read_poetry_lock_file(self, filename: str) -> Dict[str, Any]:
+    def read_lock_file(self, filename: str, hint: str) -> Dict[str, Any]:
         """
         Ready a poetry.lock file, a TOML file.
         """
-        return self.read_toml_file(filename, "poetry.lock")
+        return self.read_toml_file(filename, hint)
 
     def read_pyproject_file(self, filename: str) -> Dict[str, Any]:
         """
         Ready a pyproject.toml file, a TOML file.
         """
         return self.read_toml_file(filename, "pyproject.toml")
 
-    def get_all_lock_file_entries(self, lock_filename: str) -> List[LockFileEntry]:
+    def get_all_poetry_lock_file_entries(self, lock_filename: str) -> List[LockFileEntry]:
         """Extract information about *all* dependencies from the lock file."""
-        poetry_lock = self.read_poetry_lock_file(lock_filename)
-        poetry_lock_metadata = poetry_lock["metadata"]
+        poetry_lock = self.read_lock_file(lock_filename, "poetry.lock")
+
+        if "metadata" in poetry_lock:
+            poetry_lock_metadata = poetry_lock["metadata"]
+        else:
+            poetry_lock_metadata = {
+                "lock-version": "2.1"
+            }
         entry_list: List[LockFileEntry] = []
         try:
             poetry_lock_version = tuple(int(p) for p in str(poetry_lock_metadata["lock-version"]).split("."))
         except Exception:
-            poetry_lock_version = (0,)
+            poetry_lock_version = tuple((2, 0))
         LOG.debug(f"poetry_lock_version: {poetry_lock_version}")
 
         for package in poetry_lock["package"]:
@@ -469,13 +481,15 @@ def get_all_lock_file_entries(self, lock_filename: str) -> List[LockFileEntry]:
                 continue
 
             entry = LockFileEntry(name, version, description, [], [], False)
-            package_files = package["files"] \
-                if poetry_lock_version >= (2,) \
-                else poetry_lock_metadata["files"][package["name"]]
-            for file_metadata in package_files:
-                entry.files.append(FileEntry(
-                    file_metadata["file"],
-                    file_metadata["hash"]))
+            if "files" in package:
+                # poetry.lock version 2.x
+                package_files = package["files"] \
+                    if poetry_lock_version >= (2,) \
+                    else poetry_lock_metadata["files"][package["name"]]
+                for file_metadata in package_files:
+                    entry.files.append(FileEntry(
+                        file_metadata["file"],
+                        file_metadata["hash"]))
 
             for dep in package.get("dependencies", []):
                 dep_name = GetPythonDependencies.normalize_packagename(dep)
@@ -486,6 +500,35 @@ def get_all_lock_file_entries(self, lock_filename: str) -> List[LockFileEntry]:
 
         return entry_list
 
+    def get_all_uv_lock_file_entries(self, lock_filename: str) -> List[LockFileEntry]:
+        """Extract information about *all* dependencies from the lock file."""
+        uv_lock = self.read_lock_file(lock_filename, "uv.lock")
+
+        entry_list: List[LockFileEntry] = []
+        try:
+            uv_lock_version = tuple((uv_lock.get("version", 0), uv_lock.get("revision", 0)))
+        except Exception:
+            uv_lock_version = tuple((1, 3))
+        LOG.debug(f"uv_lock_version: {uv_lock_version}")
+
+        for package in uv_lock["package"]:
+            name = GetPythonDependencies.normalize_packagename(package.get("name", "").strip())
+            version = package.get("version", "").strip()
+            # no description in uv.lock
+            LOG.debug(f"  Processing raw package: {name}, {version}")
+
+            entry = LockFileEntry(name, version, "", [], [], False)
+            # no files in uv.lock
+
+            for dep in package.get("dependencies", []):
+                dep_name = GetPythonDependencies.normalize_packagename(dep["name"])
+                LOG.debug(f"    Dependency: {dep_name}")
+                entry.dependencies.append(dep_name)
+
+            entry_list.append(entry)
+
+        return entry_list
+
     def find_lock_entry(self, name: str, entries: List[LockFileEntry]) -> Optional[LockFileEntry]:
         for entry in entries:
             if name == entry.name:
@@ -528,16 +571,17 @@ def get_lock_file_entries_for_sbom(self,
             # => return all dependencies
             return all_entries
 
-        poetry2xflag = False
+        new_pyproject_format = False
         if "project" in pyproject_info:
+            # this is for poetry >= 2.0 and uv
             cfg = pyproject_info["project"]
-            poetry2xflag = True
+            new_pyproject_format = True
         else:
             cfg = pyproject_info["tool"]["poetry"]
         # get only real dependencies
         dependencies = cfg.get("dependencies", [])
         for dep in dependencies:
-            if poetry2xflag:
+            if new_pyproject_format:
                 dep = self.get_pure_dep_name(dep)
             dep_name = GetPythonDependencies.normalize_packagename(dep)
             if dep_name.lower() == "python":
@@ -568,7 +612,56 @@ def sbom_from_poetry_lock_file(self, filename: str, search_meta_data: bool, pack
             pyproject_file = os.path.join(folder, "pyproject.toml")
         creator = SbomCreator()
         sbom = creator.create([], addlicense=True, addprofile=True, addtools=True)
-        entry_list_all = self.get_all_lock_file_entries(filename)
+        entry_list_all = self.get_all_poetry_lock_file_entries(filename)
+        entry_list = self.get_lock_file_entries_for_sbom(pyproject_file, entry_list_all)
+        for package in entry_list:
+            purl = PackageURL(type="pypi", name=package.name, version=package.version)
+            cxcomp = Component(
+                name=package.name,
+                version=package.version,
+                purl=purl,
+                bom_ref=purl.to_string(),
+                description=package.description)
+
+            prop = Property(
+                name=CycloneDxSupport.CDX_PROP_LANGUAGE,
+                value="Python")
+            cxcomp.properties.add(prop)
+
+            if search_meta_data:
+                self.add_meta_data_to_bomitem(cxcomp, package_source)
+            else:
+                LOG.debug("  Processing package_files")
+                for file_metadata in package.files:
+                    LOG.debug(f"    Processing file_metadata: {file_metadata}")
+                    try:
+                        cxcomp.external_references.add(ExternalReference(
+                            type=ExternalReferenceType.DISTRIBUTION,
+                            url=XsUri(cxcomp.get_pypi_url()),
+                            # comment=f'Distribution file: {file_metadata.file}',
+                            comment=CaPyCliBom.BINARY_URL_COMMENT,
+                            hashes=[HashType.from_composite_str(file_metadata.hash)]
+                        ))
+                    except Exception as ex:
+                        # IGNORE
+                        LOG.debug("      Ignored error: " + repr(ex))
+                        pass
+
+            sbom.components.add(cxcomp)
+
+        return sbom
+
+    def sbom_from_uv_lock_file(self, filename: str, search_meta_data: bool, package_source: str = "") -> Bom:
+        folder = os.path.dirname(filename)
+
+        if self.proj_file_override:
+            # override for unit tests
+            pyproject_file = self.proj_file_override
+        else:
+            pyproject_file = os.path.join(folder, "pyproject.toml")
+        creator = SbomCreator()
+        sbom = creator.create([], addlicense=True, addprofile=True, addtools=True)
+        entry_list_all = self.get_all_uv_lock_file_entries(filename)
         entry_list = self.get_lock_file_entries_for_sbom(pyproject_file, entry_list_all)
         for package in entry_list:
             purl = PackageURL(type="pypi", name=package.name, version=package.version)
@@ -700,6 +793,8 @@ def run(self, args: Any) -> None:
         datatype = self.determine_file_type(args.inputfile)
         if datatype == InputFileType.POETRY_LOCK:
             sbom = self.sbom_from_poetry_lock_file(args.inputfile, args.search_meta_data, args.package_source)
+        elif datatype == InputFileType.UV_LOCK:
+            sbom = self.sbom_from_uv_lock_file(args.inputfile, args.search_meta_data, args.package_source)
         else:
             print_text("Reading input file " + args.inputfile)
             package_list = self.requirements_to_package_list(args.inputfile)

tests/fixtures/uv_0.9.18/pyproject.toml

@@ -0,0 +1,120 @@
+# SPDX-FileCopyrightText: (c) 2018-2025 Siemens
+# SPDX-License-Identifier: MIT
+
+[project]
+name = "capycli"
+version = "2.9.1"
+description = "CaPyCli - Clearing Automation Python Command Line Interface for SW360"
+readme="Readme.md"
+requires-python = ">=3.11,<3.15"
+license = "MIT"
+authors = [
+    {name = "Thomas Graf", email="thomas.graf@siemens.com"},
+    {name = "Gernot Hillier", email="gernot.hillier@siemens.com"}
+]
+keywords = ["sw360", "cli, automation", "license", "compliance", "clearing"]
+license-files = [
+    "License.md"
+]
+classifiers = [
+    "Development Status :: 5 - Production/Stable",
+    "Intended Audience :: Developers",
+    "Natural Language :: English",
+    "Operating System :: OS Independent",
+    "Programming Language :: Python :: 3 :: Only",
+]
+
+dependencies = [
+    "colorama (>=0.4.3,<0.5.0)",
+    "requests (>=2.31.0,<3.0.0)",
+    "semver (==3.0.2)",
+    "packageurl-python (>=0.15.6,<0.16.0)",
+    "pyjwt (>=2.4.0,<3.0.0)",
+    "openpyxl (>=3.0.3,<4.0.0)",
+    "requirements-parser (==0.11.0)",
+    "sw360 (>=1.8.1,<2.0.0)",
+    "wheel (>=0.38.4,<0.39.0)",
+    "cli-support (==2.0.1)",
+    "chardet (==5.2.0)",
+    "cyclonedx-python-lib (>=11.4.0,<12.0.0)",
+    "dateparser (>=1.1.8,<2.0.0)",
+    "urllib3 (>=2.5.0,<3.0.0)",
+    "importlib-resources (>=5.12.0,<6.0.0)",
+    "beautifulsoup4 (>=4.11.1,<5.0.0)",
+    "jsonschema (>=4.23.0,<5.0.0)",
+    "validation (>=0.8.3,<0.9.0)"]
+
+[project.urls]
+repository = "https://github.com/sw360/capycli"
+homepage = "https://github.com/sw360/capycli"
+issues = "https://github.com/sw360/capycli/issues"
+
+[project.scripts]
+capycli = "capycli.main.cli:main"
+
+[tool.poetry]
+include = [
+    "License.md",
+    { path = "capycli/data/granularity_list.csv", format = "wheel" },
+    { path = "capycli/data/__init__.py", format = "wheel" },
+    { path = "capycli/data/granularity_list.csv", format = "sdist" },
+    { path = "capycli/data/__init__.py", format = "sdist" },
+]
+
+[tool.poetry.group.dev.dependencies]
+coverage = "^5.4"
+responses = "0.24.1"
+pytest = "7.4.3"
+cli-test-helpers = "^3.1.0"
+isort = "^5.12.0"
+mypy = "^1.8.0"
+types-colorama = "^0.4.15.12"
+types-urllib3 = "^1.26.25.14"
+types-openpyxl = "^3.1.0.32"
+types-python-dateutil = "^2.8.19.14"
+types-requests = "2.31.0.6"  # this is the last version that uses urllib3 < 2
+types-beautifulsoup4 = "^4.12.0.20240106"
+codespell = "^2.2.6"
+pyinstaller = "^6.17.0"
+flake8 = "^7.3.0"
+
+[tool.pytest.ini_options]
+filterwarnings = [
+    # note the use of single quote below to denote "raw" strings in TOML
+    "ignore:pkg_resources is deprecated as an API:DeprecationWarning",
+    "ignore:Both `id` and `name` have been supplied - `name` will be ignored!",
+    # cyclonedx-python-lib - UserWarning: The Component this BOM is describing None...
+    "ignore::UserWarning",
+    # cyclonedx-python-lib - DeprecationWarning: `@.tools` is deprecated from CycloneDX v1.5 onwards
+    "ignore::DeprecationWarning"
+]
+
+[tool.mypy]
+exclude = [
+    "/tests",
+]
+
+show_error_codes = true
+pretty = true
+
+warn_unreachable = true
+allow_redefinition = true
+
+### Strict mode ###
+warn_unused_configs         = true
+disallow_subclassing_any    = true
+
+disallow_any_generics       = true
+disallow_untyped_calls      = true
+disallow_untyped_defs       = true
+disallow_incomplete_defs    = true
+check_untyped_defs          = true
+disallow_untyped_decorators = true
+no_implicit_optional        = true
+warn_redundant_casts        = true
+warn_unused_ignores         = true
+no_implicit_reexport        = true
+
+[tool.codespell]
+skip = "./htmlcov/*,./_internal_tests_/*,./__internal__/*,./tests/fixtures/*,*.svg,./capycli/data/granularity_list.csv,./ComponentCache.*,./build/*,./dist/*"
+ignore-words-list = "manuel, assertIn,datas"