
feat(poetrylock): support extracting groups from v2+ poetry.lock files #376

Open · wants to merge 7 commits into main

Conversation

G-Rath (Collaborator) commented Jan 7, 2025

Poetry v2 lockfiles now include the groups a package belongs to, meaning that we can support extracting them to allow filtering.

Similar to Maven and NPM, Poetry explicitly notes everything that isn't in an explicit group as being in the main group, meaning that for packages that are considered in that group we always use an empty slice instead, since that's how we indicate the "production" group.

I generated the final fixture using the following pyproject.toml:

```toml
[project]
name = "mine"
version = "1.0.0"

requires-python = ">=3.9"

dependencies = [
  "proto-plus == 1.22.0; python_version >= '3.6' and python_version < '3.10'",
  "proto-plus == 1.23.0; python_version >= '3.10'",
  "six"
]

[project.optional-dependencies]
caching = ["redis>=1"]

[tool.poetry.group.dev.dependencies]
urllib3 = "*"
factory-boy = "*"

[tool.poetry.group.test.dependencies]
faker = "*"
```

Technically we don't need the python_version constraint on proto-plus for this feature, but I realised we don't have any existing fixtures for this situation, so I figured I'd sneak it in as part of this given it seems like we already support the lockfile having a package multiple times with different versions.


This is a sister PR to google/osv-scanner#1477 since osv-scanner is still in the middle of transitioning to using osv-scalibr - the core logic is exactly the same, and either (or both) should be fine to land

@G-Rath G-Rath force-pushed the poetry/support-groups branch from 7d549ec to 340f76b Compare January 7, 2025 19:20
@@ -65,6 +66,28 @@ func (e Extractor) FileRequired(api filesystem.FileAPI) bool {
return filepath.Base(api.Path()) == "poetry.lock"
}

func resolveGroups(pkg poetryLockPackage) []string {
// by definition an optional package cannot be in any other group,
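Review bot: the comment on `resolveGroups` asserts that "an optional package cannot be in any other group", but the discussion on this hunk shows two different things are called "optional" in Poetry: the per-package `optional = true` property that `[project.optional-dependencies]` produces, and Poetry's optional dependency groups, which per the thread do not affect the lockfile at all. Spell out in the comment which one is meant, e.g. `// "optional" here is the package's optional property (extras), not an optional dependency group`, and link the pyproject docs so the assumption is checkable by the next reader.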
Collaborator:
I'm not clear on how optional works here. Does this refer to this: https://python-poetry.org/docs/managing-dependencies/#optional-groups, or are optional groups and optional packages different?

G-Rath (author):

Umm, ok, I didn't know about that. I believe it was referring to https://python-poetry.org/docs/pyproject/#optional-dependencies, but I'll check what happens when using these optional groups.

FWIW, right now "optional" logically is focused on "is the optional property set to true", so I know that optional-dependencies is one way of having that property come out as true, and now the question is if "optional groups" result in that too or something different.

G-Rath (author):

It looks like "optional groups" just manage what gets installed by default when you run poetry install, so they don't have any bearing on the lockfile itself, which makes sense.
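The two points made in this thread, that the explicit "main" group in a v2 poetry.lock is what marks a production dependency (represented as an empty slice) and that the `optional` flag is a per-package property separate from any group, can be shown end to end on a small lockfile. The following is an added illustration written for this page; it is not osv-scalibr's extractor code and not part of this PR. The lockfile fragment is constructed to match the pyproject.toml above (versions and the hash are placeholders), the line-oriented reader only handles the keys it needs rather than being a general TOML parser, and treating a package that lists "main" alongside other groups as production is this example's own reading of the description.

```go
package main

import (
	"fmt"
	"strings"
)

// sampleLock is a constructed v2 poetry.lock fragment (not a real lockfile); versions and the hash are placeholders.
const sampleLock = `
[[package]]
name = "proto-plus"
version = "1.22.0"
groups = ["main"]
markers = "python_version >= \"3.6\" and python_version < \"3.10\""
files = [
    {file = "proto-plus-1.22.0.tar.gz", hash = "sha256:PLACEHOLDER"},
]
[package.dependencies]
protobuf = ">=3.19.0"

[[package]]
name = "proto-plus"
version = "1.23.0"
groups = ["main"]

[[package]]
name = "redis"
version = "5.0.1"
optional = true
groups = ["main"]

[[package]]
name = "urllib3"
version = "2.2.1"
groups = ["dev"]
`

// poetryLockPackage is the subset of a [[package]] entry needed for group filtering.
type poetryLockPackage struct {
	Name     string
	Version  string
	Optional bool
	Groups   []string
}

// parsePoetryLock is a small line-oriented reader for the keys above, not a general TOML
// parser: it assumes Poetry's layout (one key per line; items of files = [...] are not keys).
func parsePoetryLock(content string) []poetryLockPackage {
	var pkgs []poetryLockPackage
	inPackage := false
	for _, raw := range strings.Split(content, "\n") {
		line := strings.TrimSpace(raw)
		if strings.HasPrefix(line, "[") { // table header
			inPackage = line == "[[package]]" // sub-tables like [package.dependencies] are skipped
			if inPackage {
				pkgs = append(pkgs, poetryLockPackage{})
			}
			continue
		}
		key, val, ok := strings.Cut(line, "=")
		if !ok || !inPackage {
			continue
		}
		key, val = strings.TrimSpace(key), strings.TrimSpace(val)
		p := &pkgs[len(pkgs)-1]
		switch key {
		case "name":
			p.Name = strings.Trim(val, `"`)
		case "version":
			p.Version = strings.Trim(val, `"`)
		case "optional":
			p.Optional = val == "true"
		case "groups":
			for _, g := range strings.Split(strings.Trim(val, "[]"), ",") {
				if g = strings.Trim(strings.TrimSpace(g), `"`); g != "" {
					p.Groups = append(p.Groups, g)
				}
			}
		}
	}
	return pkgs
}

// resolveGroups returns an empty, non-nil slice for production dependencies (anything listed under
// the explicit "main" group; assumption: main plus other groups still counts) and the groups otherwise.
func resolveGroups(pkg poetryLockPackage) []string {
	for _, g := range pkg.Groups {
		if g == "main" {
			return []string{}
		}
	}
	return pkg.Groups
}

func main() {
	for _, p := range parsePoetryLock(sampleLock) {
		fmt.Printf("%-10s %-7s optional=%-5t groups=%q\n", p.Name, p.Version, p.Optional, resolveGroups(p))
	}
}
```

Running it prints both proto-plus entries with their own versions and an empty group list, redis with `optional=true` but still in the production group, and urllib3 under `["dev"]`; the `Optional` field is kept on the struct precisely because, as the thread concludes, extras and dependency groups are independent axes and a scanner may want to filter on either.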
