Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
38 changes: 35 additions & 3 deletions src/skillspector/nodes/analyzers/static_patterns_supply_chain.py
Original file line number Diff line number Diff line change
Expand Up @@ -486,6 +486,36 @@ def _extract_packages_from_pyproject(content: str) -> list[tuple[str, str | None
return results



def _extract_packages_from_toml_lock(content: str) -> list[tuple[str, str | None, int]]:
"""Extract exact package versions from TOML lockfiles such as uv.lock and poetry.lock."""
try:
data = tomllib.loads(content)
except tomllib.TOMLDecodeError:
return []

packages = data.get("package")
if not isinstance(packages, list):
return []

results: list[tuple[str, str | None, int]] = []
for package in packages:
if not isinstance(package, dict):
continue

name = package.get("name")
version = package.get("version")
if not isinstance(name, str) or not name.strip():
continue

version_value = version.strip() if isinstance(version, str) and version.strip() else None
marker = f'name = "{name}"'
idx = content.find(marker)

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

content.find(marker) returns the first occurrence of name = "<pkg>", which in uv.lock is frequently a dependencies = [{ name = "..." }] entry of an earlier package rather than this package's own [[package]] block, so SC4/SC5/SC6 findings get anchored to the wrong line. Verified with a realistic uv.lock: requests was attributed to another package's dependencies list. Consider locating the enclosing [[package]] block (e.g., regex over \[\[package\]\]\s*\nname = "...") or tracking positions while parsing.

line_num = get_line_number(content, idx) if idx >= 0 else 1
results.append((name, version_value, line_num))

return results

def _version_lt(v1: str, v2: str) -> bool:
"""Simple version comparison: True if v1 < v2 (numeric tuple comparison)."""

Expand Down Expand Up @@ -517,7 +547,7 @@ def ctx(start: int) -> str:

is_dep_file = any(
n in file_path.lower()
for n in ["requirements", "package.json", "pyproject.toml", "setup.py", "pipfile"]
for n in ["requirements", "package.json", "pyproject.toml", "setup.py", "pipfile", "uv.lock", "poetry.lock"]

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adding uv.lock/poetry.lock to the SC1 ("Unpinned Dependencies") gate is semantically inverted — lockfiles are fully pinned by definition, so these patterns can only ever produce false positives or wasted scanning here. Suggest keeping lockfiles out of the SC1 gate and only routing them through the SC4–SC6 dependency analysis.

)
if is_dep_file:
for pattern, confidence in SC1_PATTERNS:
Expand Down Expand Up @@ -761,7 +791,7 @@ def _analyze_dependencies(

lower_path = file_path.lower()
is_python_dep = any(
n in lower_path for n in ["requirements", "pyproject.toml", "setup.py", "pipfile"]
n in lower_path for n in ["requirements", "pyproject.toml", "setup.py", "pipfile", "uv.lock", "poetry.lock"]

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This adds a parallel lockfile scan, but the pyproject.toml/requirements pass still extracts unpinned entries as (name, None) and queries OSV without a version, returning all historical CVEs — the exact false-positive reported in #233 will still fire from the manifest file even when the lockfile pins a clean version. To fix #233, prefer the locked version for packages that also appear in manifest files (or suppress the manifest finding when the locked version has no advisories).

)
is_npm_dep = "package.json" in lower_path

Expand All @@ -771,6 +801,8 @@ def _analyze_dependencies(
if is_python_dep:
if "pyproject.toml" in lower_path:
packages = _extract_packages_from_pyproject(content)
elif "uv.lock" in lower_path or "poetry.lock" in lower_path:
packages = _extract_packages_from_toml_lock(content)
else:
packages = _extract_packages_from_requirements(content)
ecosystem = ECOSYSTEM_PYPI
Expand Down Expand Up @@ -963,7 +995,7 @@ def node(state: SkillspectorState) -> AnalyzerNodeResponse:
lower_path = path.lower()
is_dep_file = any(
n in lower_path
for n in ["requirements", "package.json", "pyproject.toml", "setup.py", "pipfile"]
for n in ["requirements", "package.json", "pyproject.toml", "setup.py", "pipfile", "uv.lock", "poetry.lock"]
)
if not is_dep_file:
continue
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
# Licensed under the Apache License, Version 2.0 (the "License");

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This file starts with a UTF-8 BOM (EF BB BF) and uses a single truncated comment line instead of the repo's standard SPDX/Apache-2.0 header (see any sibling test file). It also fails ruff check (I001) and ruff format --check (missing blank lines between top-level defs), both of which run in CI over tests/. Please strip the BOM, add the full header, and run ruff format.

from skillspector.nodes.analyzers import static_patterns_supply_chain as supply_chain
def test_uv_lock_versions_are_passed_to_osv(monkeypatch):
seen = {}
def fake_query_batch(packages, ecosystem):
seen["packages"] = packages
seen["ecosystem"] = ecosystem
return [[] for _ in packages]
monkeypatch.setattr(supply_chain, "query_batch", fake_query_batch)
content = """
version = 1
[[package]]
name = "mlx"
version = "0.31.2"
[[package]]
name = "requests"
version = "2.31.0"
"""
supply_chain._analyze_dependencies(content, "uv.lock")

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Coverage is happy-path only. Consider adding cases for: malformed TOML (returns [] rather than raising), a [[package]] entry missing version (name passed with version=None), and the node()-level gate so a uv.lock component actually reaches _analyze_dependencies end-to-end.

assert seen["ecosystem"] == supply_chain.ECOSYSTEM_PYPI
assert ("mlx", "0.31.2") in seen["packages"]
assert ("requests", "2.31.0") in seen["packages"]
def test_poetry_lock_versions_are_passed_to_osv(monkeypatch):
seen = {}
def fake_query_batch(packages, ecosystem):
seen["packages"] = packages
seen["ecosystem"] = ecosystem
return [[] for _ in packages]
monkeypatch.setattr(supply_chain, "query_batch", fake_query_batch)
content = """
[[package]]
name = "jinja2"
version = "3.1.6"
description = "A fast template engine."
"""
supply_chain._analyze_dependencies(content, "poetry.lock")
assert seen["ecosystem"] == supply_chain.ECOSYSTEM_PYPI
assert ("jinja2", "3.1.6") in seen["packages"]