Add functionality to handle poetryV2 installation

lib/helpers/utils.js

@@ -17,14 +17,14 @@ import {
 } from "node:fs";
 import { homedir, platform, tmpdir } from "node:os";
 import path, {
-  basename,
   delimiter as _delimiter,
+  sep as _sep,
+  basename,
   dirname,
   extname,
   join,
-  resolve,
   relative,
-  sep as _sep,
+  resolve,
 } from "node:path";
 import process from "node:process";
 import { URL, fileURLToPath } from "node:url";
@@ -4902,6 +4902,7 @@ export function parsePyProjectTomlFile(tomlFile) {
     }
   }
 
+  let isPoetryV2 = false;
   let poetryMode = false;
   let uvMode = false;
   let hatchMode = false;
@@ -4924,6 +4925,16 @@ export function parsePyProjectTomlFile(tomlFile) {
   ) {
     poetryMode = true;
   }
+  const requires = tomlData?.["build-system"]?.["requires"];
+  if (requires && Array.isArray(requires)) {
+    for (const req of requires) {
+      if (req.startsWith("poetry-core") && req.includes(">=2.0")) {
+        isPoetryV2 = true;
+        break;
+      }
+    }
+  }
+
   if (tomlData?.tool?.uv) {
     uvMode = true;
   }
@@ -5027,6 +5038,7 @@ export function parsePyProjectTomlFile(tomlFile) {
   return {
     parentComponent: pkg,
     poetryMode,
+    isPoetryV2,
     uvMode,
     hatchMode,
     workspacePaths,
@@ -13526,6 +13538,15 @@ export function getPipFrozenTree(
       });
       thoughtLog("Performing poetry install");
       let poetryInstallArgs = ["-m", "poetry", "install", "-n", "--no-root"];
+      const isPoetryV2 = parsePyProjectTomlFile(
+        join(basePath, "pyproject.toml"),
+      ).isPoetryV2;
+      // checking if poetryV2 is true or not
+      if (isPoetryV2) {
+        // Include all dependency groups and extras (Poetry v2+)
+        poetryInstallArgs.push("--all-groups", "--all-extras");
+      }
+
       // Attempt to perform poetry install
       result = safeSpawnSync(PYTHON_CMD, poetryInstallArgs, {
         cwd: basePath,
@@ -13539,6 +13560,11 @@ export function getPipFrozenTree(
             "Hmm, poetry doesn't seem to be available as a module. Perhaps it was installed directly 🤔?",
           );
           poetryInstallArgs = ["install", "-n", "--no-root"];
+
+          if (isPoetryV2) {
+            // Also include flags when calling poetry directly
+            poetryInstallArgs.push("--all-groups", "--all-extras");
+          }
           // Attempt to perform poetry install
           result = safeSpawnSync("poetry", poetryInstallArgs, {
             cwd: basePath,

lib/helpers/utils.test.js

@@ -11,12 +11,10 @@ import {
   findLicenseId,
   getCratesMetadata,
   getDartMetadata,
-  getGoPkgLicense,
   getLicenses,
   getMvnMetadata,
   getNugetMetadata,
   getPyMetadata,
-  getRepoLicense,
   guessPypiMatchingVersion,
   hasAnyProjectType,
   isPackageManagerAllowed,
@@ -4979,6 +4977,34 @@ test("parse pyproject.toml", () => {
   });
 });
 
+test("parse pyproject.toml with poetryv2 requirement", () => {
+  const retMap = parsePyProjectTomlFile("./test/data/pyproject_poetryv2.toml");
+  // expect(retMap.parentComponent).toEqual({
+  //   name: "cpggen",
+  //   version: "1.9.0",
+  //   description:
+  //     "Generate CPG for multiple languages for code and threat analysis",
+  //   license: "Apache-2.0",
+  //   author: "Team AppThreat <[email protected]>",
+  //   homepage: { url: "https://github.com/AppThreat/cpggen" },
+  //   repository: { url: "https://github.com/AppThreat/cpggen" },
+  //   tags: [
+  //     "atom",
+  //     "code analysis",
+  //     "code property graph",
+  //     "cpg",
+  //     "joern",
+  //     "static analysis",
+  //     "threat analysis",
+  //   ],
+  //   type: "application",
+  //   "bom-ref": "pkg:pypi/[email protected]",
+  //   purl: "pkg:pypi/[email protected]",
+  //   evidence: { identity: { field: "purl", confidence: 1, methods: [Array] } },
+  // });
+  expect(retMap.isPoetryV2).toBeTruthy();
+});
+
 test("parse pyproject.toml with custom poetry source", () => {
   const retMap = parsePyProjectTomlFile(
     "./test/data/pyproject_with_custom_poetry_source.toml",

test/data/pyproject_poetryv2.toml

@@ -0,0 +1,52 @@
+[tool.poetry]
+name = "cpggen"
+version = "1.9.0" # 1.9.0 is not version 2.0.0
+description = "Generate CPG for multiple languages for code and threat analysis"
+authors = ["Team AppThreat <[email protected]>"]
+license = "Apache-2.0"
+readme = "README.md"
+packages = [{include = "cpggen"}]
+homepage = "https://github.com/AppThreat/cpggen"
+repository = "https://github.com/AppThreat/cpggen"
+keywords = ["joern", "code analysis", "static analysis", "cpg", "code property graph", "atom", "threat analysis"]
+classifiers = [
+    "Development Status :: 5 - Production/Stable",
+    "Intended Audience :: Developers",
+    "Intended Audience :: System Administrators",
+    "Topic :: Utilities",
+    "Topic :: Security",
+    "Programming Language :: Python :: 3.8",
+    "Programming Language :: Python :: 3.9",
+    "Programming Language :: Python :: 3.10",
+    "Programming Language :: Python :: 3.11",
+    "Operating System :: OS Independent",
+]
+exclude = ["contrib", "tests"]
+include = ["cpggen/atom/*"]
+
+[tool.poetry.scripts]
+atomgen = 'cpggen.cli:main'
+cpggen = 'cpggen.cli:main'
+cpg = 'cpggen.cli:main'
+
+[tool.poetry.dependencies]
+python = ">=3.8.1,<3.12"
+rich = "^13.4.2"
+gitpython = "^3.1.31"
+quart = "^0.18.4"
+psutil = "^5.9.5"
+packageurl-python = "^0.11.1"
+httpx = "^0.24.1"
+
+[tool.poetry.group.dev.dependencies]
+pytest = "^7.4.0"
+black = "^23.3.0"
+flake8 = "^6.0.0"
+pytest-cov = "^4.0.0"
+pyinstaller = "^5.12.0"
+bandit = "^1.7.5"
+pylint = "^2.17.4"
+
+[build-system]
+requires = ["poetry-core>=2.0.0"]
+build-backend = "poetry.core.masonry.api"