12 changes: 6 additions & 6 deletions lib/helpers/utils.js
Expand Up @@ -4925,9 +4925,9 @@ export function parsePyProjectTomlFile(tomlFile) {
) {
poetryMode = true;
}
const requires = tomlData?.["build-system"]?.["requires"];
if (requires && Array.isArray(requires)) {
for (const req of requires) {
const buildRequires = tomlData?.["build-system"]?.["requires"];
if (buildRequires && Array.isArray(buildRequires)) {
for (const req of buildRequires) {
if (req.startsWith("poetry-core") && req.includes(">=2.0")) {
isPoetryV2 = true;
break;
Expand Down Expand Up @@ -13538,9 +13538,9 @@ export function getPipFrozenTree(
});
thoughtLog("Performing poetry install");
let poetryInstallArgs = ["-m", "poetry", "install", "-n", "--no-root"];
const isPoetryV2 = parsePyProjectTomlFile(
join(basePath, "pyproject.toml"),
).isPoetryV2;

const pyprojectpath = safeExistsSync(join(basePath, "pyproject.toml"));
const isPoetryV2 = parsePyProjectTomlFile(pyprojectpath).isPoetryV2;
// checking if poetryV2 is true or not
if (isPoetryV2) {
// Include all dependency groups and extras (Poetry v2+)
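Review bot: In the second hunk, `pyprojectpath` holds the return value of `safeExistsSync(...)`, which by its name looks like a boolean existence check, yet it is passed to `parsePyProjectTomlFile` as the file path; if so, the parser receives `true`/`false` instead of a path, `isPoetryV2` is never derived from the real pyproject.toml, and the Poetry v2 install flags are silently skipped. Keep the path and use the existence check only as a guard: `const pyprojectPath = join(basePath, "pyproject.toml");` then `const isPoetryV2 = safeExistsSync(pyprojectPath) ? parsePyProjectTomlFile(pyprojectPath).isPoetryV2 : false;`. Even if `parsePyProjectTomlFile` happens to tolerate a non-path argument, the explicit guard documents the intent that a missing manifest means "not Poetry v2". The comment `// checking if poetryV2 is true or not` merely restates the condition and can be dropped, since the comment inside the branch already explains why the flags differ. `getPipFrozenTree` starts and ends outside the hunk.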
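--- a/lib/helpers/utils.test.js
+++ b/lib/helpers/utils.test.js
@@ -4979,29 +4979,33 @@ test("parse pyproject.toml", () => {
 
 test("parse pyproject.toml with poetryv2 requirement", () => {
 const retMap = parsePyProjectTomlFile("./test/data/pyproject_poetryv2.toml");
-// expect(retMap.parentComponent).toEqual({
-// name: "cpggen",
-// version: "1.9.0",
-// description:
-// "Generate CPG for multiple languages for code and threat analysis",
-// license: "Apache-2.0",
-// author: "Team AppThreat <[email protected]>",
-// homepage: { url: "https://github.com/AppThreat/cpggen" },
-// repository: { url: "https://github.com/AppThreat/cpggen" },
-// tags: [
-// "atom",
-// "code analysis",
-// "code property graph",
-// "cpg",
-// "joern",
-// "static analysis",
-// "threat analysis",
-// ],
-// type: "application",
-// "bom-ref": "pkg:pypi/[email protected]",
-// purl: "pkg:pypi/[email protected]",
-// evidence: { identity: { field: "purl", confidence: 1, methods: [Array] } },
-// });
+expect(retMap.parentComponent).toEqual({
+name: "blint",
+version: "2.4.2",
+description: "Linter and SBOM generator for binary files.",
+license: "MIT",
+authors: [{ name: "Team AppThreat", email: "[email protected]" }],
+homepage: { url: "https://github.com/owasp-dep-scan/blint" },
+repository: { url: "https://github.com/owasp-dep-scan/blint" },
+tags: ["binary", "linter", "sast", "security"],
+properties: [{ name: "cdx:pypi:requiresPython", value: ">=3.10,<3.14" }],
+type: "application",
+"bom-ref": "pkg:pypi/[email protected]",
+purl: "pkg:pypi/[email protected]",
+evidence: {
+identity: {
+field: "purl",
+confidence: 1,
+methods: [
+{
+technique: "manifest-analysis",
+confidence: 1,
+value: "./test/data/pyproject_poetryv2.toml",
+},
+],
+},
+},
+});
 expect(retMap.isPoetryV2).toBeTruthy();
 });
 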
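Review bot: The only assertion on the detection logic is `expect(retMap.isPoetryV2).toBeTruthy();`, and with the fixture now declaring `poetry-core>=2.0.0` the test exercises just the positive branch; the substring check in `parsePyProjectTomlFile` (`req.includes(">=2.0")`) also accepts `poetry-core>=2.0` but would miss `poetry-core>=2.1` or `poetry-core>=3`, so a negative and a near-miss case would pin the intended boundary. Consider a sibling test on a fixture with `requires = ["poetry-core>=1.9.0"]` asserting `expect(retMap.isPoetryV2).toBe(false);`, unless the preceding "parse pyproject.toml" test (outside this hunk) already covers it. `toBe(true)` is also stricter than `toBeTruthy()` here, since the field is read as a boolean flag in `getPipFrozenTree`.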
103 changes: 66 additions & 37 deletions test/data/pyproject_poetryv2.toml
@@ -1,52 +1,81 @@
[tool.poetry]
name = "cpggen"
version = "1.9.0" # 1.9.0 is not version 2.0.0
description = "Generate CPG for multiple languages for code and threat analysis"
authors = ["Team AppThreat <[email protected]>"]
license = "Apache-2.0"
[project]
name = "blint"
version = "2.4.2"
description = "Linter and SBOM generator for binary files."
authors = [
{name= "Team AppThreat", email = "[email protected]"},
]
dependencies = [
"lief>=0.16.6",
"rich>=14.0.0",
"PyYAML>=6.0.2",
"defusedxml>=0.7.1",
"pydantic[email]>=2.11.3",
"orjson>=3.10.16",
"symbolic==10.2.1",
"ar>=1.0.0",
"custom-json-diff>=2.1.6",
"appdirs>=1.4.4",
"apsw>=3.49.1.0",
"packageurl-python>=0.16.0",
"oras>=0.2.28",
]
license = "MIT"
readme = "README.md"
packages = [{include = "cpggen"}]
homepage = "https://github.com/AppThreat/cpggen"
repository = "https://github.com/AppThreat/cpggen"
keywords = ["joern", "code analysis", "static analysis", "cpg", "code property graph", "atom", "threat analysis"]
homepage = "https://github.com/owasp-dep-scan/blint"
repository = "https://github.com/owasp-dep-scan/blint"
keywords = ["linter", "binary", "security", "sast"]
classifiers = [
"Development Status :: 5 - Production/Stable",
"Intended Audience :: Developers",
"Intended Audience :: System Administrators",
"Topic :: Utilities",
"Topic :: Security",
"Programming Language :: Python :: 3.8",
"Programming Language :: Python :: 3.9",
"Programming Language :: Python :: 3.10",
"Programming Language :: Python :: 3.11",
"Programming Language :: Python :: 3.12",
"Programming Language :: Python :: 3.13",
"Operating System :: OS Independent",
]
exclude = ["contrib", "tests"]
include = ["cpggen/atom/*"]

[tool.poetry.scripts]
atomgen = 'cpggen.cli:main'
cpggen = 'cpggen.cli:main'
cpg = 'cpggen.cli:main'

[tool.poetry.dependencies]
python = ">=3.8.1,<3.12"
rich = "^13.4.2"
gitpython = "^3.1.31"
quart = "^0.18.4"
psutil = "^5.9.5"
packageurl-python = "^0.11.1"
httpx = "^0.24.1"

[tool.poetry.group.dev.dependencies]
pytest = "^7.4.0"
black = "^23.3.0"
flake8 = "^6.0.0"
pytest-cov = "^4.0.0"
pyinstaller = "^5.12.0"
bandit = "^1.7.5"
pylint = "^2.17.4"
requires-python = ">=3.10,<3.14"
include = ["blint/data/*.yml"]

[project.urls]
"CI" = "https://github.com/owasp-dep-scan/blint/actions"

[project.scripts]
blint = 'blint.cli:main'

[project.optional-dependencies]
dev = [
"pytest>=8.3.5",
"black>=25.1.0",
"flake8>=7.2.0",
"pylint>=3.3.6",
"pytest-cov>=6.1.1",
"pyinstaller>=6.12.0"
]

[tool.black]
line-length = 99

[build-system]
requires = ["poetry-core>=2.0.0"]
build-backend = "poetry.core.masonry.api"

[tool.pytest.ini_options]
addopts = "--verbose --cov-append --cov-report term --cov blint"

[tool.pylint]
generated-members = ["lief", "orjson"]
ignore-paths = ["blint/cyclonedx/*", "tests/*"]
# Let's not fuss about long strings
ignore-long-lines = "[r|f]\""
disable = ["missing-module-docstring", "logging-fstring-interpolation"]

[tool.pylint.format]
max-line-length = 99

[tool.pylint.design]
max-args = 6
max-nested-blocks = 6