fix(poetry): properly handle multi-constraint dependency declarations

Signed-off-by: Jan Kowalleck <[email protected]>

Author: jkowalleck

cyclonedx_py/_internal/poetry.py

@@ -292,17 +292,21 @@ def _make_bom(self, project: 'T_NameDict', locker: 'T_NameDict',
         use_extras_dep_names = frozenset(map(normalize_packagename,
                                              chain.from_iterable(po_cfg['extras'][e] for e in use_extras)))
         for group_name in use_groups:
-            for dep_name, dep_spec in po_cfg['group'][group_name].get('dependencies', {}).items():
+            for dep_name, dep_specs in po_cfg['group'][group_name].get('dependencies', {}).items():
                 dep_name = normalize_packagename(dep_name)
-                dep_spec = dep_spec if isinstance(dep_spec, dict) else {'version': dep_spec}
+                if not isinstance(dep_specs, list):
+                    if isinstance(dep_specs, dict):
+                        dep_specs = [dep_specs]
+                    else:
+                        dep_specs = [{'version': dep_specs}]
                 self._logger.debug('root-component depends on %s', dep_name)
                 if dep_name == 'python':
                     continue  # skip python constraint
                 lock_entries = lock_data.get(dep_name)
                 if lock_entries is None:
                     self._logger.warning('skip unlocked dependency: %s', dep_name)
                     continue
-                if dep_spec.get('optional') and dep_name not in use_extras_dep_names:
+                if all(ds.get('optional') for ds in dep_specs) and dep_name not in use_extras_dep_names:
                     self._logger.debug('skip optional unused dependency: %s', dep_name)
                     continue
                 for lock_entry in lock_entries:
@@ -311,7 +315,10 @@ def _make_bom(self, project: 'T_NameDict', locker: 'T_NameDict',
                         value=group_name
                     ))
                     root_d.dependencies.add(Dependency(lock_entry.component.bom_ref))
-                    self.__add_dep(bom, lock_entry, dep_spec.get('extras', ()), lock_data)
+                    self.__add_dep(
+                        bom, lock_entry,
+                        chain.from_iterable(ds.get('extras', ()) for ds in dep_specs),
+                        lock_data)
 
         return bom
 

tests/_data/infiles/poetry/with-optionals-no-extra/pyproject-proto.toml

@@ -9,11 +9,12 @@ authors = ["Your Name <[email protected]>"]
 python  = "^3.8"
 cyclonedx-python-lib = {version = ">=8,<9", optional = true}
 py-serializable = [
+  # see https://github.com/CycloneDX/cyclonedx-python/issues/840
   {version = "*", optional = true}
 ]
 
 [tool.poetry.extras]
-# no extras - see https://github.com/CycloneDX/cyclonedx-python/issues/840
+# no extras!
 
 
 [build-system]