feat: support parsing pylock.toml files (#303)

* feat: support parsing `pylock.toml` files

* feat: update tests and parser

Author: G-Rath

README.md

@@ -70,6 +70,7 @@ The detector supports parsing the following lockfiles:
 | `poetry.lock`                 | `PyPI`      | `poetry`   |
 | `uv.lock`                     | `PyPI`      | `uv`       |
 | `Pipfile.lock`                | `PyPI`      | `pipenv`   |
+| `pylock.toml`                 | `PyPI`      | (none)     |
 | `pdm.lock`                    | `PyPI`      | `pdm`      |
 | `pubspec.lock`                | `Pub`       | `pub`      |
 | `pom.xml`\*                   | `Maven`     | `maven`    |

__snapshots__/main_test.snap

@@ -39,6 +39,7 @@ Don't know how to parse files as "my-file" - supported values are:
   poetry.lock
   pom.xml
   pubspec.lock
+  pylock.toml
   renv.lock
   requirements.txt
   uv.lock

pkg/lockfile/ecosystems_test.go

@@ -35,10 +35,10 @@ func TestKnownEcosystems(t *testing.T) {
 	expectedCount := numberOfLockfileParsers(t)
 
 	// - npm, yarn, bun, and pnpm,
-	// - pip, poetry, uv, pdm and pipenv,
+	// - pip, poetry, uv, pdm, pylock, and pipenv,
 	// - maven and gradle,
 	// all use the same ecosystem so "ignore" those parsers in the count
-	expectedCount -= 8
+	expectedCount -= 9
 
 	ecosystems := lockfile.KnownEcosystems()
 

pkg/lockfile/parse-pylock.go

@@ -0,0 +1,71 @@
+package lockfile
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/BurntSushi/toml"
+)
+
+type pylockVCS struct {
+	Type   string `toml:"type"`
+	Commit string `toml:"commit-id"`
+}
+
+type pylockDirectory struct {
+	Path string `toml:"path"`
+}
+
+type PylockPackage struct {
+	Name      string          `toml:"name"`
+	Version   string          `toml:"version"`
+	VCS       pylockVCS       `toml:"vcs"`
+	Directory pylockDirectory `toml:"directory"`
+}
+
+type PylockLockfile struct {
+	Version  string          `toml:"lock-version"`
+	Packages []PylockPackage `toml:"packages"`
+}
+
+const PylockEcosystem = PipEcosystem
+
+func ParsePylock(pathToLockfile string) ([]PackageDetails, error) {
+	var parsedLockfile *PylockLockfile
+
+	lockfileContents, err := os.ReadFile(pathToLockfile)
+
+	if err != nil {
+		return []PackageDetails{}, fmt.Errorf("could not read %s: %w", pathToLockfile, err)
+	}
+
+	err = toml.Unmarshal(lockfileContents, &parsedLockfile)
+
+	if err != nil {
+		return []PackageDetails{}, fmt.Errorf("could not parse %s: %w", pathToLockfile, err)
+	}
+
+	packages := make([]PackageDetails, 0, len(parsedLockfile.Packages))
+
+	for _, pkg := range parsedLockfile.Packages {
+		// this is likely the root package, which is sometimes included in the lockfile
+		if pkg.Version == "" && pkg.Directory.Path == "." {
+			continue
+		}
+
+		pkgDetails := PackageDetails{
+			Name:      pkg.Name,
+			Version:   pkg.Version,
+			Ecosystem: PylockEcosystem,
+			CompareAs: PylockEcosystem,
+		}
+
+		if pkg.VCS.Commit != "" {
+			pkgDetails.Commit = pkg.VCS.Commit
+		}
+
+		packages = append(packages, pkgDetails)
+	}
+
+	return packages, nil
+}

pkg/lockfile/parse-pylock_test.go

@@ -0,0 +1,289 @@
+package lockfile_test
+
+import (
+	"testing"
+
+	"github.com/g-rath/osv-detector/pkg/lockfile"
+)
+
+func TestParsePylock_FileDoesNotExist(t *testing.T) {
+	t.Parallel()
+
+	packages, err := lockfile.ParsePylock("testdata/pylock/does-not-exist")
+
+	expectErrContaining(t, err, "could not read")
+	expectPackages(t, packages, []lockfile.PackageDetails{})
+}
+
+func TestParsePylock_InvalidToml(t *testing.T) {
+	t.Parallel()
+
+	packages, err := lockfile.ParsePylock("testdata/pylock/not-toml.txt")
+
+	expectErrContaining(t, err, "could not parse")
+	expectPackages(t, packages, []lockfile.PackageDetails{})
+}
+
+func TestParsePylock_NoPackages(t *testing.T) {
+	t.Skip("todo: need a fixture")
+
+	t.Parallel()
+
+	packages, err := lockfile.ParsePylock("testdata/pylock/empty.toml")
+
+	if err != nil {
+		t.Errorf("Got unexpected error: %v", err)
+	}
+
+	expectPackages(t, packages, []lockfile.PackageDetails{})
+}
+
+func TestParsePylock_OnePackage(t *testing.T) {
+	t.Skip("todo: need a fixture")
+
+	t.Parallel()
+
+	packages, err := lockfile.ParsePylock("testdata/pylock/one-package.toml")
+
+	if err != nil {
+		t.Errorf("Got unexpected error: %v", err)
+	}
+
+	expectPackages(t, packages, []lockfile.PackageDetails{
+		// ...
+	})
+}
+
+func TestParsePylock_TwoPackages(t *testing.T) {
+	t.Skip("todo: need a fixture")
+
+	t.Parallel()
+
+	packages, err := lockfile.ParsePylock("testdata/pylock/two-packages.toml")
+
+	if err != nil {
+		t.Errorf("Got unexpected error: %v", err)
+	}
+
+	expectPackages(t, packages, []lockfile.PackageDetails{
+		// ...
+	})
+}
+
+func TestParsePylock_Example(t *testing.T) {
+	t.Parallel()
+
+	// from https://peps.python.org/pep-0751/#example
+	packages, err := lockfile.ParsePylock("testdata/pylock/example.toml")
+
+	if err != nil {
+		t.Errorf("Got unexpected error: %v", err)
+	}
+
+	expectPackages(t, packages, []lockfile.PackageDetails{
+		{
+			Name:      "attrs",
+			Version:   "25.1.0",
+			Ecosystem: lockfile.PylockEcosystem,
+			CompareAs: lockfile.PylockEcosystem,
+		},
+		{
+			Name:      "cattrs",
+			Version:   "24.1.2",
+			Ecosystem: lockfile.PylockEcosystem,
+			CompareAs: lockfile.PylockEcosystem,
+		},
+		{
+			Name:      "numpy",
+			Version:   "2.2.3",
+			Ecosystem: lockfile.PylockEcosystem,
+			CompareAs: lockfile.PylockEcosystem,
+		},
+	})
+}
+
+func TestParsePylock_PackageWithCommits(t *testing.T) {
+	t.Parallel()
+
+	packages, err := lockfile.ParsePylock("testdata/pylock/commits.toml")
+
+	if err != nil {
+		t.Errorf("Got unexpected error: %v", err)
+	}
+
+	expectPackages(t, packages, []lockfile.PackageDetails{
+		{
+			Name:      "click",
+			Version:   "8.2.1",
+			Ecosystem: lockfile.PylockEcosystem,
+			CompareAs: lockfile.PylockEcosystem,
+		},
+		{
+			Name:      "mleroc",
+			Version:   "0.1.0",
+			Ecosystem: lockfile.PylockEcosystem,
+			CompareAs: lockfile.PylockEcosystem,
+			Commit:    "735093f03c4d8be70bfaaae44074ac92d7419b6d",
+		},
+		{
+			Name:      "packaging",
+			Version:   "24.2",
+			Ecosystem: lockfile.PylockEcosystem,
+			CompareAs: lockfile.PylockEcosystem,
+		},
+		{
+			Name:      "pathspec",
+			Version:   "0.12.1",
+			Ecosystem: lockfile.PylockEcosystem,
+			CompareAs: lockfile.PylockEcosystem,
+		},
+		{
+			Name:      "python-dateutil",
+			Version:   "2.9.0.post0",
+			Ecosystem: lockfile.PylockEcosystem,
+			CompareAs: lockfile.PylockEcosystem,
+		},
+		{
+			Name:      "scikit-learn",
+			Version:   "1.6.1",
+			Ecosystem: lockfile.PylockEcosystem,
+			CompareAs: lockfile.PylockEcosystem,
+		},
+		{
+			Name:      "tqdm",
+			Version:   "4.67.1",
+			Ecosystem: lockfile.PylockEcosystem,
+			CompareAs: lockfile.PylockEcosystem,
+		},
+	})
+}
+
+func TestParsePylock_CreatedByPipWithJustSelf(t *testing.T) {
+	t.Parallel()
+
+	packages, err := lockfile.ParsePylock("testdata/pylock/pip-just-self.toml")
+
+	if err != nil {
+		t.Errorf("Got unexpected error: %v", err)
+	}
+
+	expectPackages(t, packages, []lockfile.PackageDetails{})
+}
+
+func TestParsePylock_CreatedByPip(t *testing.T) {
+	t.Parallel()
+
+	// from https://peps.python.org/pep-0751/#example
+	packages, err := lockfile.ParsePylock("testdata/pylock/pip-full.toml")
+
+	if err != nil {
+		t.Errorf("Got unexpected error: %v", err)
+	}
+
+	expectPackages(t, packages, []lockfile.PackageDetails{
+		{
+			Name:      "annotated-types",
+			Version:   "0.7.0",
+			Ecosystem: lockfile.PylockEcosystem,
+			CompareAs: lockfile.PylockEcosystem,
+		},
+		{
+			Name:      "packaging",
+			Version:   "25.0",
+			Ecosystem: lockfile.PylockEcosystem,
+			CompareAs: lockfile.PylockEcosystem,
+		},
+		{
+			Name:      "pyproject-toml",
+			Version:   "0.1.0",
+			Ecosystem: lockfile.PylockEcosystem,
+			CompareAs: lockfile.PylockEcosystem,
+		},
+		{
+			Name:      "setuptools",
+			Version:   "80.9.0",
+			Ecosystem: lockfile.PylockEcosystem,
+			CompareAs: lockfile.PylockEcosystem,
+		},
+		{
+			Name:      "wheel",
+			Version:   "0.45.1",
+			Ecosystem: lockfile.PylockEcosystem,
+			CompareAs: lockfile.PylockEcosystem,
+		},
+	})
+}
+
+func TestParsePylock_CreatedByPdm(t *testing.T) {
+	t.Parallel()
+
+	// from https://peps.python.org/pep-0751/#example
+	packages, err := lockfile.ParsePylock("testdata/pylock/pdm-full.toml")
+
+	if err != nil {
+		t.Errorf("Got unexpected error: %v", err)
+	}
+
+	expectPackages(t, packages, []lockfile.PackageDetails{
+		{
+			Name:      "certifi",
+			Version:   "2025.1.31",
+			Ecosystem: lockfile.PylockEcosystem,
+			CompareAs: lockfile.PylockEcosystem,
+		},
+		{
+			Name:      "chardet",
+			Version:   "3.0.4",
+			Ecosystem: lockfile.PylockEcosystem,
+			CompareAs: lockfile.PylockEcosystem,
+		},
+		{
+			Name:      "charset-normalizer",
+			Version:   "2.0.12",
+			Ecosystem: lockfile.PylockEcosystem,
+			CompareAs: lockfile.PylockEcosystem,
+		},
+		{
+			Name:      "colorama",
+			Version:   "0.3.9",
+			Ecosystem: lockfile.PylockEcosystem,
+			CompareAs: lockfile.PylockEcosystem,
+		},
+		{
+			Name:      "idna",
+			Version:   "2.7",
+			Ecosystem: lockfile.PylockEcosystem,
+			CompareAs: lockfile.PylockEcosystem,
+		},
+		{
+			Name:      "py",
+			Version:   "1.4.34",
+			Ecosystem: lockfile.PylockEcosystem,
+			CompareAs: lockfile.PylockEcosystem,
+		},
+		{
+			Name:      "pytest",
+			Version:   "3.2.5",
+			Ecosystem: lockfile.PylockEcosystem,
+			CompareAs: lockfile.PylockEcosystem,
+		},
+		{
+			Name:      "requests",
+			Version:   "2.27.1",
+			Ecosystem: lockfile.PylockEcosystem,
+			CompareAs: lockfile.PylockEcosystem,
+		},
+		{
+			Name:      "setuptools",
+			Version:   "39.2.0",
+			Ecosystem: lockfile.PylockEcosystem,
+			CompareAs: lockfile.PylockEcosystem,
+		},
+		{
+			Name:      "urllib3",
+			Version:   "1.26.20",
+			Ecosystem: lockfile.PylockEcosystem,
+			CompareAs: lockfile.PylockEcosystem,
+		},
+	})
+}

pkg/lockfile/parse.go

@@ -30,6 +30,7 @@ var parsers = map[string]PackageDetailsParser{
 	"pdm.lock":                    ParsePdmLock,
 	"pnpm-lock.yaml":              ParsePnpmLock,
 	"poetry.lock":                 ParsePoetryLock,
+	"pylock.toml":                 ParsePylock,
 	"Pipfile.lock":                ParsePipenvLock,
 	"pom.xml":                     ParseMavenLock,
 	"pubspec.lock":                ParsePubspecLock,