feat/#28 uv support (#62)

* follow proper consistent naming in pypi packagemanager

* follow proper consistent naming in pypi packagemanager - 2

* feat: add specialized command parsers to handle pip and uv command formats

* add uv support & modify extractor to be more robust

* add uv alias

* refactor var name & add error handling

* update readme & add support for `uv pip sync` cmd

Author: Sahilb315

README.md

@@ -43,7 +43,7 @@ npm install <package-name>
 ```
 
 ```shell
-pnpm add <package-name>
+uv pip install <package-name>
 ```
 
 ## 📑 Table of Contents
@@ -90,7 +90,7 @@ PMG supports the following package managers:
 | `pnpm`          | ✅ Active  | `pmg pnpm add <package>`    |
 | `bun`           | ✅ Active  | `pmg bun add <package>` |
 | `pip`           | ✅ Active  | `pmg pip install <package>` |
-| `uv`            | 🚧 Planned |                             |
+| `uv`            | ✅ Active  | `pmg uv add <package>` or `pmg uv pip install <package>`|
 | `yarn`          | 🚧 Planned |                             |
 | `poetry`        | 🚧 Planned |                             |
 
@@ -169,7 +169,11 @@ After setup, use your package managers normally:
 npm install <package-name>
 pnpm add <package-name>
 bun add <package-name>
+
 pip install <package-name>
+
+uv add <package-name>
+uv pip install <package-name>
 ```
 
 ### Alternative: Manual Commands
@@ -179,7 +183,11 @@ You can also run PMG manually without aliases:
 pmg npm install <package-name>
 pmg pnpm add <package-name>
 pmg bun add <package-name>
+
 pmg pip install <package-name>
+
+pmg uv add <package-name>
+pmg uv pip install <package-name>
 ```
 
 ### Lockfile Installation
@@ -191,6 +199,10 @@ pnpm install         # Uses pnpm-lock.yaml
 bun install          # Uses bun.lock
 
 pip install -r requirements.txt   # Uses requirements file
+
+uv sync                           # Installs packages from uv.lock
+uv pip sync requirements.txt      # Sync from requirements file
+uv pip install -r requirements.txt
 ```
 
 PMG scans the exact package versions specified in lockfiles and blocks installation if malicious packages are detected.

cmd/pypi/pip.go

@@ -31,7 +31,7 @@ func NewPipCommand() *cobra.Command {
 
 func executePipFlow(ctx context.Context, args []string) error {
 	analytics.TrackCommandPip()
-	packageManager, err := packagemanager.NewPipPackageManager(packagemanager.DefaultPipPackageManagerConfig())
+	packageManager, err := packagemanager.NewPypiPackageManager(packagemanager.DefaultPipPackageManagerConfig())
 	if err != nil {
 		return fmt.Errorf("failed to create pip package manager: %w", err)
 	}

cmd/pypi/uv.go

@@ -0,0 +1,62 @@
+package pypi
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/safedep/dry/log"
+	"github.com/safedep/pmg/config"
+	"github.com/safedep/pmg/internal/analytics"
+	"github.com/safedep/pmg/internal/flows"
+	"github.com/safedep/pmg/internal/ui"
+	"github.com/safedep/pmg/packagemanager"
+	"github.com/spf13/cobra"
+)
+
+func NewUvCommand() *cobra.Command {
+	return &cobra.Command{
+		Use:                "uv [action] [package]",
+		Short:              "Guard uv package manager",
+		DisableFlagParsing: true,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			err := executeUvFlow(cmd.Context(), args)
+			if err != nil {
+				log.Errorf("Failed to execute uv flow: %s", err)
+			}
+
+			return nil
+		},
+	}
+}
+
+func executeUvFlow(ctx context.Context, args []string) error {
+	analytics.TrackCommandUv()
+	packageManager, err := packagemanager.NewPypiPackageManager(packagemanager.DefaultUvPackageManagerConfig())
+	if err != nil {
+		return fmt.Errorf("failed to create uv package manager: %w", err)
+	}
+
+	config, err := config.FromContext(ctx)
+	if err != nil {
+		ui.Fatalf("Failed to get config: %s", err)
+	}
+
+	parsedCommand, err := packageManager.ParseCommand(args)
+	if err != nil {
+		return fmt.Errorf("failed to parse command: %w", err)
+	}
+
+	// Parse the args right here
+	packageResolverConfig := packagemanager.NewDefaultPypiDependencyResolverConfig()
+	packageResolverConfig.IncludeTransitiveDependencies = config.Transitive
+	packageResolverConfig.TransitiveDepth = config.TransitiveDepth
+	packageResolverConfig.IncludeDevDependencies = config.IncludeDevDependencies
+	packageResolverConfig.PackageInstallTargets = parsedCommand.InstallTargets
+
+	packageResolver, err := packagemanager.NewPypiDependencyResolver(packageResolverConfig)
+	if err != nil {
+		ui.Fatalf("Failed to create dependency resolver: %s", err)
+	}
+
+	return flows.Common(packageManager, packageResolver, config).Run(ctx, args, parsedCommand)
+}

extractor/common.go

@@ -0,0 +1,80 @@
+package extractor
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+	"regexp"
+
+	packagev1 "buf.build/gen/go/safedep/api/protocolbuffers/go/safedep/messages/package/v1"
+	"github.com/google/osv-scalibr/extractor/filesystem"
+	"github.com/google/osv-scalibr/extractor/filesystem/language/javascript/bunlock"
+	"github.com/google/osv-scalibr/extractor/filesystem/language/javascript/packagelockjson"
+	"github.com/google/osv-scalibr/extractor/filesystem/language/javascript/pnpmlock"
+	"github.com/google/osv-scalibr/extractor/filesystem/language/python/requirements"
+	"github.com/google/osv-scalibr/extractor/filesystem/language/python/uvlock"
+	"github.com/google/osv-scalibr/fs"
+)
+
+func getExtractorForFile(filename string) (filesystem.Extractor, error) {
+	filename = filepath.Base(filename)
+
+	// Regex for requirements files (match requirements.txt and requirements-{word}.txt)
+	reqPattern := regexp.MustCompile(`^requirements(?:-\w+)?\.txt$`)
+
+	switch {
+	case filename == "package-lock.json":
+		return packagelockjson.NewDefault(), nil
+	case filename == "pnpm-lock.yaml":
+		return pnpmlock.New(), nil
+	case filename == "bun.lock":
+		return bunlock.New(), nil
+	case reqPattern.MatchString(filename):
+		return requirements.NewDefault(), nil
+	case filename == "uv.lock":
+		return uvlock.New(), nil
+	default:
+		return nil, fmt.Errorf("unsupported lockfile type: %s", filename)
+	}
+}
+
+func parseLockfile(lockfilePath, scanDir string, ecosystem packagev1.Ecosystem) ([]*packagev1.PackageVersion, error) {
+	extractor, err := getExtractorForFile(lockfilePath)
+	if err != nil {
+		return nil, err
+	}
+
+	file, err := os.Open(lockfilePath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to open lockfile: %w", err)
+	}
+	defer file.Close()
+
+	inputConfig := &filesystem.ScanInput{
+		FS:     fs.DirFS(scanDir),
+		Path:   lockfilePath,
+		Reader: file,
+	}
+
+	inventory, err := extractor.Extract(context.Background(), inputConfig)
+	if err != nil {
+		return nil, fmt.Errorf("failed to extract packages: %w", err)
+	}
+
+	var packages []*packagev1.PackageVersion
+
+	for _, invPkg := range inventory.Packages {
+		pkg := &packagev1.PackageVersion{
+			Package: &packagev1.Package{
+				Name:      invPkg.Name,
+				Ecosystem: ecosystem,
+			},
+			Version: invPkg.Version,
+		}
+
+		packages = append(packages, pkg)
+	}
+
+	return packages, nil
+}

extractor/ecosystems.go

@@ -26,6 +26,7 @@ const (
 	Pnpm PackageManagerName = "pnpm"
 	Pip  PackageManagerName = "pip"
 	Bun  PackageManagerName = "bun"
+	Uv   PackageManagerName = "uv"
 )
 
 type ExtractorManager struct {
@@ -39,6 +40,7 @@ func NewExtractorManager() *ExtractorManager {
 			Pnpm: &PnpmExtractor{},
 			Pip:  &PipExtractor{},
 			Bun:  &BunExtractor{},
+			Uv:   &UvExtractor{},
 		},
 	}
 }

extractor/npm.go

@@ -1,16 +1,7 @@
 package extractor
 
 import (
-	"context"
-	"fmt"
-	"os"
-
 	packagev1 "buf.build/gen/go/safedep/api/protocolbuffers/go/safedep/messages/package/v1"
-	"github.com/google/osv-scalibr/extractor/filesystem"
-	"github.com/google/osv-scalibr/extractor/filesystem/language/javascript/bunlock"
-	"github.com/google/osv-scalibr/extractor/filesystem/language/javascript/packagelockjson"
-	"github.com/google/osv-scalibr/extractor/filesystem/language/javascript/pnpmlock"
-	"github.com/google/osv-scalibr/fs"
 )
 
 // NpmExtractor handles package-lock.json files
@@ -29,44 +20,7 @@ func (n *NpmExtractor) GetPackageManager() PackageManagerName {
 }
 
 func (n *NpmExtractor) Extract(lockfilePath, scanDir string) ([]*packagev1.PackageVersion, error) {
-	return parseNpmPackageLockFile(lockfilePath, scanDir)
-}
-
-func parseNpmPackageLockFile(lockfilePath, scanDir string) ([]*packagev1.PackageVersion, error) {
-	packagelockExtractor := packagelockjson.NewDefault()
-
-	file, err := os.Open(lockfilePath)
-	if err != nil {
-		return nil, fmt.Errorf("failed to open lockfile: %w", err)
-	}
-	defer file.Close()
-
-	inputConfig := &filesystem.ScanInput{
-		FS:     fs.DirFS(scanDir),
-		Path:   lockfilePath,
-		Reader: file,
-	}
-
-	inventory, err := packagelockExtractor.Extract(context.Background(), inputConfig)
-	if err != nil {
-		return nil, fmt.Errorf("failed to extract packages: %w", err)
-	}
-
-	var packages []*packagev1.PackageVersion
-
-	for _, invPkg := range inventory.Packages {
-		pkg := &packagev1.PackageVersion{
-			Package: &packagev1.Package{
-				Name:      invPkg.Name,
-				Ecosystem: packagev1.Ecosystem_ECOSYSTEM_NPM,
-			},
-			Version: invPkg.Version,
-		}
-
-		packages = append(packages, pkg)
-	}
-
-	return packages, nil
+	return parseLockfile(lockfilePath, scanDir, n.GetEcosystem())
 }
 
 // PnpmExtractor handles pnpm-lock.yaml files
@@ -85,44 +39,7 @@ func (p *PnpmExtractor) GetPackageManager() PackageManagerName {
 }
 
 func (p *PnpmExtractor) Extract(lockfilePath, scanDir string) ([]*packagev1.PackageVersion, error) {
-	return parsePnpmLockFile(lockfilePath, scanDir)
-}
-
-func parsePnpmLockFile(lockfilePath, scanDir string) ([]*packagev1.PackageVersion, error) {
-	pnpmLockExtractor := pnpmlock.New()
-
-	file, err := os.Open(lockfilePath)
-	if err != nil {
-		return nil, fmt.Errorf("failed to open lockfile: %w", err)
-	}
-	defer file.Close()
-
-	inputConfig := &filesystem.ScanInput{
-		FS:     fs.DirFS(scanDir),
-		Path:   lockfilePath,
-		Reader: file,
-	}
-
-	inventory, err := pnpmLockExtractor.Extract(context.Background(), inputConfig)
-	if err != nil {
-		return nil, fmt.Errorf("failed to extract packages: %w", err)
-	}
-
-	var packages []*packagev1.PackageVersion
-
-	for _, invPkg := range inventory.Packages {
-		pkg := &packagev1.PackageVersion{
-			Package: &packagev1.Package{
-				Name:      invPkg.Name,
-				Ecosystem: packagev1.Ecosystem_ECOSYSTEM_NPM,
-			},
-			Version: invPkg.Version,
-		}
-
-		packages = append(packages, pkg)
-	}
-
-	return packages, nil
+	return parseLockfile(lockfilePath, scanDir, p.GetEcosystem())
 }
 
 type BunExtractor struct{}
@@ -140,42 +57,5 @@ func (n *BunExtractor) GetPackageManager() PackageManagerName {
 }
 
 func (n *BunExtractor) Extract(lockfilePath, scanDir string) ([]*packagev1.PackageVersion, error) {
-	return parseBunPackageLockFile(lockfilePath, scanDir)
-}
-
-func parseBunPackageLockFile(lockfilePath, scanDir string) ([]*packagev1.PackageVersion, error) {
-	bunlockExtractor := bunlock.New()
-
-	file, err := os.Open(lockfilePath)
-	if err != nil {
-		return nil, fmt.Errorf("failed to open lockfile: %w", err)
-	}
-	defer file.Close()
-
-	inputConfig := &filesystem.ScanInput{
-		FS:     fs.DirFS(scanDir),
-		Path:   lockfilePath,
-		Reader: file,
-	}
-
-	inventory, err := bunlockExtractor.Extract(context.Background(), inputConfig)
-	if err != nil {
-		return nil, fmt.Errorf("failed to extract packages: %w", err)
-	}
-
-	var packages []*packagev1.PackageVersion
-
-	for _, invPkg := range inventory.Packages {
-		pkg := &packagev1.PackageVersion{
-			Package: &packagev1.Package{
-				Name:      invPkg.Name,
-				Ecosystem: packagev1.Ecosystem_ECOSYSTEM_NPM,
-			},
-			Version: invPkg.Version,
-		}
-
-		packages = append(packages, pkg)
-	}
-
-	return packages, nil
+	return parseLockfile(lockfilePath, scanDir, n.GetEcosystem())
 }