feat(python): add support for poetry dev dependencies (#8152)

Signed-off-by: nikpivkin <[email protected]>

Author: nikpivkin

docs/docs/coverage/language/python.md

@@ -26,7 +26,7 @@ The following table provides an outline of the features Trivy offers.
 |-----------------|------------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:|:----------------------------------------:|
 | pip             | requirements.txt |            -            |     Include      |                  -                   |    ✓     |                    ✓                     |
 | Pipenv          | Pipfile.lock     |            ✓            |     Include      |                  -                   |    ✓     |                Not needed                |
-| Poetry          | poetry.lock      |            ✓            |     Exclude      |                  ✓                   |    -     |                Not needed                |
+| Poetry          | poetry.lock      |            ✓            |     [Exclude](#poetry)      |                  ✓                   |    -     |                Not needed                |
 | uv              | uv.lock          |            ✓            |     Exclude      |                  ✓                   |    -     |                Not needed                |
 
 
@@ -128,6 +128,9 @@ To build the correct dependency graph, `pyproject.toml` also needs to be present
 
 License detection is not supported for `Poetry`.
 
+By default, Trivy doesn't report development dependencies. Use the `--include-dev-deps` flag to include them.
+
+
 ### uv
 Trivy uses `uv.lock` to identify dependencies and find vulnerabilities.
 

pkg/fanal/analyzer/language/python/poetry/poetry.go

@@ -104,45 +104,45 @@ func (a poetryAnalyzer) mergePyProject(fsys fs.FS, dir string, app *types.Applic
 		return xerrors.Errorf("unable to parse %s: %w", path, err)
 	}
 
-	// Identify the direct/transitive dependencies
+	directDeps := directDeps(project)
+	prodDeps := prodPackages(app, project.Tool.Poetry.Dependencies)
+
+	// Identify the direct/transitive/dev dependencies
 	for i, pkg := range app.Packages {
-		if project.Tool.Poetry.Dependencies.Contains(pkg.Name) {
+		app.Packages[i].Dev = !prodDeps.Contains(pkg.ID)
+		if directDeps.Contains(pkg.Name) {
 			app.Packages[i].Relationship = types.RelationshipDirect
 		} else {
 			app.Packages[i].Indirect = true
 			app.Packages[i].Relationship = types.RelationshipIndirect
 		}
 	}
-
-	filterProdPackages(project, app)
 	return nil
 }
 
-func filterProdPackages(project pyproject.PyProject, app *types.Application) {
+func directDeps(project pyproject.PyProject) set.Set[string] {
+	deps := project.Tool.Poetry.Dependencies.Clone()
+	for _, groupDeps := range project.Tool.Poetry.Groups {
+		deps.Append(groupDeps.Dependencies.Items()...)
+	}
+	return deps
+}
+
+func prodPackages(app *types.Application, prodRootDeps set.Set[string]) set.Set[string] {
 	packages := lo.SliceToMap(app.Packages, func(pkg types.Package) (string, types.Package) {
 		return pkg.ID, pkg
 	})
 
 	visited := set.New[string]()
-	deps := project.Tool.Poetry.Dependencies
-
-	for group, groupDeps := range project.Tool.Poetry.Groups {
-		if group == "dev" {
-			continue
-		}
-		deps.Set = deps.Union(groupDeps.Dependencies)
-	}
 
 	for _, pkg := range packages {
-		if !deps.Contains(pkg.Name) {
+		if !prodRootDeps.Contains(pkg.Name) {
 			continue
 		}
 		walkPackageDeps(pkg.ID, packages, visited)
 	}
 
-	app.Packages = lo.Filter(app.Packages, func(pkg types.Package, _ int) bool {
-		return visited.Contains(pkg.ID)
-	})
+	return visited
 }
 
 func walkPackageDeps(pkgID string, packages map[string]types.Package, visited set.Set[string]) {

pkg/fanal/analyzer/language/python/poetry/poetry_test.go

@@ -187,17 +187,31 @@ func Test_poetryLibraryAnalyzer_Analyze(t *testing.T) {
 			// export PATH="/root/.local/bin:$PATH"
 			// poetry new groups && cd groups
 			// poetry add [email protected]
+			// poetry add [email protected] --extras socks
+			// poetry add --optional [email protected]
 			// poetry add --group dev [email protected]
 			// poetry add --group lint [email protected]
-			// poetry add --optional [email protected]
-			name: "skip deps from groups",
+			name: "with groups",
 			dir:  "testdata/with-groups",
 			want: &analyzer.AnalysisResult{
 				Applications: []types.Application{
 					{
 						Type:     types.Poetry,
 						FilePath: "poetry.lock",
 						Packages: types.Packages{
+							{
+								ID:           "[email protected]",
+								Name:         "anyio",
+								Version:      "4.7.0",
+								Indirect:     true,
+								Relationship: types.RelationshipIndirect,
+								DependsOn: []string{
+									"[email protected]",
+									"[email protected]",
+									"[email protected]",
+									"[email protected]",
+								},
+							},
 							{
 								ID:           "[email protected]",
 								Name:         "certifi",
@@ -212,20 +226,105 @@ func Test_poetryLibraryAnalyzer_Analyze(t *testing.T) {
 								Indirect:     true,
 								Relationship: types.RelationshipIndirect,
 							},
+							{
+								ID:           "[email protected]",
+								Name:         "colorama",
+								Version:      "0.4.6",
+								Indirect:     true,
+								Relationship: types.RelationshipIndirect,
+								Dev:          true,
+							},
+							{
+								ID:           "[email protected]",
+								Name:         "exceptiongroup",
+								Version:      "1.2.2",
+								Indirect:     true,
+								Relationship: types.RelationshipIndirect,
+							},
+							{
+								ID:           "[email protected]",
+								Name:         "h11",
+								Version:      "0.14.0",
+								Indirect:     true,
+								Relationship: types.RelationshipIndirect,
+							},
+							{
+								ID:           "[email protected]",
+								Name:         "httpcore",
+								Version:      "1.0.7",
+								Indirect:     true,
+								Relationship: types.RelationshipIndirect,
+								DependsOn: []string{
+									"[email protected]",
+									"[email protected]",
+								},
+							},
+							{
+								ID:           "[email protected]",
+								Name:         "httpx",
+								Version:      "0.28.1",
+								Relationship: types.RelationshipDirect,
+								DependsOn: []string{
+									"[email protected]",
+									"[email protected]",
+									"[email protected]",
+									"[email protected]",
+									"[email protected]",
+								},
+							},
 							{
 								ID:           "[email protected]",
 								Name:         "idna",
 								Version:      "3.10",
 								Indirect:     true,
 								Relationship: types.RelationshipIndirect,
 							},
+							{
+								ID:           "[email protected]",
+								Name:         "iniconfig",
+								Version:      "2.0.0",
+								Indirect:     true,
+								Relationship: types.RelationshipIndirect,
+								Dev:          true,
+							},
 							{
 								ID:           "[email protected]",
 								Name:         "mypy-extensions",
 								Version:      "1.0.0",
 								Indirect:     true,
 								Relationship: types.RelationshipIndirect,
 							},
+							{
+								ID:           "[email protected]",
+								Name:         "packaging",
+								Version:      "24.2",
+								Indirect:     true,
+								Relationship: types.RelationshipIndirect,
+								Dev:          true,
+							},
+							{
+								ID:           "[email protected]",
+								Name:         "pluggy",
+								Version:      "1.5.0",
+								Indirect:     true,
+								Relationship: types.RelationshipIndirect,
+								Dev:          true,
+							},
+							{
+								ID:           "[email protected]",
+								Name:         "pytest",
+								Version:      "8.3.4",
+								Relationship: types.RelationshipDirect,
+								Dev:          true,
+								DependsOn: []string{
+									"[email protected]",
+									"[email protected]",
+									"[email protected]",
+									"[email protected]",
+									"[email protected]",
+									"[email protected]",
+								},
+							},
 							{
 								ID:      "[email protected]",
 								Name:    "requests",
@@ -242,8 +341,30 @@ func Test_poetryLibraryAnalyzer_Analyze(t *testing.T) {
 								ID:           "[email protected]",
 								Name:         "ruff",
 								Version:      "0.8.3",
+								Relationship: types.RelationshipDirect,
+								Dev:          true,
+							},
+							{
+								ID:           "[email protected]",
+								Name:         "sniffio",
+								Version:      "1.3.1",
+								Indirect:     true,
+								Relationship: types.RelationshipIndirect,
+							},
+							{
+								ID:           "[email protected]",
+								Name:         "socksio",
+								Version:      "1.0.0",
+								Indirect:     true,
+								Relationship: types.RelationshipIndirect,
+							},
+							{
+								ID:           "[email protected]",
+								Name:         "tomli",
+								Version:      "2.2.1",
 								Indirect:     true,
 								Relationship: types.RelationshipIndirect,
+								Dev:          true,
 							},
 							{
 								ID:           "[email protected]",

pkg/fanal/analyzer/language/python/poetry/testdata/with-groups/poetry.lock

@@ -9,6 +9,7 @@ readme = "README.md"
 python = "^3.9"
 requests = "2.32.3"
 typing-inspect = {version = "0.9.0", optional = true}
+httpx = {version = "0.28.1", extras = ["socks"]}
 
 
 [tool.poetry.group.dev.dependencies]