feat(library/pylock): add pylock.toml support

shino · shino · commit 89c725e38d5e · 2026-05-11T18:28:12.000+09:00
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -26,7 +26,7 @@ jobs:
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         repository: vulsio/integration
-        ref: 6dfd74510f5944e7c973e40d7844020d53dbb3a7
+        ref: 9b7a17582cd4f4521f71fe64757c7397a47a36c3
         path: integration
         persist-credentials: false
     - name: Set up Go 1.x
diff --git a/GNUmakefile b/GNUmakefile
@@ -91,7 +91,7 @@ NOW=$(shell date '+%Y-%m-%dT%H-%M-%S%z')
 NOW_JSON_DIR := '${BASE_DIR}/$(NOW)'
 ONE_SEC_AFTER=$(shell date -d '+1 second' '+%Y-%m-%dT%H-%M-%S%z')
 ONE_SEC_AFTER_JSON_DIR := '${BASE_DIR}/$(ONE_SEC_AFTER)'
-LIBS := 'bundler' 'dart' 'elixir' 'pip' 'pipenv' 'poetry-v1' 'poetry-v2' 'uv' 'composer' 'composer-vendor-pear' 'composer-vendor-packagist' 'npm-v1' 'npm-v2' 'npm-v3' 'yarn' 'pnpm' 'pnpm-v9' 'bun' 'cargo' 'gomod' 'gosum' 'gobinary' 'jar' 'jar-wrong-name-log4j-core' 'war' 'pom' 'gradle' 'nuget-lock' 'nuget-config' 'dotnet-deps' 'dotnet-package-props' 'conan-v1' 'conan-v2' 'swift-cocoapods' 'swift-swift' 'rust-binary'
+LIBS := 'bundler' 'dart' 'elixir' 'pip' 'pipenv' 'poetry-v1' 'poetry-v2' 'pylock' 'uv' 'composer' 'composer-vendor-pear' 'composer-vendor-packagist' 'npm-v1' 'npm-v2' 'npm-v3' 'yarn' 'pnpm' 'pnpm-v9' 'bun' 'cargo' 'gomod' 'gosum' 'gobinary' 'jar' 'jar-wrong-name-log4j-core' 'war' 'pom' 'gradle' 'nuget-lock' 'nuget-config' 'dotnet-deps' 'dotnet-package-props' 'conan-v1' 'conan-v2' 'swift-cocoapods' 'swift-swift' 'rust-binary'
 
 diff:
 	# git clone git@github.com:vulsio/vulsctl.git
diff --git a/integration b/integration
@@ -1 +1 @@
-Subproject commit 1e7bacca9b14c449747f7262d566c13632ca448f
+Subproject commit 9b7a17582cd4f4521f71fe64757c7397a47a36c3
diff --git a/models/library.go b/models/library.go
@@ -68,7 +68,7 @@ var FindLockFiles = []string{
 	// php
 	ftypes.ComposerLock, ftypes.ComposerInstalledJson,
 	// python
-	ftypes.PipRequirements, ftypes.PipfileLock, ftypes.PoetryLock, ftypes.UvLock,
+	ftypes.PipRequirements, ftypes.PipfileLock, ftypes.PoetryLock, ftypes.PyLockFile, "pylock.*.toml", ftypes.UvLock,
 	// .net
 	ftypes.NuGetPkgsLock, ftypes.NuGetPkgsConfig, "*.deps.json", "*Packages.props",
 	// gomod
@@ -98,7 +98,7 @@ func (s LibraryScanner) GetLibraryKey() string {
 		return "node"
 	case ftypes.NuGet, ftypes.DotNetCore:
 		return ".net"
-	case ftypes.Pipenv, ftypes.Poetry, ftypes.Uv, ftypes.Pip, ftypes.PythonPkg:
+	case ftypes.Pip, ftypes.Pipenv, ftypes.Poetry, ftypes.PyLock, ftypes.PythonPkg, ftypes.Uv:
 		return "python"
 	case ftypes.Conan:
 		return "c"
diff --git a/scanner/analyze_golden_test.go b/scanner/analyze_golden_test.go
@@ -42,8 +42,8 @@ var lockfiles = []lockfileEntry{
 	{"Pipfile.lock", 0644, false},
 	{"poetry-v1/poetry.lock", 0644, false},
 	{"poetry-v2/poetry.lock", 0644, false},
-	{"uv.lock", 0644, false},
 	{"pylock.toml", 0644, false},
+	{"uv.lock", 0644, false},
 
 	// Ruby
 	{"Gemfile.lock", 0644, false},
diff --git a/scanner/base.go b/scanner/base.go
@@ -780,10 +780,10 @@ func parseByType(ctx context.Context, pt parserType, filePath string, r xio.Read
 		return parseLockfile(ctx, ftypes.Pipenv, filePath, r, pipenv.NewParser())
 	case parserPoetry:
 		return parseLockfile(ctx, ftypes.Poetry, filePath, r, poetry.NewParser())
-	case parserUv:
-		return parseLockfile(ctx, ftypes.Uv, filePath, r, uv.NewParser())
 	case parserPylock:
 		return parseLockfile(ctx, ftypes.PyLock, filePath, r, pylock.NewParser())
+	case parserUv:
+		return parseLockfile(ctx, ftypes.Uv, filePath, r, uv.NewParser())
 
 	// Ruby
 	case parserBundler:
diff --git a/scanner/dispatch.go b/scanner/dispatch.go
@@ -22,8 +22,8 @@ const (
 	parserPip            parserType = "pip"
 	parserPipenv         parserType = "pipenv"
 	parserPoetry         parserType = "poetry"
-	parserUv             parserType = "uv"
 	parserPylock         parserType = "pylock"
+	parserUv             parserType = "uv"
 	parserBundler        parserType = "bundler"
 	parserCargo          parserType = "cargo"
 	parserComposer       parserType = "composer"
@@ -75,10 +75,10 @@ func detectParserType(filePath string, filemode os.FileMode) parserType {
 		return parserPipenv
 	case ftypes.PoetryLock: // poetry.lock
 		return parserPoetry
-	case ftypes.UvLock: // uv.lock
-		return parserUv
 	case ftypes.PyLockFile: // pylock.toml
 		return parserPylock
+	case ftypes.UvLock: // uv.lock
+		return parserUv
 
 	// Ruby
 	case ftypes.GemfileLock: // Gemfile.lock
diff --git a/scanner/dispatch_test.go b/scanner/dispatch_test.go
@@ -29,12 +29,12 @@ func TestDetectParserType(t *testing.T) {
 		{"uv.lock", 0644, parserUv},
 		{"pylock.toml", 0644, parserPylock},
 		{"app/pylock.toml", 0644, parserPylock},
-		{"pylock.uv.toml", 0644, parserPylock},       // PEP 751 named variant
-		{"pylock.dev.toml", 0644, parserPylock},      // PEP 751 named variant
-		{"pylock..toml", 0644, parserNone},           // empty identifier → invalid
-		{"pylock.foo.bar.toml", 0644, parserNone},    // identifier with a dot → invalid
-		{"my-pylock.toml", 0644, parserNone},         // no `pylock.` prefix → invalid
-		{"pylock.toml.bak", 0644, parserNone},        // wrong suffix → invalid
+		{"pylock.uv.toml", 0644, parserPylock},    // PEP 751 named variant
+		{"pylock.dev.toml", 0644, parserPylock},   // PEP 751 named variant
+		{"pylock..toml", 0644, parserNone},        // empty identifier → invalid
+		{"pylock.foo.bar.toml", 0644, parserNone}, // identifier with a dot → invalid
+		{"my-pylock.toml", 0644, parserNone},      // no `pylock.` prefix → invalid
+		{"pylock.toml.bak", 0644, parserNone},     // wrong suffix → invalid
 
 		// === Ruby ===
 		{"Gemfile.lock", 0644, parserBundler},
diff --git a/scanner/testdata/golden/pylock.toml.json b/scanner/testdata/golden/pylock.toml.json
@@ -50,8 +50,8 @@
       },
       {
         "name": "jinja2",
-        "version": "3.1.6",
-        "purl": "pkg:pypi/jinja2@3.1.6"
+        "version": "3.1.4",
+        "purl": "pkg:pypi/jinja2@3.1.4"
       },
       {
         "name": "linklint",
@@ -80,8 +80,8 @@
       },
       {
         "name": "requests",
-        "version": "2.33.1",
-        "purl": "pkg:pypi/requests@2.33.1"
+        "version": "2.31.0",
+        "purl": "pkg:pypi/requests@2.31.0"
       },
       {
         "name": "roman-numerals",
@@ -145,8 +145,8 @@
       },
       {
         "name": "urllib3",
-        "version": "2.6.3",
-        "purl": "pkg:pypi/urllib3@2.6.3"
+        "version": "2.2.1",
+        "purl": "pkg:pypi/urllib3@2.2.1"
       }
     ]
   }

Original file line number	Diff line number	Diff line change
`@@ -50,8 +50,8 @@`
`50`	`50`	`},`
`51`	`51`	`{`
`52`	`52`	`"name": "jinja2",`
`53`		`- "version": "3.1.6",`
`54`		`- "purl": "pkg:pypi/jinja2@3.1.6"`
	`53`	`+ "version": "3.1.4",`
	`54`	`+ "purl": "pkg:pypi/jinja2@3.1.4"`
`55`	`55`	`},`
`56`	`56`	`{`
`57`	`57`	`"name": "linklint",`
`@@ -80,8 +80,8 @@`
`80`	`80`	`},`
`81`	`81`	`{`
`82`	`82`	`"name": "requests",`
`83`		`- "version": "2.33.1",`
`84`		`- "purl": "pkg:pypi/requests@2.33.1"`
	`83`	`+ "version": "2.31.0",`
	`84`	`+ "purl": "pkg:pypi/requests@2.31.0"`
`85`	`85`	`},`
`86`	`86`	`{`
`87`	`87`	`"name": "roman-numerals",`
`@@ -145,8 +145,8 @@`
`145`	`145`	`},`
`146`	`146`	`{`
`147`	`147`	`"name": "urllib3",`
`148`		`- "version": "2.6.3",`
`149`		`- "purl": "pkg:pypi/urllib3@2.6.3"`
	`148`	`+ "version": "2.2.1",`
	`149`	`+ "purl": "pkg:pypi/urllib3@2.2.1"`
`150`	`150`	`}`
`151`	`151`	`]`
`152`	`152`	`}`