
feat(scanner): add pylock.toml detection (PEP 751)#2548

Merged
shino merged 1 commit into
masterfrom
shino/pylock
May 12, 2026

Conversation

@shino (Collaborator)

@shino shino commented May 11, 2026

Summary

  • Wire Trivy v0.70.0's pylock parser into the scanner dispatch so vuls can detect Python dependencies declared in PEP 751 pylock.toml files.
  • Recognise both the canonical pylock.toml filename and the named variant pylock.<identifier>.toml (non-empty identifier, no dots), matching Trivy's fanal analyzer behaviour.
  • Skip the pyproject.toml-driven direct/indirect relationship enrichment that Trivy's pylock PostAnalyzer performs, since vuls calls the dependency parsers directly and intentionally bypasses the fanal post-analyzer framework.
  • Pin requests, urllib3, and jinja2 in the integration pylock fixture to versions with published advisories so the end-to-end pipeline exercises real CVE detection through the new code path:

Test plan

  • go test ./scanner/... passes. TestDetectParserType covers pylock.toml, a sub-path, the PEP 751 named variants pylock.uv.toml / pylock.dev.toml, and rejection of pylock..toml, pylock.foo.bar.toml, my-pylock.toml, and pylock.toml.bak.
  • TestAnalyzeLibrary_Golden/pylock.toml parses the integration fixture into 29 PyPI packages; golden output is checked in at scanner/testdata/golden/pylock.toml.json.
  • make build succeeds on the current branch.
  • Integration tests: int-config.toml / int-redis-config.toml (in the bumped submodule) already include the servers.pylock pseudo-server; with the vulnerable pins above, the scan report should surface at least the four advisories listed in the Summary.

🤖 Generated with Claude Code
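The filename rule described in the Summary (canonical pylock.toml, or pylock.<identifier>.toml with a non-empty, dot-free identifier) and the accept/reject cases enumerated in the Test plan can be exercised in a few lines of Go. The block below is an added example for this page, not vuls' or Trivy's own code; the names IsPylockFile, DetectParserType and the ParserType constants are hypothetical stand-ins for the scanner's dispatch, and the sample paths are constructed here.

```go
package main

import (
	"fmt"
	"path/filepath"
	"regexp"
)

// ParserType is a hypothetical stand-in for the scanner's parser-type enum.
type ParserType string

const (
	ParserUnknown ParserType = ""
	ParserPylock  ParserType = "pylock"
)

// pylockNamed matches the PEP 751 named variant pylock.<identifier>.toml.
// The identifier must be non-empty and must not contain a dot, so
// pylock..toml and pylock.foo.bar.toml are rejected while pylock.uv.toml passes.
var pylockNamed = regexp.MustCompile(`^pylock\.[^.]+\.toml$`)

// IsPylockFile reports whether the basename of path is a PEP 751 lock file:
// either the canonical pylock.toml or a named variant. Only the basename is
// inspected, so a lock file under a sub-path is still detected.
func IsPylockFile(path string) bool {
	base := filepath.Base(path)
	if base == "pylock.toml" {
		return true
	}
	return pylockNamed.MatchString(base)
}

// DetectParserType maps a path to the parser that should handle it.
// Only the pylock branch is shown; a real dispatcher would check other
// lockfile names before falling through to ParserUnknown.
func DetectParserType(path string) ParserType {
	if IsPylockFile(path) {
		return ParserPylock
	}
	return ParserUnknown
}

func main() {
	// Constructed sample paths mirroring the cases in the PR's test plan.
	samples := []string{
		"pylock.toml",
		"services/api/pylock.toml",
		"pylock.uv.toml",
		"pylock.dev.toml",
		"pylock..toml",
		"pylock.foo.bar.toml",
		"my-pylock.toml",
		"pylock.toml.bak",
	}
	for _, p := range samples {
		fmt.Printf("%-28s parser=%q\n", p, DetectParserType(p))
	}
}
```

Anchoring the match on the basename rather than the full path is what lets the sub-path case succeed without letting a directory component such as `pylock.toml/requirements.txt` be mistaken for a lock file.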

@shino shino force-pushed the shino/pylock branch 2 times, most recently from 64f9d65 to 58c8f68 Compare May 11, 2026 06:48
@shino shino marked this pull request as ready for review May 11, 2026 06:48
@shino shino requested a review from Copilot May 11, 2026 06:48
Copilot AI (Contributor) left a comment

Pull request overview

Adds support in Vuls’ scanner to detect and parse Python PEP 751 pylock.toml lockfiles (including pylock.<identifier>.toml variants) by wiring in Trivy v0.70.0’s pylock parser, and updates integration/golden fixtures to exercise the new path.

Changes:

  • Add pylock.toml + pylock.<identifier>.toml detection in the scanner dispatch logic and route to a new pylock parser type.
  • Wire Trivy’s python/pylock dependency parser into parseByType.
  • Extend golden/integration tests and fixtures to include pylock.toml coverage.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated no comments.

Summary per file:

  • scanner/dispatch.go: Adds pylock parser type, detection for pylock.toml, and support for named PEP 751 variants.
  • scanner/dispatch_test.go: Expands dispatch tests to cover canonical and named pylock variants plus invalid cases.
  • scanner/base.go: Wires Trivy’s pylock parser into the scanner’s parse dispatch.
  • scanner/analyze_golden_test.go: Adds pylock.toml fixture to the golden test matrix.
  • scanner/testdata/golden/pylock.toml.json: Introduces golden output for pylock.toml parsing results.
  • GNUmakefile: Adds pylock to integration scan target list.
  • .github/workflows/test.yml: Bumps the pinned vulsio/integration fixture SHA used in CI.


Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated 1 comment.

Comment thread models/library.go
Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated no new comments.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated 1 comment.

Comment thread scanner/testdata/golden/pylock.toml.json
Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated no new comments.

@shino shino requested a review from MaineK00n May 11, 2026 09:46
@shino shino merged commit 6034b6d into master May 12, 2026
15 checks passed
@shino shino deleted the shino/pylock branch May 12, 2026 01:27