Skip to content

fix: read exact versions from Python lockfiles for OSV#263

Open
Root-Aamir wants to merge 1 commit into
NVIDIA:mainfrom
Root-Aamir:fix/osv-query-with-version
Open

fix: read exact versions from Python lockfiles for OSV#263
Root-Aamir wants to merge 1 commit into
NVIDIA:mainfrom
Root-Aamir:fix/osv-query-with-version

Conversation

@Root-Aamir

Copy link
Copy Markdown

Fixes #233.
This adds support for reading exact package versions from Python TOML lockfiles such as uv.lock and poetry.lock, so OSV queries use the installed package version instead of falling back to package-name-only lookups.
Changes:

  • Detect uv.lock and poetry.lock as Python dependency files.
  • Parse [[package]] entries and their exact versions.
  • Pass extracted versions through the existing OSV query flow.
  • Add regression tests for uv.lock and poetry.lock version handling.
    Test:
  • ..venv\Scripts\python.exe -m pytest tests\nodes\analyzers\test_static_patterns_supply_chain_lockfiles.py -q

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

OSV analyzer reports historical CVEs even when fixed version installed

1 participant