Skip to content

Flag local Python packages in SBOM metadata (OSS-1389)#17

Merged
dreadn0ught merged 1 commit into
mainfrom
claude/oss-1389-local-packages-sni549
Jul 10, 2026
Merged

Flag local Python packages in SBOM metadata (OSS-1389)#17
dreadn0ught merged 1 commit into
mainfrom
claude/oss-1389-local-packages-sni549

Conversation

@dreadn0ught

Copy link
Copy Markdown
Collaborator

Summary

This change adds support for identifying and flagging locally-defined Python packages in the generated SBOM. Packages declared as local sources (via uv's path/workspace sources or poetry's path dependencies) are now marked with metadata so the platform can filter them before scanning, preventing spurious NOT_FOUND warnings for internal code that is never published.

Key Changes

  • New local.go module: Implements package name canonicalization (PEP 503 compliant) and parsing of pyproject.toml files to extract locally-declared packages from both uv and poetry configurations

    • canonicalPackageName(): Normalizes package names by lowercasing and converting separators (-, _, .) to dashes
    • findLocalPackageNames(): Walks the filesystem to find all pyproject.toml files and collects local package names
    • collectLocalNames(): Parses a single manifest and identifies local packages
    • Handles uv's array-based source tables (per-marker entries) and poetry's path dependencies
  • Updated syft.go:

    • Added Local boolean field to the Package struct with documentation
    • Integrated local package detection into the Catalog() function
    • Added markLocalPackages() to match catalogued packages against locally-declared names using canonical comparison
  • Updated scan.go:

    • Modified component creation to include metadata with "local": true flag for locally-defined packages
    • Metadata is preserved through OSSBOM serialization for platform consumption
  • Comprehensive test coverage (local_test.go):

    • Tests for package name canonicalization
    • Tests for uv sources parsing (path deps, workspace members, git sources)
    • Tests for poetry path dependencies
    • Tests for edge cases (malformed TOML, empty sources, array sources)
    • End-to-end integration test verifying local packages are flagged in the SBOM

Implementation Details

  • Local package detection is best-effort: malformed manifests or unreadable files are silently ignored to prevent scan failures
  • Vendored paths are skipped during filesystem traversal, matching cataloguer behavior
  • Package name matching is case-insensitive and separator-agnostic (PEP 503 canonical form) to handle discrepancies between manifest declarations and cataloguer output
  • The Local flag only applies to pypi packages; other ecosystems are unaffected

https://claude.ai/code/session_01VWy9UuisvAKvwc8fLJjgCR

Monorepos declare internal packages as editable path or workspace
dependencies (uv [tool.uv.sources], poetry path deps). These are the
repo's own code, never published to a registry, so the scanner warns on
every one when it can't find them upstream (OSS-1389).

Detect them by parsing the local-source tables in pyproject.toml and mark
matching pypi components with metadata.local=true. The flag rides in
component metadata so it round-trips through the OSSBOM the platform parses
from --local output; the platform filters on it. Names are compared PEP 503
canonically so casing/separator differences don't matter.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01VWy9UuisvAKvwc8fLJjgCR
@dreadn0ught dreadn0ught merged commit 3e2407d into main Jul 10, 2026
7 checks passed
@dreadn0ught dreadn0ught deleted the claude/oss-1389-local-packages-sni549 branch July 10, 2026 09:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants