Add pdm lockfile support (#776)

Add support for parsing package information from `pdm.lock` -files used
by `pdm`, package and dependency manager for Python
(https://pdm-project.org/latest/)

Author: jtt

docs/supported_languages_and_lockfiles.md

@@ -22,19 +22,19 @@ nav_order: 2
 
 A wide range of lockfiles are supported by utilizing this [lockfile package](https://github.com/google/osv-scanner/tree/main/pkg/lockfile).
 
-| Language   | Compatible Lockfile(s)                                                                                               |
-| :--------- | :------------------------------------------------------------------------------------------------------------------- |
-| C/C++      | `conan.lock`<br>[C/C++ commit scanning](#cc-scanning)                                                                |
-| Dart       | `pubspec.lock`                                                                                                       |
-| Elixir     | `mix.lock`                                                                                                           |
-| Go         | `go.mod`                                                                                                             |
-| Java       | `buildscript-gradle.lockfile`<br>`gradle.lockfile`<br>`pom.xml`[\*](https://github.com/google/osv-scanner/issues/35) |
-| Javascript | `package-lock.json`<br>`pnpm-lock.yaml`<br>`yarn.lock`                                                               |
-| PHP        | `composer.lock`                                                                                                      |
-| Python     | `Pipfile.lock`<br>`poetry.lock`<br>`requirements.txt`[\*](https://github.com/google/osv-scanner/issues/34)           |
-| R          | `renv.lock`                                                                                                          |
-| Ruby       | `Gemfile.lock`                                                                                                       |
-| Rust       | `Cargo.lock`                                                                                                         |
+| Language   | Compatible Lockfile(s)                                                                                                   |
+| :--------- | :----------------------------------------------------------------------------------------------------------------------- |
+| C/C++      | `conan.lock`<br>[C/C++ commit scanning](#cc-scanning)                                                                    |
+| Dart       | `pubspec.lock`                                                                                                           |
+| Elixir     | `mix.lock`                                                                                                               |
+| Go         | `go.mod`                                                                                                                 |
+| Java       | `buildscript-gradle.lockfile`<br>`gradle.lockfile`<br>`pom.xml`[\*](https://github.com/google/osv-scanner/issues/35)     |
+| Javascript | `package-lock.json`<br>`pnpm-lock.yaml`<br>`yarn.lock`                                                                   |
+| PHP        | `composer.lock`                                                                                                          |
+| Python     | `Pipfile.lock`<br>`poetry.lock`<br>`requirements.txt`<br>`pdm.lock`[\*](https://github.com/google/osv-scanner/issues/34) |
+| R          | `renv.lock`                                                                                                              |
+| Ruby       | `Gemfile.lock`                                                                                                           |
+| Rust       | `Cargo.lock`                                                                                                             |
 
 ## Alpine Package Keeper and Debian Package Keeper
 

pkg/lockfile/ecosystems_test.go

@@ -35,10 +35,10 @@ func TestKnownEcosystems(t *testing.T) {
 	expectedCount := numberOfLockfileParsers(t)
 
 	// - npm, yarn, and pnpm,
-	// - pip, poetry, and pipenv,
+	// - pip, poetry, pdm and pipenv,
 	// - maven and gradle,
 	// all use the same ecosystem so "ignore" those parsers in the count
-	expectedCount -= 5
+	expectedCount -= 6
 
 	ecosystems := lockfile.KnownEcosystems()
 

pkg/lockfile/extract_test.go

@@ -41,6 +41,7 @@ func TestFindExtractor(t *testing.T) {
 		"go.mod":                      "go.mod",
 		"gradle.lockfile":             "gradle.lockfile",
 		"mix.lock":                    "mix.lock",
+		"pdm.lock":                    "pdm.lock",
 		"Pipfile.lock":                "Pipfile.lock",
 		"package-lock.json":           "package-lock.json",
 		"packages.lock.json":          "packages.lock.json",
@@ -92,6 +93,7 @@ func TestExtractDeps_FindsExpectedExtractor(t *testing.T) {
 		"go.mod",
 		"gradle.lockfile",
 		"mix.lock",
+		"pdm.lock",
 		"Pipfile.lock",
 		"package-lock.json",
 		"packages.lock.json",

pkg/lockfile/fixtures/pdm/dev-dependency.toml

@@ -0,0 +1,42 @@
+# This file is @generated by PDM.
+# It is not intended for manual editing.
+
+[metadata]
+groups = ["default", "dev"]
+strategy = ["cross_platform", "inherit_metadata"]
+lock_version = "4.4.1"
+content_hash = "sha256:5a543e4cbf50fa2fae6c9180c8c4b4031bbaf7e95c26484384109782ebdfd647"
+
+[[package]]
+name = "pyroute2"
+version = "0.7.11"
+summary = "Python Netlink library"
+groups = ["dev"]
+dependencies = [
+    "win-inet-pton; platform_system == \"Windows\"",
+]
+files = [
+    {file = "pyroute2-0.7.11-py3-none-any.whl", hash = "sha256:95852e702149b3d6abc8484d3291c38c45660168e8db76e5566a60ef0e133d5b"},
+]
+
+[[package]]
+name = "toml"
+version = "0.10.2"
+requires_python = ">=2.6, !=3.0.*, !=3.1.*, !=3.2.*"
+summary = "Python Library for Tom's Obvious, Minimal Language"
+groups = ["default"]
+files = [
+    {file = "toml-0.10.2-py2.py3-none-any.whl", hash = "sha256:806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b"},
+    {file = "toml-0.10.2.tar.gz", hash = "sha256:b3bda1d108d5dd99f4a20d24d9c348e91c4db7ab1b749200bded2f839ccbe68f"},
+]
+
+[[package]]
+name = "win-inet-pton"
+version = "1.1.0"
+summary = "Native inet_pton and inet_ntop implementation for Python on Windows (with ctypes)."
+groups = ["dev"]
+marker = "platform_system == \"Windows\""
+files = [
+    {file = "win_inet_pton-1.1.0-py2.py3-none-any.whl", hash = "sha256:eaf0193cbe7152ac313598a0da7313fb479f769343c0c16c5308f64887dc885b"},
+    {file = "win_inet_pton-1.1.0.tar.gz", hash = "sha256:dd03d942c0d3e2b1cf8bab511844546dfa5f74cb61b241699fa379ad707dea4f"},
+]

pkg/lockfile/fixtures/pdm/empty.toml

@@ -0,0 +1,8 @@
+# This file is @generated by PDM.
+# It is not intended for manual editing.
+
+[metadata]
+groups = ["default"]
+strategy = ["cross_platform", "inherit_metadata"]
+lock_version = "4.4.1"
+content_hash = "sha256:ebb844511b46d2da311c9adf39499a26883e110605ef99ca9c6762905dcb3e56"

pkg/lockfile/fixtures/pdm/git-dependency.toml

@@ -0,0 +1,17 @@
+# This file is @generated by PDM.
+# It is not intended for manual editing.
+
+[metadata]
+groups = ["default"]
+strategy = ["cross_platform", "inherit_metadata"]
+lock_version = "4.4.1"
+content_hash = "sha256:93fc3209615f0fa4a29b2bd263bb5e72c2343ebc334df8c56c5d9f2cacfc0241"
+
+[[package]]
+name = "toml"
+version = "0.10.2"
+requires_python = ">=2.6, !=3.0.*, !=3.1.*, !=3.2.*"
+git = "https://github.com/uiri/toml.git"
+revision = "65bab7582ce14c55cdeec2244c65ea23039c9e6f"
+summary = "Python Library for Tom's Obvious, Minimal Language"
+groups = ["default"]

pkg/lockfile/fixtures/pdm/not-toml.txt

@@ -0,0 +1 @@
+this is not valid toml! (I think)

pkg/lockfile/fixtures/pdm/optional-dependency.toml

@@ -0,0 +1,42 @@
+# This file is @generated by PDM.
+# It is not intended for manual editing.
+
+[metadata]
+groups = ["default", "tmp"]
+strategy = ["cross_platform", "inherit_metadata"]
+lock_version = "4.4.1"
+content_hash = "sha256:dfa3dd060fb1217f183be92d3a42fc9b77ca2ca340a7ac15c6786de5bbced943"
+
+[[package]]
+name = "pyroute2"
+version = "0.7.11"
+summary = "Python Netlink library"
+groups = ["tmp"]
+dependencies = [
+    "win-inet-pton; platform_system == \"Windows\"",
+]
+files = [
+    {file = "pyroute2-0.7.11-py3-none-any.whl", hash = "sha256:95852e702149b3d6abc8484d3291c38c45660168e8db76e5566a60ef0e133d5b"},
+]
+
+[[package]]
+name = "toml"
+version = "0.10.2"
+requires_python = ">=2.6, !=3.0.*, !=3.1.*, !=3.2.*"
+summary = "Python Library for Tom's Obvious, Minimal Language"
+groups = ["default"]
+files = [
+    {file = "toml-0.10.2-py2.py3-none-any.whl", hash = "sha256:806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b"},
+    {file = "toml-0.10.2.tar.gz", hash = "sha256:b3bda1d108d5dd99f4a20d24d9c348e91c4db7ab1b749200bded2f839ccbe68f"},
+]
+
+[[package]]
+name = "win-inet-pton"
+version = "1.1.0"
+summary = "Native inet_pton and inet_ntop implementation for Python on Windows (with ctypes)."
+groups = ["tmp"]
+marker = "platform_system == \"Windows\""
+files = [
+    {file = "win_inet_pton-1.1.0-py2.py3-none-any.whl", hash = "sha256:eaf0193cbe7152ac313598a0da7313fb479f769343c0c16c5308f64887dc885b"},
+    {file = "win_inet_pton-1.1.0.tar.gz", hash = "sha256:dd03d942c0d3e2b1cf8bab511844546dfa5f74cb61b241699fa379ad707dea4f"},
+]

pkg/lockfile/fixtures/pdm/single-package.toml

@@ -0,0 +1,19 @@
+# This file is @generated by PDM.
+# It is not intended for manual editing.
+
+[metadata]
+groups = ["default"]
+strategy = ["cross_platform", "inherit_metadata"]
+lock_version = "4.4.1"
+content_hash = "sha256:0cee617a22cf58c87c4b154a4a31e08351b4e38f471f6c82edbb1ee185bda2cf"
+
+[[package]]
+name = "toml"
+version = "0.10.2"
+requires_python = ">=2.6, !=3.0.*, !=3.1.*, !=3.2.*"
+summary = "Python Library for Tom's Obvious, Minimal Language"
+groups = ["default"]
+files = [
+    {file = "toml-0.10.2-py2.py3-none-any.whl", hash = "sha256:806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b"},
+    {file = "toml-0.10.2.tar.gz", hash = "sha256:b3bda1d108d5dd99f4a20d24d9c348e91c4db7ab1b749200bded2f839ccbe68f"},
+]

pkg/lockfile/fixtures/pdm/two-packages.toml

@@ -0,0 +1,30 @@
+# This file is @generated by PDM.
+# It is not intended for manual editing.
+
+[metadata]
+groups = ["default"]
+strategy = ["cross_platform", "inherit_metadata"]
+lock_version = "4.4.1"
+content_hash = "sha256:0acb7cdc3e805d9bec1f3347b79b69d92ba257d2cd82b5ef4355010930d46deb"
+
+[[package]]
+name = "six"
+version = "1.16.0"
+requires_python = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*"
+summary = "Python 2 and 3 compatibility utilities"
+groups = ["default"]
+files = [
+    {file = "six-1.16.0-py2.py3-none-any.whl", hash = "sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254"},
+    {file = "six-1.16.0.tar.gz", hash = "sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926"},
+]
+
+[[package]]
+name = "toml"
+version = "0.10.2"
+requires_python = ">=2.6, !=3.0.*, !=3.1.*, !=3.2.*"
+summary = "Python Library for Tom's Obvious, Minimal Language"
+groups = ["default"]
+files = [
+    {file = "toml-0.10.2-py2.py3-none-any.whl", hash = "sha256:806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b"},
+    {file = "toml-0.10.2.tar.gz", hash = "sha256:b3bda1d108d5dd99f4a20d24d9c348e91c4db7ab1b749200bded2f839ccbe68f"},
+]

pkg/lockfile/parse-pdm-lock.go

@@ -0,0 +1,79 @@
+package lockfile
+
+import (
+	"fmt"
+	"path/filepath"
+
+	"github.com/BurntSushi/toml"
+)
+
+type PdmLockPackage struct {
+	Name     string   `toml:"name"`
+	Version  string   `toml:"version"`
+	Groups   []string `toml:"groups"`
+	Revision string   `toml:"revision"`
+}
+
+type PdmLockFile struct {
+	Version  string           `toml:"lock-version"`
+	Packages []PdmLockPackage `toml:"package"`
+}
+
+const PdmEcosystem = PipEcosystem
+
+type PdmLockExtractor struct{}
+
+func (p PdmLockExtractor) ShouldExtract(path string) bool {
+	return filepath.Base(path) == "pdm.lock"
+}
+
+func (p PdmLockExtractor) Extract(f DepFile) ([]PackageDetails, error) {
+	var parsedLockFile *PdmLockFile
+
+	_, err := toml.NewDecoder(f).Decode(&parsedLockFile)
+	if err != nil {
+		return []PackageDetails{}, fmt.Errorf("could not extract from %s: %w", f.Path(), err)
+	}
+	packages := make([]PackageDetails, 0, len(parsedLockFile.Packages))
+
+	for _, pkg := range parsedLockFile.Packages {
+		details := PackageDetails{
+			Name:      pkg.Name,
+			Version:   pkg.Version,
+			Ecosystem: PdmEcosystem,
+			CompareAs: PdmEcosystem,
+		}
+
+		var optional = true
+		for _, gr := range pkg.Groups {
+			if gr == "dev" {
+				details.DepGroups = append(details.DepGroups, "dev")
+				optional = false
+			} else if gr == "default" {
+				optional = false
+			}
+		}
+		if optional {
+			details.DepGroups = append(details.DepGroups, "optional")
+		}
+
+		if pkg.Revision != "" {
+			details.Commit = pkg.Revision
+		}
+
+		packages = append(packages, details)
+	}
+
+	return packages, nil
+}
+
+var _ Extractor = PdmLockExtractor{}
+
+//nolint:gochecknoinits
+func init() {
+	registerExtractor("pdm.lock", PdmLockExtractor{})
+}
+
+func ParsePdmLock(pathToLockfile string) ([]PackageDetails, error) {
+	return extractFromFile(pathToLockfile, PdmLockExtractor{})
+}