anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems
Apache License 2.0

Catalog python `uv.lock` files #3268

Open willmurphyscode opened 3 weeks ago

willmurphyscode commented 3 weeks ago

What would you like to be added:

A Python cataloger that can understand uv.lock files, see https://docs.astral.sh/uv/concepts/projects/#project-lockfile for general docs.

Additional context:

According to this comment our best source for the structure of this file is to look at the uv code for the moment.

We should make sure the cataloger is extensible so that as new versions of the uv.lock format are released, Syft can switch on the version and parse the new versions.
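
The version-dispatch shape the request describes, as an added example written for this issue and not code from Syft or from uv: a reader that pulls the top-level `version` integer out of a `uv.lock`, looks up a per-version parser in a table, and refuses anything it has no handler for rather than guessing. It assumes the version-1 layout (a top-level `version = 1` key followed by `[[package]]` tables carrying bare `name` and `version` keys) and uses a deliberately minimal line-oriented scan instead of a TOML library so it has no dependencies; a production cataloger would use a real TOML decoder. The sample lockfile is constructed and uses placeholder URLs and hashes.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Package is the minimal record a cataloger would emit per locked dependency.
type Package struct {
	Name    string
	Version string
}

// ErrUnsupportedLockVersion is returned when the top-level `version` key names
// a uv.lock schema that has no registered parser.
var ErrUnsupportedLockVersion = errors.New("unsupported uv.lock version")

// lockParser parses one schema version. Supporting a new uv.lock version means
// adding an entry to parsersByVersion; the dispatcher itself does not change.
type lockParser func(content string) ([]Package, error)

var parsersByVersion = map[int]lockParser{
	1: parseV1, // assumed v1 layout, see lead-in
}

// splitKV splits a `key = value` line on the first '='.
func splitKV(line string) (key, val string, ok bool) {
	k, v, found := strings.Cut(line, "=")
	if !found {
		return "", "", false
	}
	return strings.TrimSpace(k), strings.TrimSpace(v), true
}

// LockVersion reads the top-level `version = N` key, which precedes any table.
func LockVersion(content string) (int, error) {
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, "[") {
			break // first table reached; no more top-level keys
		}
		if k, v, ok := splitKV(line); ok && k == "version" {
			return strconv.Atoi(v)
		}
	}
	return 0, errors.New("uv.lock: top-level version key not found")
}

// ParseUvLock dispatches on the lock version so an unknown schema fails loudly
// instead of producing a silently incomplete SBOM.
func ParseUvLock(content string) ([]Package, error) {
	v, err := LockVersion(content)
	if err != nil {
		return nil, err
	}
	parse, ok := parsersByVersion[v]
	if !ok {
		return nil, fmt.Errorf("%w: %d", ErrUnsupportedLockVersion, v)
	}
	return parse(content)
}

// parseV1 collects name/version from each [[package]] table. Inline tables and
// arrays (source, sdist, wheels, dependencies) are skipped: their lines either
// have no '=' or have a key that does not match "name"/"version" exactly.
func parseV1(content string) ([]Package, error) {
	var pkgs []Package
	cur := -1 // index of the package currently being filled, -1 outside one
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "[[package]]":
			pkgs = append(pkgs, Package{})
			cur = len(pkgs) - 1
		case strings.HasPrefix(line, "["):
			cur = -1 // some other table, e.g. [package.metadata]
		case cur >= 0:
			k, v, ok := splitKV(line)
			if !ok {
				continue
			}
			switch k {
			case "name":
				pkgs[cur].Name = strings.Trim(v, `"`)
			case "version":
				pkgs[cur].Version = strings.Trim(v, `"`)
			}
		}
	}
	for _, p := range pkgs {
		if p.Name == "" {
			return nil, fmt.Errorf("uv.lock: [[package]] entry without a name: %+v", p)
		}
	}
	return pkgs, nil
}

// Constructed sample that mirrors the assumed v1 shape; not a real project's file.
const sampleUvLock = `version = 1
requires-python = ">=3.12"

[[package]]
name = "anyio"
version = "4.4.0"
source = { registry = "https://pypi.org/simple" }
dependencies = [
    { name = "idna" },
    { name = "sniffio" },
]
sdist = { url = "https://example.invalid/anyio-4.4.0.tar.gz", hash = "sha256:PLACEHOLDER", size = 1 }

[[package]]
name = "idna"
version = "3.7"
source = { registry = "https://pypi.org/simple" }

[[package]]
name = "sniffio"
version = "1.3.1"
source = { registry = "https://pypi.org/simple" }
`

func main() {
	pkgs, err := ParseUvLock(sampleUvLock)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, p := range pkgs {
		fmt.Printf("%s %s\n", p.Name, p.Version)
	}
}
```

The point of the table is that adding `2: parseV2` later leaves `ParseUvLock` untouched, and a lockfile written by a newer uv than the cataloger knows about surfaces as an explicit `ErrUnsupportedLockVersion` rather than an SBOM missing half its packages.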

jgehrcke commented 5 days ago

Thank you for tracking that! Nice.

Indeed, this already is important to various orgs. And importance will only rise from here.