Merge pull request #1497 from snyk/feat/add-poetry-support

Feat: add poetry support

Author: razzmadaz

package.json

@@ -86,7 +86,7 @@
     "snyk-nuget-plugin": "1.19.3",
     "snyk-php-plugin": "1.9.2",
     "snyk-policy": "1.14.1",
-    "snyk-python-plugin": "1.17.1",
+    "snyk-python-plugin": "1.18.0",
     "snyk-resolve": "1.0.1",
     "snyk-resolve-deps": "4.4.0",
     "snyk-sbt-plugin": "2.11.0",

src/lib/detect.ts

@@ -29,6 +29,8 @@ const DETECTABLE_FILES: string[] = [
   'composer.lock',
   'Podfile',
   'Podfile.lock',
+  'pyproject.toml',
+  'poetry.lock',
 ];
 
 export const AUTO_DETECTABLE_FILES: string[] = [
@@ -53,6 +55,8 @@ export const AUTO_DETECTABLE_FILES: string[] = [
   'build.sbt',
   'build.gradle',
   'build.gradle.kts',
+  'pyproject.toml',
+  'poetry.lock',
 ];
 
 // when file is specified with --file, we look it up here
@@ -86,6 +90,8 @@ const DETECTABLE_PACKAGE_MANAGERS: {
   'CocoaPods.podfile.yaml': 'cocoapods',
   'CocoaPods.podfile': 'cocoapods',
   Podfile: 'cocoapods',
+  'pyproject.toml': 'poetry',
+  'poetry.lock': 'poetry',
 };
 
 export function isPathToPackageFile(path) {

src/lib/find-files.ts

@@ -305,6 +305,15 @@ function chooseBestManifest(
       );
       return defaultManifest.path;
     }
+    case 'poetry': {
+      const defaultManifest = files.filter((path) =>
+        ['pyproject.toml'].includes(path.base),
+      )[0];
+      debug(
+        `Encountered multiple poetry manifest files, defaulting to ${defaultManifest.path}`,
+      );
+      return defaultManifest.path;
+    }
     default: {
       return null;
     }

src/lib/package-managers.ts

@@ -12,7 +12,8 @@ export type SupportedPackageManagers =
   | 'nuget'
   | 'paket'
   | 'composer'
-  | 'cocoapods';
+  | 'cocoapods'
+  | 'poetry';
 
 export const SUPPORTED_PACKAGE_MANAGER_NAME: {
   readonly [packageManager in SupportedPackageManagers]: string;
@@ -31,6 +32,7 @@ export const SUPPORTED_PACKAGE_MANAGER_NAME: {
   paket: 'Paket',
   composer: 'Composer',
   cocoapods: 'CocoaPods',
+  poetry: 'Poetry',
 };
 
 export const WIZARD_SUPPORTED_PACKAGE_MANAGERS: SupportedPackageManagers[] = [
@@ -46,6 +48,7 @@ export const GRAPH_SUPPORTED_PACKAGE_MANAGERS: SupportedPackageManagers[] = [
   'sbt',
   'yarn',
   'rubygems',
+  'poetry',
 ];
 // For ecosystems with a flat set of libraries (e.g. Python, JVM), one can
 // "pin" a transitive dependency

src/lib/plugins/index.ts

@@ -34,7 +34,8 @@ export function loadPlugin(
     case 'yarn': {
       return nodejsPlugin;
     }
-    case 'pip': {
+    case 'pip':
+    case 'poetry': {
       return pythonPlugin;
     }
     case 'golangdep':

test/acceptance/cli-monitor/cli-monitor.acceptance.test.ts

@@ -923,6 +923,22 @@ if (!isWindows) {
     );
   });
 
+  test('`monitor poetry-app`', async (t) => {
+    chdirWorkspaces();
+    await cli.monitor('poetry-app');
+    const req = server.popRequest();
+    t.equal(req.method, 'PUT', 'makes PUT request');
+    t.equal(
+      req.headers['x-snyk-cli-version'],
+      versionNumber,
+      'sends version number',
+    );
+    t.match(req.url, '/monitor/poetry/graph', 'puts at correct url');
+    t.equal(req.body.targetFile, 'pyproject.toml', 'sends targetFile');
+    const depGraphJSON = req.body.depGraphJSON;
+    t.ok(depGraphJSON);
+  });
+
   test('`monitor pip-app --file=requirements.txt`', async (t) => {
     chdirWorkspaces();
     const plugin = {

test/acceptance/cli-monitor/cli-monitor.all-projects.spec.ts

@@ -944,5 +944,38 @@ export const AllProjectsTests: AcceptanceTests = {
         );
       });
     },
+    '`monitor mono-repo-poetry with --all-projects --detection-depth=2`': (
+      params,
+      utils,
+    ) => async (t) => {
+      utils.chdirWorkspaces();
+      const result = await params.cli.monitor('mono-repo-poetry', {
+        allProjects: true,
+        detectionDepth: 2,
+      });
+      t.match(
+        result,
+        'npm/graph/some/project-id',
+        'npm project was monitored ',
+      );
+      t.match(
+        result,
+        'poetry/graph/some/project-id',
+        'poetry project was monitored ',
+      );
+      const requests = params.server.popRequests(2);
+      requests.forEach((request) => {
+        const urlOk =
+          request.url === '/api/v1/monitor/npm' ||
+          '/api/v1/monitor/poetry/graph';
+        t.ok(urlOk, 'puts at correct url');
+        t.equal(request.method, 'PUT', 'makes PUT request');
+        t.equal(
+          request.headers['x-snyk-cli-version'],
+          params.versionNumber,
+          'sends version number',
+        );
+      });
+    },
   },
 };

test/acceptance/cli-test/cli-test.all-projects.spec.ts

@@ -1154,5 +1154,26 @@ export const AllProjectsTests: AcceptanceTests = {
         'Go dep package manager',
       );
     },
+    '`test mono-repo-poetry --all-projects`': (params, utils) => async (t) => {
+      utils.chdirWorkspaces();
+      const res: CommandResult = await params.cli.test('mono-repo-poetry', {
+        allProjects: true,
+      });
+      t.match(
+        res.getDisplayResults(),
+        /Tested 2 projects, no vulnerable paths were found./,
+        'Two projects tested',
+      );
+      t.match(
+        res.getDisplayResults(),
+        'Package manager:   npm',
+        'Npm package manager',
+      );
+      t.match(
+        res.getDisplayResults(),
+        'Package manager:   poetry',
+        'Poetry package manager',
+      );
+    },
   },
 };

test/acceptance/cli-test/cli-test.python.spec.ts

@@ -279,5 +279,22 @@ export const PythonTests: AcceptanceTests = {
         'calls python plugin',
       );
     },
+    '`test poetry-app with pyproject.toml and poetry.lock`': (
+      params,
+      utils,
+    ) => async (t) => {
+      utils.chdirWorkspaces();
+      await params.cli.test('poetry-app', {});
+      const req = params.server.popRequest();
+      t.equal(req.method, 'POST', 'makes POST request');
+      t.equal(
+        req.headers['x-snyk-cli-version'],
+        params.versionNumber,
+        'sends version number',
+      );
+      t.match(req.url, '/test-dep-graph', 'posts to correct url');
+      t.equal(req.body.targetFile, 'pyproject.toml', 'specifies target');
+      t.equal(req.body.depGraph.pkgManager.name, 'poetry');
+    },
   },
 };

test/acceptance/workspaces/mono-repo-poetry/package-lock.json

@@ -0,0 +1,14 @@
+{
+  "name": "shallow-goof",
+  "version": "0.0.1",
+  "description": "A vulnerable demo application",
+  "homepage": "https://snyk.io/",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/Snyk/shallow-goof"
+  },
+  "dependencies": {
+    "qs": "0.0.6",
+    "node-uuid": "1.4.0"
+  }
+}

test/acceptance/workspaces/mono-repo-poetry/package.json

@@ -0,0 +1,13 @@
+[tool.poetry]
+name = "poetry-fixtures-project"
+version = "0.1.0"
+description = ""
+authors = []
+
+[tool.poetry.dependencies]
+python = "~2.7 || ^3.5"
+jinja2 = "^2.11"
+
+[build-system]
+requires = ["poetry>=0.12"]
+build-backend = "poetry.masonry.api"