uv detector improvements - multi group dev dependencies, git source detection, transitive dev propagation #1631
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,6 +1,20 @@ | ||
| # uv Detection | ||
|
|
||
| ## Requirements | ||
|
|
||
| [uv](https://docs.astral.sh/uv/) detection relies on a [uv.lock](https://docs.astral.sh/uv/concepts/projects/layout/#the-lockfile) file being present. | ||
|
|
||
| ## Detection strategy | ||
|
|
||
| uv detection is performed by parsing a <em>uv.lock</em> found under the scan directory. | ||
|
|
||
| Full dependency graph generation is supported. | ||
|
|
||
| Dev dependencies across all dependency groups (e.g., `dev`, `lint`, `test`) are identified via transitive reachability analysis. A package reachable from both production and dev roots is classified as non-dev. | ||
|
|
||
| Git-sourced packages are registered as `GitComponent` with the repository URL and commit hash extracted from the lockfile. | ||
|
|
||
| ## Known limitations | ||
|
|
||
| 1. Editable (`source = { editable = "..." }`) and non-root workspace member packages are registered as regular components rather than being filtered out. | ||
| 2. Lockfile version validation is not performed; only lockfile version 1 has been tested. |
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
|
|
@@ -26,7 +26,7 @@ | |||||
|
|
||||||
| public override IList<string> SearchPatterns { get; } = ["uv.lock"]; | ||||||
|
|
||||||
| public override IEnumerable<ComponentType> SupportedComponentTypes => [ComponentType.Pip, ComponentType.Git]; | ||||||
|
|
||||||
| public override int Version => 1; | ||||||
|
|
||||||
|
|
@@ -37,6 +37,40 @@ | |||||
| return pck.Source?.Virtual != null; | ||||||
| } | ||||||
|
|
||||||
| internal static (Uri RepositoryUrl, string CommitHash) ParseGitUrl(string gitUrl) | ||||||
| { | ||||||
| var uri = new Uri(gitUrl); | ||||||
| var repoUrl = new Uri(uri.GetLeftPart(UriPartial.Path)); | ||||||
| var commitHash = uri.Fragment.TrimStart('#'); | ||||||
| return (repoUrl, commitHash); | ||||||
| } | ||||||
|
|
||||||
| internal static HashSet<string> GetTransitivePackages(IEnumerable<string> roots, List<UvPackage> packages) | ||||||
| { | ||||||
| var lookup = packages.ToDictionary(p => p.Name, p => p, StringComparer.OrdinalIgnoreCase); | ||||||
| var visited = new HashSet<string>(StringComparer.OrdinalIgnoreCase); | ||||||
| var queue = new Queue<string>(roots); | ||||||
|
|
||||||
| while (queue.Count > 0) | ||||||
| { | ||||||
| var name = queue.Dequeue(); | ||||||
| if (!visited.Add(name)) | ||||||
| { | ||||||
| continue; | ||||||
| } | ||||||
|
|
||||||
| if (lookup.TryGetValue(name, out var pkg)) | ||||||
| { | ||||||
| foreach (var dep in pkg.Dependencies) | ||||||
| { | ||||||
| queue.Enqueue(dep.Name); | ||||||
| } | ||||||
| } | ||||||
| } | ||||||
|
|
||||||
| return visited; | ||||||
| } | ||||||
|
|
||||||
| protected override Task OnFileFoundAsync(ProcessRequest processRequest, IDictionary<string, string> detectorArgs, CancellationToken cancellationToken = default) | ||||||
| { | ||||||
| var singleFileComponentRecorder = processRequest.SingleFileComponentRecorder; | ||||||
|
|
@@ -49,8 +83,8 @@ | |||||
| var uvLock = UvLock.Parse(file.Stream); | ||||||
|
|
||||||
| var rootPackage = uvLock.Packages.FirstOrDefault(IsRootPackage); | ||||||
| var explicitPackages = new HashSet<string>(StringComparer.OrdinalIgnoreCase); | ||||||
| var devRootNames = new HashSet<string>(StringComparer.OrdinalIgnoreCase); | ||||||
|
|
||||||
| if (rootPackage != null) | ||||||
| { | ||||||
|
|
@@ -61,30 +95,57 @@ | |||||
|
|
||||||
| foreach (var devDep in rootPackage.MetadataRequiresDev) | ||||||
| { | ||||||
| devRootNames.Add(devDep.Name); | ||||||
| } | ||||||
| } | ||||||
|
|
||||||
| // Compute dev-only packages via transitive reachability analysis. | ||||||
| // A package is dev-only if it is reachable from dev roots but NOT from production roots. | ||||||
| var prodRoots = rootPackage?.Dependencies.Select(d => d.Name) ?? []; | ||||||
|
There was a problem hiding this comment.
Suggested change
Collaborator
There was a problem hiding this comment. @theztefan - This is a valid recommendation to investigate, just because a package is a root it doesn't mean it is a runtime dependency, if the manifest explicitly says is it a dev dependency it should be classified as such, so will its children dependencies. |
||||||
| var prodTransitive = GetTransitivePackages(prodRoots, uvLock.Packages); | ||||||
| var devTransitive = GetTransitivePackages(devRootNames, uvLock.Packages); | ||||||
| var devOnlyPackages = new HashSet<string>(devTransitive.Except(prodTransitive), StringComparer.OrdinalIgnoreCase); | ||||||
|
|
||||||
| foreach (var pkg in uvLock.Packages) | ||||||
| { | ||||||
| if (IsRootPackage(pkg)) | ||||||
| { | ||||||
| continue; | ||||||
| } | ||||||
|
|
||||||
| var isExplicit = explicitPackages.Contains(pkg.Name); | ||||||
| var isDev = devOnlyPackages.Contains(pkg.Name); | ||||||
|
|
||||||
| TypedComponent component; | ||||||
| if (pkg.Source?.Git != null) | ||||||
| { | ||||||
| var (repoUrl, commitHash) = ParseGitUrl(pkg.Source.Git); | ||||||
| component = new GitComponent(repoUrl, commitHash); | ||||||
| } | ||||||
|
Comment on lines
40
to
124
There was a problem hiding this comment.
Author
There was a problem hiding this comment. My comment from above is valid here as well. Don't think we should be handling this here. |
||||||
| else | ||||||
| { | ||||||
| component = new PipComponent(pkg.Name, pkg.Version); | ||||||
| } | ||||||
|
|
||||||
| var detectedComponent = new DetectedComponent(component); | ||||||
| singleFileComponentRecorder.RegisterUsage(detectedComponent, isDevelopmentDependency: isDev, isExplicitReferencedDependency: isExplicit); | ||||||
|
|
||||||
| foreach (var dep in pkg.Dependencies) | ||||||
| { | ||||||
| var depPkg = uvLock.Packages.FirstOrDefault(p => p.Name.Equals(dep.Name, StringComparison.OrdinalIgnoreCase)); | ||||||
| if (depPkg != null) | ||||||
| { | ||||||
| TypedComponent depComponent; | ||||||
| if (depPkg.Source?.Git != null) | ||||||
| { | ||||||
| var (depRepoUrl, depCommitHash) = ParseGitUrl(depPkg.Source.Git); | ||||||
| depComponent = new GitComponent(depRepoUrl, depCommitHash); | ||||||
| } | ||||||
| else | ||||||
| { | ||||||
| depComponent = new PipComponent(depPkg.Name, depPkg.Version); | ||||||
| } | ||||||
|
Check failure on line 147 in src/Microsoft.ComponentDetection.Detectors/uv/UvLockComponentDetector.cs
|
||||||
| singleFileComponentRecorder.RegisterUsage(new DetectedComponent(depComponent), parentComponentId: component.Id, isDevelopmentDependency: isDev); | ||||||
|
Comment on lines
133
to
+148
There was a problem hiding this comment. Dependency edge registration does a linear search for every dependency ( |
||||||
| } | ||||||
| else | ||||||
| { | ||||||
|
|
||||||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ParseGitUrl assumes the git URL is always a valid absolute URI and always contains a non-empty fragment. If the URL is malformed or doesn’t include a commit hash fragment, new Uri(...) or GitComponent construction will throw, causing the detector to bail out for the entire uv.lock. Consider using Uri.TryCreate plus an explicit check for a non-empty commit hash (and falling back to logging + treating it as a non-git package or skipping just that package) to avoid a single bad entry breaking detection.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe this is false and not a concern we should take care of at this level. The
uv.lockfiles are machine generated and follow the strict specs which for git sources afaik always includes the commit hash. This means that this could potentially take effect in cases where we have malformeduv.lockbut then it should fail because it's malformed 😄