guacsec
diff --git a/‎src/provider.js‎
Lines changed: 2 additions & 0 deletions b/‎src/provider.js‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎src/providers/python_pip_pyproject.js‎
Lines changed: 132 additions & 0 deletions b/‎src/providers/python_pip_pyproject.js‎
Lines changed: 132 additions & 0 deletions
diff --git a/‎test/providers/python_pyproject.test.js‎
Lines changed: 122 additions & 0 deletions b/‎test/providers/python_pyproject.test.js‎
Lines changed: 122 additions & 0 deletions
diff --git a/‎test/providers/tst_manifests/pyproject/pip_pep621/expected_component_sbom.json‎
Lines changed: 36 additions & 0 deletions b/‎test/providers/tst_manifests/pyproject/pip_pep621/expected_component_sbom.json‎
Lines changed: 36 additions & 0 deletions
@@ -8,6 +8,7 @@ import Javascript_npm from './providers/javascript_npm.js';
 import Javascript_pnpm from './providers/javascript_pnpm.js';
 import Javascript_yarn from './providers/javascript_yarn.js';
 import pythonPipProvider from './providers/python_pip.js'
+import Python_pip_pyproject from './providers/python_pip_pyproject.js'
 import Python_poetry from './providers/python_poetry.js'
 import Python_uv from './providers/python_uv.js'
 import rustCargoProvider from './providers/rust_cargo.js'
@@ -30,6 +31,7 @@ export const availableProviders = [
 	pythonPipProvider,
 	new Python_poetry(),
 	new Python_uv(),
+	new Python_pip_pyproject(),
 	rustCargoProvider]
 
 /**
 
@@ -0,0 +1,132 @@
+import { environmentVariableIsPopulated, getCustomPath, invokeCommand } from '../tools.js'
+
+import Base_pyproject from './base_pyproject.js'
+
+/**
+ * Python provider for pyproject.toml files using PEP 621 format without a lock file.
+ * Uses `pip install --dry-run --ignore-installed --report` to resolve the full dependency tree.
+ * Acts as the fallback provider when no lock file (uv.lock/poetry.lock) is found.
+ */
+export default class Python_pip_pyproject extends Base_pyproject {
+
+	/** @returns {string} */
+	_lockFileName() {
+		return '.pip-lock-nonexistent'
+	}
+
+	/** @returns {string} */
+	_cmdName() {
+		return 'pip'
+	}
+
+	/**
+	 * Always returns true — pip provider is the fallback when no lock file is found.
+	 * @param {string} manifestDir
+	 * @param {{}} [opts={}]
+	 * @returns {boolean}
+	 */
+	// eslint-disable-next-line no-unused-vars
+	validateLockFile(manifestDir, opts = {}) {
+		return true
+	}
+
+	/**
+	 * Get pip report output from env var override or by running pip.
+	 * @param {string} manifestDir - directory containing pyproject.toml
+	 * @param {{}} [opts={}]
+	 * @returns {string} pip report JSON string
+	 */
+	_getPipReportOutput(manifestDir, opts) {
+		if (environmentVariableIsPopulated('TRUSTIFY_DA_PIP_REPORT')) {
+			return Buffer.from(process.env['TRUSTIFY_DA_PIP_REPORT'], 'base64').toString('ascii')
+		}
+		let pipBin = getCustomPath('pip3', opts)
+		try {
+			invokeCommand(pipBin, ['--version'])
+		} catch {
+			pipBin = getCustomPath('pip', opts)
+		}
+		return invokeCommand(pipBin, [
+			'install', '--dry-run', '--ignore-installed', '--report', '-', '.'
+		], { cwd: manifestDir }).toString()
+	}
+
+	/**
+	 * Parse pip report JSON and build dependency graph.
+	 * @param {string} reportJson - pip report JSON string
+	 * @returns {{directDeps: string[], graph: Map<string, {name: string, version: string, children: string[]}>}}
+	 */
+	_parsePipReport(reportJson) {
+		let report = JSON.parse(reportJson)
+		let packages = report.install || []
+
+		let rootEntry = packages.find(p => p.download_info?.dir_info !== undefined)
+		let rootRequires = rootEntry?.metadata?.requires_dist || []
+
+		let directDepNames = new Set()
+		for (let req of rootRequires) {
+			if (this._hasExtraMarker(req)) { continue }
+			let name = this._extractDepName(req)
+			if (name) { directDepNames.add(this._canonicalize(name)) }
+		}
+
+		let graph = new Map()
+		let nonRootPackages = packages.filter(p => p.download_info?.dir_info === undefined)
+
+		for (let pkg of nonRootPackages) {
+			let name = pkg.metadata.name
+			let version = pkg.metadata.version
+			let key = this._canonicalize(name)
+			graph.set(key, { name, version, children: [] })
+		}
+
+		for (let pkg of nonRootPackages) {
+			let key = this._canonicalize(pkg.metadata.name)
+			let entry = graph.get(key)
+			let requires = pkg.metadata.requires_dist || []
+			for (let req of requires) {
+				if (this._hasExtraMarker(req)) { continue }
+				let depName = this._extractDepName(req)
+				if (!depName) { continue }
+				let depKey = this._canonicalize(depName)
+				if (graph.has(depKey)) {
+					entry.children.push(depKey)
+				}
+			}
+		}
+
+		let directDeps = [...directDepNames].filter(key => graph.has(key))
+		return { directDeps, graph }
+	}
+
+	/**
+	 * Check if a requires_dist entry is an extras-only dependency.
+	 * @param {string} req - e.g. "PySocks!=1.5.7,>=1.5.6; extra == \"socks\""
+	 * @returns {boolean}
+	 */
+	_hasExtraMarker(req) {
+		return /;\s*.*extra\s*==/.test(req)
+	}
+
+	/**
+	 * Extract package name from a requires_dist entry.
+	 * @param {string} req - e.g. "charset_normalizer<4,>=2"
+	 * @returns {string|null}
+	 */
+	_extractDepName(req) {
+		let match = req.match(/^([A-Za-z0-9]([A-Za-z0-9._-]*[A-Za-z0-9])?)/)
+		return match ? match[1] : null
+	}
+
+	/**
+	 * Resolve dependencies using pip install --dry-run --report.
+	 * @param {string} manifestDir
+	 * @param {object} parsed - parsed pyproject.toml
+	 * @param {{}} [opts={}]
+	 * @returns {Promise<{directDeps: string[], graph: Map}>}
+	 */
+	async _getDependencyData(manifestDir, parsed, opts) {
+		let reportOutput = this._getPipReportOutput(manifestDir, opts)
+		return this._parsePipReport(reportOutput)
+	}
+}
@@ -4,6 +4,7 @@ import path from 'path'
 import { expect } from 'chai'
 import { useFakeTimers } from 'sinon'
 
+import Python_pip_pyproject from '../../src/providers/python_pip_pyproject.js'
 import Python_poetry from '../../src/providers/python_poetry.js'
 import Python_uv from '../../src/providers/python_uv.js'
 
@@ -13,6 +14,7 @@ const TIMEOUT = process.env.GITHUB_ACTIONS ? 30000 : 10000
 
 const uvProvider = new Python_uv()
 const poetryProvider = new Python_poetry()
+const pipProvider = new Python_pip_pyproject()
 
 suite('testing the python-pyproject data provider', () => {
 	[
@@ -184,6 +186,126 @@ suite('testing the python-pyproject data provider', () => {
 		}).timeout(TIMEOUT)
 	})
 
+	/** Verifies the pip provider's validateLockFile always returns true (fallback). */
+	test('verify pip validateLockFile always returns true (fallback provider)', () => {
+		expect(pipProvider.validateLockFile('test/providers/tst_manifests/pyproject/pip_pep621')).to.equal(true)
+		expect(pipProvider.validateLockFile('/nonexistent/dir')).to.equal(true)
+	})
+
+	suite('pip projects (via pip --dry-run --report)', () => {
+		const pipFixtureDir = 'test/providers/tst_manifests/pyproject/pip_pep621'
+		const pipIgnoreDir = 'test/providers/tst_manifests/pyproject/pip_pep621_ignore'
+		let savedEnv
+
+		setup(() => {
+			savedEnv = process.env.TRUSTIFY_DA_PIP_REPORT
+			let report = fs.readFileSync(path.join(pipFixtureDir, 'pip_report.json'), 'utf-8')
+			process.env.TRUSTIFY_DA_PIP_REPORT = Buffer.from(report).toString('base64')
+		})
+
+		teardown(() => {
+			if (savedEnv === undefined) {
+				delete process.env.TRUSTIFY_DA_PIP_REPORT
+			} else {
+				process.env.TRUSTIFY_DA_PIP_REPORT = savedEnv
+			}
+		})
+
+		/** Verifies stack analysis produces correct SBOM with transitive deps. */
+		test('verify pyproject.toml sbom provided for stack analysis with pip', async () => {
+			// Given a PEP 621 pyproject.toml and pre-recorded pip report
+			let expectedSbom = fs.readFileSync(path.join(pipFixtureDir, 'expected_stack_sbom.json')).toString()
+			expectedSbom = JSON.stringify(JSON.parse(expectedSbom))
+
+			// When running stack analysis
+			let result = await pipProvider.provideStack(path.join(pipFixtureDir, 'pyproject.toml'))
+
+			// Then the SBOM matches expected output
+			expect(result).to.deep.equal({
+				ecosystem: 'pip',
+				contentType: 'application/vnd.cyclonedx+json',
+				content: expectedSbom
+			})
+		}).timeout(TIMEOUT)
+
+		/** Verifies component analysis produces correct SBOM with direct deps only. */
+		test('verify pyproject.toml sbom provided for component analysis with pip', async () => {
+			// Given a PEP 621 pyproject.toml and pre-recorded pip report
+			let expectedSbom = fs.readFileSync(path.join(pipFixtureDir, 'expected_component_sbom.json')).toString().trim()
+			expectedSbom = JSON.stringify(JSON.parse(expectedSbom))
+
+			// When running component analysis
+			let result = await pipProvider.provideComponent(path.join(pipFixtureDir, 'pyproject.toml'))
+
+			// Then the SBOM matches expected output
+			expect(result).to.deep.equal({
+				ecosystem: 'pip',
+				contentType: 'application/vnd.cyclonedx+json',
+				content: expectedSbom
+			})
+		}).timeout(TIMEOUT)
+
+		/** Verifies direct and transitive deps are correctly classified in stack SBOM. */
+		test('stack analysis classifies direct and transitive dependencies correctly', async () => {
+			// When running stack analysis
+			let result = await pipProvider.provideStack(path.join(pipFixtureDir, 'pyproject.toml'))
+			let sbom = JSON.parse(result.content)
+
+			// Then requests is a direct dep of the root
+			let rootDep = sbom.dependencies.find(d => d.ref.includes('/test-project@'))
+			expect(rootDep.dependsOn).to.have.lengthOf(1)
+			expect(rootDep.dependsOn[0]).to.include('/requests@')
+
+			// And requests has its own transitive deps
+			let requestsDep = sbom.dependencies.find(d => d.ref.includes('/requests@'))
+			let transNames = requestsDep.dependsOn.map(d => d.split('/').pop().split('@')[0])
+			expect(transNames).to.include('certifi')
+			expect(transNames).to.include('charset-normalizer')
+			expect(transNames).to.include('idna')
+			expect(transNames).to.include('urllib3')
+		}).timeout(TIMEOUT)
+
+		/** Verifies extras-only dependencies (e.g. PySocks for socks extra) are excluded. */
+		test('extras-only dependencies are filtered from the dependency tree', async () => {
+			let result = await pipProvider.provideStack(path.join(pipFixtureDir, 'pyproject.toml'))
+			let sbom = JSON.parse(result.content)
+			let names = sbom.components.map(c => c.name)
+			expect(names).to.not.include('PySocks')
+			expect(names).to.not.include('pysocks')
+		}).timeout(TIMEOUT)
+
+		/** Verifies exhortignore marker in PEP 621 dependencies excludes the dep. */
+		test('exhortignore marker excludes dep from component analysis', async () => {
+			// Given a pyproject.toml with requests marked as exhortignore
+			let result = await pipProvider.provideComponent(path.join(pipIgnoreDir, 'pyproject.toml'))
+			let sbom = JSON.parse(result.content)
+
+			// Then requests is excluded
+			let names = sbom.components.map(c => c.name)
+			expect(names).to.not.include('requests')
+		}).timeout(TIMEOUT)
+
+		/** Verifies exhortignore excludes dep and its exclusive transitive deps from stack analysis. */
+		test('exhortignore marker excludes dep from stack analysis', async () => {
+			// Given a pyproject.toml with requests marked as exhortignore
+			let result = await pipProvider.provideStack(path.join(pipIgnoreDir, 'pyproject.toml'))
+			let sbom = JSON.parse(result.content)
+
+			// Then requests and all its exclusive transitive deps are excluded
+			let names = sbom.components.map(c => c.name)
+			expect(names).to.not.include('requests')
+		}).timeout(TIMEOUT)
+
+		/** Verifies name canonicalization (charset_normalizer → charset-normalizer). */
+		test('name canonicalization: charset_normalizer resolved as charset-normalizer', async () => {
+			let result = await pipProvider.provideStack(path.join(pipFixtureDir, 'pyproject.toml'))
+			let sbom = JSON.parse(result.content)
+			let pkg = sbom.components.find(c => c.name === 'charset-normalizer')
+			expect(pkg).to.exist
+			expect(pkg.version).to.equal('3.4.7')
+		}).timeout(TIMEOUT)
+	})
+
 	test('validateLockFile returns false when no lock file is present', () => {
 		let tmpDir = 'test/providers/tst_manifests/pyproject/no_lock_file_dummy'
 		fs.mkdirSync(tmpDir, { recursive: true })
 
@@ -0,0 +1,36 @@
+{
+	"bomFormat": "CycloneDX",
+	"specVersion": "1.4",
+	"version": 1,
+	"metadata": {
+		"timestamp": "2023-10-01T00:00:00.000Z",
+		"component": {
+			"name": "test-project",
+			"version": "1.0.0",
+			"purl": "pkg:pypi/test-project@1.0.0",
+			"type": "application",
+			"bom-ref": "pkg:pypi/test-project@1.0.0"
+		}
+	},
+	"components": [
+		{
+			"name": "requests",
+			"version": "2.33.1",
+			"purl": "pkg:pypi/requests@2.33.1",
+			"type": "library",
+			"bom-ref": "pkg:pypi/requests@2.33.1"
+		}
+	],
+	"dependencies": [
+		{
+			"ref": "pkg:pypi/test-project@1.0.0",
+			"dependsOn": [
+				"pkg:pypi/requests@2.33.1"
+			]
+		},
+		{
+			"ref": "pkg:pypi/requests@2.33.1",
+			"dependsOn": []
+		}
+	]
+}