Poetry dependencies no longer found in Trivy 61.x

[willem-delbare]

Description

Trivy recently made a change to suppress devdeps in Poetry.lockfiles, but it suppresses too many packages.

Having the following code in pyproject.toml will result in a sentry-sdk CVE not being detected.

[tool.poetry.dependencies]
python = ">=3.11,<3.13"
pandas = "1.5.0"

[tool.poetry.group.release]
optional = false

[tool.poetry.group.release.dependencies]
sentry-sdk = {version = "^2.0.0"}

[tool.poetry.group.dev.dependencies]
black = "^24.4.0"

Desired Behavior

Detect the CVE once again

Actual Behavior

No CVE detected

Reproduction Steps

- add pyproject.toml file, generate poetry.lock file
- scan with new trivy
- no CVE pops up for sentry-sdk

Target

Filesystem

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

irrelevant

Operating System

Win

Version

61.1

Checklist

• Run trivy clean --all
• Read the troubleshooting

[nikpivkin]

Hi @willem-delbare !

PEP-735 does not define the concept of developer dependencies, so Trivy counts all dependencies outside the main group tool.poetry.dependencies as dev dependencies.

[willem-delbare]

@nikpivkin That might be true, but the end user will still think it's broken

[nikpivkin]

@knqyf263 WDYT?

[knqyf263]

My understanding is that dependencies defined in a custom group aren’t installed by poetry install, so I think Trivy not detecting them is the correct behavior. They can be detected with --include-dev-deps, but is your point that this flag isn’t obvious enough? For example, if there are any non-main groups defined, do you think the issue could be resolved by emitting an INFO-level log?

[bitterpanda63]

Hi!
The tool.poetry.group.dev.dependencies seems to be recognized by poetry themselves, see PRs such as
https://github.com/python-poetry/poetry-core/pull/754/files

It is also the standard amongst a lot of projects, I think it makes more sense to only mark this specific group as dev dependencies and keep scanning the other groups