feat(sbom): extract SHA-256 hashes from uv.lock for uv provider#533
Open
a-oren wants to merge 3 commits into
Conversation
Parse uv.lock TOML to extract SHA-256 artifact hashes (from sdist or wheels entries) and attach them to the dependency graph, so generated CycloneDX SBOMs include per-component hash data. This enables the backend to compare artifact SHAs against the Trusted Libraries registry.

Implements TC-4332
Assisted-by: Claude Code
Reviewer's Guide

This PR extends the Python uv provider to read SHA-256 hashes from uv.lock and attach them to dependency graph entries, updating the CycloneDX SBOM output and corresponding uv-related golden fixtures.

Sequence diagram for uv provider dependency resolution with uv.lock hash attachment

```mermaid
sequenceDiagram
    participant Python_uv
    participant UvExport as _getUvExportOutput
    participant UvParse as _parseUvExport
    participant Fs as fs
    participant Toml as parseToml
    Python_uv->>UvExport: _getUvExportOutput(manifestDir, opts)
    UvExport-->>Python_uv: uvOutput
    Python_uv->>UvParse: _parseUvExport(uvOutput, projectName, workspaceDir)
    UvParse-->>Python_uv: directDeps, graph
    Python_uv->>Fs: readFileSync(workspaceDir/uv.lock, utf-8)
    alt lock file readable
        Fs-->>Python_uv: lockContent
        Python_uv->>Toml: parseToml(lockContent)
        alt TOML parsed
            Toml-->>Python_uv: parsed
            Python_uv->>Python_uv: _attachHashesFromLockFile(lockFilePath, graph)
        else parse error
            Toml-->>Python_uv: [throw]
        end
    else missing lock file
        Fs-->>Python_uv: [throw]
    end
    Python_uv-->>Python_uv: return {directDeps, graph}
```
Hey - I've left some high level feedback:
- The new `_attachHashesFromLockFile` helper silently ignores both file read and TOML parse errors; consider at least debug-level logging so issues with malformed or missing `uv.lock` files are discoverable during troubleshooting.
- The JSDoc for `_attachHashesFromLockFile` still describes the `graph` entries as `{name, version, children}` while `_getDependencyData` now documents `GraphEntry`; it would be good to align this type annotation with the actual `GraphEntry` shape to avoid confusion.
- When attaching hashes, the code overwrites `entry.hashes` unconditionally; if other parts of the pipeline might already populate hashes, you may want to append or merge rather than replace to avoid losing existing data.
- Log errors when uv.lock cannot be read or parsed instead of silently ignoring, so issues are discoverable during troubleshooting
- Align JSDoc graph parameter type with GraphEntry typedef
- Skip hash assignment when entry already has hashes to avoid overwriting data from other pipeline stages

Implements TC-4332
Assisted-by: Claude Code
/review
Summary

- Parse `uv.lock` TOML to extract SHA-256 artifact hashes (from `sdist.hash` or `wheels[0].hash`) and attach them to dependency graph entries
- Generated CycloneDX SBOMs include `hashes` arrays for uv-managed projects

Implements TC-4332
Test plan
🤖 Generated with Claude Code
Summary by Sourcery
Extract SHA-256 hashes from uv.lock and attach them to uv dependency graph entries so generated SBOMs include per-component hash metadata.