Support Poetry (#49)

* Support Poetry

* Fix conflict

* Tidy go.sum

README.md

@@ -75,7 +75,7 @@ See [here](#continuous-integration-ci) for details.
 
 - Detect comprehensive vulnerabilities
   - OS packages (Alpine, **Red Hat Universal Base Image**, Red Hat Enterprise Linux, CentOS, Debian and Ubuntu)
-  - **Application dependencies** (Bundler, Composer, Pipenv, npm, yarn and Cargo)
+  - **Application dependencies** (Bundler, Composer, Pipenv, Poetry, npm, yarn and Cargo)
 - Simple
   - Specify only an image name
   - See [Quick Start](#quick-start) and [Examples](#examples)
@@ -983,6 +983,7 @@ The unfixed/unfixable vulnerabilities mean that the patch has not yet been provi
 
 - Gemfile.lock
 - Pipfile.lock
+- poetry.lock
 - composer.lock
 - package-lock.json
 - yarn.lock

go.mod

@@ -11,7 +11,7 @@ require (
 	github.com/genuinetools/reg v0.16.0
 	github.com/gliderlabs/ssh v0.1.3 // indirect
 	github.com/golang/protobuf v1.3.1 // indirect
-	github.com/knqyf263/fanal v0.0.0-20190521151359-0fd9299f80ad
+	github.com/knqyf263/fanal v0.0.0-20190521154631-a2dde7e171c6
 	github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d
 	github.com/knqyf263/go-dep-parser v0.0.0-20190521150559-1ef8521d17a0
 	github.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936

go.sum

@@ -114,8 +114,8 @@ github.com/kevinburke/ssh_config v0.0.0-20180830205328-81db2a75821e h1:RgQk53JHp
 github.com/kevinburke/ssh_config v0.0.0-20180830205328-81db2a75821e/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/knqyf263/berkeleydb v0.0.0-20190501065933-fafe01fb9662/go.mod h1:bu1CcN4tUtoRcI/B/RFHhxMNKFHVq/c3SV+UTyduoXg=
-github.com/knqyf263/fanal v0.0.0-20190521151359-0fd9299f80ad h1:bb0NViiP1zI6KdnFFkCXSXyn8USU2vPrRNeiQzYY4d4=
-github.com/knqyf263/fanal v0.0.0-20190521151359-0fd9299f80ad/go.mod h1:guPOH3Sfj5M4j/LvCOoWmuYCXnjReDIwJO+S89Fje1E=
+github.com/knqyf263/fanal v0.0.0-20190521154631-a2dde7e171c6 h1:qfIU7I6yo7zWpqqj0Zxt3iWY51N5D3BFUXdMjKjrAXU=
+github.com/knqyf263/fanal v0.0.0-20190521154631-a2dde7e171c6/go.mod h1:guPOH3Sfj5M4j/LvCOoWmuYCXnjReDIwJO+S89Fje1E=
 github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d h1:X4cedH4Kn3JPupAwwWuo4AzYp16P0OyLO9d7OnMZc/c=
 github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d/go.mod h1:o8sgWoz3JADecfc/cTYD92/Et1yMqMy0utV1z+VaZao=
 github.com/knqyf263/go-dep-parser v0.0.0-20190521150559-1ef8521d17a0 h1:DOQ2UbTciy48dV9vpZ25BOiShrWIWZwBdMOy7SD1Wow=

pkg/scanner/library/python/advisory.go

@@ -1,4 +1,4 @@
-package pipenv
+package python
 
 import (
 	"encoding/json"

pkg/scanner/library/python/scan.go

@@ -1,4 +1,4 @@
-package pipenv
+package python
 
 import (
 	"os"
@@ -9,21 +9,24 @@ import (
 	"golang.org/x/xerrors"
 
 	"github.com/knqyf263/go-dep-parser/pkg/pipenv"
+	"github.com/knqyf263/go-dep-parser/pkg/poetry"
 	ptypes "github.com/knqyf263/go-dep-parser/pkg/types"
 	"github.com/knqyf263/go-version"
 	"github.com/knqyf263/trivy/pkg/scanner/utils"
 )
 
 const (
-	scannerType = "pipenv"
+	ScannerTypePipenv = "pipenv"
+	ScannerTypePoetry = "poetry"
 )
 
 type Scanner struct {
-	db AdvisoryDB
+	db          AdvisoryDB
+	scannerType string
 }
 
-func NewScanner() *Scanner {
-	return &Scanner{}
+func NewScanner(scannerType string) *Scanner {
+	return &Scanner{scannerType: scannerType}
 }
 
 func (s *Scanner) Detect(pkgName string, pkgVer *version.Version) ([]vulnerability.DetectedVulnerability, error) {
@@ -63,12 +66,28 @@ func createFixedVersions(specs []string) string {
 }
 
 func (s *Scanner) ParseLockfile(f *os.File) ([]ptypes.Library, error) {
+	if s.Type() == ScannerTypePipenv {
+		return s.parsePipenv(f)
+	}
+	return s.parsePoetry(f)
+}
+
+func (s *Scanner) parsePipenv(f *os.File) ([]ptypes.Library, error) {
 	libs, err := pipenv.Parse(f)
 	if err != nil {
 		return nil, xerrors.Errorf("invalid Pipfile.lock format: %w", err)
 	}
 	return libs, nil
 }
-func (s *Scanner) Type() string {
-	return scannerType
+
+func (s *Scanner) parsePoetry(f *os.File) ([]ptypes.Library, error) {
+	libs, err := poetry.Parse(f)
+	if err != nil {
+		return nil, xerrors.Errorf("invalid poetry.lock format: %w", err)
+	}
+	return libs, nil
+}
+
+func (s *Scanner) Type() string {
+	return s.scannerType
 }

pkg/scanner/library/scan.go

@@ -12,6 +12,7 @@ import (
 	_ "github.com/knqyf263/fanal/analyzer/library/composer"
 	_ "github.com/knqyf263/fanal/analyzer/library/npm"
 	_ "github.com/knqyf263/fanal/analyzer/library/pipenv"
+	_ "github.com/knqyf263/fanal/analyzer/library/poetry"
 	_ "github.com/knqyf263/fanal/analyzer/library/yarn"
 	"github.com/knqyf263/fanal/extractor"
 	ptypes "github.com/knqyf263/go-dep-parser/pkg/types"
@@ -21,7 +22,7 @@ import (
 	"github.com/knqyf263/trivy/pkg/scanner/library/cargo"
 	"github.com/knqyf263/trivy/pkg/scanner/library/composer"
 	"github.com/knqyf263/trivy/pkg/scanner/library/node"
-	"github.com/knqyf263/trivy/pkg/scanner/library/pipenv"
+	"github.com/knqyf263/trivy/pkg/scanner/library/python"
 	"golang.org/x/xerrors"
 )
 
@@ -46,7 +47,9 @@ func NewScanner(filename string) Scanner {
 	case "yarn.lock":
 		scanner = node.NewScanner(node.ScannerTypeYarn)
 	case "Pipfile.lock":
-		scanner = pipenv.NewScanner()
+		scanner = python.NewScanner(python.ScannerTypePipenv)
+	case "poetry.lock":
+		scanner = python.NewScanner(python.ScannerTypePoetry)
 	default:
 		return nil
 	}