From 00ca43d24aef65f256dbadcc9f00f3b5f9360181 Mon Sep 17 00:00:00 2001
From: Kursat Topcuoglu
Date: Mon, 15 Jun 2026 18:34:02 +0300
Subject: [PATCH] fix: catalog uv PEP 723 script lockfiles (*.py.lock) (#4950)
Signed-off-by: Kursat Topcuoglu <7313835+ktopcuoglu@users.noreply.github.com>
Co-authored-by: Kursat Topcuoglu <7313835+ktopcuoglu@users.noreply.github.com>
---
 syft/pkg/cataloger/python/capabilities.yaml | 1 +
 syft/pkg/cataloger/python/cataloger.go | 5 ++++-
 syft/pkg/cataloger/python/cataloger_test.go | 1 +
 .../cataloger/python/testdata/glob-paths/src/script.py.lock | 1 +
 4 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 syft/pkg/cataloger/python/testdata/glob-paths/src/script.py.lock
diff --git a/syft/pkg/cataloger/python/capabilities.yaml b/syft/pkg/cataloger/python/capabilities.yaml
index 30211eb71..dfbadc272 100644
--- a/syft/pkg/cataloger/python/capabilities.yaml
+++ b/syft/pkg/cataloger/python/capabilities.yaml
@@ -113,6 +113,7 @@ catalogers:
 method: glob # AUTO-GENERATED
 criteria: # AUTO-GENERATED
 - '**/uv.lock'
+ - '**/*.py.lock'
 metadata_types: # AUTO-GENERATED
 - pkg.PythonUvLockEntry
 package_types: # AUTO-GENERATED
diff --git a/syft/pkg/cataloger/python/cataloger.go b/syft/pkg/cataloger/python/cataloger.go
index dffc7b3fb..d7854b784 100644
--- a/syft/pkg/cataloger/python/cataloger.go
+++ b/syft/pkg/cataloger/python/cataloger.go
@@ -23,7 +23,10 @@ func NewPackageCataloger(cfg CatalogerConfig) pkg.Cataloger {
 WithParserByGlobs(poetryLockParser.parsePoetryLock, "**/poetry.lock").
 WithParserByGlobs(pipfileLockParser.parsePipfileLock, "**/Pipfile.lock").
 WithParserByGlobs(setupFileParser.parseSetupFile, "**/setup.py").
- WithParserByGlobs(uvLockParser.parseUvLock, "**/uv.lock").
+ // uv lock files are named "uv.lock", but PEP 723 script lock files
+ // (created by "uv lock --script .py") are named ".py.lock"
+ // and use the same format, so catalog both.
+ WithParserByGlobs(uvLockParser.parseUvLock, "**/uv.lock", "**/*.py.lock").
 WithParserByGlobs(pdmLockParser.parsePdmLock, "**/pdm.lock")
 }
diff --git a/syft/pkg/cataloger/python/cataloger_test.go b/syft/pkg/cataloger/python/cataloger_test.go
index 3d9f64311..8da2c6092 100644
--- a/syft/pkg/cataloger/python/cataloger_test.go
+++ b/syft/pkg/cataloger/python/cataloger_test.go
@@ -501,6 +501,7 @@ func Test_IndexCataloger_Globs(t *testing.T) {
 "src/poetry.lock",
 "src/Pipfile.lock",
 "src/uv.lock",
+ "src/script.py.lock",
 "src/pdm.lock",
 },
 },
diff --git a/syft/pkg/cataloger/python/testdata/glob-paths/src/script.py.lock b/syft/pkg/cataloger/python/testdata/glob-paths/src/script.py.lock
new file mode 100644
index 000000000..5ffba7b57
--- /dev/null
+++ b/syft/pkg/cataloger/python/testdata/glob-paths/src/script.py.lock
@@ -0,0 +1 @@
+bogus
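Review bot: In cataloger.go the new `"**/*.py.lock"` glob selects files by suffix alone, so any file whose name ends in `.py.lock` is now handed to `uvLockParser.parseUvLock`, whether or not uv wrote it. How the parser reacts to content that is not a uv lockfile is not visible in this hunk; for an SBOM either a scan-level error or silently emitted packages would distort the inventory, so I would state the expectation beside the glob, e.g. `// matched by name only; parseUvLock must return no packages for non-uv content`, and verify it in the parser. The added comment also reads as if a placeholder was dropped (`--script .py`, `".py.lock"`); if that is in the file rather than a rendering artifact, `"uv lock --script <script>.py"` and `"<script>.py.lock"` would be clearer. The body of NewPackageCataloger begins before this hunk.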
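Review bot: In cataloger_test.go the added `"src/script.py.lock"` entry only proves that the glob selects the file, because the new fixture holds the single word `bogus`; nothing in this commit runs `parseUvLock` against a real PEP 723 script lockfile. The comment in cataloger.go asserts that the format is the same, so a parser-level test with a small lockfile produced by `uv lock --script` would pin that assumption, in particular that packages are still reported when the file carries no project root entry, which I would expect of a script lock but cannot confirm from here. A short comment above the entry such as `// glob match only; parsing of script lockfiles is covered in the uv lock parser tests` would make the scope of this case explicit once that test exists. Test_IndexCataloger_Globs continues outside the hunk.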