fix: catalog uv PEP 723 script lockfiles (*.py.lock) (#4950)

Signed-off-by: Kursat Topcuoglu <7313835+ktopcuoglu@users.noreply.github.com> Co-authored-by: Kursat Topcuoglu <7313835+ktopcuoglu@users.noreply.github.com>
2026-06-17 09:48:24 +02:00 · 2026-06-15 18:34:02 +03:00 · 2026-06-15 18:34:02 +03:00 · 00ca43d24a
commit 00ca43d24a
parent 6a27678036
4 changed files with 7 additions and 1 deletions
--- a/syft/pkg/cataloger/python/capabilities.yaml
+++ b/syft/pkg/cataloger/python/capabilities.yaml
@ -113,6 +113,7 @@ catalogers:
          method: glob # AUTO-GENERATED
          criteria: # AUTO-GENERATED
            - '**/uv.lock'
+            - '**/*.py.lock'
        metadata_types: # AUTO-GENERATED
          - pkg.PythonUvLockEntry
        package_types: # AUTO-GENERATED
--- a/syft/pkg/cataloger/python/cataloger.go
+++ b/syft/pkg/cataloger/python/cataloger.go
@ -23,7 +23,10 @@ func NewPackageCataloger(cfg CatalogerConfig) pkg.Cataloger {
 		WithParserByGlobs(poetryLockParser.parsePoetryLock, "**/poetry.lock").
 		WithParserByGlobs(pipfileLockParser.parsePipfileLock, "**/Pipfile.lock").
 		WithParserByGlobs(setupFileParser.parseSetupFile, "**/setup.py").
-		WithParserByGlobs(uvLockParser.parseUvLock, "**/uv.lock").
+		// uv lock files are named "uv.lock", but PEP 723 script lock files
+		// (created by "uv lock --script <name>.py") are named "<name>.py.lock"
+		// and use the same format, so catalog both.
+		WithParserByGlobs(uvLockParser.parseUvLock, "**/uv.lock", "**/*.py.lock").
 		WithParserByGlobs(pdmLockParser.parsePdmLock, "**/pdm.lock")
 }

--- a/syft/pkg/cataloger/python/cataloger_test.go
+++ b/syft/pkg/cataloger/python/cataloger_test.go
@ -501,6 +501,7 @@ func Test_IndexCataloger_Globs(t *testing.T) {
 				"src/poetry.lock",
 				"src/Pipfile.lock",
 				"src/uv.lock",
+				"src/script.py.lock",
 				"src/pdm.lock",
 			},
 		},
--- a/syft/pkg/cataloger/python/testdata/glob-paths/src/script.py.lock
+++ b/syft/pkg/cataloger/python/testdata/glob-paths/src/script.py.lock
@ -0,0 +1 @@
+bogus