
Poetry and Archive analyzers fail when run together after building project #6356

@andrewm-aero

Describe the bug
When poetry build is executed, a tar.gz file is produced in the dist subdirectory, which contains the source code, along with the pyproject.toml file, per PEP-517. This tarball will not contain the poetry.lock file, as it is not part of the PEP.

If dependency-check is executed following a poetry build, this tarball is extracted, then detected as a Poetry project, due to the presence of the pyproject.toml file. The Poetry analyzer then fails due to the poetry.lock file's absence.

This behavior can be reproduced with any Poetry project, even the default template one generated by poetry init.

Version of dependency-check used
Docker image docker.io/owasp/dependency-check:9.0.7

Log file
Redacted excerpt follows

...
2024-01-03 17:01:38,806 org.owasp.dependencycheck.Engine:812
DEBUG - Parallel processing with up to 30 threads: Archive Analyzer.
2024-01-03 17:01:38,808 org.owasp.dependencycheck.AnalysisTask:86
DEBUG - Begin Analysis of '/home/jenkins/agent/workspace/<redacted>/dist/<redacted>.tar.gz' (Archive Analyzer)
2024-01-03 17:01:38,823 org.owasp.dependencycheck.analyzer.ArchiveAnalyzer:712
DEBUG - Decompressing '/tmp/dctempc8d64938-ac96-49be-9024-479cce48b807/check16690950676736243985tmp/1/<redacted>.tar'
2024-01-03 17:01:38,850 org.owasp.dependencycheck.analyzer.ArchiveAnalyzer:684
DEBUG - Extracting '/tmp/dctempc8d64938-ac96-49be-9024-479cce48b807/check16690950676736243985tmp/2/<redacted>/build.py'
2024-01-03 17:01:38,851 org.owasp.dependencycheck.analyzer.ArchiveAnalyzer:684
DEBUG - Extracting '/tmp/dctempc8d64938-ac96-49be-9024-479cce48b807/check16690950676736243985tmp/2/<redacted>/pyproject.toml'
2024-01-03 17:01:38,852 org.owasp.dependencycheck.analyzer.ArchiveAnalyzer:684
DEBUG - Extracting '/tmp/dctempc8d64938-ac96-49be-9024-479cce48b807/check16690950676736243985tmp/2/<redacted>/<redacted>/__init__.py'
2024-01-03 17:01:38,853 org.owasp.dependencycheck.analyzer.ArchiveAnalyzer:684
DEBUG - Extracting '/tmp/dctempc8d64938-ac96-49be-9024-479cce48b807/check16690950676736243985tmp/2/<redacted>/<redacted>/<redacted>.py'
...
2024-01-03 17:01:38,853 org.owasp.dependencycheck.analyzer.ArchiveAnalyzer:684
DEBUG - Extracting '/tmp/dctempc8d64938-ac96-49be-9024-479cce48b807/check16690950676736243985tmp/2/<redacted>/PKG-INFO'
...
2024-01-03 17:01:38,955 org.owasp.dependencycheck.analyzer.PoetryAnalyzer:145
DEBUG - Checking file /tmp/dctempc8d64938-ac96-49be-9024-479cce48b807/check16690950676736243985tmp/2/<redacted>/pyproject.toml
2024-01-03 17:01:38,955 org.owasp.dependencycheck.AnalysisTask:90
WARN  - An error occurred while analyzing '/tmp/dctempc8d64938-ac96-49be-9024-479cce48b807/check16690950676736243985tmp/2/<redacted>/pyproject.toml' (Poetry Analyzer).
2024-01-03 17:01:38,957 org.owasp.dependencycheck.AnalysisTask:91
DEBUG - 
org.owasp.dependencycheck.analyzer.exception.AnalysisException: Python `pyproject.toml` found and there is not a `poetry.lock` or `requirements.txt` - analysis will be incomplete
	at org.owasp.dependencycheck.analyzer.PoetryAnalyzer.ensureLock(PoetryAnalyzer.java:208)
	at org.owasp.dependencycheck.analyzer.PoetryAnalyzer.analyzeDependency(PoetryAnalyzer.java:152)
	at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
	at java.base/java.lang.Thread.run(Thread.java:840)
...

To Reproduce

poetry init
poetry build
dependency-check.sh

Expected behavior
The scan to succeed.

Additional context
N/A
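A pre-scan check for the situation in this report, added here as example code (not part of dependency-check or Poetry): it inspects a built sdist in memory and lists the directories whose pyproject.toml has neither a poetry.lock nor a requirements.txt beside it, the condition the Poetry analyzer's exception names. The tarball contents and the mypkg name are constructed.

```python
import io
import tarfile

def make_sdist(files: dict) -> bytes:
    """Build a constructed in-memory tar.gz shaped like `poetry build` output."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in files.items():
            data = text.encode("utf-8")
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def sdist_lock_status(tar_bytes: bytes) -> dict:
    """Report, per directory inside the sdist, which of the files the Poetry
    analyzer looks for are present: pyproject.toml, poetry.lock, requirements.txt."""
    wanted = ("pyproject.toml", "poetry.lock", "requirements.txt")
    dirs = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            parent, _, name = member.name.rpartition("/")
            if name in wanted:
                dirs.setdefault(parent, set()).add(name)
    return dirs

def would_trip_poetry_analyzer(tar_bytes: bytes) -> list:
    """Directories matching the failing condition from the log: a pyproject.toml
    with neither poetry.lock nor requirements.txt next to it."""
    return sorted(
        d for d, found in sdist_lock_status(tar_bytes).items()
        if "pyproject.toml" in found and not found & {"poetry.lock", "requirements.txt"}
    )

# Constructed sample matching the extracted file list in the report:
# pyproject.toml and PKG-INFO present, poetry.lock absent (as PEP 517 allows).
SAMPLE_SDIST = make_sdist({
    "mypkg-0.1.0/pyproject.toml": '[tool.poetry]\nname = "mypkg"\nversion = "0.1.0"\n',
    "mypkg-0.1.0/PKG-INFO": "Metadata-Version: 2.1\nName: mypkg\n",
    "mypkg-0.1.0/mypkg/__init__.py": "",
})

if __name__ == "__main__":
    print("would fail:", would_trip_poetry_analyzer(SAMPLE_SDIST))  # ['mypkg-0.1.0']
```

Directories flagged this way can be kept out of the scan with dependency-check's --exclude option, or the scan can be pointed at the source tree, where poetry.lock exists, rather than at dist/.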
