Idetect 5117 - feat(uv): Expand dependency group coverage in UV detector #1794
Open
bd-spratikbharti wants to merge 5 commits into
7614f68 to
228e49a
Compare
Pull request overview
This PR expands Python/uv dependency detection to produce more complete results by default (including all dependency groups and extras) and adds a configuration option to restrict uv scans to specific dependency groups when desired. It also includes related robustness/documentation updates across Python and sbt dependency parsing plus release-note/doc updates.
Changes:
- UV CLI detector: default `uv tree` invocation now includes all extras and all dependency groups; new `detect.uv.dependency.groups.only` property supports scanning only selected dependency groups (with defined precedence vs exclusions).
- Python dependency parsing: pip inspector and setuptools setup.py parsing updated to better handle modern requirement formats (extras/markers/direct references).
- sbt DOT parsing: eviction handling reworked to correctly interpret “Evicted By” edges and avoid reporting evicted/stranded nodes as roots; docs/release notes refreshed.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| src/main/resources/pip-inspector.py | Improves requirement name normalization and metadata-based dependency resolution behavior/documentation. |
| src/main/java/com/blackduck/integration/detect/configuration/DetectPropertyFromVersion.java | Adds 12.0.0 property version marker. |
| src/main/java/com/blackduck/integration/detect/configuration/DetectProperties.java | Introduces detect.uv.dependency.groups.only property definition/help text. |
| src/main/java/com/blackduck/integration/detect/configuration/DetectableOptionFactory.java | Wires new uv “only groups” property into UVDetectorOptions. |
| detectable/src/main/java/com/blackduck/integration/detectable/detectables/uv/UVDetectorOptions.java | Adds “only dependency groups” option storage/accessors. |
| detectable/src/main/java/com/blackduck/integration/detectable/detectables/uv/buildexe/UVBuildExtractor.java | Builds uv tree args to include all extras/groups by default and support --only-group mode with conflict warning. |
| detectable/src/test/java/com/blackduck/integration/detectable/detectables/uv/unit/UVBuildExtractorTest.java | Updates tests to expect new default uv flags. |
| detectable/src/test/java/com/blackduck/integration/detectable/detectables/uv/functional/UVDetectableFunctionalTest.java | Updates functional uv command expectation to include new flags. |
| detectable/src/test/java/com/blackduck/integration/detectable/detectables/uv/functional/UVExcludeDevGroupsFunctionalTest.java | Updates functional excluded-groups command expectation to include new flags. |
| detectable/src/main/java/com/blackduck/integration/detectable/detectables/setuptools/parse/SetupToolsPyParser.java | Adjusts parsing logic/regex to better handle requirements content and list closing. |
| detectable/src/main/java/com/blackduck/integration/detectable/detectables/sbt/dot/SbtRootNodeFinder.java | Reworks root selection in presence of evictions/stranded nodes. |
| detectable/src/main/java/com/blackduck/integration/detectable/detectables/sbt/dot/SbtGraphParserTransformer.java | Reworks eviction replacement and ignores “Evicted By” edges as dependencies. |
| detectable/src/main/java/com/blackduck/integration/detectable/detectables/sbt/dot/SbtDotExtractor.java | Uses new root-finding and eviction parsing flow. |
| detectable/src/main/java/com/blackduck/integration/detectable/detectables/sbt/dot/SbtDotEvictionParser.java | New utility to parse eviction relationships from DOT edges. |
| detectable/src/test/java/com/blackduck/integration/detectable/detectables/sbt/unit/SbtRootNodeFinderTest.java | Updates/expands tests for new sbt root-finding behavior. |
| detectable/src/test/java/com/blackduck/integration/detectable/detectables/sbt/unit/SbtGraphParserTransformerTest.java | Replaces older eviction tests with more realistic DOT fixtures and additional scenarios. |
| detectable/src/test/java/com/blackduck/integration/detectable/detectables/sbt/unit/SbtEvictionNodeUtilTest.java | Removes obsolete eviction util tests (util deleted). |
| detectable/src/main/java/com/blackduck/integration/detectable/detectables/sbt/dot/SbtEvictionNodeUtil.java | Deletes obsolete eviction detection approach. |
| README.md | Updates documentation links. |
| documentation/src/main/markdown/scripts/overview.md | Updates env var description for upload chunk sizing. |
| documentation/src/main/markdown/runningdetect/quack-patch.md | Clarifies output directory reuse behavior. |
| documentation/src/main/markdown/runningdetect/includingexcluding/directories.md | Expands directory exclusion docs (and contains a small API name typo). |
| documentation/src/main/markdown/packagemgrs/python.md | Documents new uv behavior and detect.uv.dependency.groups.only. |
| documentation/src/main/markdown/packagemgrs/docker/releasenotes.md | Small wording substitution to use doc variable. |
| documentation/src/main/markdown/currentreleasenotes.md | Adds/adjusts release note items (contains typos + one duplicate bullet). |
| build.gradle | Updates project version string. |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Restore 3-argument constructor as an overload for existing callers. Delegates to 4-argument constructor with empty onlyDependencyGroups.
2. Add tests for UV --only-group behavior and conflict handling
Test --only-group argument building, exclusion precedence, and edge cases. Covers: single/multiple groups, exclusion conflicts, empty results.
cpottsbd
requested changes
Jun 19, 2026
Reminder to add a release note. ; )
7eb8e02 to
92437d6
Compare
Description
Overview
This PR extends the UV build detector to support broader and more flexible dependency scanning. It introduces complete coverage of dependency groups and extras, along with a new option to focus scans on specific groups when needed.
What's Changing
Inclusive scanning by default
All dependency groups and optional extras defined in pyproject.toml are now included automatically. This ensures Detect provides a comprehensive view of a project’s dependencies without requiring extra configuration.
New property: detect.uv.dependency.groups.only
A configuration property has been added to allow teams to narrow scans to only the groups they care about. For example, setting this property to dev,lint will restrict scanning to those groups, excluding others.
Conflict handling
If both detect.uv.dependency.groups.only and detect.uv.dependency.groups.excluded are set, exclusions take precedence. Detect will log a warning to highlight the overlap.
Why This Matters
These enhancements make the UV detector more adaptable to real‑world projects that use extras or non‑default groups (e.g. test, lint, docs). Teams gain both complete coverage by default and fine‑grained control when needed, improving accuracy and flexibility in dependency audits.