XRAY-138689 - Add Poetry support for jf ca #768
Phavya-jfrog wants to merge 1 commit into
Previously jf ca had no Poetry support — running it on a Poetry project either fell back to the pip code path or produced incomplete results. This PR adds full Poetry (1.x and 2.x) support.
What changed:
- **Curation install via Artifactory** — points Poetry's source at the api/curation/audit// endpoint and runs poetry lock against a temporary copy of the project, so all resolution routes through curation and 403 responses surface blocked packages. The user's pyproject.toml and poetry.lock are never modified. The original source name is preserved in the temp copy so existing poetry.lock entries stay valid.
- **Smart lock handling** — checks whether poetry.lock is missing, stale, or up-to-date before changing the source URL (Poetry 1.x stores the URL in the lock and would otherwise always look stale). Generates, refreshes, or skips the lock accordingly, with automatic fallbacks for both Poetry 1.x and 2.x flag differences.
- **Blocked package table from poetry.lock** — parses both v1 and v2 lock layouts and probes Artifactory for each package so blocked ones show up in the same table users already see for npm/pip.
- **CVS-blocked detection for Poetry** — Poetry reports CVS-hidden versions as "doesn't match any versions" instead of a 403; that pattern is now picked up and rendered as a blocked package.
- **Graceful 403 handling** — Poetry-emitted 403s now render the standard curation-blocked message instead of raw Poetry output.
- **Minimum Poetry version** — 1.2.0 required for curation, with a clear error otherwise.
Testing done is documented here https://jfrog-int.atlassian.net/browse/XRAY-141531
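The two parsing steps the description relies on, reading package entries out of a poetry.lock in either the 1.x or 2.x layout and turning Poetry's "doesn't match any versions" solver line into a blocked-package row, as an added Go illustration. This is not the PR's code: the exact solver message wording, the `LockedPackage` type and the function names are assumptions, and the parser reads only the keys it needs rather than implementing TOML.

```go
package main

import (
	"bufio"
	"regexp"
	"strings"
)

// LockedPackage is one [[package]] entry from poetry.lock, or a package Poetry refused to resolve.
type LockedPackage struct{ Name, Version string }
// ParsePoetryLock reads package name/version pairs and the lock-version from a poetry.lock in
// either the 1.x ([metadata.files]) or 2.x (per-package files) layout. Not a full TOML parser.
func ParsePoetryLock(lock string) (pkgs []LockedPackage, lockVersion string) {
	section := "" // TOML table currently being read
	sc := bufio.NewScanner(strings.NewReader(lock))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, "[") { // [[package]], [package.source], [metadata], ...
			section = strings.Trim(line, "[]")
			if section == "package" {
				pkgs = append(pkgs, LockedPackage{})
			}
			continue
		}
		key, val, ok := strings.Cut(line, " = ")
		if !ok || !strings.HasPrefix(val, "\"") { // keep only `key = "string"` lines
			continue
		}
		val = strings.Trim(val, "\"")
		switch {
		case section == "package" && key == "name":
			pkgs[len(pkgs)-1].Name = val
		case section == "package" && key == "version":
			pkgs[len(pkgs)-1].Version = val
		case section == "metadata" && key == "lock-version":
			lockVersion = val
		}
	}
	return pkgs, lockVersion
}

// cvsBlocked matches Poetry's solver wording for a version that curation hid (assumed message shape).
var cvsBlocked = regexp.MustCompile(`depends on (\S+) \(([^)]+)\) which doesn't match any versions`)
// DetectCVSBlocked turns those solver lines into rows for the blocked-package table.
func DetectCVSBlocked(poetryOutput string) (blocked []LockedPackage) {
	for _, m := range cvsBlocked.FindAllStringSubmatch(poetryOutput, -1) {
		blocked = append(blocked, LockedPackage{Name: m[1], Version: m[2]})
	}
	return blocked
}
```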