fix(python): skip dev group's deps for poetry (#8106)

Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>

pkg/dependency/parser/python/pyproject/pyproject.go

@@ -4,7 +4,10 @@ import (
 	"io"
 
 	"github.com/BurntSushi/toml"
+	"github.com/samber/lo"
 	"golang.org/x/xerrors"
+
+	"github.com/aquasecurity/trivy/pkg/dependency/parser/python"
 )
 
 type PyProject struct {
@@ -16,7 +19,26 @@ type Tool struct {
 }
 
 type Poetry struct {
-	Dependencies map[string]any `toml:"dependencies"`
+	Dependencies dependencies     `toml:"dependencies"`
+	Groups       map[string]Group `toml:"group"`
+}
+
+type Group struct {
+	Dependencies dependencies `toml:"dependencies"`
+}
+
+type dependencies map[string]struct{}
+
+func (d *dependencies) UnmarshalTOML(data any) error {
+	m, ok := data.(map[string]any)
+	if !ok {
+		return xerrors.Errorf("dependencies must be map, but got: %T", data)
+	}
+
+	*d = lo.MapEntries(m, func(pkgName string, _ any) (string, struct{}) {
+		return python.NormalizePkgName(pkgName), struct{}{}
+	})
+	return nil
 }
 
 // Parser parses pyproject.toml defined in PEP518.
@@ -28,10 +50,10 @@ func NewParser() *Parser {
 	return &Parser{}
 }
 
-func (p *Parser) Parse(r io.Reader) (map[string]any, error) {
+func (p *Parser) Parse(r io.Reader) (PyProject, error) {
 	var conf PyProject
 	if _, err := toml.NewDecoder(r).Decode(&conf); err != nil {
-		return nil, xerrors.Errorf("toml decode error: %w", err)
+		return PyProject{}, xerrors.Errorf("toml decode error: %w", err)
 	}
-	return conf.Tool.Poetry.Dependencies, nil
+	return conf, nil
 }

pkg/dependency/parser/python/pyproject/pyproject_test.go

@@ -15,26 +15,33 @@ func TestParser_Parse(t *testing.T) {
 	tests := []struct {
 		name    string
 		file    string
-		want    map[string]any
+		want    pyproject.PyProject
 		wantErr assert.ErrorAssertionFunc
 	}{
 		{
 			name: "happy path",
 			file: "testdata/happy.toml",
-			want: map[string]any{
-				"flask":  "^1.0",
-				"python": "^3.9",
-				"requests": map[string]any{
-					"version":  "2.28.1",
-					"optional": true,
-				},
-				"virtualenv": []any{
-					map[string]any{
-						"version": "^20.4.3,!=20.4.5,!=20.4.6",
-					},
-					map[string]any{
-						"version": "<20.16.6",
-						"markers": "sys_platform == 'win32' and python_version == '3.9'",
+			want: pyproject.PyProject{
+				Tool: pyproject.Tool{
+					Poetry: pyproject.Poetry{
+						Dependencies: map[string]struct{}{
+							"flask":      {},
+							"python":     {},
+							"requests":   {},
+							"virtualenv": {},
+						},
+						Groups: map[string]pyproject.Group{
+							"dev": {
+								Dependencies: map[string]struct{}{
+									"pytest": {},
+								},
+							},
+							"lint": {
+								Dependencies: map[string]struct{}{
+									"ruff": {},
+								},
+							},
+						},
 					},
 				},
 			},

pkg/dependency/parser/python/pyproject/testdata/happy.toml

@@ -14,6 +14,13 @@ virtualenv = [
 
 [tool.poetry.dev-dependencies]
 
+[tool.poetry.group.dev.dependencies]
+pytest = "8.3.4"
+
+
+[tool.poetry.group.lint.dependencies]
+ruff = "0.8.3"
+
 [build-system]
 requires = ["poetry-core>=1.0.0"]
 build-backend = "poetry.core.masonry.api"