feat: Add Uv Python package manager

Signed-off-by: Helio Chissini de Castro <[email protected]>

Author: heliocastro

analyzer/src/funTest/kotlin/PackageManagerFunTest.kt

@@ -69,7 +69,8 @@ class PackageManagerFunTest : WordSpec({
         "spdx-project/project.spdx.yml",
         "spm-app/Package.resolved",
         "spm-lib/Package.swift",
-        "stack/stack.yaml"
+        "stack/stack.yaml",
+        "uv/uv.lock"
     )
 
     val projectDir = tempdir()

helper-cli/src/main/kotlin/commands/repoconfig/GenerateScopeExcludesCommand.kt

@@ -291,6 +291,13 @@ private fun getScopeExcludesForPackageManager(packageManagerName: String): List<
                 comment = "Packages for testing only."
             )
         )
+        "Uv" -> listOf(
+            ScopeExclude(
+                pattern = "dev",
+                reason = ScopeExcludeReason.DEV_DEPENDENCY_OF,
+                comment = "Packages for development only."
+            )
+        )
         "SBT" -> listOf(
             ScopeExclude(
                 pattern = "provided",

integrations/schemas/package-managers-schema.json

@@ -28,6 +28,7 @@
         "Stack",
         "SwiftPM",
         "Unmanaged",
+        "Uv",
         "Yarn",
         "Yarn2"
     ]

plugins/package-managers/python/src/funTest/assets/projects/synthetic/uv/pyproject.toml

@@ -0,0 +1,49 @@
+[project]
+name = "lixo"
+version = "0.1.0"
+description = "Add your description here"
+readme = "README.md"
+requires-python = ">=3.13"
+dependencies = [
+    "graphviz>=0.20.3",
+    "jinja2>=3.1.6",
+]
+
+[dependency-groups]
+dev = [
+    "pytest>=8.3.5",
+    "ruff>=0.9.10",
+]
+
+[tool.ruff]
+fix = true
+line-length = 120
+
+[tool.ruff.lint]
+extend-select = [
+    "E",   # pycodestyle error
+    "W",   # pycodestyle warning
+    "F",   # pyflakes
+    "A",   # flakes8-builtins
+    "COM", # flakes8-commas
+    "C4",  # flake8-comprehensions
+    "Q",   # flake8-quotes
+    "SIM", # flake8-simplify
+    "PTH", # flake8-use-pathlib
+    "I",   # isort
+    "N",   # pep8 naming
+    "UP",  # pyupgrade
+    "S",   # bandit
+]
+ignore = [
+    'N802',   # function name should be lowercase
+    'SIM105', # Suggest contextlib instead of try/except with pass
+    'COM812', # missing-trailing-comma from flake8-commas
+]
+# Allow unused variables when underscore-prefixed.
+dummy-variable-rgx = "^(_+|(_+[a-zA-Z0-9_]*[a-zA-Z0-9]+?))$"
+flake8-tidy-imports.ban-relative-imports = "all"
+isort.required-imports = ["from __future__ import annotations"]
+# Unlike Flake8, default to a complexity level of 10.
+mccabe.max-complexity = 10
+per-file-ignores = {}

plugins/package-managers/python/src/funTest/assets/projects/synthetic/uv/uv.lock

@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2025 The ORT Project Authors (see <https://github.com/oss-review-toolkit/ort/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.ossreviewtoolkit.plugins.packagemanagers.python
+
+import io.kotest.core.spec.style.WordSpec
+import io.kotest.matchers.should
+
+import org.ossreviewtoolkit.analyzer.resolveSingleProject
+import org.ossreviewtoolkit.model.toYaml
+import org.ossreviewtoolkit.utils.test.getAssetFile
+import org.ossreviewtoolkit.utils.test.matchExpectedResult
+
+class UvFunTest : WordSpec({
+    "Python 3" should {
+        "resolve dependencies correctly" {
+            val definitionFile = getAssetFile("projects/synthetic/uv/uv.lock")
+            val expectedResultFile = getAssetFile("projects/synthetic/uv-expected-output.yml")
+
+            val result = UvFactory.create().resolveSingleProject(definitionFile)
+
+            result.toYaml() should matchExpectedResult(expectedResultFile, definitionFile)
+        }
+    }
+})

plugins/package-managers/python/src/funTest/kotlin/UvFunTest.kt

@@ -31,6 +31,8 @@ import org.ossreviewtoolkit.model.config.Excludes
 import org.ossreviewtoolkit.plugins.api.OrtPlugin
 import org.ossreviewtoolkit.plugins.api.OrtPluginOption
 import org.ossreviewtoolkit.plugins.api.PluginDescriptor
+import org.ossreviewtoolkit.plugins.packagemanagers.python.utils.OPTION_PYTHON_VERSION_DEFAULT
+import org.ossreviewtoolkit.plugins.packagemanagers.python.utils.PYTHON_VERSIONS
 import org.ossreviewtoolkit.plugins.packagemanagers.python.utils.PythonInspector
 import org.ossreviewtoolkit.plugins.packagemanagers.python.utils.toOrtPackages
 import org.ossreviewtoolkit.plugins.packagemanagers.python.utils.toOrtProject
@@ -40,9 +42,6 @@ import org.ossreviewtoolkit.utils.ort.showStackTrace
 
 private val OPERATING_SYSTEMS = listOf("linux", "macos", "windows")
 
-private const val OPTION_PYTHON_VERSION_DEFAULT = "3.11"
-internal val PYTHON_VERSIONS = listOf("2.7", "3.6", "3.7", "3.8", "3.9", "3.10", OPTION_PYTHON_VERSION_DEFAULT)
-
 data class PipConfig(
     /**
      * If "true", `python-inspector` resolves dependencies from setup.py files by executing them. This is a potential

plugins/package-managers/python/src/main/kotlin/Pip.kt

@@ -35,6 +35,8 @@ import org.ossreviewtoolkit.model.config.Excludes
 import org.ossreviewtoolkit.plugins.api.OrtPlugin
 import org.ossreviewtoolkit.plugins.api.PluginDescriptor
 import org.ossreviewtoolkit.plugins.packagemanagers.python.utils.PythonInspector
+import org.ossreviewtoolkit.plugins.packagemanagers.python.utils.getPythonVersion
+import org.ossreviewtoolkit.plugins.packagemanagers.python.utils.getPythonVersionConstraint
 import org.ossreviewtoolkit.plugins.packagemanagers.python.utils.toOrtPackages
 import org.ossreviewtoolkit.plugins.packagemanagers.python.utils.toPackageReferences
 import org.ossreviewtoolkit.utils.common.CommandLineTool
@@ -43,9 +45,6 @@ import org.ossreviewtoolkit.utils.common.withoutPrefix
 import org.ossreviewtoolkit.utils.common.withoutSuffix
 import org.ossreviewtoolkit.utils.ort.createOrtTempFile
 
-import org.semver4j.RangesListFactory
-import org.semver4j.Semver
-
 internal object PoetryCommand : CommandLineTool {
     override fun command(workingDir: File?) = "poetry"
 
@@ -157,35 +156,3 @@ internal fun parseScopeNamesFromPyproject(pyprojectFile: File): Set<String> {
 
     return scopes
 }
-
-internal fun getPythonVersion(constraint: String): String? {
-    val rangeLists = constraint.split(',')
-        .map { RangesListFactory.create(it) }
-        .takeIf { it.isNotEmpty() } ?: return null
-
-    return PYTHON_VERSIONS.lastOrNull { version ->
-        rangeLists.all { rangeList ->
-            val semver = Semver.coerce(version)
-            semver != null && rangeList.isSatisfiedBy(semver)
-        }
-    }
-}
-
-internal fun getPythonVersionConstraint(pyprojectTomlFile: File): String? {
-    val dependenciesSection = getTomlSectionContent(pyprojectTomlFile, "tool.poetry.dependencies")
-        ?: return null
-
-    return dependenciesSection.split('\n').firstNotNullOfOrNull {
-        it.trim().withoutPrefix("python = ")
-    }?.removeSurrounding("\"")
-}
-
-private fun getTomlSectionContent(tomlFile: File, sectionName: String): String? {
-    val lines = tomlFile.takeIf { it.isFile }?.readLines() ?: return null
-
-    val sectionHeaderIndex = lines.indexOfFirst { it.trim() == "[$sectionName]" }
-    if (sectionHeaderIndex == -1) return null
-
-    val sectionLines = lines.subList(sectionHeaderIndex + 1, lines.size).takeWhile { !it.trim().startsWith('[') }
-    return sectionLines.joinToString("\n")
-}

plugins/package-managers/python/src/main/kotlin/Poetry.kt

@@ -0,0 +1,138 @@
+/*
+ * Copyright (C) 2022 The ORT Project Authors (see <https://github.com/oss-review-toolkit/ort/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.ossreviewtoolkit.plugins.packagemanagers.python
+
+import java.io.File
+
+import org.apache.logging.log4j.kotlin.logger
+
+import org.ossreviewtoolkit.analyzer.PackageManager
+import org.ossreviewtoolkit.analyzer.PackageManagerFactory
+import org.ossreviewtoolkit.downloader.VersionControlSystem
+import org.ossreviewtoolkit.model.Identifier
+import org.ossreviewtoolkit.model.Project
+import org.ossreviewtoolkit.model.ProjectAnalyzerResult
+import org.ossreviewtoolkit.model.Scope
+import org.ossreviewtoolkit.model.config.AnalyzerConfiguration
+import org.ossreviewtoolkit.model.config.Excludes
+import org.ossreviewtoolkit.plugins.api.OrtPlugin
+import org.ossreviewtoolkit.plugins.api.PluginDescriptor
+import org.ossreviewtoolkit.plugins.packagemanagers.python.utils.PythonInspector
+import org.ossreviewtoolkit.plugins.packagemanagers.python.utils.getPythonVersion
+import org.ossreviewtoolkit.plugins.packagemanagers.python.utils.getPythonVersionConstraint
+import org.ossreviewtoolkit.plugins.packagemanagers.python.utils.toOrtPackages
+import org.ossreviewtoolkit.plugins.packagemanagers.python.utils.toPackageReferences
+import org.ossreviewtoolkit.utils.common.CommandLineTool
+import org.ossreviewtoolkit.utils.common.safeDeleteRecursively
+import org.ossreviewtoolkit.utils.ort.createOrtTempFile
+
+internal object UvCommand : CommandLineTool {
+    override fun command(workingDir: File?) = "uv"
+
+    override fun transformVersion(output: String) = output.substringAfter("version ").removeSuffix(")")
+}
+
+/**
+ * [Uv](https://github.com/astral-sh/uv) package manager for Python.
+ */
+@OrtPlugin(
+    displayName = "Uv",
+    description = "An extremely fast Python package and project manager.",
+    factory = PackageManagerFactory::class
+)
+class Uv(override val descriptor: PluginDescriptor = UvFactory.descriptor, private val config: PipConfig) :
+    PackageManager("Uv") {
+    companion object {
+        /**
+         * The name of the build system requirements and information file used by modern Python packages.
+         */
+        internal const val PYPROJECT_FILENAME = "pyproject.toml"
+    }
+
+    override val globsForDefinitionFiles = listOf("uv.lock")
+
+    override fun resolveDependencies(
+        analysisRoot: File,
+        definitionFile: File,
+        excludes: Excludes,
+        analyzerConfig: AnalyzerConfiguration,
+        labels: Map<String, String>
+    ): List<ProjectAnalyzerResult> {
+        val scopeName = parseScopeNamesFromPyproject(definitionFile.resolveSibling(PYPROJECT_FILENAME))
+        val resultsForScopeName = scopeName.associateWith { inspectLockfile(definitionFile) }
+
+        val packages = resultsForScopeName
+            .flatMap { (_, results) -> results.packages }
+            .toOrtPackages()
+            .distinctBy { it.id }
+            .toSet()
+
+        val project = Project.EMPTY.copy(
+            id = Identifier(
+                type = projectType,
+                namespace = "",
+                name = definitionFile.relativeTo(analysisRoot).path,
+                version = VersionControlSystem.getCloneInfo(definitionFile.parentFile).revision
+            ),
+            definitionFilePath = VersionControlSystem.getPathInfo(definitionFile).path,
+            scopeDependencies = resultsForScopeName.mapTo(mutableSetOf()) { (scopeName, results) ->
+                Scope(scopeName, results.resolvedDependenciesGraph.toPackageReferences())
+            },
+            vcsProcessed = processProjectVcs(definitionFile.parentFile)
+        )
+
+        return listOf(ProjectAnalyzerResult(project, packages))
+    }
+
+    /**
+     * Return the result of running Python inspector against a requirements file generated by exporting the dependencies
+     * in [lockfile] with the scope named [dependencyGroupName] via the `uv export` command.
+     */
+    private fun inspectLockfile(lockfile: File): PythonInspector.Result {
+        val workingDir = lockfile.parentFile
+        val requirementsFile = createOrtTempFile("requirements.txt")
+
+        logger.info { "Generating '${requirementsFile.name}' file in '$workingDir' directory..." }
+
+        val options = listOf(
+            "export",
+            "--no-hashes",
+            "--no-editable",
+            "--all-packages"
+        )
+
+        val requirements = UvCommand.run(workingDir, *options.toTypedArray()).requireSuccess().stdout
+        requirementsFile.writeText(requirements)
+
+        return Pip(config = config, projectType = projectType).runPythonInspector(requirementsFile) {
+            detectPythonVersion(workingDir)
+        }.also {
+            requirementsFile.parentFile.safeDeleteRecursively()
+        }
+    }
+
+    private fun detectPythonVersion(workingDir: File): String? {
+        val pyprojectFile = workingDir.resolve(PYPROJECT_FILENAME)
+        val constraint = getPythonVersionConstraint(pyprojectFile) ?: return null
+        return getPythonVersion(constraint)?.also {
+            logger.info { "Detected Python version '$it' from '$constraint'." }
+        }
+    }
+}