Skip to content

fix(supply_chain): parse pyproject.toml with tomllib instead of requirements regex#95

Open
Shrotriya-lalit wants to merge 1 commit into
NVIDIA:mainfrom
Shrotriya-lalit:fix/issue-2-pyproject-toml-parsing
Open

fix(supply_chain): parse pyproject.toml with tomllib instead of requirements regex#95
Shrotriya-lalit wants to merge 1 commit into
NVIDIA:mainfrom
Shrotriya-lalit:fix/issue-2-pyproject-toml-parsing

Conversation

@Shrotriya-lalit

@Shrotriya-lalit Shrotriya-lalit commented Jun 18, 2026

Copy link
Copy Markdown

Problem

_analyze_dependencies routed pyproject.toml through
_extract_packages_from_requirements, a line-by-line regex designed for
requirements.txt format. TOML keys such as requires-python, name,
description, and authors all look like dependency strings to the regex,
producing false-positive SC5/SC6 findings on standard PEP 621 metadata
fields.

Example: a pyproject.toml with name = "myproject" triggered an SC6
(typosquatting) alert for a non-existent package called myproject.

Root Cause

The requirements parser treats every non-comment line as a potential package
specifier. TOML files have a completely different structure and must be parsed
semantically, not line-by-line.

Fix

Add _extract_packages_from_pyproject(content) using tomllib (Python 3.11+
stdlib, no new dependencies) that reads only the three PEP 621 / PEP 517
dependency arrays:

  • [project].dependencies
  • [project.optional-dependencies].<group>
  • [build-system].requires

A frozenset of PEP 621 metadata keys (name, version, description,
authors, …) acts as a secondary guard. Malformed TOML is caught by
TOMLDecodeError and returns [] so the analyzer never crashes.

def _extract_packages_from_pyproject(content: str) -> list[tuple[str, str | None, int]]:
    try:
        data = tomllib.loads(content)
    except tomllib.TOMLDecodeError:
        return []
    # reads only project.dependencies, project.optional-dependencies, build-system.requires
    ...

Tests

  • Standard [project].dependencies extracted correctly
  • [project.optional-dependencies] groups extracted
  • [build-system].requires extracted
  • Malformed TOML returns [] without exception
  • PEP 621 metadata keys (name, version, description) never treated as packages
  • End-to-end false-positive regression: pyproject.toml with metadata fields produces no SC5/SC6 findings

Closes #2

Checklist

  • make lint passes
  • Tests added covering false-positive regression
  • DCO sign-off on commit (git commit -s)

@Shrotriya-lalit
fix(supply_chain): parse pyproject.toml with tomllib instead of requi…
bc507c0 
…rements regex

_analyze_dependencies routed pyproject.toml through
_extract_packages_from_requirements, which treats every TOML key
(requires-python, name, description, authors…) as a package name, causing
false-positive SC5/SC6 findings on metadata fields.

Add _extract_packages_from_pyproject (Python 3.11+ tomllib, stdlib) that reads
only [project].dependencies, [project.optional-dependencies], and
[build-system].requires — the three PEP 621 / PEP 517 dependency arrays.
A frozen set of PEP 621 metadata keys acts as a secondary guard.  Malformed
TOML is caught and returns [] so the analyzer never crashes.

Closes NVIDIA#2

Signed-off-by: Lalit Shrotriya <shrotriya.lalit@outlook.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

False positive: 'requires-python' pyproject field flagged as malicious PyPI package (MAL-2025-41747)

1 participant

@Shrotriya-lalit