rye support for Dependency Scanning


Problem to solve

rye is a package manager for Python which supports lock files.

Rye currently uses pip-tools to download and install dependencies. For this purpose it creates two "lockfiles" (called requirements.lock and requirements-dev.lock). These are not real lockfiles but they fulfill a similar purpose until a better solution has been implemented.

Whenever rye sync is called, it will update lockfiles as well as the virtualenv. If you only want to update the lockfiles, then rye lock can be used.

Right now rye isn't supported by Dependency Scanning.

Proposal

Add the ability to parse requirements.lock and requirements-dev.lock files to gemnasium-python. This overlaps with Handle requirements.txt files produced by pip-c... (#418321 - closed), which is about processing requirements.txt as a lock file (instead of having distinct names for lock files).

gemnasium-python should parse these lock files without running any Python command. As a result, the scan would be compatible with any version of Python.
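As an added illustration (not code from gemnasium-python or rye), the following Go function reads the pip-tools style pins from a requirements.lock purely as text, so no Python interpreter is involved; the lock content is a constructed sample, and it assumes the pip-tools conventions described above (a `# via` annotation under each pin, `-e file:.` for the project itself, optional markers after `;`, and backslash-continued `--hash` lines).

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Dependency is one pinned package read from requirements.lock.
type Dependency struct {
	Name    string // PEP 503 normalized project name
	Version string // exact version pinned with ==
}

// Constructed sample in the pip-tools style rye writes; not taken from any real project.
const sampleLock = `# generated by rye

-e file:.
click==8.1.7
    # via flask
Flask[async]==3.0.0 ; python_version >= "3.8"
requests==2.31.0 \
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
typing_extensions==4.9.0
`
// name, optional [extras], "==" and a version that ends at whitespace, ";", "#" or "\".
var pinRe = regexp.MustCompile(`^([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)(?:\[[^\]]*\])?==([^\s;#\\]+)`)
var nameSep = regexp.MustCompile(`[-_.]+`)

// ParseRequirementsLock reads the pins from the text alone; no Python interpreter runs.
func ParseRequirementsLock(content string) ([]Dependency, error) {
	var deps []Dependency
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		// Skip blanks, "# via" notes, "-e file:." (the project itself) and --hash continuation lines.
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, "-") {
			continue
		}
		m := pinRe.FindStringSubmatch(line)
		if m == nil {
			return nil, fmt.Errorf("line %q is not an exact == pin", line)
		}
		name := strings.ToLower(nameSep.ReplaceAllString(m[1], "-"))
		deps = append(deps, Dependency{Name: name, Version: m[2]})
	}
	return deps, sc.Err()
}
```

Any line that is not an exact `==` pin is reported as an error rather than silently skipped, since an unpinned entry means the file is not usable as a lock file.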

See #418321 (comment 1746440053)
