DS analyzer fails for poetry.lock when referenced dependency doesn't have a corresponding [[package]] section

Summary

The Dependency Scanning (DS) analyzer fails to generate an SBOM report when processing poetry.lock files that contain dependency references without corresponding [[package]] sections. This is a valid poetry.lock structure for built-in packages like setuptools, but causes the analyzer to fail entirely.

Steps to reproduce

  1. Create a Python project with Poetry that includes dependencies referencing built-in packages
  2. Generate a poetry.lock file where some dependencies (like setuptools) are referenced but don't have their own [[package]] section
  3. Run dependency scanning on the project
  4. Observe that SBOM generation fails

Example Project

https://gitlab.com/gitlab-org/security-products/tests/python-poetry

The poetry.lock file contains:

[[package]]
name = "pytest"
[package.dependencies]
setuptools = "*"

But no corresponding:

[[package]]
name = "setuptools"
# ... package details

What is the current bug behavior?

The DS analyzer fails to produce an SBOM report when encountering poetry.lock files with dependency references that lack corresponding [[package]] sections, even though this is valid Poetry syntax for built-in/system packages.

What is the expected correct behavior?

The DS analyzer should not abort; it should skip known built-in packages (such as setuptools) that lack a [[package]] section and continue producing the SBOM.

Relevant logs and/or screenshots

The analyzer fails to generate SBOM reports for projects with this valid poetry.lock structure.

[DEBU] [dependency-scanning] [2025-09-15T14:39:33Z] [/go/src/app/scanner/scanner.go:162] ▶ parseable file found /builds/gitlab-org/security-products/tests/python-poetry/poetry.lock
[FATA] [dependency-scanning] [2025-09-15T14:39:33Z] [/go/src/app/cmd/dependency-scanning/main.go:58] ▶ parsing file poetry.lock: package pytest 3.10.1 referenced an unknown dependency setuptools in its dependency list

Output of checks

This affects GitLab.com SaaS dependency scanning functionality.

Possible fixes

The poetry.lock parser should be updated to handle cases where dependencies are referenced in [package.dependencies] sections but don't have corresponding [[package]] sections.

  • ignore the error if the package is setuptools or pip

Edited by Olivier Gonzalez