add uv.lock support

[cataggar]

This is an attempt to get uv support started by adding a UvLockComponentDetector.

• Add uv package manager support #1372

Hopefully, I am on the right track. Let me know.

uv is gaining adoption within Microsoft. I have been moving Python projects for Azure that I help manage to it. Relevant sections from a Makefile look like this:

venv:
	# create a virtual environment and download the locked dependencies
	uv sync --locked 2>&1

test:
	# run unit tests
	uv run -m pytest tests
	# check dependencies
	uv run -m deptry . 2>&1

test-coverage:
	# run unit tests along with the code coverage
	uv run -m pytest --cov --cov-config=.coveragerc --cov-report=xml:report.xml
	# check dependencies
	uv run -m deptry . 2>&1

clean:
	rm -rf .venv

lock:
	# updates uv.lock
	uv sync
	# updates requirements.txt for component-detection
	uv pip compile --python-platform linux pyproject.toml -o requirements.txt

The lock target exports a requirements.txt so that this tool can detect security vulnerabilities. See https://docs.astral.sh/uv/concepts/projects/sync/ . This feature would allow us to skip that workaround. It also will allow additional details to be added in follow-up pull requests.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 89.8%. Comparing base (5289cf1) to head (c2d9c07).
Report is 2 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##            main   #1425     +/-   ##
=======================================
+ Coverage   89.6%   89.8%   +0.2%     
=======================================
  Files        404     413      +9     
  Lines      32169   32851    +682     
  Branches    2003    2040     +37     
=======================================
+ Hits       28830   29512    +682     
  Misses      2928    2928             
  Partials     411     411             

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[cataggar]

@grvillic, I created the experiment config as requested. I had to make some adjustments to be able to run it as described in https://github.com/microsoft/component-detection/blob/main/docs/enable-default-off.md, but now I'm able to run it with:

dotnet run --project ./src/Microsoft.ComponentDetection/Microsoft.ComponentDetection.csproj scan --DetectorsFilter UvLock --DetectorArgs UvLock=EnableIfDefaultOff --SourceDirectory $sourceDir

[grvillic]

Double check the tests, they seem to be failing in some environments.

[cataggar]

@grvillic, I fixed the unit tests and removed the DetectorRestrictionService changes, but how to I run just the UvLockDetector locally?

PS C:\Users\cataggar\ms\component-detection> dotnet run --project ./src/Microsoft.ComponentDetection/Microsoft.ComponentDetection.csproj scan --DetectorsFilter UvLock --DetectorArgs UvLock=EnableIfDefaultOff --SourceDirectory $sourceDir
[13:05:57 ERR] An error occurred while executing the command
Microsoft.ComponentDetection.Orchestrator.Exceptions.InvalidDetectorFilterException: Detector 'UvLock' was not found
   at Microsoft.ComponentDetection.Orchestrator.Services.DetectorRestrictionService.ApplyRestrictions(DetectorRestrictions restrictions, IEnumerable`1 detectors) in C:\Users\cataggar\ms\component-detection\src\Microsoft.ComponentDetection.Orchestrator\Services\DetectorRestrictionService.cs:line 46
   at Microsoft.ComponentDetection.Orchestrator.Services.ScanExecutionService.ExecuteScanAsync(ScanSettings settings) in C:\Users\cataggar\ms\component-detection\src\Microsoft.ComponentDetection.Orchestrator\Services\ScanExecutionService.cs:line 42
   at Microsoft.ComponentDetection.Orchestrator.Commands.ScanCommand.ExecuteAsync(CommandContext context, ScanSettings settings) in C:\Users\cataggar\ms\component-detection\src\Microsoft.ComponentDetection.Orchestrator\Commands\ScanCommand.cs:line 43
   at Spectre.Console.Cli.CommandExecutor.Execute(CommandTree leaf, CommandTree tree, CommandContext context, ITypeResolver resolver, IConfiguration configuration) in /_/src/Spectre.Console.Cli/Internal/CommandExecutor.cs:line 166

[github-actions]

👋 Hi! It looks like you modified some files in the Detectors folder.
You may need to bump the detector versions if any of the following scenarios apply:

• The detector detects more or fewer components than before
• The detector generates different parent/child graph relationships than before
• The detector generates different devDependencies values than before

If none of the above scenarios apply, feel free to ignore this comment 🙂

[cataggar]

Looks like this should have been DefaultOffComponentDetector to begin with https://github.com/microsoft/component-detection/blob/main/docs/creating-a-new-detector.md#detector-lifecycle.