pysentry-rs 0.1.5__tar.gz → 0.2.1__tar.gz

pysentry_rs-0.2.1/.github/FUNDING.yml

@@ -0,0 +1 @@
+buy_me_a_coffee: nyudenkov

{pysentry_rs-0.1.5 → pysentry_rs-0.2.1}/.github/workflows/ci.yml

@@ -4,19 +4,21 @@ on:
   push:
     branches: [main]
     paths-ignore:
-      - '**.md'
-      - 'LICENSE'
-      - '.gitignore'
-      - '.editorconfig'
-      - '.github/dependabot.yml'
+      - "**.md"
+      - "LICENSE"
+      - ".gitignore"
+      - ".editorconfig"
+      - ".github/dependabot.yml"
+      - ".github/FUNDING.yml"
   pull_request:
     branches: [main]
     paths-ignore:
-      - '**.md'
-      - 'LICENSE'
-      - '.gitignore'
-      - '.editorconfig'
-      - '.github/dependabot.yml'
+      - "**.md"
+      - "LICENSE"
+      - ".gitignore"
+      - ".editorconfig"
+      - ".github/dependabot.yml"
+      - ".github/FUNDING.yml"
 
 env:
   CARGO_TERM_COLOR: always

{pysentry_rs-0.1.5 → pysentry_rs-0.2.1}/Cargo.lock

@@ -1067,7 +1067,7 @@ dependencies = [
 
 [[package]]
 name = "pysentry"
-version = "0.1.5"
+version = "0.2.1"
 dependencies = [
  "anyhow",
  "async-trait",

{pysentry_rs-0.1.5 → pysentry_rs-0.2.1}/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "pysentry"
-version = "0.1.5"
+version = "0.2.1"
 edition = "2021"
 rust-version = "1.79"
 description = "Security vulnerability auditing for Python packages"

{pysentry_rs-0.1.5 → pysentry_rs-0.2.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: pysentry-rs
-Version: 0.1.5
+Version: 0.2.1
 Classifier: Development Status :: 4 - Beta
 Classifier: Intended Audience :: Developers
 Classifier: License :: OSI Approved :: GNU General Public License v3 (GPLv3)
@@ -26,30 +26,32 @@ Project-URL: Issues, https://github.com/nyudenkov/pysentry/issues
 
 # 🐍 PySentry
 
+[![OSV Integration](https://img.shields.io/badge/OSV-Integrated-blue)](https://google.github.io/osv.dev/)
+
 [Help to test and improve](https://github.com/nyudenkov/pysentry/issues/12)
 
 A fast, reliable security vulnerability scanner for Python projects, written in Rust.
 
 ## Overview
 
-PySentry audits Python projects for known security vulnerabilities by analyzing dependency files (`uv.lock`, `pyproject.toml`, `requirements.txt`) and cross-referencing them against multiple vulnerability databases. It provides comprehensive reporting with support for various output formats and filtering options.
+PySentry audits Python projects for known security vulnerabilities by analyzing dependency files (`uv.lock`, `poetry.lock`, `pyproject.toml`, `requirements.txt`) and cross-referencing them against multiple vulnerability databases. It provides comprehensive reporting with support for various output formats and filtering options.
 
 ## Key Features
 
-- **Multiple Project Formats**: Supports `uv.lock`, `pyproject.toml`, and `requirements.txt` files
+- **Multiple Project Formats**: Supports `uv.lock`, `poetry.lock`, `pyproject.toml`, and `requirements.txt` files
 - **External Resolver Integration**: Leverages `uv` and `pip-tools` for accurate requirements.txt constraint solving
 - **Multiple Data Sources**:
   - PyPA Advisory Database (default)
   - PyPI JSON API
   - OSV.dev (Open Source Vulnerabilities)
-- **Flexible Output**: Human-readable, JSON, and SARIF formats
+- **Flexible Output for different workflows**: Human-readable, JSON, SARIF, and Markdown formats
 - **Performance Focused**:
   - Written in Rust for speed
   - Async/concurrent processing
   - Intelligent caching system
 - **Comprehensive Filtering**:
   - Severity levels (low, medium, high, critical)
-  - Dependency types (production, development, optional)
+  - Dependency scopes (main only vs all [optional, dev, prod, etc] dependencies)
   - Direct vs. transitive dependencies
 - **Enterprise Ready**: SARIF output for IDE/CI integration
 
@@ -174,7 +176,7 @@ pip install pip-tools
   ```
 - Alternatively, install resolvers globally for system-wide availability
 
-**Auto-detection:** PySentry automatically detects and prefers: `uv` > `pip-tools`. Without a resolver, only `uv.lock` and `pyproject.toml` files can be scanned.
+**Auto-detection:** PySentry automatically detects and prefers: `uv` > `pip-tools`. Without a resolver, only `uv.lock` and `poetry.lock` files can be scanned.
 
 ## Quick Start
 
@@ -189,15 +191,15 @@ uvx pysentry-rs /path/to/python/project
 pysentry
 pysentry /path/to/python/project
 
-# Scan requirements.txt (auto-detects resolver)
+# Automatically detects project type (uv.lock, poetry.lock, pyproject.toml, requirements.txt)
 pysentry /path/to/project
 
 # Force specific resolver
 pysentry --resolver uv /path/to/project
 pysentry --resolver pip-tools /path/to/project
 
-# Include development dependencies
-pysentry --dev
+# Include all dependencies (main + dev + optional)
+pysentry --all-extras
 
 # Filter by severity (only show high and critical)
 pysentry --severity high
@@ -210,14 +212,22 @@ pysentry --format json --output audit-results.json
 
 ```bash
 # Using uvx for comprehensive audit
-uvx pysentry-rs --dev --optional --format sarif --output security-report.sarif
+uvx pysentry-rs --all-extras --format sarif --output security-report.sarif
+
+# Check multiple vulnerability sources concurrently
+uvx pysentry-rs --sources pypa,osv,pypi /path/to/project
+uvx pysentry-rs --sources pypa --sources osv --sources pypi
+
+# Generate markdown report
+uvx pysentry-rs --format markdown --output security-report.md
 
-# Check only direct dependencies using OSV database
-uvx pysentry-rs --direct-only --source osv
+# Control CI exit codes - only fail on critical vulnerabilities
+uvx pysentry-rs --fail-on critical
 
 # Or with installed binary
-pysentry --dev --optional --format sarif --output security-report.sarif
-pysentry --direct-only --source osv
+pysentry --all-extras --format sarif --output security-report.sarif
+pysentry --sources pypa,osv --direct-only
+pysentry --format markdown --output security-report.md
 
 # Ignore specific vulnerabilities
 pysentry --ignore CVE-2023-12345 --ignore GHSA-xxxx-yyyy-zzzz
@@ -246,26 +256,45 @@ pysentry /path/to/project
 pysentry --verbose --resolver uv /path/to/project
 ```
 
+### CI/CD Integration Examples
+
+```bash
+# Development environment - only fail on critical vulnerabilities
+pysentry --fail-on critical --format json --output security-report.json
+
+# Staging environment - fail on high+ vulnerabilities
+pysentry --fail-on high --sources pypa,osv --format sarif --output security.sarif
+
+# Production deployment - strict security (fail on medium+, default)
+pysentry --sources pypa,pypi,osv --format json --output prod-security.json
+
+# Generate markdown report for GitHub issues/PRs
+pysentry --format markdown --output SECURITY-REPORT.md
+
+# Comprehensive audit with all sources and full reporting
+pysentry --sources pypa,pypi,osv --all-extras --format json --fail-on low
+```
+
 ## Configuration
 
 ### Command Line Options
 
-| Option           | Description                                           | Default             |
-| ---------------- | ----------------------------------------------------- | ------------------- |
-| `--format`       | Output format: `human`, `json`, `sarif`               | `human`             |
-| `--severity`     | Minimum severity: `low`, `medium`, `high`, `critical` | `low`               |
-| `--source`       | Vulnerability source: `pypa`, `pypi`, `osv`           | `pypa`              |
-| `--dev`          | Include development dependencies                      | `false`             |
-| `--optional`     | Include optional dependencies                         | `false`             |
-| `--direct-only`  | Check only direct dependencies                        | `false`             |
-| `--ignore`       | Vulnerability IDs to ignore (repeatable)              | `[]`                |
-| `--output`       | Output file path                                      | `stdout`            |
-| `--no-cache`     | Disable caching                                       | `false`             |
-| `--cache-dir`    | Custom cache directory                                | `~/.cache/pysentry` |
-| `--verbose`      | Enable verbose output                                 | `false`             |
-| `--quiet`        | Suppress non-error output                             | `false`             |
-| `--resolver`     | Dependency resolver: `auto`, `uv`, `pip-tools`        | `auto`              |
-| `--requirements` | Additional requirements files (repeatable)            | `[]`                |
+| Option           | Description                                             | Default             |
+| ---------------- | ------------------------------------------------------- | ------------------- |
+| `--format`       | Output format: `human`, `json`, `sarif`, `markdown`     | `human`             |
+| `--severity`     | Minimum severity: `low`, `medium`, `high`, `critical`   | `low`               |
+| `--fail-on`      | Fail (exit non-zero) on vulnerabilities ≥ severity      | `medium`            |
+| `--sources`      | Vulnerability sources: `pypa`, `pypi`, `osv` (multiple) | `pypa`              |
+| `--all-extras`   | Include all dependencies (main + dev + optional)        | `false`             |
+| `--direct-only`  | Check only direct dependencies                          | `false`             |
+| `--ignore`       | Vulnerability IDs to ignore (repeatable)                | `[]`                |
+| `--output`       | Output file path                                        | `stdout`            |
+| `--no-cache`     | Disable caching                                         | `false`             |
+| `--cache-dir`    | Custom cache directory                                  | `~/.cache/pysentry` |
+| `--verbose`      | Enable verbose output                                   | `false`             |
+| `--quiet`        | Suppress non-error output                               | `false`             |
+| `--resolver`     | Dependency resolver: `auto`, `uv`, `pip-tools`          | `auto`              |
+| `--requirements` | Additional requirements files (repeatable)              | `[]`                |
 
 ### Cache Management
 
@@ -293,6 +322,23 @@ PySentry has support for `uv.lock` files:
 - Source tracking
 - Dependency classification (main, dev, optional) including transitive dependencies
 
+### poetry.lock Files
+
+Full support for Poetry lock files:
+
+- **Exact Version Resolution**: Scans exact dependency versions locked by Poetry
+- **Lock-File Only Analysis**: Relies purely on the lock file structure, no pyproject.toml parsing needed
+- **Complete Dependency Tree**: Analyzes all resolved dependencies including transitive ones
+- **Dependency Classification**: Distinguishes between main dependencies and optional groups (dev, test, etc.)
+- **Source Tracking**: Supports PyPI registry, Git repositories, local paths, and direct URLs
+
+**Key Features:**
+
+- No external tools required
+- Fast parsing with exact version information
+- Handles Poetry's dependency groups and optional dependencies
+- Perfect for Poetry-managed projects with established lock files
+
 ### requirements.txt Files (External Resolution)
 
 Advanced support for `requirements.txt` files using external dependency resolvers:
@@ -360,6 +406,10 @@ Support for projects without lock files:
 
 Most comfortable to read.
 
+### Markdown
+
+GitHub-friendly format with structured sections and severity indicators. Perfect for documentation, GitHub issues, and security reports.
+
 ### JSON
 
 ```json
@@ -447,7 +497,7 @@ src/
 
 ```bash
 # Ensure you're in a Python project directory
-ls pyproject.toml uv.lock requirements.txt
+ls pyproject.toml uv.lock poetry.lock requirements.txt
 
 # Or specify the path explicitly
 pysentry /path/to/python/project
@@ -494,8 +544,9 @@ pysentry --verbose /path/to/project
 # Check network connectivity
 curl -I https://osv-vulnerabilities.storage.googleapis.com/
 
-# Try with different source
-pysentry --source pypi
+# Try with different or multiple sources
+pysentry --sources pypi
+pysentry --sources pypa,osv
 ```
 
 **Slow requirements.txt resolution**
@@ -524,7 +575,7 @@ pysentry /path/to/python/project
 pysentry --requirements requirements-dev.txt --requirements requirements-test.txt
 
 # Check if higher-priority files exist (they take precedence)
-ls uv.lock pyproject.toml
+ls uv.lock poetry.lock pyproject.toml
 ```
 
 **Performance Issues**

{pysentry_rs-0.1.5 → pysentry_rs-0.2.1}/README.md

@@ -1,29 +1,31 @@
 # 🐍 PySentry
 
+[![OSV Integration](https://img.shields.io/badge/OSV-Integrated-blue)](https://google.github.io/osv.dev/)
+
 [Help to test and improve](https://github.com/nyudenkov/pysentry/issues/12)
 
 A fast, reliable security vulnerability scanner for Python projects, written in Rust.
 
 ## Overview
 
-PySentry audits Python projects for known security vulnerabilities by analyzing dependency files (`uv.lock`, `pyproject.toml`, `requirements.txt`) and cross-referencing them against multiple vulnerability databases. It provides comprehensive reporting with support for various output formats and filtering options.
+PySentry audits Python projects for known security vulnerabilities by analyzing dependency files (`uv.lock`, `poetry.lock`, `pyproject.toml`, `requirements.txt`) and cross-referencing them against multiple vulnerability databases. It provides comprehensive reporting with support for various output formats and filtering options.
 
 ## Key Features
 
-- **Multiple Project Formats**: Supports `uv.lock`, `pyproject.toml`, and `requirements.txt` files
+- **Multiple Project Formats**: Supports `uv.lock`, `poetry.lock`, `pyproject.toml`, and `requirements.txt` files
 - **External Resolver Integration**: Leverages `uv` and `pip-tools` for accurate requirements.txt constraint solving
 - **Multiple Data Sources**:
   - PyPA Advisory Database (default)
   - PyPI JSON API
   - OSV.dev (Open Source Vulnerabilities)
-- **Flexible Output**: Human-readable, JSON, and SARIF formats
+- **Flexible Output for different workflows**: Human-readable, JSON, SARIF, and Markdown formats
 - **Performance Focused**:
   - Written in Rust for speed
   - Async/concurrent processing
   - Intelligent caching system
 - **Comprehensive Filtering**:
   - Severity levels (low, medium, high, critical)
-  - Dependency types (production, development, optional)
+  - Dependency scopes (main only vs all [optional, dev, prod, etc] dependencies)
   - Direct vs. transitive dependencies
 - **Enterprise Ready**: SARIF output for IDE/CI integration
 
@@ -148,7 +150,7 @@ pip install pip-tools
   ```
 - Alternatively, install resolvers globally for system-wide availability
 
-**Auto-detection:** PySentry automatically detects and prefers: `uv` > `pip-tools`. Without a resolver, only `uv.lock` and `pyproject.toml` files can be scanned.
+**Auto-detection:** PySentry automatically detects and prefers: `uv` > `pip-tools`. Without a resolver, only `uv.lock` and `poetry.lock` files can be scanned.
 
 ## Quick Start
 
@@ -163,15 +165,15 @@ uvx pysentry-rs /path/to/python/project
 pysentry
 pysentry /path/to/python/project
 
-# Scan requirements.txt (auto-detects resolver)
+# Automatically detects project type (uv.lock, poetry.lock, pyproject.toml, requirements.txt)
 pysentry /path/to/project
 
 # Force specific resolver
 pysentry --resolver uv /path/to/project
 pysentry --resolver pip-tools /path/to/project
 
-# Include development dependencies
-pysentry --dev
+# Include all dependencies (main + dev + optional)
+pysentry --all-extras
 
 # Filter by severity (only show high and critical)
 pysentry --severity high
@@ -184,14 +186,22 @@ pysentry --format json --output audit-results.json
 
 ```bash
 # Using uvx for comprehensive audit
-uvx pysentry-rs --dev --optional --format sarif --output security-report.sarif
+uvx pysentry-rs --all-extras --format sarif --output security-report.sarif
+
+# Check multiple vulnerability sources concurrently
+uvx pysentry-rs --sources pypa,osv,pypi /path/to/project
+uvx pysentry-rs --sources pypa --sources osv --sources pypi
+
+# Generate markdown report
+uvx pysentry-rs --format markdown --output security-report.md
 
-# Check only direct dependencies using OSV database
-uvx pysentry-rs --direct-only --source osv
+# Control CI exit codes - only fail on critical vulnerabilities
+uvx pysentry-rs --fail-on critical
 
 # Or with installed binary
-pysentry --dev --optional --format sarif --output security-report.sarif
-pysentry --direct-only --source osv
+pysentry --all-extras --format sarif --output security-report.sarif
+pysentry --sources pypa,osv --direct-only
+pysentry --format markdown --output security-report.md
 
 # Ignore specific vulnerabilities
 pysentry --ignore CVE-2023-12345 --ignore GHSA-xxxx-yyyy-zzzz
@@ -220,26 +230,45 @@ pysentry /path/to/project
 pysentry --verbose --resolver uv /path/to/project
 ```
 
+### CI/CD Integration Examples
+
+```bash
+# Development environment - only fail on critical vulnerabilities
+pysentry --fail-on critical --format json --output security-report.json
+
+# Staging environment - fail on high+ vulnerabilities
+pysentry --fail-on high --sources pypa,osv --format sarif --output security.sarif
+
+# Production deployment - strict security (fail on medium+, default)
+pysentry --sources pypa,pypi,osv --format json --output prod-security.json
+
+# Generate markdown report for GitHub issues/PRs
+pysentry --format markdown --output SECURITY-REPORT.md
+
+# Comprehensive audit with all sources and full reporting
+pysentry --sources pypa,pypi,osv --all-extras --format json --fail-on low
+```
+
 ## Configuration
 
 ### Command Line Options
 
-| Option           | Description                                           | Default             |
-| ---------------- | ----------------------------------------------------- | ------------------- |
-| `--format`       | Output format: `human`, `json`, `sarif`               | `human`             |
-| `--severity`     | Minimum severity: `low`, `medium`, `high`, `critical` | `low`               |
-| `--source`       | Vulnerability source: `pypa`, `pypi`, `osv`           | `pypa`              |
-| `--dev`          | Include development dependencies                      | `false`             |
-| `--optional`     | Include optional dependencies                         | `false`             |
-| `--direct-only`  | Check only direct dependencies                        | `false`             |
-| `--ignore`       | Vulnerability IDs to ignore (repeatable)              | `[]`                |
-| `--output`       | Output file path                                      | `stdout`            |
-| `--no-cache`     | Disable caching                                       | `false`             |
-| `--cache-dir`    | Custom cache directory                                | `~/.cache/pysentry` |
-| `--verbose`      | Enable verbose output                                 | `false`             |
-| `--quiet`        | Suppress non-error output                             | `false`             |
-| `--resolver`     | Dependency resolver: `auto`, `uv`, `pip-tools`        | `auto`              |
-| `--requirements` | Additional requirements files (repeatable)            | `[]`                |
+| Option           | Description                                             | Default             |
+| ---------------- | ------------------------------------------------------- | ------------------- |
+| `--format`       | Output format: `human`, `json`, `sarif`, `markdown`     | `human`             |
+| `--severity`     | Minimum severity: `low`, `medium`, `high`, `critical`   | `low`               |
+| `--fail-on`      | Fail (exit non-zero) on vulnerabilities ≥ severity      | `medium`            |
+| `--sources`      | Vulnerability sources: `pypa`, `pypi`, `osv` (multiple) | `pypa`              |
+| `--all-extras`   | Include all dependencies (main + dev + optional)        | `false`             |
+| `--direct-only`  | Check only direct dependencies                          | `false`             |
+| `--ignore`       | Vulnerability IDs to ignore (repeatable)                | `[]`                |
+| `--output`       | Output file path                                        | `stdout`            |
+| `--no-cache`     | Disable caching                                         | `false`             |
+| `--cache-dir`    | Custom cache directory                                  | `~/.cache/pysentry` |
+| `--verbose`      | Enable verbose output                                   | `false`             |
+| `--quiet`        | Suppress non-error output                               | `false`             |
+| `--resolver`     | Dependency resolver: `auto`, `uv`, `pip-tools`          | `auto`              |
+| `--requirements` | Additional requirements files (repeatable)              | `[]`                |
 
 ### Cache Management
 
@@ -267,6 +296,23 @@ PySentry has support for `uv.lock` files:
 - Source tracking
 - Dependency classification (main, dev, optional) including transitive dependencies
 
+### poetry.lock Files
+
+Full support for Poetry lock files:
+
+- **Exact Version Resolution**: Scans exact dependency versions locked by Poetry
+- **Lock-File Only Analysis**: Relies purely on the lock file structure, no pyproject.toml parsing needed
+- **Complete Dependency Tree**: Analyzes all resolved dependencies including transitive ones
+- **Dependency Classification**: Distinguishes between main dependencies and optional groups (dev, test, etc.)
+- **Source Tracking**: Supports PyPI registry, Git repositories, local paths, and direct URLs
+
+**Key Features:**
+
+- No external tools required
+- Fast parsing with exact version information
+- Handles Poetry's dependency groups and optional dependencies
+- Perfect for Poetry-managed projects with established lock files
+
 ### requirements.txt Files (External Resolution)
 
 Advanced support for `requirements.txt` files using external dependency resolvers:
@@ -334,6 +380,10 @@ Support for projects without lock files:
 
 Most comfortable to read.
 
+### Markdown
+
+GitHub-friendly format with structured sections and severity indicators. Perfect for documentation, GitHub issues, and security reports.
+
 ### JSON
 
 ```json
@@ -421,7 +471,7 @@ src/
 
 ```bash
 # Ensure you're in a Python project directory
-ls pyproject.toml uv.lock requirements.txt
+ls pyproject.toml uv.lock poetry.lock requirements.txt
 
 # Or specify the path explicitly
 pysentry /path/to/python/project
@@ -468,8 +518,9 @@ pysentry --verbose /path/to/project
 # Check network connectivity
 curl -I https://osv-vulnerabilities.storage.googleapis.com/
 
-# Try with different source
-pysentry --source pypi
+# Try with different or multiple sources
+pysentry --sources pypi
+pysentry --sources pypa,osv
 ```
 
 **Slow requirements.txt resolution**
@@ -498,7 +549,7 @@ pysentry /path/to/python/project
 pysentry --requirements requirements-dev.txt --requirements requirements-test.txt
 
 # Check if higher-priority files exist (they take precedence)
-ls uv.lock pyproject.toml
+ls uv.lock poetry.lock pyproject.toml
 ```
 
 **Performance Issues**