poetry.lock Processor

The poetry.lock processor parses Python poetry.lock files to extract all resolved package dependencies with their exact versions.

Default File

poetry.lock

What It Does

poetry.lock is a TOML-formatted lock file generated by Poetry that contains the exact resolved versions of all dependencies.

The processor:

  • Extracts all packages from the lock file (both direct and transitive dependencies)
  • Captures exact versions from the version field
  • Processes all categories - both main and dev dependencies are included

Supported Formats

Package with Name and Version

```toml
[[package]]
name = "requests"
version = "2.31.0"
description = "Python HTTP for Humans."
category = "main"
optional = false
python-versions = ">=3.7"
```

Result: Package requests with version 2.31.0

Malformed Entry

```toml
[[package]]
name = "incomplete-package"
# Missing version field
```

Result: Entry skipped (both name and version are required)

What It Doesn't Detect

The poetry.lock scanner only processes package entries in lock files. It does not detect:

Malformed entries:

  • Missing name field - Package entries without a name are skipped
  • Missing version field - Package entries without a version are skipped

Not detected from the project:

  • Standalone pyproject.toml files - Only poetry.lock is supported; pyproject.toml alone is not processed
  • Dependencies not in poetry.lock - Any packages installed or used that are not listed in the lock file
  • Manually copied Python libraries - Code copied directly into your project
  • Embedded or copy-pasted code - Open source code integrated without declaring dependencies

WARNING

Ensure the lock file is up to date before scanning:

```bash
poetry lock --no-update
```

For complete open source detection including undeclared components and copied code, enable the OSS Knowledge Base scanning option in the Scanners step, which analyzes actual file content to identify all open source usage.