
Python scanner for poetry.lock doesn't exclude dev dependencies for Poetry >= 1.5.0 #61

Closed
slayo11 opened this issue Apr 10, 2024 · 3 comments · Fixed by #94

Comments

@slayo11

slayo11 commented Apr 10, 2024

Hello,

Starting from poetry 1.5.0 (ref), the "category" field based on which capycli skips dev dependencies is no longer part of the poetry.lock file. #7637

This causes capycli to list all the dependencies, including dev ones, and in our projects to load those into SW360 as well.

I'm not so acquainted with poetry internals, but I guess that a solution would require reading the main dependencies from the pyproject.toml file and resolving the transitive dependencies of the main dependencies from the poetry.lock, as looking only at the lock file isn't enough to exclude dev dependencies.

@tngraf
Collaborator

tngraf commented Apr 10, 2024

This is bad. I even added support for the dev flag to the CycloneDX tool.
But we have to accept their justification: in the end, the lock file format is not officially documented
and they are free to change it.
We could try to use `poetry show --without dev ...`, but this is again a proprietary format,
or maybe use `poetry export -f requirements.txt --output requirements.txt --without-hashes`.
As far as I can see, `--without dev` has no effect on the requirements file.

@slayo11
Author

slayo11 commented Apr 11, 2024

`--without dev` has no effect because it's the default behaviour of the poetry export plugin to not include group dev dependencies (ref).

If you try `poetry export -f requirements.txt --with dev -o requirements.txt --without-hashes`, then we'll obtain a requirements.txt with both main and dev dependencies.

So if going with the export plugin is the way, I think `poetry export -f requirements.txt --output requirements.txt --without-hashes` is the right command.

@tngraf
Collaborator

tngraf commented Oct 28, 2024

cyclonedx-python 5.1.0 still manages to exclude dev dependencies. Their trick seems to be that they also load pyproject.toml and evaluate this file to determine the final list of dependencies.
