Description
Trivy's uv parser currently requires exactly one root package in uv.lock (source = { virtual = "." } or source = { editable = "." }). This does not support uv workspace projects:
- Virtual workspaces: the workspace root has no [project] section, so no root package exists in the lockfile. Trivy fails with: WARN [uv] Failed to parse uv lockfile err="failed to parse uv.lock: uv lockfile must contain 1 root package"
- Rooted workspaces: the workspace root has a [project] section, so the root package is found, but workspace member dependencies are misclassified as dev dependencies and suppressed by default. Vulnerabilities in workspace member dependencies are only shown with --include-dev-deps.
Expected Behavior
Trivy should parse uv workspace lockfiles and report vulnerabilities for all workspace members. Workspace members should be marked with RelationshipWorkspace (similar to Cargo workspace handling).
Workspace lockfile structure
uv workspace lockfiles contain a [manifest] section listing workspace members:
[manifest]
members = ["a", "b"]
[[package]]
name = "a"
version = "0.1.0"
source = { editable = "src/a" }
dependencies = [
{ name = "requests" },
]
[[package]]
name = "b"
version = "0.1.0"
source = { editable = "src/b" }
dependencies = [
{ name = "pillow" },
]
Reproduction Steps
mkdir -p /tmp/uv-ws/src/a/src/a /tmp/uv-ws/src/b/src/b
cat > /tmp/uv-ws/pyproject.toml << 'TOML'
[tool.uv.sources]
a = { workspace = true }
b = { workspace = true }
[tool.uv.workspace]
members = ["src/*"]
TOML
cat > /tmp/uv-ws/src/a/pyproject.toml << 'TOML'
[project]
name = "a"
version = "0.1.0"
requires-python = ">=3.13"
dependencies = ["requests==2.32.3"]
[build-system]
requires = ["uv_build>=0.9.25,<0.10.0"]
build-backend = "uv_build"
TOML
cat > /tmp/uv-ws/src/b/pyproject.toml << 'TOML'
[project]
name = "b"
version = "0.1.0"
requires-python = ">=3.13"
dependencies = ["pillow==11.0.0"]
[build-system]
requires = ["uv_build>=0.9.25,<0.10.0"]
build-backend = "uv_build"
TOML
touch /tmp/uv-ws/src/a/src/a/__init__.py /tmp/uv-ws/src/b/src/b/__init__.py
cd /tmp/uv-ws && uv lock && trivy fs .
Virtual workspace result
WARN [uv] Failed to parse uv lockfile err="failed to parse uv.lock: uv lockfile must contain 1 root package"
WARN [report] Supported files for scanner(s) not found. scanners=[vuln]
Rooted workspace result (add [project] section to root pyproject.toml)
INFO Suppressing dependencies for development and testing. To display them, try the '--include-dev-deps' flag.
Report Summary
┌─────────┬──────┬─────────────────┬─────────┐
│ Target │ Type │ Vulnerabilities │ Secrets │
│ uv.lock │ uv │ 0 │ - │
└─────────┴──────┴─────────────────┴─────────┘
With --include-dev-deps, 2 vulnerabilities are found (requests CVE-2024-47081, pillow CVE-2026-25990).
References