feat: set target file for identity

Author: james-snyk

pkg/ecosystems/options.go

@@ -25,6 +25,7 @@ type GlobalOptions struct {
 	AllowOutOfSync                bool                 // Derived from --strict-out-of-sync (inverted); parsed in NewPluginOptionsFromRawFlags.
 	ForceSingleGraph              bool                 `arg:"--force-single-graph"`
 	ForceIncludeWorkspacePackages bool                 `arg:"--internal-uv-workspace-packages"`
+	ProjectName                   *string              `arg:"--project-name"`
 	RawFlags                      []string
 }
 

pkg/ecosystems/orchestrator/orchestrator.go

@@ -229,10 +229,35 @@ func depGraphOutputToSCAResult(output *parsers.DepGraphOutput, ictx workflow.Inv
 
 		if dg.PkgManager.Name != "" {
 			result.ProjectDescriptor.Identity.Type = dg.PkgManager.Name
-			// Extract runtime from depgraph if available
-			result.ProjectDescriptor.Identity.TargetRuntime = &dg.PkgManager.Name
+			result.ProjectDescriptor.Identity.TargetFile = getProjectTargetFileBasedOnType(dg.PkgManager.Name, output.NormalisedTargetFile)
 		}
 	}
 
 	return result, nil
 }
+
+// getProjectTargetFileBasedOnType determines if a plugin sets targetFile based on package manager type.
+// Plugin audit: https://snyksec.atlassian.net/wiki/spaces/TOE1/pages/4651909131/Plugin+Audit
+func getProjectTargetFileBasedOnType(projectType, file string) *string {
+	switch projectType {
+	case "pip":
+		// snyk-python-plugin sets targetFile for Pipfile and setup.py, but not for requirements.txt
+		if strings.HasSuffix(file, "requirements.txt") {
+			return nil
+		}
+		return &file
+	case "gradle":
+		// snyk-gradle-plugin sets targetFile for build.gradle.kts but not for build.gradle
+		if strings.HasSuffix(file, "build.gradle.kts") {
+			return &file
+		}
+		return nil
+	case "poetry", "gomodules", "golangdep", "nuget", "paket", "composer", "cocoapods", "hex", "swift":
+		// These plugins set relative path to provided targetFile
+		return &file
+	case "npm", "yarn", "pnpm", "maven", "sbt", "rubygems":
+		// These plugins do not set plugin.targetFile
+		return nil
+	}
+	return nil
+}

pkg/ecosystems/python/pip/depgraph.go

@@ -65,18 +65,24 @@ func getNodeID(item *InstallItem) string {
 // ToDependencyGraph converts a pip install Report into a DepGraph using the dep-graph builder.
 // The root node represents the project and points to all direct dependencies.
 // The pkgManager parameter specifies the package manager name (e.g., PkgManagerPip, PkgManagerPipenv).
-func (r *Report) ToDependencyGraph(ctx context.Context, log logger.Logger, pkgManager PkgManagerName) (*depgraph.DepGraph, error) {
+// The projectName parameter sets the root package name (defaults to "root" if empty).
+func (r *Report) ToDependencyGraph(ctx context.Context, log logger.Logger, pkgManager PkgManagerName, projectName string) (*depgraph.DepGraph, error) {
 	if r == nil {
 		return nil, fmt.Errorf("report cannot be nil")
 	}
 
 	numPackages := len(r.Install)
 	log.Debug(ctx, "Converting pip report to dependency graph", logger.Attr("total_packages", numPackages))
 
+	// Use provided project name or default to "root"
+	if projectName == "" {
+		projectName = "root"
+	}
+
 	// Create a builder with the specified package manager and a root package
 	builder, err := depgraph.NewBuilder(
 		&depgraph.PkgManager{Name: pkgManager.String()},
-		&depgraph.PkgInfo{Name: "root", Version: "0.0.0"},
+		&depgraph.PkgInfo{Name: projectName, Version: "0.0.0"},
 	)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create depgraph builder: %w", err)

pkg/ecosystems/python/pip/depgraph_test.go

@@ -73,7 +73,7 @@ func TestReport_ToDependencyGraph(t *testing.T) {
 			},
 		}
 
-		dg, err := report.ToDependencyGraph(context.Background(), logger.Nop(), PkgManagerPip)
+		dg, err := report.ToDependencyGraph(context.Background(), logger.Nop(), PkgManagerPip, "")
 		require.NoError(t, err)
 		require.NotNil(t, dg)
 
@@ -137,7 +137,7 @@ func TestReport_ToDependencyGraph(t *testing.T) {
 			},
 		}
 
-		dg, err := report.ToDependencyGraph(context.Background(), logger.Nop(), PkgManagerPip)
+		dg, err := report.ToDependencyGraph(context.Background(), logger.Nop(), PkgManagerPip, "")
 		require.NoError(t, err)
 		require.NotNil(t, dg)
 
@@ -183,7 +183,7 @@ func TestReport_ToDependencyGraph(t *testing.T) {
 			},
 		}
 
-		dg, err := report.ToDependencyGraph(context.Background(), logger.Nop(), PkgManagerPip)
+		dg, err := report.ToDependencyGraph(context.Background(), logger.Nop(), PkgManagerPip, "")
 		require.NoError(t, err)
 		require.NotNil(t, dg)
 
@@ -199,7 +199,7 @@ func TestReport_ToDependencyGraph(t *testing.T) {
 			Install: []InstallItem{},
 		}
 
-		dg, err := report.ToDependencyGraph(context.Background(), logger.Nop(), PkgManagerPip)
+		dg, err := report.ToDependencyGraph(context.Background(), logger.Nop(), PkgManagerPip, "")
 		require.NoError(t, err)
 		require.NotNil(t, dg)
 
@@ -210,7 +210,7 @@ func TestReport_ToDependencyGraph(t *testing.T) {
 
 	t.Run("nil report", func(t *testing.T) {
 		var report *Report
-		_, err := report.ToDependencyGraph(context.Background(), logger.Nop(), PkgManagerPip)
+		_, err := report.ToDependencyGraph(context.Background(), logger.Nop(), PkgManagerPip, "")
 		assert.Error(t, err)
 		assert.Contains(t, err.Error(), "cannot be nil")
 	})
@@ -268,7 +268,7 @@ func TestReport_ToDependencyGraph(t *testing.T) {
 			},
 		}
 
-		dg, err := report.ToDependencyGraph(context.Background(), logger.Nop(), PkgManagerPip)
+		dg, err := report.ToDependencyGraph(context.Background(), logger.Nop(), PkgManagerPip, "")
 		require.NoError(t, err)
 		require.NotNil(t, dg)
 
@@ -330,7 +330,7 @@ func TestReport_ToDependencyGraph(t *testing.T) {
 			},
 		}
 
-		dg, err := report.ToDependencyGraph(context.Background(), logger.Nop(), PkgManagerPip)
+		dg, err := report.ToDependencyGraph(context.Background(), logger.Nop(), PkgManagerPip, "")
 		require.NoError(t, err)
 		require.NotNil(t, dg)
 
@@ -388,7 +388,7 @@ func TestToDependencyGraph_PruningBehavior(t *testing.T) {
 			},
 		}
 
-		dg, err := report.ToDependencyGraph(context.Background(), logger.Nop(), PkgManagerPip)
+		dg, err := report.ToDependencyGraph(context.Background(), logger.Nop(), PkgManagerPip, "")
 		require.NoError(t, err)
 
 		// Find pkg-a's deps
@@ -452,7 +452,7 @@ func TestToDependencyGraph_PruningBehavior(t *testing.T) {
 			},
 		}
 
-		dg, err := report.ToDependencyGraph(context.Background(), logger.Nop(), PkgManagerPip)
+		dg, err := report.ToDependencyGraph(context.Background(), logger.Nop(), PkgManagerPip, "")
 		require.NoError(t, err)
 
 		// Find pkg-a and pkg-b deps
@@ -515,7 +515,7 @@ func TestToDependencyGraph_PruningBehavior(t *testing.T) {
 			},
 		}
 
-		dg, err := report.ToDependencyGraph(context.Background(), logger.Nop(), PkgManagerPip)
+		dg, err := report.ToDependencyGraph(context.Background(), logger.Nop(), PkgManagerPip, "")
 		require.NoError(t, err)
 
 		// Find pkg-c's deps - should only have ONE pkg-d, not duplicated

pkg/ecosystems/python/pip/plugin.go

@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"os/exec"
+	"path/filepath"
 	"strings"
 	"sync"
 
@@ -65,7 +66,8 @@ func (p Plugin) BuildDepGraphsFromDir(
 
 	for _, file := range files {
 		g.Go(func() error {
-			result, err := p.buildDepGraphFromFile(ctx, log, file, pythonVersion, options.Python.NoBuildIsolation)
+			projectName := GetProjectName(file.RelPath, dir, options)
+			result, err := p.buildDepGraphFromFile(ctx, log, file, pythonVersion, options.Python.NoBuildIsolation, projectName)
 			if err != nil {
 				attrs := []logger.Field{
 					logger.Attr(logFieldFile, file.RelPath),
@@ -82,8 +84,7 @@ func (p Plugin) BuildDepGraphsFromDir(
 				result = ecosystems.SCAResult{
 					ProjectDescriptor: identity.ProjectDescriptor{
 						Identity: identity.ProjectIdentity{
-							Type:       "pip",
-							TargetFile: &file.RelPath,
+							Type: "pip",
 						},
 					},
 					Error: err,
@@ -101,9 +102,9 @@ func (p Plugin) BuildDepGraphsFromDir(
 		return nil, fmt.Errorf("error building dependency graphs: %w", err)
 	}
 
-	processedFiles := make([]string, 0, len(results))
-	for _, result := range results {
-		processedFiles = append(processedFiles, result.ProjectDescriptor.GetTargetFile())
+	processedFiles := make([]string, 0, len(files))
+	for _, file := range files {
+		processedFiles = append(processedFiles, file.RelPath)
 	}
 
 	return &ecosystems.PluginResult{
@@ -143,17 +144,43 @@ func (p Plugin) discoverRequirementsFiles(ctx context.Context, dir string, optio
 	return files, nil
 }
 
+// GetProjectName determines the project name based on the file path and options.
+// If --project-name is set, it uses that. Otherwise, it uses the directory name
+// containing the file. For example:
+//   - "project/test/requirements.txt" -> "test"
+//   - "project/requirements.txt" -> "project"
+//   - "requirements.txt" (with scanDir="/path/to/myproject") -> "myproject"
+func GetProjectName(filePath string, scanDir string, options *ecosystems.SCAPluginOptions) string {
+	// If --project-name is explicitly set, use it
+	if options.Global.ProjectName != nil && *options.Global.ProjectName != "" {
+		return *options.Global.ProjectName
+	}
+
+	// Extract the directory name from the file path
+	dir := filepath.Dir(filePath)
+	projectName := filepath.Base(dir)
+
+	// If we're at the root or the directory name is ".", use the scan directory name
+	if projectName == "." || projectName == "/" || projectName == "" {
+		return filepath.Base(scanDir)
+	}
+
+	return projectName
+}
+
 // buildDepGraphFromFile builds a dependency graph from a requirements.txt file.
 func (p Plugin) buildDepGraphFromFile(
 	ctx context.Context,
 	log logger.Logger,
 	file discovery.FindResult,
 	pythonVersion string,
 	noBuildIsolation bool,
+	projectName string,
 ) (ecosystems.SCAResult, error) {
 	log.Debug(ctx, "Building dependency graph",
 		logger.Attr(logFieldFile, file.RelPath),
-		logger.Attr("python_version", pythonVersion))
+		logger.Attr("python_version", pythonVersion),
+		logger.Attr("project_name", projectName))
 
 	// Get pip install report (dry-run, no actual installation)
 	report, err := GetInstallReport(ctx, log, file.Path, noBuildIsolation)
@@ -162,7 +189,7 @@ func (p Plugin) buildDepGraphFromFile(
 	}
 
 	// Convert report to dependency graph
-	depGraph, err := report.ToDependencyGraph(ctx, log, PkgManagerPip)
+	depGraph, err := report.ToDependencyGraph(ctx, log, PkgManagerPip, projectName)
 	if err != nil {
 		return ecosystems.SCAResult{}, fmt.Errorf("failed to convert pip report to dependency graph for %s: %w", file.RelPath, err)
 	}
@@ -174,8 +201,7 @@ func (p Plugin) buildDepGraphFromFile(
 		DepGraph: depGraph,
 		ProjectDescriptor: identity.ProjectDescriptor{
 			Identity: identity.ProjectIdentity{
-				Type:       "pip",
-				TargetFile: &file.RelPath,
+				Type: "pip",
 			},
 		},
 	}, nil

pkg/ecosystems/python/pip/plugin_integration_test.go

@@ -157,7 +157,6 @@ func TestPlugin_BuildDepGraphsFromDir_PipErrors(t *testing.T) {
 			pipResult := result.Results[0]
 
 			// Basic metadata expectations
-			assert.Equal(t, "requirements.txt", pipResult.ProjectDescriptor.GetTargetFile())
 			if pythonVersion != "" && pipResult.ProjectDescriptor.Identity.TargetRuntime != nil {
 				assert.Contains(t, *pipResult.ProjectDescriptor.Identity.TargetRuntime, fmt.Sprintf("python@%s", pythonVersion))
 			}
@@ -234,13 +233,13 @@ func assertResultsMatchExpected(t *testing.T, actual, expected []ecosystems.SCAR
 	sortActual := make([]ecosystems.SCAResult, len(actual))
 	copy(sortActual, actual)
 	sort.Slice(sortActual, func(i, j int) bool {
-		return sortActual[i].ProjectDescriptor.GetTargetFile() < sortActual[j].ProjectDescriptor.GetTargetFile()
+		return sortActual[i].DepGraph.GetRootPkg().Info.Name < sortActual[j].DepGraph.GetRootPkg().Info.Name
 	})
 
 	sortExpected := make([]ecosystems.SCAResult, len(expected))
 	copy(sortExpected, expected)
 	sort.Slice(sortExpected, func(i, j int) bool {
-		return sortExpected[i].ProjectDescriptor.GetTargetFile() < sortExpected[j].ProjectDescriptor.GetTargetFile()
+		return sortExpected[i].DepGraph.GetRootPkg().Info.Name < sortExpected[j].DepGraph.GetRootPkg().Info.Name
 	})
 
 	// Sync runtime field (varies by Python version) and clear Error field (not in JSON)

pkg/ecosystems/python/pipenv/plugin.go

@@ -68,7 +68,8 @@ func (p Plugin) BuildDepGraphsFromDir(
 
 	for _, file := range files {
 		g.Go(func() error {
-			result, err := p.buildDepGraphFromPipfile(ctx, log, file, pythonVersion, options.Python.NoBuildIsolation, options.Global.IncludeDev)
+			projectName := pip.GetProjectName(file.RelPath, dir, options)
+			result, err := p.buildDepGraphFromPipfile(ctx, log, file, pythonVersion, options.Python.NoBuildIsolation, options.Global.IncludeDev, projectName)
 			if err != nil {
 				attrs := []logger.Field{
 					logger.Attr(logFieldFile, file.RelPath),
@@ -85,7 +86,7 @@ func (p Plugin) BuildDepGraphsFromDir(
 				result = ecosystems.SCAResult{
 					ProjectDescriptor: identity.ProjectDescriptor{
 						Identity: identity.ProjectIdentity{
-							Type:       "pipenv",
+							Type:       "pip",
 							TargetFile: &file.RelPath,
 						},
 					},
@@ -153,10 +154,12 @@ func (p Plugin) buildDepGraphFromPipfile(
 	pythonVersion string,
 	noBuildIsolation bool,
 	includeDevDeps bool,
+	projectName string,
 ) (ecosystems.SCAResult, error) {
 	log.Debug(ctx, "Building dependency graph from Pipfile",
 		logger.Attr(logFieldFile, file.RelPath),
-		logger.Attr("python_version", pythonVersion))
+		logger.Attr("python_version", pythonVersion),
+		logger.Attr("project_name", projectName))
 
 	// Parse Pipfile
 	pipfile, err := ParsePipfile(file.Path)
@@ -191,7 +194,7 @@ func (p Plugin) buildDepGraphFromPipfile(
 	}
 
 	// Convert report to dependency graph
-	depGraph, err := report.ToDependencyGraph(ctx, log, pip.PkgManagerPipenv)
+	depGraph, err := report.ToDependencyGraph(ctx, log, pip.PkgManagerPipenv, projectName)
 	if err != nil {
 		return ecosystems.SCAResult{}, fmt.Errorf("failed to convert pip report to dependency graph: %w", err)
 	}
@@ -203,7 +206,7 @@ func (p Plugin) buildDepGraphFromPipfile(
 		DepGraph: depGraph,
 		ProjectDescriptor: identity.ProjectDescriptor{
 			Identity: identity.ProjectIdentity{
-				Type:       "pipenv",
+				Type:       "pip",
 				TargetFile: &file.RelPath,
 			},
 		},

pkg/ecosystems/testdata/fixtures/python/empty/expected_plugin.json

@@ -7,9 +7,9 @@
       },
       "pkgs": [
         {
-          "id": "root@0.0.0",
+          "id": "empty@0.0.0",
           "info": {
-            "name": "root",
+            "name": "empty",
             "version": "0.0.0"
           }
         }
@@ -19,15 +19,14 @@
         "nodes": [
           {
             "nodeId": "root-node",
-            "pkgId": "root@0.0.0",
+            "pkgId": "empty@0.0.0",
             "deps": []
           }
         ]
       }
     },
     "projectDescriptor": {
       "identity": {
-        "targetFile": "requirements.txt",
         "targetRuntime": "python@3.14.1"
       }
     }