fix dev and non dev lists

Author: cataggar

src/Microsoft.ComponentDetection.Detectors/uv/UvLockComponentDetector.cs

@@ -50,12 +50,10 @@ protected override Task OnFileFoundAsync(ProcessRequest processRequest, IDiction
 
                 var rootPackage = uvLock.Packages.FirstOrDefault(IsRootPackage);
 
-                // Add requires-dist as explicitly referenced component ids and dependencies
+                var explicitPackages = new HashSet<string>();
                 foreach (var dep in rootPackage.MetadataRequiresDist)
                 {
-                    var depComponent = new PipComponent(dep.Name, dep.Specifier);
-                    var detectedDep = new DetectedComponent(depComponent);
-                    singleFileComponentRecorder.RegisterUsage(detectedDep, isExplicitReferencedDependency: true, isDevelopmentDependency: false);
+                    explicitPackages.Add(dep.Name);
                 }
 
                 var devPackages = new HashSet<string>();
@@ -72,17 +70,18 @@ protected override Task OnFileFoundAsync(ProcessRequest processRequest, IDiction
                     }
 
                     var pipComponent = new PipComponent(pkg.Name, pkg.Version);
-                    var isDevelopmentDependency = devPackages.Contains(pkg.Name);
+                    var isExplicit = explicitPackages.Contains(pkg.Name);
+                    var isDev = devPackages.Contains(pkg.Name);
                     var detectedComponent = new DetectedComponent(pipComponent);
-                    singleFileComponentRecorder.RegisterUsage(detectedComponent, isDevelopmentDependency: isDevelopmentDependency);
+                    singleFileComponentRecorder.RegisterUsage(detectedComponent, isDevelopmentDependency: isDev, isExplicitReferencedDependency: isExplicit);
 
                     foreach (var dep in pkg.Dependencies)
                     {
                         var depPkg = uvLock.Packages.FirstOrDefault(p => p.Name.Equals(dep.Name, StringComparison.OrdinalIgnoreCase));
                         if (depPkg != null)
                         {
                             var depComponentWithVersion = new PipComponent(depPkg.Name, depPkg.Version);
-                            singleFileComponentRecorder.RegisterUsage(new DetectedComponent(depComponentWithVersion), isExplicitReferencedDependency: false, parentComponentId: pipComponent.Id);
+                            singleFileComponentRecorder.RegisterUsage(new DetectedComponent(depComponentWithVersion), parentComponentId: pipComponent.Id);
                         }
                         else
                         {

test/Microsoft.ComponentDetection.Detectors.Tests/UvLockDetectorTests.cs

@@ -218,4 +218,48 @@ public async Task TestUvLockDetector_ExplicitDependencies_AreMarkedExplicit()
         var barId = detected.First(d => d.Component.Id.StartsWith("bar")).Component.Id;
         graph.IsComponentExplicitlyReferenced(barId).Should().BeTrue();
     }
+
+    [TestMethod]
+    public async Task TestUvLockDetector_DevelopmentAndNonDevelopmentDependencies()
+    {
+        var uvLock = @"[[package]]
+name = 'foo'
+version = '1.2.3'
+[package.metadata]
+requires-dist = [
+    { name = 'bar', specifier = '>=2.0.0' },
+    { name = 'baz', specifier = '>=3.0.0' }
+]
+[package.metadata.requires-dev]
+dev = [
+    { name = 'devonly', specifier = '>=4.0.0' }
+]
+[[package]]
+name = 'bar'
+version = '2.0.0'
+[[package]]
+name = 'baz'
+version = '3.0.0'
+[[package]]
+name = 'devonly'
+version = '4.0.0'
+";
+        var (scanResult, componentRecorder) = await this.DetectorTestUtility
+            .WithFile("uv.lock", uvLock)
+            .ExecuteDetectorAsync();
+
+        scanResult.ResultCode.Should().Be(ProcessingResultCode.Success);
+        var detected = componentRecorder.GetDetectedComponents().ToList();
+        var graph = componentRecorder.GetDependencyGraphsByLocation().Values.First();
+
+        var fooId = detected.First(d => d.Component.Id.StartsWith("foo ")).Component.Id;
+        var barId = detected.First(d => d.Component.Id.StartsWith("bar ")).Component.Id;
+        var bazId = detected.First(d => d.Component.Id.StartsWith("baz ")).Component.Id;
+        var devonlyId = detected.First(d => d.Component.Id.StartsWith("devonly ")).Component.Id;
+
+        // bar and baz are non-dev dependencies, devonly is a dev dependency
+        graph.IsDevelopmentDependency(barId).Should().BeFalse();
+        graph.IsDevelopmentDependency(bazId).Should().BeFalse();
+        graph.IsDevelopmentDependency(devonlyId).Should().BeTrue();
+    }
 }