fix: support PEP 621 pyproject dependency scanning#2242

Open
DhineshPonnarasan wants to merge 3 commits into
microsoft:mainfrom
DhineshPonnarasan:fix/2206-pep621-pyproject-scan

Conversation

@DhineshPonnarasan DhineshPonnarasan commented May 13, 2026

Summary

Fixes #2206 by updating pyproject dependency confusion scanning to support standard PEP 621 layout.

Root cause:
The scanner was looking for a non-standard section shape and could miss dependencies declared under the standard project table.

What this PR changes:

  • Adds TOML-aware parsing for pyproject manifests.
  • Reads dependencies from:
    • project.dependencies
    • project.optional-dependencies groups
  • Extracts base package names from requirement strings with support for:
    • version specifiers
    • extras
    • markers
    • direct reference forms
    • multiline dependency arrays
  • Preserves existing scanner behavior for non-pyproject manifests.
  • Keeps legacy pyproject fallback behavior for compatibility.
  • Adds targeted regression tests for standard, optional, multiline, extras/version, unregistered package, and legacy scenarios.

Why this matters

  • Aligns scanner behavior with PEP 621-compliant manifests used across the repo.
  • Reduces risk of missed dependency checks in strict scanning workflows.
  • Improves confidence in CI security enforcement for pyproject manifests.

Validation

  • Targeted scanner tests passed.
  • Full scripts test suite passed.
  • Manual validation confirmed expected behavior for known/unknown dependencies across standard and optional groups.

Scope and compatibility

  • No changes to requirements scanning behavior.
  • No changes to package.json scanning behavior.
  • No changes to Cargo.toml scanning behavior.
  • Existing finding format and severity behavior remain consistent for existing paths.

@imran-siddique, please review when available. It fixes issue #2206 for PEP 621 pyproject scanning.
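An added example, written for this page rather than taken from this PR or the project's scripts/check_dependency_confusion.py, of the PEP 621 handling the description lays out: it parses a constructed pyproject.toml with tomllib, gathers project.dependencies plus every project.optional-dependencies group, reduces each PEP 508 requirement string to its normalized base name, and reports names missing from an assumed trusted-registry set (REGISTERED is a constructed stand-in for the real index lookup).

```python
import re
# tomllib is stdlib from Python 3.11; the helpers still work without it (the review's fallback case).
try:
    import tomllib
except ImportError:
    tomllib = None

# PEP 508: the name comes first; extras "[...]", version specifiers, "@ <url>"
# direct references and "; <marker>" follow it and are discarded here.
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)")

# Constructed sample manifest (not from the project) mixing the forms the PR
# says it handles: version specifier, extras, marker, direct reference, multiline.
SAMPLE_PYPROJECT = """
[project]
dependencies = [
  "requests>=2.31",
  "Internal_Tooling[cli]>=1.0; python_version >= '3.9'",
  "pkg-from-git @ git+https://example.invalid/org/pkg.git",
]
[project.optional-dependencies]
dev = ["pytest", "Acme-private-lib"]
"""
# Assumed trusted-registry set (constructed); a real scanner would query the index.
REGISTERED = {"requests", "pytest", "pkg-from-git"}

def normalize(name: str) -> str:
    """PEP 503 normalization: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def base_name(requirement: str) -> str:
    """Normalized distribution name of one PEP 508 requirement string."""
    m = _NAME_RE.match(requirement)
    if not m:
        raise ValueError(f"unparseable requirement: {requirement!r}")
    return normalize(m.group(1))

def scan_data(data: dict, registered: set) -> list:
    """Declared names absent from the trusted set: dependency-confusion candidates."""
    project = data.get("project", {})
    reqs = list(project.get("dependencies", []))  # [project].dependencies
    for group in project.get("optional-dependencies", {}).values():  # every optional group
        reqs.extend(group)
    return sorted({base_name(r) for r in reqs} - {normalize(r) for r in registered})

def scan_text(pyproject_text: str, registered: set) -> list:
    """Parse a pyproject.toml document with tomllib, then scan it."""
    if tomllib is None:
        raise RuntimeError("tomllib unavailable: cannot parse pyproject.toml")
    return scan_data(tomllib.loads(pyproject_text), registered)
```

Running scan_text(SAMPLE_PYPROJECT, REGISTERED) reports the two names that no trusted index knows, which is exactly the gap the legacy scanner missed when dependencies lived under the standard [project] table.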

github-actions Bot commented May 13, 2026

🤖 AI Agent: breaking-change-detector — API Compatibility

No breaking changes detected.

github-actions Bot added the size/L (Large PR, < 500 lines) label May 13, 2026
@github-actions

🟡 Contributor Check: MEDIUM

Check       Result
Profile     MEDIUM
Credential  NONE
Overall     MEDIUM

Automated check by AGT Contributor Check.

github-actions Bot added the tests label May 13, 2026
@github-actions

github-actions Bot commented May 13, 2026

🤖 AI Agent: docs-sync-checker — Docs Sync

  • check_pyproject_toml() in scripts/check_dependency_confusion.py -- missing docstring
  • README.md -- dependency scanning section needs update to reflect PEP 621 support
  • CHANGELOG.md -- missing entry for updated pyproject dependency scanning behavior

@github-actions

github-actions Bot commented May 13, 2026

🤖 AI Agent: code-reviewer — View details

TL;DR: 0 blockers, 1 warning. Solid implementation with minor follow-up needed.

#  Sev   Issue                                      Where
1  Warn  No explicit test for malformed TOML input  scripts/tests/test_check_dependency_confusion.py

Action items: None, as no blockers were identified.

Warnings:

#  Description                                 Resolution
1  Add a test case for malformed TOML input.   Fine as follow-up PR.

github-actions Bot added the needs-review:MEDIUM (Contributor check flagged MEDIUM risk) label May 13, 2026
@github-actions

github-actions Bot commented May 13, 2026

🤖 AI Agent: test-generator — `scripts/check_dependency_confusion.py`

  • test_check_pyproject_toml_missing_tomllib -- Validate fallback behavior when tomllib is unavailable.
  • test_check_pyproject_toml_invalid_toml -- Ensure graceful handling of invalid TOML files.
  • test_check_pyproject_toml_malformed_dependencies -- Test handling of malformed dependency entries in PEP 621 manifests.

@github-actions

🤖 AI Agent: contributor-guide — View details

Hi @first-time-contributor, welcome to the project and thank you for your detailed PR! 🎉

Great job adding comprehensive regression tests to cover various scenarios—this is very thorough and well-documented.

Before merging, could you:

  1. Address the unused import Any in check_dependency_confusion.py.
  2. Ensure all new tests pass in CI.

For guidance, check out CONTRIBUTING.md. Let us know if you need help! 🚀

@github-actions

github-actions Bot commented May 13, 2026

🤖 AI Agent: security-scanner — View details

No security issues found.

@github-actions

github-actions Bot commented May 13, 2026

PR Review Summary

Check                Status        Details
🔍 Code Review       ⚠️ Warning    See details
🛡️ Security Scan     ✅ Passed     No issues found
🔄 Breaking Changes  ✅ Passed     No issues found
📝 Docs Sync         ✅ Completed  Analysis complete
🧪 Test Coverage     ✅ Completed  Analysis complete

Verdict: ⚠️ Ready for human review

DhineshPonnarasan force-pushed the fix/2206-pep621-pyproject-scan branch from 8d5145b to 766272f, May 13, 2026 10:46
imran-siddique enabled auto-merge (squash) May 14, 2026 06:20
auto-merge was automatically disabled May 14, 2026 06:32

Head branch was pushed to by a user without write access

@DhineshPonnarasan (Author)

@imran-siddique Could you please review and approve this PR? I fixed the DCO, spell-check, and dependency-scan CI issues.

Development

Successfully merging this pull request may close these issues.

[Bug]: dependency-confusion scanner misses standard [project] dependencies in pyproject.toml
