
feat(supply_chain): scan tool-specific dependency tables in pyproject.toml (Poetry, PDM, Hatch, uv) #171

Description

@Shrotriya-lalit

Background

PR #95 fixed false-positive SC5/SC6 findings on pyproject.toml metadata keys by switching from the requirements-regex parser to tomllib. It reads only the three PEP 621/517 standard dependency arrays:

  • [project].dependencies
  • [project.optional-dependencies]
  • [build-system].requires

Gap

Projects using tool-specific build backends (Poetry, PDM, Hatch, uv) declare dependencies in non-standard tables that are currently not scanned. Previously these lines caused false positives; now they cause false negatives (real dependencies not checked for typosquatting/abandonment).

Tables to add

Tool     Table(s)
Poetry   [tool.poetry.dependencies], [tool.poetry.dev-dependencies], [tool.poetry.group.*.dependencies]
PDM      [tool.pdm.dev-dependencies]
Hatch    [tool.hatch.envs.*.dependencies]
uv       [tool.uv.dev-dependencies]

Implementation notes

  • Extend _extract_packages_from_pyproject() to walk data.get("tool", {}) for known keys
  • Poetry group dependencies use a nested {version = "..."} dict format rather than PEP 508 strings — needs separate handling
  • Add tests for each tool format

Acceptance criteria

  • All four tool-specific formats parsed correctly
  • Malformed / unexpected structure in tool tables does not crash the analyzer
  • False-positive regression tests updated (tool-table keys must not produce SC5/SC6 on metadata fields)
  • New tests for each tool format
