
Poetry's multiple constraints seems to break the parser #2947

Closed
joshuatz opened this issue Jun 11, 2024 · 0 comments · Fixed by #2965
Labels
bug Something isn't working

Comments


joshuatz commented Jun 11, 2024

What happened:

I suddenly started encountering an error in CI trying to generate spdx-json with syft, despite not making any changes to that part of the CI pipeline. After digging, I found that the syft version wasn't pinned in CI, and I was able to reproduce the exact error locally in version 1.6.0, which did not occur in 1.1.0 (that was my version jump locally, but I think CI was smaller).

EDIT: I was able to confirm that this error does not happen in 1.5.0.

Regardless - the crux of the issue is that I now get an error with 1.6.0, when previous versions do not produce it:

 syft ./poetry.lock -o spdx-json
[0000]  WARN cataloger failed cataloger=python-package-cataloger error=unable to parse poetry.lock: (0, 0): Can't convert [version = ">=5.0.0"
 extras = ["compatible-mypy"]
markers = "extra == \"compatible-mypy\""
optional = true
version = "*"
]([]*toml.Tree) to trees location=/poetry.lock

Even though this prints as a warning, and the exit code is 0, the output is essentially empty (only contains the top-level info about syft itself, with none of the dependencies included).

I think I can share some (limited) insight that might help (see below, in the steps to reproduce).

What you expected to happen:

To get the normal JSON output, with dependency information included.

Steps to reproduce the issue:

I am triggering this by including a specific package - djangorestframework-stubs, and the block of code in the lock file that seems to be throwing that error looks like this:

[[package]]
name = "djangorestframework-stubs"
version = "3.15.0"
description = "PEP-484 stubs for django-rest-framework"
optional = false
python-versions = ">=3.8"
files = [
    {file = "djangorestframework_stubs-3.15.0-py3-none-any.whl", hash = "sha256:6c634f16fe1f9b1654cfd921eca64cd4188ce8534ab5e3ec7e44aaa0ca969d93"},
    {file = "djangorestframework_stubs-3.15.0.tar.gz", hash = "sha256:f60ee1c80abb01a77acc0169969e07c45c2739ae64667b9a0dd4a2e32697dcab"},
]

[package.dependencies]
django-stubs = [
    {version = ">=5.0.0"},
    {version = "*", extras = ["compatible-mypy"], optional = true, markers = "extra == \"compatible-mypy\""},
]
mypy = {version = ">=1.10.0,<1.11.0", optional = true, markers = "extra == \"compatible-mypy\""}
requests = ">=2.0.0"
types-PyYAML = ">=5.4.3"
types-requests = ">=0.1.12"
typing-extensions = ">=3.10.0"

[package.extras]
compatible-mypy = ["django-stubs[compatible-mypy]", "mypy (>=1.10.0,<1.11.0)"]
coreapi = ["coreapi (>=2.0.0)"]
markdown = ["types-Markdown (>=0.1.5)"]

However, I feel like it is worth noting that this is the only dependency in my project that is using / generating Poetry's multiple constraints syntax; is there something specific about that syntax that might be breaking the parser? I'm not super familiar with Poetry's spec, nor syft's parser, or else I would try to do more digging myself.

Anything else we need to know?:

Environment:

  • Output of syft version: syft 1.6.0
  • OS (e.g: cat /etc/os-release or similar): Darwin