
Analysing deep/transitive dependencies - requirements.txt

Open mneedham opened this issue 4 years ago • 3 comments

Hi,

I'm trying to run the FOSSA scanner over a Python based GitHub repository and when I use the GitHub integration on https://app.fossa.com/ it seems to pick up the deep or transitive dependencies of all the libraries in my requirements.txt.

But when I run the FOSSA CLI on that same project locally and then upload the results to fossa.com (fossa analyze) it only seems to pick up the direct dependencies.

Is there any way that I can get the CLI tool to analyse deep dependencies?

Cheers, Mark

mneedham avatar Jul 20 '21 10:07 mneedham

We have the same issue with NPM / Nodejs. In 1.1.3 it worked, but in some of the latest versions it got broken.

zenonhun avatar Aug 18 '21 09:08 zenonhun

Hi @mneedham, we don't currently support finding deep dependencies from requirements.txt files in the fossa-cli. When you scan a project in the UI it uses a slightly different method that will build a project in a manner the CLI cannot currently do. I will open a ticket for this issue (ANE-337) in our internal tracker.

@zenonhun is the issue you are referring to https://github.com/fossas/fossa-cli/issues/815 or is it a different one?

zlav avatar May 20 '22 23:05 zlav
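A practical way to check what zlav describes (the CLI reading only the direct entries of requirements.txt, while the resolved environment contains the transitive tree) is to compare the hand-written file against the fully resolved package list. The script below is an added example, not code from fossa-cli or from anyone in this thread. It parses a requirements.txt, parses `pip freeze` style output, reports which packages are transitive, flags which resolved packages are absent from a scanner's report, and emits a fully pinned requirements file. Feeding such a pinned file to a tool that only reads requirements.txt is a general pip workaround; whether fossa-cli then reports the full tree is not confirmed by this thread. All package names, versions and the "reported by scanner" list are constructed sample data.

```python
"""Compare a direct-dependency requirements.txt with a fully resolved
environment to find transitive packages and build a pinned file.

Added example; the sample data below is constructed, not taken from any
real project or from fossa-cli output."""
import re
from typing import Dict, Iterable, List

# Leading project name of a requirement line: "Flask[async] ~= 2.0 ; marker"
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def canonical(name: str) -> str:
    """PEP 503 name normalisation: lowercase, runs of '-', '_' and '.' -> '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> Dict[str, str]:
    """Return {canonical_name: original_line} for concrete requirement lines.

    Skips blank lines, comments, pip options (-r, -e, --index-url ...) and
    direct URL requirements, which carry no project name at the front."""
    out: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        line = re.split(r"\s+#", line, maxsplit=1)[0].strip()  # inline comment
        if line.startswith("-") or "://" in line:
            continue
        match = _NAME_RE.match(line)
        if match:
            out[canonical(match.group(1))] = line
    return out


def parse_freeze(text: str) -> Dict[str, str]:
    """Return {canonical_name: version} from `pip freeze` output (name==version)."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if "==" in line and not line.startswith("#"):
            name, version = line.split("==", 1)
            out[canonical(name)] = version.strip()
    return out


def transitive_packages(direct: Dict[str, str], resolved: Dict[str, str]) -> Dict[str, str]:
    """Packages present in the resolved environment but not declared directly."""
    return {name: ver for name, ver in resolved.items() if name not in direct}


def missing_from_report(resolved: Dict[str, str], reported: Iterable[str]) -> List[str]:
    """Resolved packages that a scanner's dependency report does not mention."""
    seen = {canonical(n) for n in reported}
    return sorted(name for name in resolved if name not in seen)


def pinned_requirements(direct: Dict[str, str], resolved: Dict[str, str]) -> str:
    """Fully pinned requirements text: one 'name==version' line per resolved
    package, sorted, so a tool that only reads requirements.txt sees the
    direct and transitive packages alike."""
    lines = [f"{name}=={ver}" for name, ver in sorted(resolved.items())]
    return "\n".join(lines) + "\n"


# Constructed sample: a hand-written requirements.txt with the usual noise.
DIRECT = """
# web stack (constructed example)
requests>=2.25
Flask[async] ~= 2.0 ; python_version >= "3.7"   # async extra
-r dev-requirements.txt
"""

# Constructed sample of `pip freeze` after installing DIRECT in a clean venv.
FREEZE = """certifi==2021.5.30
charset-normalizer==2.0.3
click==8.0.1
Flask==2.0.1
idna==3.2
itsdangerous==2.0.1
Jinja2==3.0.1
MarkupSafe==2.0.1
requests==2.26.0
urllib3==1.26.6
Werkzeug==2.0.1
"""

# Constructed stand-in for what a direct-only scan reported.
SCAN_REPORTED = ["Flask", "requests"]

if __name__ == "__main__":
    direct = parse_requirements(DIRECT)
    resolved = parse_freeze(FREEZE)
    print("transitive:", sorted(transitive_packages(direct, resolved)))
    print("not in scan report:", missing_from_report(resolved, SCAN_REPORTED))
    print(pinned_requirements(direct, resolved))
```

Run it against your own requirements.txt and the `pip freeze` output of a clean virtualenv built from it; if the scanner's report matches only the direct set, the `missing_from_report` list is exactly the transitive tree the CLI did not see.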

Hi @zlav, that is a different issue. In that case the CLI analysis result is wrong; the UI is not involved at all.

zenonhun avatar May 21 '22 07:05 zenonhun