
Parsing requirements.txt does not correctly scan conditional packages

Open cobya opened this issue 4 years ago • 4 comments

In Python requirements.txt files, the detector currently does not attempt to validate conditional requirements for package inclusion.

Example: `numpy==1.16.6; python_version<"3.6" and sys_platform!="win32"`

If the installed Python version is 3.9, the current parsing logic will still output numpy 1.16.6 as a package in the dependency graph.

AB#2099194

cobya avatar Jan 03 '22 22:01 cobya

The same is true for Python packages with conditional dependencies defined in their setup.py.

E.g. https://github.com/python-hyper/hyper/blob/development/setup.py#L97 defines the following, and component-detection outputs cryptography 0.9.3:

```python
# Conditional extras_require entry from the setup.py linked above:
# the dict key is a PEP 508 environment marker that gates the dependency.
':platform_python_implementation == "PyPy" and python_full_version < "2.7.9"': [
    'cryptography<1.0'
],
```

james-jra avatar Aug 24 '23 13:08 james-jra
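The marker evaluation that the issue and the comment above say is missing, written as an added example (not component-detection's parser): it filters a constructed requirements.txt and the hyper setup.py marker against an assumed environment (Python 3.9 on Linux, CPython), supporting `python_version`, `python_full_version`, `sys_platform` and `platform_python_implementation` with `and`/`or` but no parentheses.

```python
import re

# Constructed environment the dependency graph is built for (an assumption, not a real runner).
ENV = {
    "python_version": "3.9",
    "python_full_version": "3.9.16",
    "sys_platform": "linux",
    "platform_python_implementation": "CPython",
}

# Constructed requirements.txt; the numpy line is the one from the issue.
REQUIREMENTS_TXT = """\
numpy==1.16.6; python_version<"3.6" and sys_platform!="win32"
requests==2.31.0
pywin32==306; sys_platform=="win32"
dataclasses==0.8; python_version<"3.7" or platform_python_implementation=="PyPy"
"""

# Marker used as an extras_require key in the hyper setup.py linked above.
HYPER_EXTRA_MARKER = 'platform_python_implementation == "PyPy" and python_full_version < "2.7.9"'

VERSION_VARS = {"python_version", "python_full_version"}
COMPARISON = re.compile(r'^\s*(\w+)\s*(==|!=|<=|>=|<|>)\s*["\']([^"\']*)["\']\s*$')
OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
       "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}


def _eval_comparison(expr, env):
    """Evaluate one 'variable op "literal"' term; versions compare numerically, not as strings."""
    m = COMPARISON.match(expr)
    if not m:
        raise ValueError(f"unsupported marker expression: {expr!r}")
    var, op, literal = m.groups()
    if var in VERSION_VARS:
        key = lambda v: tuple(int(p) for p in v.split("."))
        return OPS[op](key(env[var]), key(literal))
    return OPS[op](env[var], literal)


def evaluate_marker(marker, env=ENV):
    """'and' binds tighter than 'or', so split on 'or' first, then on 'and'."""
    return any(all(_eval_comparison(t, env) for t in re.split(r"\s+and\s+", clause))
               for clause in re.split(r"\s+or\s+", marker.strip()))


def applicable_requirements(requirements_txt, env=ENV):
    """Return only the specs whose marker (if any) holds for env."""
    kept = []
    for raw in requirements_txt.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        spec, _, marker = line.partition(";")
        if not marker.strip() or evaluate_marker(marker, env):
            kept.append(spec.strip())
    return kept
```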

This is a good reason why we should utilize pip to give us the dependency tree with `pip inspect` once the runner images have pip >= 22.2 installed.

melotic avatar Aug 28 '23 16:08 melotic

Made a small update to the already existing parsing logic to allow for basic conditional dependency checking (at least for `python_version`): 973

FernandoRojo avatar Jan 17 '24 01:01 FernandoRojo