Conflict when a package is both direct and transitive
When I use sbom-tool v3 to scan a simple python project with requirements.txt containing:

```text
Flask
Flask-MySQL
```
the relationship graph looks like this:
I expect Flask as a direct package, but actually it's also a dependency of Flask-MySQL. With this relationship graph, we can't detect the correct direct components.
@kennylam91, the main branch now includes code to report all transitive dependencies. Please check it out and see if it works for your scenario. We are hoping to release version 4.1.0, which includes this change, before the end of July.
Thanks @DaveTryon , I'll give it a try.
Hi @DaveTryon , I think the relationship has been improved as you mentioned. But for the direct dependencies (Flask & Flask-MySQL), it's still the same. Before:
@kennylam91, I've been able to repro this locally. The code in ExtendedScannedComponent is where we first get the data that is returned from https://github.com/microsoft/component-detection. Items with no AncestralReferrers are processed as top-level dependencies, and items with AncestralReferrers are processed as transitive dependencies.
The AncestralReferrers property for flask 3.1.1 changes when Flask-MySql is added to the requirements.txt file:
| Contents of requirements.txt | AncestralReferrers for flask 3.1.1 | Screenshot |
|---|---|---|
| Flask | Empty | |
| Flask and Flask-MySql | Refers to flask-mysql 1.6.0 | |
Ultimately, this means that the presence of Flask-MySql in the requirements file is somehow causing https://github.com/microsoft/component-detection to tell us that Flask is not a top-level dependency. That seems wrong to me, but you'd have to engage with the component-detection team to seek understanding and/or a fix. Please check their issues board to see if this is a known bug and/or submit a new one. Please let us know if they release a fix and we'll be sure to update to the newer version once it becomes available. I'll leave this open for now, but nothing will change until it's fixed in component-detection.
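As an added example (not sbom-tool's or component-detection's own code), the snippet below reproduces the classification rule described in the comment above (empty AncestralReferrers means direct, non-empty means transitive) on constructed scan records mirroring the table, and cross-checks the result against the declared requirements.txt so that a declared package demoted to "transitive" is flagged. The `ScannedComponent` field names, the `pymysql` record and its version are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass, field


@dataclass
class ScannedComponent:
    """Constructed stand-in for one component-detection record (field names assumed)."""
    name: str
    version: str
    ancestral_referrers: list[str] = field(default_factory=list)


def normalize(name: str) -> str:
    """PEP 503 normalisation so 'Flask-MySQL' and 'flask-mysql' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def classify(components):
    """Rule from the thread: empty AncestralReferrers -> direct, non-empty -> transitive."""
    direct, transitive = set(), set()
    for comp in components:
        bucket = transitive if comp.ancestral_referrers else direct
        bucket.add(normalize(comp.name))
    return direct, transitive


def parse_requirements(text: str) -> set[str]:
    """Declared top-level names from requirements.txt (comments, pip options, specifiers dropped)."""
    declared = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank line, comment, or a pip option such as -r / -e
        declared.add(normalize(re.split(r"[\s\[<>=!~;@]", line, maxsplit=1)[0]))
    return declared


def misclassified_direct(components, requirements_text):
    """Declared packages that the referrer rule reported only as transitive."""
    direct, transitive = classify(components)
    return (parse_requirements(requirements_text) & transitive) - direct


REQUIREMENTS = "Flask\nFlask-MySQL\n"  # the manifest from the issue

# Constructed scan results mirroring the table above: flask's referrer list is empty when it
# is the only requirement, and points at flask-mysql 1.6.0 once Flask-MySQL is added.
SCAN_FLASK_ONLY = [ScannedComponent("flask", "3.1.1")]
SCAN_WITH_MYSQL = [
    ScannedComponent("flask", "3.1.1", ["flask-mysql 1.6.0"]),
    ScannedComponent("flask-mysql", "1.6.0"),
    ScannedComponent("pymysql", "1.1.0", ["flask-mysql 1.6.0"]),  # genuinely transitive (constructed)
]

if __name__ == "__main__":
    print(classify(SCAN_WITH_MYSQL))                            # ({'flask-mysql'}, {'flask', 'pymysql'})
    print(misclassified_direct(SCAN_WITH_MYSQL, REQUIREMENTS))  # {'flask'}
```

Running the same reconciliation over a real sbom-tool output against the project's manifest gives a quick way to notice when the direct-component set in an SBOM no longer matches what was actually declared.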