Sebastian Schuberth
Also maybe worth a look as a helper tool is https://github.com/trailofbits/it-depends which claims to

> Finds native dependencies for high level languages like Python

Also see the [difficulties in finding Python 2 example projects](https://github.com/oss-review-toolkit/ort/issues/4901#issuecomment-1002644154).
We could also take a deeper look at [component-detection's approach for PIP](https://github.com/microsoft/component-detection/blob/main/docs/detectors/pip.md).
Some [interesting insights](https://github.com/dependabot/dependabot-core/pull/2281#discussion_r457554686) on the general topic from a Python maintainer, and a [possible solution](https://github.com/pypa/build/issues/181#issuecomment-888066457).
And yet another interesting [discussion](https://discuss.python.org/t/list-dependencies-of-a-package/12341) with links to:

* https://github.com/spack/spack
* https://github.com/thoth-station/solver
* https://github.com/pypa/pip/pull/10748

> ScanCode does parse requirements files, setup.py, setup.cfg, pyproject.toml, Pipfile and Pipfile.lock and a few more

Can you clarify on what "parse" means here exactly? I assume in the context...
Looks like we currently assume anything with `workspaces` to be a Yarn project: https://github.com/oss-review-toolkit/ort/blob/11150b4d0298fe09f24f671f63263806e3a0b167/analyzer/src/main/kotlin/managers/utils/NodeSupport.kt#L140-L151
@ppuritscher @porsche-rishisaxena this is the issue you're also affected by.
> This should be removed when upgrading base image to 22.04 LTS

This comment makes me wonder whether there are any blockers to move to Ubuntu 22.04 LTS instead?

> This comment makes me wonder whether there are any blockers to move to Ubuntu 22.04 LTS instead?

I propose to supersede this PR with #5651. Would that be fine...