
Allow for pip extras #1251

Closed
wants to merge 1 commit

Conversation

shanedell

Allow for pip extras

  • Allow pip packages to specify extras.
    • Syntax: package_name[extra1, extra2]
    • Using a regex, the extras will be removed from the package name.

Closes #1246

Testing

Filename: requirements.txt
Content:

celery[redis, pytest]==4.4.7
starlette==0.17.1

Command: go run main.go file:requirements.txt

Output Before

 ✔ Vulnerability DB        [no update available]
 ✔ Indexed requirements.txt 
 ✔ Cataloged packages      [2 packages]
 ✔ Scanning image...       [1 vulnerabilities]
   ├── 0 critical, 0 high, 1 medium, 0 low, 0 negligible
   └── 1 fixed
NAME       INSTALLED  FIXED-IN  TYPE    VULNERABILITY        SEVERITY 
starlette  0.17.1     0.25.0    python  GHSA-74m5-2c7w-9w3x  Medium  

Output After

 ✔ Vulnerability DB        [no update available]
 ✔ Indexed requirements.txt 
 ✔ Cataloged packages      [2 packages]
 ✔ Scanning image...       [2 vulnerabilities]
   ├── 0 critical, 1 high, 1 medium, 0 low, 0 negligible
   └── 2 fixed
NAME       INSTALLED  FIXED-IN  TYPE    VULNERABILITY        SEVERITY 
celery     4.4.7      5.2.2     python  GHSA-q4xr-rc97-m4xx  High      
starlette  0.17.1     0.25.0    python  GHSA-74m5-2c7w-9w3x  Medium 

- Allow pip packages to specify extras.
  - Syntax: package_name[extra1, extra2]
  - Using a regex, the extras will be removed from the package name.

Closes anchore#1246

Signed-off-by: Shane Dell <shanedell100@gmail.com>

@kzantow kzantow left a comment


I think this should happen in Syft when parsing requirements.txt, no?

@shanedell

@kzantow So in Syft it already works

 ✔ Indexed requirements.txt 
 ✔ Cataloged packages      [2 packages]

NAME                   VERSION  TYPE   
celery[redis, pytest]  4.4.7    python  
starlette              0.17.1   python

However, when it comes back over into Grype it doesn't scan celery[redis, pytest]. I assume it doesn't consider celery[redis, pytest] a proper package or package name? But if you remove the [redis, pytest] it works fine.

@kzantow

kzantow commented Apr 21, 2023

I mean: celery[redis, pytest] doesn't seem like a valid package name. This should be just celery, shouldn't it? And maybe the extras get captured in the metadata?

@shanedell

@kzantow So are you saying update Syft to remove the extras content ([.*]) from the package name, like done in this PR, and then add that extras content to the metadata? If so, that would make sense to me. But then would Grype need to add a PythonMetaData type to support parsing this data?
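The regex stripping described in the PR description above, together with the suggestion in this exchange that the extras be captured in metadata rather than left in the name, as an added example that is not Syft's or Grype's code: a small Go parser that splits a requirements.txt line into the bare project name, its extras and the version constraint, plus a constructed name-keyed advisory lookup that shows why the unsplit name `celery[redis, pytest]` produced the false negative. `Requirement`, `ParseRequirement`, `LookupByName`, `MatchRequirements` and `SampleRequirements` are this example's own names (assumptions, not Syft or Grype API); the two advisory ids are the ones in the scan output above, and the sample lines are constructed from the PR's requirements.txt.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Requirement is one parsed requirements.txt line. The struct and field names
// are this example's own (an assumption), not Syft's python metadata type.
type Requirement struct {
	Name              string
	Extras            []string
	VersionConstraint string // e.g. "==4.4.7"; empty when the line is unpinned
}

// requirementPattern captures: (1) the PEP 508 project name, (2) the optional
// bracketed extras, (3) the optional version specifier. Anything after the
// specifier (environment markers, trailing text) is ignored.
var requirementPattern = regexp.MustCompile(
	`^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[([^\]]*)\])?\s*((?:===|[<>=!~]=?)\s*[^\s;#]+)?`)

// ParseRequirement returns the parsed line and true, or false for lines that
// carry no requirement (blank, comment-only, or pip options such as -r / -e).
func ParseRequirement(line string) (Requirement, bool) {
	if i := strings.Index(line, "#"); i >= 0 {
		line = line[:i] // strip an inline comment
	}
	line = strings.TrimSpace(line)
	if line == "" || strings.HasPrefix(line, "-") {
		return Requirement{}, false
	}
	m := requirementPattern.FindStringSubmatch(line)
	if m == nil {
		return Requirement{}, false
	}
	req := Requirement{
		Name:              m[1],
		VersionConstraint: strings.ReplaceAll(m[3], " ", ""),
	}
	// The extras move out of the name and into their own field; "[redis, pytest]"
	// becomes ["redis", "pytest"].
	for _, e := range strings.Split(m[2], ",") {
		if e = strings.TrimSpace(e); e != "" {
			req.Extras = append(req.Extras, e)
		}
	}
	return req, true
}

// knownVulnerable is a constructed stand-in for a vulnerability DB keyed by
// bare package name. Grype's real matching also compares versions; this only
// shows that a name still carrying extras can never hit such a key.
var knownVulnerable = map[string]string{
	"celery":    "GHSA-q4xr-rc97-m4xx", // ids taken from the scan output in the PR
	"starlette": "GHSA-74m5-2c7w-9w3x",
}

// LookupByName returns the advisory id for a package name, or "" when absent.
func LookupByName(name string) string { return knownVulnerable[name] }

// SampleRequirements is the constructed requirements.txt used in the PR's test.
var SampleRequirements = []string{
	"celery[redis, pytest]==4.4.7",
	"starlette==0.17.1",
}

// MatchRequirements parses each line and looks up the bare name, returning
// name -> advisory id for every requirement that matched.
func MatchRequirements(lines []string) map[string]string {
	found := map[string]string{}
	for _, line := range lines {
		req, ok := ParseRequirement(line)
		if !ok {
			continue
		}
		if id := LookupByName(req.Name); id != "" {
			found[req.Name] = id
		}
	}
	return found
}

func main() {
	// Before: the unsplit name is used as the lookup key and misses.
	fmt.Printf("raw name match: %q\n", LookupByName("celery[redis, pytest]"))
	// After: extras are separated, so the bare name matches.
	for _, line := range SampleRequirements {
		req, _ := ParseRequirement(line)
		fmt.Printf("%-10s extras=%v constraint=%s advisory=%s\n",
			req.Name, req.Extras, req.VersionConstraint, LookupByName(req.Name))
	}
}
```

Keeping the extras as structured metadata rather than discarding them preserves the information for anyone reading the SBOM, while the name that reaches the matcher is the one an advisory is actually indexed under.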

shanedell added a commit to shanedell/syft that referenced this pull request Apr 25, 2023
- Update pip requirements.txt parsing to remove pip extras from package name if included.

Closes anchore/grype#1246
Closes anchore/grype#1251

Signed-off-by: Shane Dell <shanedell100@gmail.com>
shanedell added a commit to shanedell/syft that referenced this pull request Apr 26, 2023
- Update pip requirements.txt parsing to remove pip extras from package name if included.
- Add unit test to test that extras are removed from package name.

Closes anchore/grype#1246
Closes anchore/grype#1251

Signed-off-by: Shane Dell <shanedell100@gmail.com>
shanedell added a commit to shanedell/syft that referenced this pull request Apr 26, 2023
- Create new metadata struct and type for python requirements.
- Update parsing of python requirements to use python requirements metadata.
- Remove pip extras from package name, add them to metadata instead.
- Add unit test to test that extras are removed from package name.
- Will need updated in future to support more than just == for the version constraint.

Closes anchore/grype#1246
Closes anchore/grype#1251

Signed-off-by: Shane Dell <shanedell100@gmail.com>
shanedell added a commit to shanedell/syft that referenced this pull request Apr 26, 2023
- Create new metadata struct and type for python requirements.
- Update parsing of python requirements to use python requirements metadata.
- Remove pip extras from package name, add them to metadata instead.
- Add unit test to test that extras are removed from package name.
- Will need updated in future to support more than just == for the version constraint.
- Update JSON schema data

Closes anchore/grype#1246
Closes anchore/grype#1251

Signed-off-by: Shane Dell <shanedell100@gmail.com>
shanedell added a commit to shanedell/syft that referenced this pull request Apr 26, 2023
- Create new metadata struct and type for python requirements.
- Update parsing of python requirements to use python requirements metadata.
- Remove extras and url from line. Add them to metadata instead.
- Add unit test to test that extras are removed from package name.
- Update test to look at requirements metadata.
- Will need updated in future to support more than just == for the version constraint.
- Update JSON schema data

Closes anchore/grype#1246
Closes anchore/grype#1251

Signed-off-by: Shane Dell <shanedell100@gmail.com>
wagoodman pushed a commit to anchore/syft that referenced this pull request Apr 27, 2023
- Create new metadata struct and type for python requirements.
- Update parsing of python requirements to use python requirements metadata.
- Remove extras and url from line. Add them to metadata instead.
- Add unit test to test that extras are removed from package name.
- Update test to look at requirements metadata.
- Will need updated in future to support more than just == for the version constraint.
- Update JSON schema data

Closes anchore/grype#1246
Closes anchore/grype#1251

Signed-off-by: Shane Dell <shanedell100@gmail.com>
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024
- Create new metadata struct and type for python requirements.
- Update parsing of python requirements to use python requirements metadata.
- Remove extras and url from line. Add them to metadata instead.
- Add unit test to test that extras are removed from package name.
- Update test to look at requirements metadata.
- Will need updated in future to support more than just == for the version constraint.
- Update JSON schema data

Closes anchore/grype#1246
Closes anchore/grype#1251

Signed-off-by: Shane Dell <shanedell100@gmail.com>
Successfully merging this pull request may close these issues.

Specifying "extras" in pip / requirements.txt results in false negative