pip: Properly report packages declared in requirements_build_files
Assuming the user configured their repository correctly, the only
dependencies that should be present in files declared as
requirements_build_files are build dependencies. Having this information in the
SBOM will help future security analysis performed on the built artifact.

Signed-off-by: Bruno Pimentel <bpimente@redhat.com>
brunoapimentel committed Jan 29, 2025
1 parent 95aba93 commit 9dca171
Showing 2 changed files with 14 additions and 9 deletions.
11 changes: 8 additions & 3 deletions cachi2/core/package_managers/pip.py
Expand Up @@ -194,6 +194,10 @@ def fetch_pip_source(request: Request) -> RequestOutput:
if dependency["package_type"] == "wheel":
pip_package_binary = True

pip_build_dependency = False
if dependency["build_dependency"] == "true":
pip_build_dependency = True

components.append(
Component(
name=dependency["name"],
Expand All @@ -202,6 +206,7 @@ def fetch_pip_source(request: Request) -> RequestOutput:
properties=PropertySet(
missing_hash_in_file=missing_hash_in_file,
pip_package_binary=pip_package_binary,
pip_build_dependency=pip_build_dependency,
).to_properties(),
)
)
Expand Down Expand Up @@ -2130,9 +2135,9 @@ def resolve_req_files(req_files: Optional[list[Path]], devel: bool) -> list[Root
output_dir, resolved_build_req_files, allow_binary
)

# Mark all build dependencies as Cachi2 dev dependencies
# Mark all build dependencies as such
for dependency in build_requires:
dependency["dev"] = True
dependency["build_dependency"] = True

def _version(dep: dict[str, Any]) -> str:
if dep["kind"] == "pypi":
Expand All @@ -2151,7 +2156,7 @@ def _version(dep: dict[str, Any]) -> str:
"version": _version(dep),
"index_url": dep.get("index_url"),
"type": "pip",
"dev": dep.get("dev", False),
"build_dependency": dep.get("build_dependency", False),
"kind": dep["kind"],
"requirement_file": dep["requirement_file"],
"missing_req_file_checksum": dep["missing_req_file_checksum"],
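Review bot: The new check `if dependency["build_dependency"] == "true":` in the fetch_pip_source loop compares the field against the string "true", but the same commit stores it as a bool — `dependency["build_dependency"] = True` in the hunk around line 2135 and `dep.get("build_dependency", False)` in the resolved-dependency dict — so `True == "true"` is never satisfied, `pip_build_dependency` stays False for every component, and the SBOM property this commit introduces is never emitted. That defeats the stated goal: a consumer of the SBOM could not distinguish build-only packages from runtime ones, which is exactly what later supply-chain analysis of the artifact needs. Unlike the adjacent `package_type == "wheel"` test this is a boolean flag, so the three lines should collapse to `pip_build_dependency = bool(dependency.get("build_dependency", False))`; the `.get` default also avoids a KeyError if some code path not shown here produces a dependency dict without the new key. The enclosing fetch_pip_source loop and the function containing the `build_requires` loop both start and end outside these hunks.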
12 changes: 6 additions & 6 deletions tests/unit/package_managers/test_pip.py
Expand Up @@ -3888,7 +3888,7 @@ def test_resolve_pip(
"name": "bar",
"version": "2.1",
"type": "pip",
"dev": False,
"build_dependency": False,
"kind": "pypi",
"requirement_file": "req.txt" if custom_requirements else "requirements.txt",
"missing_req_file_checksum": False,
Expand All @@ -3899,7 +3899,7 @@ def test_resolve_pip(
"name": "baz",
"version": "0.0.5",
"type": "pip",
"dev": True,
"build_dependency": True,
"kind": "pypi",
"requirement_file": "breq.txt" if custom_requirements else "requirements-build.txt",
"missing_req_file_checksum": False,
Expand Down Expand Up @@ -4097,7 +4097,7 @@ def test_fetch_pip_source(
"name": "bar",
"version": "https://x.org/bar.zip#cachito_hash=sha256:aaaaaaaaaa",
"type": "pip",
"dev": False,
"build_dependency": False,
"kind": "url",
"requirement_file": "requirements.txt",
"missing_req_file_checksum": False,
Expand All @@ -4108,7 +4108,7 @@ def test_fetch_pip_source(
"version": "0.0.5",
"index_url": pypi_simple.PYPI_SIMPLE_ENDPOINT,
"type": "pip",
"dev": True,
"build_dependency": True,
"kind": "pypi",
"requirement_file": "requirements.txt",
"missing_req_file_checksum": False,
Expand All @@ -4125,7 +4125,7 @@ def test_fetch_pip_source(
"version": "3.2",
"index_url": CUSTOM_PYPI_ENDPOINT,
"type": "pip",
"dev": False,
"build_dependency": False,
"kind": "pypi",
"requirement_file": "requirements.txt",
"missing_req_file_checksum": True,
Expand All @@ -4135,7 +4135,7 @@ def test_fetch_pip_source(
"name": "eggs",
"version": "https://x.org/eggs.zip#cachito_hash=sha256:aaaaaaaaaa",
"type": "pip",
"dev": False,
"build_dependency": False,
"kind": "url",
"requirement_file": "requirements.txt",
"missing_req_file_checksum": True,
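Review bot: As far as this section shows, the updated expectations in test_resolve_pip and test_fetch_pip_source only rename the `dev` key to `build_dependency` in the resolved-dependency dicts; nothing asserts that a dependency carrying `"build_dependency": True` actually ends up with the new PropertySet field set on the emitted Component, so a wrong comparison in the component-building loop (for example testing the boolean against a string) would pass this suite unchanged. Add one assertion on the generated component properties for the build-requirement case (the `baz` entry read from `requirements-build.txt`), and a matching one that a plain `bar` dependency does not get it, so the flag is verified end to end rather than only at the dict level. The expected-output dicts continue beyond the visible lines.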
