Hi @gobiltd, because these requirements are not exact, but only minimums, Syft by default is not including these. There is an option to enable Syft to "guess" version ranges: SYFT_PYTHON_GUESS_UNPINNED_REQUIREMENTS=true, e.g.
I think the most surprising thing here (from a user perspective) is that there are package names missing. We chatted about this in this week's gardening live stream and came up with a few options (all variants include all packages from the requirements.txt, but vary in how the version field is handled):
allow for showing ranges as the version (>= 4.3). This would work but would most likely confuse downstream tooling entirely, so it isn't something we'd like to do first.
But another aspect of this is that whatever we decide here, we should identify other ecosystem parsers that also have version ranges specified and add the same configuration and behavior (such as package.json for npm).
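As an added illustration (not Syft's own code), a small Python parser for requirements.txt that applies the two policies discussed above: the default, which reports only exact == pins, and a guess mode modelled on SYFT_PYTHON_GUESS_UNPINNED_REQUIREMENTS that takes the lowest declared bound as the version. The sample file, the function names, and the choice that bare names and upper-bound-only specifiers yield no version are my assumptions; Syft's actual rules may differ.

```python
import re
SAMPLE_REQUIREMENTS = """\
# constructed sample, not the reporter's file
requests==2.31.0
verboselog>=1.7
dateparser~=0.7.0
flask[async]>=2.0,<3 ; python_version >= "3.8"
numpy
"""
_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(.*)$")
_SPEC_RE = re.compile(r"^(===|==|~=|!=|<=|>=|<|>)\s*(\S+)$")

def parse_requirement(line):
    """(name, [(operator, version), ...]) or None for blanks, comments, pip options, URL/path specs."""
    line = line.split("#", 1)[0].split(";", 1)[0].strip()  # drop comment and environment marker
    m = _NAME_RE.match(line) if line and not line.startswith("-") else None  # skip -r/-e options
    if not m:
        return None
    name, rest = m.group(1).lower(), m.group(2).strip()
    specs = []
    for part in (p.strip() for p in rest.split(",") if p.strip()):
        sm = _SPEC_RE.match(part)
        if not sm:  # URL or path requirement, not a version specifier
            return None
        specs.append((sm.group(1), sm.group(2)))
    return name, specs

def version_for(specs, guess_unpinned):
    """Default: only an exact pin (==) yields a version; guess mode falls back to the lowest bound."""
    for op, ver in specs:
        if op in ("==", "==="):
            return ver
    if guess_unpinned:  # assumed to mirror SYFT_PYTHON_GUESS_UNPINNED_REQUIREMENTS
        for op, ver in specs:
            if op in (">=", "~=", ">"):
                return ver
    return None  # bare name or upper-bound-only specifier: nothing to report

def catalog(text, guess_unpinned=False):
    """Return (found, missing): name -> version for reported packages, and names the SBOM would omit."""
    found, missing = {}, []
    for name, specs in filter(None, map(parse_requirement, text.splitlines())):
        ver = version_for(specs, guess_unpinned)
        if ver is None:
            missing.append(name)
        else:
            found[name] = ver
    return found, missing
```

The `missing` list is the practical check: anything in it is a dependency your SBOM-based vulnerability matching will never see, so it is worth diffing against the requirements file whenever you generate an SBOM.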
What happened:
The SBOM generated for Python is missing a few packages listed in the requirements.txt file.
What you expected to happen:
The SBOM should list all packages mentioned in the requirements.txt file.
Steps to reproduce the issue:
Run Syft:
/usr/local/bin/syft /scratch/app/gobgovin/jars/python-requirements/ -o syft-json=syft_python_bom_test.json
✔ Indexed file system /scratch/app/gobgovin/jars/python-requirements
✔ Cataloged contents beb33833a4b4aaabf7dde249b8713668b3b495f08e9619455f643cabe6be8c42
├── ✔ Packages [9 packages]
└── ✔ Executables [0 executables]
Identified only 9 packages; 7 packages are missing.
e.g. verboselog:1.7, dateparser:0.7.0, etc. (these are some of the packages that Syft failed to identify)
Anything else we need to know?:
Syft parses only the {package-name}=={version} format; all other formats from requirements.txt are not parsed and listed in the SBOM (ex: {package-name}>={version}).
Please refer to this page; a few other formats are also supported by the Python requirements.txt file - https://packaging.python.org/en/latest/specifications/version-specifiers/#version-specifiers
Environment:
Output of syft version:
Application: syft
Version: 1.4.1
BuildDate: 2024-05-09T19:45:46Z
GitCommit: c200896
GitDescription: v1.4.1
Platform: linux/amd64
GoVersion: go1.21.9
Compiler: gc
OS (e.g. cat /etc/os-release or similar):
NAME="Oracle Linux Server"
VERSION="7.9"