Investigate usage of pip install report for gathering Python dependencies #980

Open
cobya opened this issue Jan 19, 2024 · 3 comments
Labels
detector:pip The pip detector status:requirements Full requirements are not yet known, so implementation should not be started type:feature Feature (new functionality)

cobya commented Jan 19, 2024

The Installation Report generated by Pip may be sufficient to gather dependency information from Python setup files. May need to be used in conjunction with pip inspect.

This was originally discussed as part of #629; we should investigate whether or not the full dependency graph can be generated for Python ecosystems using this method.

AB#2141027

@cobya cobya added detector:pip The pip detector status:requirements Full requirements are not yet known, so implementation should not be started type:feature Feature (new functionality) labels Jan 19, 2024

cobya commented May 15, 2024

There has now been documentation published on the usage of --report. See https://pip.pypa.io/en/stable/reference/installation-report/

Example dry run commands using the pip command:

  • For requirements.txt:
    pip install -r .\requirements.txt --dry-run --ignore-installed --quiet --report report-req.json
  • For setup.py:
    pip install -e . --dry-run --ignore-installed --quiet --report report.json


cobya commented May 15, 2024

Note that the report format version declared stable is only available in Pip > v23.0; this should be a conditional check before running this version of detection. We also get transitive dependency detection as part of this report.


cobya commented May 23, 2024

@edena-legit since you've been interested in Python detection previously, I'd love to have your input on the new PipReport detector and if you encounter any issues running it.
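
An added example, not code from this issue or the project: a sketch of consuming the JSON written by `--report`, gating on the report's own format `version` field and separating requested packages from transitive ones. The names `parse_report` and `normalize` and the sample report are constructed for illustration; field names follow pip's documented installation report format, and edges are approximated by keeping only `requires_dist` names that were actually resolved.

```python
import json
import re

# Constructed sample in the shape of a pip installation report (format version "1").
SAMPLE_REPORT = json.dumps({
    "version": "1",
    "pip_version": "24.0",
    "install": [
        {"requested": True, "is_direct": False,
         "download_info": {"url": "https://example.invalid/requests-2.31.0-py3-none-any.whl",
                           "archive_info": {"hashes": {"sha256": "aa" * 32}}},
         "metadata": {"name": "requests", "version": "2.31.0",
                      "requires_dist": ["urllib3<3,>=1.21.1", "PySocks!=1.5.7; extra == 'socks'"]}},
        {"requested": False, "is_direct": False,
         "download_info": {"url": "https://example.invalid/urllib3-2.2.1-py3-none-any.whl",
                           "archive_info": {"hashes": {"sha256": "bb" * 32}}},
         "metadata": {"name": "urllib3", "version": "2.2.1"}},
    ],
})

def normalize(name):
    """PEP 503 name normalization so 'Foo_Bar' and 'foo-bar' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_report(text):
    """Return {normalized name: component dict} from a pip --report JSON document."""
    report = json.loads(text)
    # Gate on the report's own format version instead of guessing from pip's version.
    if report.get("version") != "1":
        raise ValueError(f"unsupported report version: {report.get('version')!r}")
    components = {}
    for item in report.get("install", []):
        meta = item["metadata"]
        hashes = item.get("download_info", {}).get("archive_info", {}).get("hashes", {})
        components[normalize(meta["name"])] = {
            "version": meta["version"],
            "direct": bool(item.get("requested")),    # named by the user vs pulled in transitively
            "from_url": bool(item.get("is_direct")),  # installed from a direct URL, not an index
            "sha256": hashes.get("sha256"),           # None for local or editable installs
            "requires": meta.get("requires_dist", []),
        }
    # Keep only edges to packages that were resolved; this skips inactive extras and markers.
    for comp in components.values():
        names = (re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", r) for r in comp["requires"])
        comp["requires"] = sorted({normalize(m.group(1)) for m in names if m} & set(components))
    return components
```

Recording `sha256` and `from_url` per component lets a later audit tie each detected package back to the exact artifact pip resolved and flag anything installed from a direct URL instead of an index.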
