Crashes on requirements.txt with hashes

[gdetrez]

Pip supports including hashes in requirements.txt, e.g. generated with pip-tools:

$ echo requests > requirements.in
$ pip-compile --generate-hashes
#
# This file is autogenerated by pip-compile
# To update, run:
#
#    pip-compile --generate-hashes
#
certifi==2021.5.30 \
    --hash=sha256:2bbf76fd432960138b3ef6dda3dde0544f27cbf8546c458e60baf371917ba9ee \
    --hash=sha256:50b1e4f8446b06f41be7dd6338db18e0990601dce795c2b1686458aa7e8fa7d8
    # via requests
chardet==4.0.0 \
    --hash=sha256:0d6f53a15db4120f2b08c94f11e7d93d2c911ee118b6b30a04ec3ee8310179fa \
    --hash=sha256:f864054d66fd9118f2e67044ac8981a54775ec5b67aed0441892edb553d21da5
    # via requests
idna==2.10 \
    --hash=sha256:b307872f855b18632ce0c21c5e45be78c0ea7ae4c15c828c20788b26921eb3f6 \
    --hash=sha256:b97d804b1e9b523befed77c48dacec60e6dcb0b5391d57af6a65a312a90648c0
    # via requests
requests==2.25.1 \
    --hash=sha256:27973dd4a904a4f13b263a19c866c13b92a39ed1c964655f025f3f8d3d75b804 \
    --hash=sha256:c210084e36a42ae6b9219e00e48287def368a26d03a048ddad7bfee44f75871e
    # via -r requirements.in
urllib3==1.26.5 \
    --hash=sha256:753a0374df26658f99d826cfe40394a686d05985786d946fbe4165b5148f5a7c \
    --hash=sha256:a7acd0977125325f516bda9735fa7142b909a8d01e8b2e4c8108d0984e6e0098
    # via requests

This seems to make cyclonedx-python crash:

$ cyclonedx-py -i requirements.txt
Input file: requirements.txt
Output BOM: bom.xml
JSON output: False
Package info url: https://pypi.org/pypi/{package_name}/{package_version}/json
Generating CycloneDX BOM
Traceback (most recent call last):
  File "/usr/local/bin/cyclonedx-py", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.8/dist-packages/cyclonedx/client.py", line 83, in main
    bom_contents = generate_bom(args)
  File "/usr/local/lib/python3.8/dist-packages/cyclonedx/client.py", line 59, in generate_bom
    bom_contents = reader.read_bom(fd, args.package_info_url, args.json)
  File "/usr/local/lib/python3.8/dist-packages/cyclonedx/bom/reader.py", line 23, in read_bom
    for component in all_components:
  File "/usr/local/lib/python3.8/dist-packages/cyclonedx/bom/reader.py", line 18, in <genexpr>
    all_components = (get_component(req, package_info_url) for req in requirements.parse(fd))
  File "/usr/local/lib/python3.8/dist-packages/requirements/parser.py", line 50, in parse
    yield Requirement.parse(line)
  File "/usr/local/lib/python3.8/dist-packages/requirements/requirement.py", line 220, in parse
    return cls.parse_line(line)
  File "/usr/local/lib/python3.8/dist-packages/requirements/requirement.py", line 198, in parse_line
    pkg_req = Req.parse(line)
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 3150, in parse
    req, = parse_requirements(s)
ValueError: not enough values to unpack (expected 1, got 0)

[mgrajesh1]

Looks like above issue has been raised below with requirements-parser

madpah/requirements-parser#51

[madpah]

Raised new issue in cyclonedx-python-lib to track this request: CycloneDX/cyclonedx-python-lib#8

[madpah]

See madpah/requirements-parser#51

[jkowalleck]

generally speaking: the project is about the actually used python packages, not parsing lockfiles.
so as long as the result of pip freeze is parsed properly, everything is fine.

additional formats that pip understands or pip-tools produce are nice to have.

personal speaking: BUT YOU ARE HOLDING IT WRONG. readme clearly states ow a requirements-file should be generated - see https://github.com/CycloneDX/cyclonedx-python#requirements

[jkowalleck]

see #319
for discussion.