
Crashes on requirements with latest (without version) packages #235

Closed
L4zyF1ng3r opened this issue Sep 20, 2021 · 2 comments · Fixed by #236
Assignees
Labels
enhancement New feature or request

Comments

@L4zyF1ng3r

Hi everybody.
Found the problem, my requirements.txt has packages with no version specified.
When executing the command:

cyclonedx-py -r -rf requirements.txt -o bom.xml 

I have an error:

Traceback (most recent call last):
  File "/usr/local/bin/cyclonedx-py", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.9/site-packages/cyclonedx_py/client.py", line 152, in main
    CycloneDxCmd().execute()
  File "/usr/local/lib/python3.9/site-packages/cyclonedx_py/client.py", line 63, in execute
    output = self.get_output()
  File "/usr/local/lib/python3.9/site-packages/cyclonedx_py/client.py", line 55, in get_output
    bom=Bom.from_parser(self._get_input_parser()),
  File "/usr/local/lib/python3.9/site-packages/cyclonedx_py/client.py", line 139, in _get_input_parser
    return RequirementsFileParser(requirements_file=self._arguments.input_requirements_file)
  File "/usr/local/lib/python3.9/site-packages/cyclonedx/parser/requirements.py", line 51, in __init__
    super(RequirementsFileParser, self).__init__(requirements_content=r.read())
  File "/usr/local/lib/python3.9/site-packages/cyclonedx/parser/requirements.py", line 41, in __init__
    (op, version) = requirement.specs[0]
IndexError: list index out of range 

If I remove packages without versions, the process goes without errors.

pip3 list | grep cyclonedx
cyclonedx-bom        1.0.2
cyclonedx-python-lib 0.4.0
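
The traceback above fails at `(op, version) = requirement.specs[0]`, which assumes every requirement carries at least one version specifier. The following is an added example, not code from cyclonedx-bom or cyclonedx-python-lib: a small stdlib-only requirements.txt parser that treats an empty specifier list as a reportable condition (the package cannot be given a version in the SBOM) instead of raising IndexError. The sample file contents, the class and function names, and the decision to count only exact `==`/`===` pins as usable versions are assumptions made for this example; lines such as `-r other.txt` or `-e .` are outside its scope and are rejected explicitly.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input (not the reporter's file): one exact pin,
# one range, one bare name, one compatible-release pin with a comment.
SAMPLE_REQUIREMENTS = """\
# constructed example requirements.txt
requests==2.26.0
flask>=2.0,<3
numpy
six ~= 1.16  # trailing comment
"""

# Specifier operators from PEP 440; longer operators listed first so the
# alternation does not match "==" inside "===" or "<" inside "<=".
_SPEC_RE = re.compile(r"(===|==|~=|!=|<=|>=|<|>)\s*([^,\s]+)")

# Project name, optional extras in brackets, then the rest of the line.
_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(.*)$")


@dataclass
class ParsedRequirement:
    name: str
    specs: List[Tuple[str, str]]  # (operator, version) pairs, may be empty

    @property
    def pinned_version(self) -> Optional[str]:
        # Only an exact pin identifies a single version an SBOM component
        # can carry; ranges such as ">=2.0,<3" or "~=1.16" do not.
        for op, version in self.specs:
            if op in ("==", "==="):
                return version
        return None


def parse_requirement_line(line: str) -> Optional[ParsedRequirement]:
    """Parse one requirements.txt line; None for blank/comment lines."""
    line = line.split("#", 1)[0].strip()  # drop inline comments
    if not line:
        return None
    m = _NAME_RE.match(line)
    if not m:
        # Options (-r, -e, --hash ...) and malformed lines are not handled here.
        raise ValueError(f"unsupported requirement line: {line!r}")
    name, rest = m.group(1), m.group(2)
    # findall returns [] for a bare name; callers must not index it blindly.
    specs = _SPEC_RE.findall(rest)
    return ParsedRequirement(name=name, specs=specs)


def parse_requirements(content: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (pinned name -> version, names lacking an exact pin)."""
    pinned: Dict[str, str] = {}
    unpinned: List[str] = []
    for raw in content.splitlines():
        req = parse_requirement_line(raw)
        if req is None:
            continue
        version = req.pinned_version
        if version is None:
            unpinned.append(req.name)  # report instead of crashing
        else:
            pinned[req.name] = version
    return pinned, unpinned


if __name__ == "__main__":
    pinned, unpinned = parse_requirements(SAMPLE_REQUIREMENTS)
    for name, version in pinned.items():
        print(f"component {name} version {version}")
    if unpinned:
        print("no exact version available for:", ", ".join(unpinned))
```

Separating the unpinned names out lets a tool decide its own policy (fail the run, warn, or fall back to the installed environment, which is what the `-e` mode suggested in the thread does) rather than stopping on an IndexError partway through the file.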
@madpah
Collaborator

madpah commented Sep 27, 2021

Hi @L4zyF1ng3r,

Thanks for reporting an issue.

This project is not intended to be able to generate a CycloneDX from a requirements file that does not contain pinned versions.

Under the current (version 1.3) CycloneDX schema, a version must be present for a Component in an SBOM (see https://cyclonedx.org/docs/1.3/#type_component).

Perhaps you may be better served by running cyclonedx-py in environment mode (-e flag) which will generate a CycloneDX from the exact packages and versions you currently have installed in your environment?

@madpah madpah self-assigned this Sep 27, 2021
@madpah madpah transferred this issue from CycloneDX/cyclonedx-python Sep 27, 2021
@madpah madpah transferred this issue from CycloneDX/cyclonedx-python-lib Sep 27, 2021
@madpah madpah added the enhancement New feature or request label Sep 27, 2021
@madpah
Collaborator

madpah commented Sep 27, 2021

@L4zyF1ng3r - version 1.0.5 adds better support for handling requirements.txt which do not include versions :-)
