Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SBOM generation is missing a few Python packages listed in the requirements.txt file #2874

Open
gobiltd opened this issue May 16, 2024 · 1 comment
Open

SBOM generation is missing a few Python packages listed in the requirements.txt file #2874

gobiltd opened this issue May 16, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@gobiltd
Copy link

gobiltd commented May 16, 2024

What happened:

SBOM generated for python is missing few packages listed in the requirements.txt file

What you expected to happen:

SBOM should list all packages mentioned in the requirements.txt file

Steps to reproduce the issue:

  1. Create requirements.txt with below content and run the syft scan for generate SBOM.
PySocks==1.7.1
coloredlogs>=7.3.1
click>=7.0
verboselogs>=1.7
dateparser>=0.7.0

urllib3==1.26.17
requests==2.25.1
retrying==1.3.3
strk-identity-auth==2.49
nwauto-python-commons==0.1.93
flask==2.0.3


wheel>=0.38.1

nose>=1.0
pytz>=2016.10
pytest==3.0.1
computec>=1.0.169
Werkzeug==2.2.2

  1. Run the Syft

    /usr/local/bin/syft /scratch/app/gobgovin/jars/python-requirements/ -o syft-json=syft_python_bom_test.json
    ✔ Indexed file system /scratch/app/gobgovin/jars/python-requirements
    ✔ Cataloged contents beb33833a4b4aaabf7dde249b8713668b3b495f08e9619455f643cabe6be8c42
    ├── ✔ Packages [9 packages]
    └── ✔ Executables [0 executables]

Identified only 9 packages, 7 packages are missing.
ex : verboselog:1.7, dateparser:0.7.0, etc (These are some of missing packages to identify by sfyt)

Anything else we need to know?:
Syft is parsing only {package-name}=={version} format only, remaining all other formats are not parsing and listing in SBOM from requirements.txt . (ex: {package-name}>={version})
Please refer page, few other formats also supported by python requirements.txt file - https://packaging.python.org/en/latest/specifications/version-specifiers/#version-specifiers

Environment:

  • Output of syft version:
    Application: syft
    Version: 1.4.1
    BuildDate: 2024-05-09T19:45:46Z
    GitCommit: c200896
    GitDescription: v1.4.1
    Platform: linux/amd64
    GoVersion: go1.21.9
    Compiler: gc

  • OS (e.g: cat /etc/os-release or similar):
    NAME="Oracle Linux Server"
    VERSION="7.9"
@gobiltd gobiltd added the bug Something isn't working label May 16, 2024
@gliptak
Copy link

gliptak commented Jun 10, 2024

https://github.com/anchore/syft/blob/main/syft/pkg/cataloger/python/parse_requirements.go#L198 specifically drops ranges

@gliptak gliptak mentioned this issue Jun 10, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
OSS
Status: No status
Milestone
No milestone
Development

No branches or pull requests
2 participants
@gliptak @gobiltd