feat(python): add line number support for requirement.txt files (#6729

)
aquasecurity · May 20, 2024 · 2bc54ad · 2bc54ad
1 parent b526e73
commit 2bc54ad
Show file tree

Hide file tree

Showing 6 changed files with 344 additions and 48 deletions.
diff --git a/docs/docs/coverage/language/python.md b/docs/docs/coverage/language/python.md
@@ -23,9 +23,9 @@ The following table provides an outline of the features Trivy offers.
 
 | Package manager | File             | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position |
 |-----------------|------------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:|
-| pip             | requirements.txt |            -            |     Include      |                  -                   |    -     |
+| pip             | requirements.txt |            -            |     Include      |                  -                   |    ✓     |
 | Pipenv          | Pipfile.lock     |            ✓            |     Include      |                  -                   |    ✓     |
-| Poetry          | poetry.lock      |            ✓            |     Exclude      |                  ✓                   |          |
+| Poetry          | poetry.lock      |            ✓            |     Exclude      |                  ✓                   |    -     |
 
 
 | Packaging | Dependency graph |

diff --git a/integration/testdata/pip.json.golden b/integration/testdata/pip.json.golden
@@ -25,64 +25,106 @@
           "Name": "Flask",
           "Identifier": {
             "PURL": "pkg:pypi/flask@2.0.0",
-            "UID": "301ccf5fd90d6082"
+            "UID": "8b02ba2c070d72c6"
           },
           "Version": "2.0.0",
-          "Layer": {}
+          "Layer": {},
+          "Locations": [
+            {
+              "StartLine": 2,
+              "EndLine": 2
+            }
+          ]
         },
         {
           "Name": "Jinja2",
           "Identifier": {
             "PURL": "pkg:pypi/jinja2@3.0.0",
-            "UID": "212193e1595e68cc"
+            "UID": "476df0c1e49c8f99"
           },
           "Version": "3.0.0",
-          "Layer": {}
+          "Layer": {},
+          "Locations": [
+            {
+              "StartLine": 4,
+              "EndLine": 4
+            }
+          ]
         },
         {
           "Name": "Werkzeug",
           "Identifier": {
             "PURL": "pkg:pypi/werkzeug@0.11",
-            "UID": "56b919b561299a48"
+            "UID": "4163de19df046f49"
           },
           "Version": "0.11",
-          "Layer": {}
+          "Layer": {},
+          "Locations": [
+            {
+              "StartLine": 6,
+              "EndLine": 6
+            }
+          ]
         },
         {
           "Name": "click",
           "Identifier": {
             "PURL": "pkg:pypi/click@8.0.0",
-            "UID": "d58cb56b4e8b1ffd"
+            "UID": "71e4c8ef31456bf"
           },
           "Version": "8.0.0",
-          "Layer": {}
+          "Layer": {},
+          "Locations": [
+            {
+              "StartLine": 1,
+              "EndLine": 1
+            }
+          ]
         },
         {
           "Name": "itsdangerous",
           "Identifier": {
             "PURL": "pkg:pypi/itsdangerous@2.0.0",
-            "UID": "9bf39d440e409733"
+            "UID": "389c7cbc34cb6b32"
           },
           "Version": "2.0.0",
-          "Layer": {}
+          "Layer": {},
+          "Locations": [
+            {
+              "StartLine": 3,
+              "EndLine": 3
+            }
+          ]
         },
         {
           "Name": "oauth2-client",
           "Identifier": {
             "PURL": "pkg:pypi/oauth2-client@4.0.0",
-            "UID": "ffc67df5ef686f77"
+            "UID": "c63f60db796a16ed"
           },
           "Version": "4.0.0",
-          "Layer": {}
+          "Layer": {},
+          "Locations": [
+            {
+              "StartLine": 7,
+              "EndLine": 7
+            }
+          ]
         },
         {
           "Name": "python-gitlab",
           "Identifier": {
             "PURL": "pkg:pypi/python-gitlab@2.0.0",
-            "UID": "f9cbb9736717c4d4"
+            "UID": "ccad39abab737d13"
           },
           "Version": "2.0.0",
-          "Layer": {}
+          "Layer": {},
+          "Locations": [
+            {
+              "StartLine": 8,
+              "EndLine": 8
+            }
+          ]
         }
       ],
       "Vulnerabilities": [
@@ -91,7 +133,7 @@
           "PkgName": "Werkzeug",
           "PkgIdentifier": {
             "PURL": "pkg:pypi/werkzeug@0.11",
-            "UID": "56b919b561299a48"
+            "UID": "4163de19df046f49"
           },
           "InstalledVersion": "0.11",
           "FixedVersion": "0.15.3",
@@ -148,7 +190,7 @@
           "PkgName": "Werkzeug",
           "PkgIdentifier": {
             "PURL": "pkg:pypi/werkzeug@0.11",
-            "UID": "56b919b561299a48"
+            "UID": "4163de19df046f49"
           },
           "InstalledVersion": "0.11",
           "FixedVersion": "0.11.6",

diff --git a/pkg/dependency/parser/python/pip/parse.go b/pkg/dependency/parser/python/pip/parse.go
@@ -37,7 +37,9 @@ func (p *Parser) Parse(r xio.ReadSeekerAt) ([]ftypes.Package, []ftypes.Dependenc
 
 	scanner := bufio.NewScanner(decodedReader)
 	var pkgs []ftypes.Package
+	var lineNumber int
 	for scanner.Scan() {
+		lineNumber++
 		line := scanner.Text()
 		line = strings.ReplaceAll(line, " ", "")
 		line = strings.ReplaceAll(line, `\`, "")
@@ -52,6 +54,12 @@ func (p *Parser) Parse(r xio.ReadSeekerAt) ([]ftypes.Package, []ftypes.Dependenc
 		pkgs = append(pkgs, ftypes.Package{
 			Name:    s[0],
 			Version: s[1],
+			Locations: []ftypes.Location{
+				{
+					StartLine: lineNumber,
+					EndLine:   lineNumber,
+				},
+			},
 		})
 	}
 	if err := scanner.Err(); err != nil {