[Issue/Question] Support against a requirements.txt file that contains specific version pins

[karmingc]

Hi!

We are currently using pip-tools, which automatically pins every dependency against the version we specify in our requirements.in file. As such, whenever we run guarddog verify requirements.txt, it will result in a 404.

Is there any way to support this? I could write a script does a bit of regex but would like some support from the maintainers if possible.

To reproduce.

1. install pip-tools
2. create a requirements.in, and add requests, guarddog, etc...
3. run pip-compile

# requirements.txt
...
requests==2.28.1
    # via
    #   via -r requirements.in
...

5. run guarddog verify requirements.txt
6. Result in Received status code: 404 from PyPI

[christophetd]

Thanks for reporting! We're using pkg_resources.parse_requirements so I would definitely expect this to work

https://github.com/DataDog/guarddog/blob/main/guarddog/scanners/package_scanner.py#L151

[karmingc]

ah! without too much detail, it seems like the issue might be with the guarddog package given that it's pulled from github...

1. add guarddog in requirements.in
2. pip-compile
   results in

...
guarddog @ git+https://github.com/DataDog/guarddog.git
    # via -r requirements.in
...

4. returns 404

If I remove guarddog dependency line from requirements.txt, everything works as expected

[karmingc]

@christophetd i'm going to close this issue since my intention is to inject this part of the CI/CD pipeline and not necessarily have it part of the development environment. Feel free to reopen if ever this needs to be addressed. Thank you for your team's work as well!