
Python pip dependency information #2023

Open · Tracked by #1562

prosunjitbiswas opened this issue Aug 12, 2023 · 3 comments
Labels
ecosystem:python related to the python ecosystem enhancement New feature or request

Comments

@prosunjitbiswas

I am generating an SBOM using the syft packages dir: command. Given the presence of a package manager file (e.g. requirements.txt), I see syft reports both direct & transitive dependencies in the generated SBOM.

Given that, is there a way to differentiate between direct and transitive dependencies in the SBOM generated by syft?

@prosunjitbiswas prosunjitbiswas changed the title Direct & Transitive dependency Question: differentiating direct & transitive dependency in SBOM Aug 12, 2023
kzantow (Contributor) commented Aug 14, 2023

I do not believe the requirements.txt has information separating direct and transitive dependencies. Without this information being conveyed in the file somehow, Syft can only treat the entries as a flat list today. If there is a tool that could provide this information, it's possible in the future Syft will be able to shell out to something in order to enhance the SBOM that is created. It looks like the pipdeptree package might be able to do this; it would be nice if pip could do it directly.
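The comment above makes two points a practitioner can act on: requirements.txt is a flat list, and a tool such as pipdeptree (which reads the installed environment) carries the parent/child edges that the file lacks. The script below is an added example, not Syft or pipdeptree code, showing how to join the two: it parses a constructed requirements.txt, loads a constructed JSON blob shaped like `pipdeptree --json` output (the exact field set and the versions in it are assumptions for this example), marks each requirement as direct or transitive, and emits a CycloneDX-style dependencies list that could be used to enrich an SBOM. All sample input is embedded inline so it runs offline.

```python
"""Mark requirements.txt entries as direct or transitive using a pipdeptree-style graph.

Added example (not Syft's or pipdeptree's code). Assumptions: pipdeptree --json
yields a list of {"package": {"key": ...}, "dependencies": [{"key": ...}, ...]};
all versions below are made up for the example.
"""
import json
import re

# Constructed sample in the shape of `pipdeptree --json` output.
PIPDEPTREE_JSON = json.dumps([
    {"package": {"key": "requests", "installed_version": "2.31.0"},
     "dependencies": [{"key": "charset-normalizer"}, {"key": "idna"},
                      {"key": "urllib3"}, {"key": "certifi"}]},
    {"package": {"key": "charset-normalizer", "installed_version": "3.3.2"}, "dependencies": []},
    {"package": {"key": "idna", "installed_version": "3.6"}, "dependencies": []},
    {"package": {"key": "urllib3", "installed_version": "2.2.1"}, "dependencies": []},
    {"package": {"key": "certifi", "installed_version": "2024.2.2"}, "dependencies": []},
    {"package": {"key": "pyyaml", "installed_version": "6.0.1"}, "dependencies": []},
    # present in the environment but not in requirements.txt; must be ignored
    {"package": {"key": "pip", "installed_version": "24.0"}, "dependencies": []},
])

# Constructed `pip freeze` style file: flat, with no parent/child information.
REQUIREMENTS_TXT = """\
-i https://pypi.org/simple
certifi==2024.2.2
charset_normalizer==3.3.2   # underscore spelling; normalizes to charset-normalizer
idna==3.6
requests[socks]==2.31.0 ; python_version >= "3.8"
urllib3==2.2.1
PyYAML==6.0.1
"""

_REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*)$")


def normalize(name: str) -> str:
    """PEP 503 normalization so 'PyYAML', 'pyyaml' and 'charset_normalizer' match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> dict:
    """Return {normalized_name: version_spec} for the requirement lines in text.

    Skips blank lines, comments and pip options (-r, -i, --index-url, ...),
    and strips extras ('[socks]') and environment markers ('; ...').
    """
    reqs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        line = line.split(";", 1)[0].strip()
        m = _REQ_LINE.match(line)
        if not m:
            raise ValueError(f"unparsable requirement: {raw!r}")
        reqs[normalize(m.group(1))] = m.group(3).strip()
    return reqs


def build_graph(pipdeptree_json: str) -> dict:
    """Return {package: set(packages it directly requires)} from pipdeptree JSON."""
    graph = {}
    for entry in json.loads(pipdeptree_json):
        pkg = normalize(entry["package"]["key"])
        graph[pkg] = {normalize(d["key"]) for d in entry.get("dependencies", [])}
    return graph


def classify(requirements: dict, graph: dict) -> tuple:
    """Split requirements into direct and transitive entries.

    A requirement is transitive if some *other* requirement depends on it,
    otherwise direct. Only requirements.txt entries count as parents, so
    packages installed in the environment but absent from the file are ignored.
    Returns (sorted direct names, {transitive name: sorted parent names}).
    """
    names = set(requirements)
    parents = {n: set() for n in names}
    for pkg, deps in graph.items():
        if pkg not in names:
            continue
        for dep in deps & names:
            if dep != pkg:
                parents[dep].add(pkg)
    direct = sorted(n for n in names if not parents[n])
    transitive = {n: sorted(parents[n]) for n in names if parents[n]}
    return direct, transitive


def dependency_section(requirements: dict, graph: dict) -> list:
    """CycloneDX-style 'dependencies' entries, restricted to requirements.txt names."""
    names = set(requirements)
    return [{"ref": n, "dependsOn": sorted(graph.get(n, set()) & names)}
            for n in sorted(names)]


if __name__ == "__main__":
    reqs = parse_requirements(REQUIREMENTS_TXT)
    g = build_graph(PIPDEPTREE_JSON)
    direct, transitive = classify(reqs, g)
    print("direct:", direct)
    for name, via in transitive.items():
        print(f"transitive: {name} (required by {', '.join(via)})")
    print(json.dumps(dependency_section(reqs, g), indent=2))
```

Two caveats apply when using this against a real project. First, pipdeptree describes whatever is installed, so run it in the same environment the requirements file was frozen from, or the edges will not match the pins. Second, a flat file cannot express that a package is both explicitly pinned and pulled in by something else; the classification above calls such a package transitive, and two packages that only require each other (a cycle with no outside parent) are also reported as transitive, so treat "direct" here as "no other listed requirement depends on it" rather than as a statement of developer intent.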

kzantow (Contributor) commented Aug 14, 2023

FYI -- we have an open epic to add this information where we can: #1562

kzantow (Contributor) commented Aug 14, 2023

I'll use this question as a placeholder for getting pip dependency info.

@kzantow kzantow changed the title Question: differentiating direct & transitive dependency in SBOM Python pip dependency information Aug 14, 2023