cmoyamoradas changed the title from "A transitive dependency is not being identify when publishing the build info for a Python project" to "A transitive dependency is not being identified when publishing the build info for a Python project" on Sep 13, 2024
Describe the bug
In short, it is a Python project (https://github.com/akawork/jenkins-exporter) that resolves 6 dependencies during the packaging phase, but when publishing the build-info in Artifactory using the JFrog CLI, there is one dependency that is missing (certifi-2024.8.30) in the build-info JSON object. Instead, requests-2.21.0, which is one of the direct dependencies for the project, is appearing twice.
Current behavior
The build-info object doesn't reflect the transitive dependency certifi-2024-8-30. Instead, the requests-2.21.0 dependency (for which the certifi dependency is transitive) appears twice:
```json
{
  "type": "python",
  "id": "jenkins-exporter:1.0",
  "dependencies": [
    {
      "sha1": "6a578028eeb178e16c3f6796420a08825ac33552",
      "sha256": "1b38b958750f66f208bcd9ab92a633c0c994d8859c831f7abc1f46724fcee490",
      "md5": "07f3a06d16f8d52f5a70220b8e0cb3b2",
      "id": "prometheus_client-0.6.0.tar.gz"
    },
    {
      "sha1": "25e1a4ffa07f36024e3a5722a170f254c3d4d245",
      "sha256": "7bf2a778576d825600030a110f3c0e3e8edc51dfaafe1c146e39a2027784957b",
      "md5": "ed3af234ffcad0b3c1e521e1dfde19be",
      "id": "requests-2.21.0-py2.py3-none-any.whl"
    },
    {
      "sha1": "25e1a4ffa07f36024e3a5722a170f254c3d4d245",
      "sha256": "7bf2a778576d825600030a110f3c0e3e8edc51dfaafe1c146e39a2027784957b",
      "md5": "ed3af234ffcad0b3c1e521e1dfde19be",
      "id": "requests-2.21.0-py2.py3-none-any.whl"
    },
    {
      "sha1": "96faab7de7e9a71b37f22adb64daf2898e967e3e",
      "sha256": "fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691",
      "md5": "0004b00caff7bb543a1d0d0bd0185a03",
      "id": "chardet-3.0.4-py2.py3-none-any.whl"
    },
    {
      "sha1": "428950b762f04cb88c215188c4b60b2d8def8ecd",
      "sha256": "ea8b7f6188e6fa117537c3df7da9fc686d485087abf6ac197f9c46432f7e4a3c",
      "md5": "61392a071e4a3b0f84cd6d71f94f15cc",
      "id": "idna-2.8-py2.py3-none-any.whl"
    },
    {
      "sha1": "100c48475b7db006881b14cbc3b1861ceffe5a3c",
      "sha256": "a637e5fae88995b256e3409dc4d52c2e2e0ba32c42a6365fee8bbd2238de3cfb",
      "md5": "cc3c42f7be135658be6d026d42503bd1",
      "id": "urllib3-1.24.3-py2.py3-none-any.whl"
    }
  ]
}
```
Reproduction steps
After cloning the project, this is the list of tasks I'm running:
```bash
#!/bin/bash
echo 'Configuring jf pip'
jf pip-config --repo-resolve=carlosmm-pypi-virtual &&
echo 'Installing'
jf pip install -r requirements.txt --build-name=jenkins-exporter --build-number=$1 --no-cache-dir --force-reinstall --trusted-host main.jfrog.local &&
echo 'Building'
python setup.py sdist bdist_wheel
echo 'Uploading'
jf rt u dist/ carlosmm-pypi-virtual/ --build-name=jenkins-exporter --build-number=$1 &&
echo 'Environment info'
jf rt bce jenkins-exporter $1 &&
echo 'Git info'
jf rt bag jenkins-exporter $1 &&
echo 'Publishing build info'
jf rt bp jenkins-exporter $1
```
Expected behavior
The transitive dependency certifi-2024.8.20 should be listed in the build-info JSON object and the requests-2.21.0 direct dependency should appear just once.
JFrog CLI version
2.67.0
Operating system type and version
Apple M1 Max - Sonoma 14.6.1
JFrog Artifactory version
7.84.12
JFrog Xray version
3.98.5
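A check a pipeline could run on the build-info before relying on it for scanning, added here as an example (not part of the original report and not JFrog CLI code): it compares a module's dependency list with the pinned set pip resolved and flags duplicated and missing entries. The sample module uses placeholder digests, the `pip freeze` text is an assumption, and all function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample shaped like the module in the report: placeholder digests,
# not the real hashes; the requests wheel is recorded twice, certifi is absent.
SAMPLE_MODULE = {"id": "jenkins-exporter:1.0", "dependencies": [
    {"id": "prometheus_client-0.6.0.tar.gz", "sha256": "aa01"},
    {"id": "requests-2.21.0-py2.py3-none-any.whl", "sha256": "bb02"},
    {"id": "requests-2.21.0-py2.py3-none-any.whl", "sha256": "bb02"},
    {"id": "chardet-3.0.4-py2.py3-none-any.whl", "sha256": "cc03"},
    {"id": "idna-2.8-py2.py3-none-any.whl", "sha256": "dd04"},
    {"id": "urllib3-1.24.3-py2.py3-none-any.whl", "sha256": "ee05"},
]}
# Assumption: `pip freeze` output for the six packages the install resolved.
SAMPLE_FREEZE = """certifi==2024.8.30
chardet==3.0.4
idna==2.8
prometheus_client==0.6.0
requests==2.21.0
urllib3==1.24.3
"""

def canonical(name):
    """PEP 503 normalisation, so prometheus_client equals prometheus-client."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_artifact_id(artifact_id):
    """Map a wheel or sdist file name to (canonical name, version)."""
    if artifact_id.endswith(".whl"):
        name, version = artifact_id[:-4].split("-")[:2]
    else:
        stem = re.sub(r"\.(tar\.gz|tar\.bz2|zip)$", "", artifact_id)
        name, version = stem.rsplit("-", 1)
    return canonical(name), version

def parse_freeze(text):
    """Parse name==version lines into a set of (canonical name, version)."""
    pairs = (ln.strip().split("==", 1) for ln in text.splitlines() if "==" in ln)
    return {(canonical(n), v) for n, v in pairs}

def audit_module(module, freeze_text):
    """Report duplicate, missing and unexpected dependencies for one module."""
    deps = module.get("dependencies", [])
    seen = Counter(d["sha256"] for d in deps)
    recorded = {parse_artifact_id(d["id"]) for d in deps}
    expected = parse_freeze(freeze_text)
    return {"duplicates": sorted({d["id"] for d in deps if seen[d["sha256"]] > 1}),
            "missing": sorted(expected - recorded),
            "unexpected": sorted(recorded - expected)}
```

Calling `audit_module(SAMPLE_MODULE, SAMPLE_FREEZE)` returns the three lists; a non-empty `missing` list means a component that was installed would not be visible to anything that consumes the build-info.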