Improve resolution of Python / PIP dependencies #4637

Closed
10 tasks done
sschuberth opened this issue Oct 28, 2021 · 12 comments
Assignees
Labels
analyzer About the analyzer tool enhancement Issues that are considered to be enhancements epic A "parent" issue that refers to multiple other issues

Comments

@sschuberth
Member

sschuberth commented Oct 28, 2021

ORT's analyzer has various problems with resolving Python / PIP dependencies

@sschuberth sschuberth added enhancement Issues that are considered to be enhancements analyzer About the analyzer tool epic A "parent" issue that refers to multiple other issues labels Oct 28, 2021
@sschuberth
Member Author

Possible solutions to the above include @pombredanne's proposal for an ACT-funded "Project-Multi Python-version dependencies resolver", or leveraging / extending existing tools like https://github.com/ddelange/pipgrip.

@sschuberth
Member Author

or leveraging / extending existing tools like https://github.com/ddelange/pipgrip.

See in particular ddelange/pipgrip#40.

@sschuberth
Member Author

Also maybe worth a look as a helper tool is https://github.com/trailofbits/it-depends which claims to

Finds native dependencies for high level languages like Python

@pombredanne
Contributor

@sschuberth
Member Author

@sschuberth
Member Author

We could also take a deeper look at component-detection's approach for PIP.

@sschuberth
Member Author

sschuberth commented Apr 11, 2022

Some interesting insights on the general topic from a Python maintainer, and a possible solution.

@sschuberth
Member Author

@pombredanne
Contributor

@sschuberth FWIW, ScanCode does parse requirements files, setup.py, setup.cfg, pyproject.toml, Pipfile and Pipfile.lock and a few more, and has what is likely the best requirements parser around, https://github.com/nexB/pip-requirements-parser, which is also used in CycloneDX. You can see the code in action in https://github.com/nexB/scancode-toolkit/blob/syspacfiles/src/packagedcode/pypi.py
We also parse various Python metadata files and detect packages in various installed, archive and extracted layouts. We maintain https://github.com/nexB/dparse2 and https://github.com/nexB/pkginfo2 for additional manifest formats and https://github.com/nexB/univers to parse all versions including all Python package versions. We also built utilities to resolve, collect and download actual package archives based on these. And we are continuously adding support for new formats as they come.

@sschuberth
Member Author

ScanCode does parse requirements files, setup.py, setup.cfg, pyproject.toml, Pipfile and Pipfile.lock and a few more

Can you clarify on what "parse" means here exactly? I assume in the context of ScanCode only declared license data is parsed, but not declared direct and implied transitive dependencies, incl. resolution of version ranges to concrete versions. Correct?

@pombredanne
Contributor

pombredanne commented Apr 12, 2022

Can you clarify on what "parse" means here exactly? I assume in the context of ScanCode only declared license data is parsed, but not declared direct and implied transitive dependencies, incl. resolution of version ranges to concrete versions. Correct?

By parse I mean collecting the data as they are and found locally without making any network call, e.g. this means:

  • parsing and normalizing actual package manifests (and of course all the declared data there such as licenses)
  • extracting direct dependencies constraints from manifests,
  • extracting resolved dependency versions from lockfiles,
  • collecting any extra data available from lockfiles (some formats have more data in their lockfiles, like newer npm lockfiles or PHP composer may contain declared license info).

This does not mean resolving dependencies and getting extra data for these dependencies yet: for Python and PyPI proper that's been the essence of the proposal I had put forward to the ACT project.

Now this will eventually happen as all parts are mostly in place now:

  • ScanCode collects all the explicit dependencies
  • Univers knows how to parse and make sense of most package versions, version constraints and version ranges and how to resolve and evaluate version constraints to concrete versions given ranges.
  • VulnerableCode and FetchCode both know how to get the list of versions for a package by querying upstream registries APIs.
  • FetchCode knows how to fetch actual package metadata from these APIs and also fetch the code.

The last step will be to bring these together: as it is, this could already be used to resolve transitive dependencies using a simple strategy such as getting the latest version. It would later benefit from adding extra version resolvers to emulate the behaviour of package managers such as the pip solver (this was the ACT proposal), the pubgrub solver, the maven solver, etc.
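
The two halves described in the comment above, collecting declared constraints from a manifest locally without any network call, and then resolving them to concrete versions with the "simple strategy such as getting the latest version", as an added walk-through. This is example code written for this page, not code from ORT, ScanCode, Univers, FetchCode or python-inspector; the package index, the package names and the requirements file are constructed for the example, and the specifier grammar is a deliberate subset of PEP 440/508 (no extras, markers, pre-releases or URL requirements).

```python
"""Toy 'parse locally, then resolve' walk-through (added example; not ORT,
ScanCode or python-inspector code). Step 1 parses requirements.txt-style
lines without touching the network; step 2 resolves every constraint to a
concrete version with a 'latest matching version' strategy over an
in-memory index that stands in for a registry."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample index: package -> {version: [that version's own
# dependency requirement strings]}. All names and versions are made up.
SAMPLE_INDEX: Dict[str, Dict[str, List[str]]] = {
    "webapp-lib": {
        "1.0.0": ["httpkit>=2.0,<3.0"],
        "1.2.0": ["httpkit>=2.1,<3.0", "jsonutil~=0.4.1"],
        "2.0.0": ["httpkit>=3.0"],
    },
    "httpkit": {"2.0.5": [], "2.1.0": [], "2.4.3": [], "3.0.0": []},
    "jsonutil": {"0.4.0": [], "0.4.2": [], "0.5.0": []},
}

# Constructed requirements file: one version range, one exclusion.
SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt
webapp-lib>=1.0,<2.0   # stay on the 1.x line
httpkit!=2.4.3
"""

_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")
_SPEC_RE = re.compile(r"^(~=|==|!=|<=|>=|<|>)\s*(\d[\d.]*(?:\.\*)?)$")


def parse_requirements(text: str) -> List[Tuple[str, List[str]]]:
    """Parse requirement lines into (normalized name, [specifier, ...]).
    Comments, blank lines and pip options (-r, --index-url, ...) are skipped."""
    parsed = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line or line.startswith("-"):
            continue
        match = _REQ_RE.match(line)
        if not match:
            raise ValueError(f"unparseable requirement: {raw!r}")
        name, spec_text = match.group(1).lower(), match.group(2)
        parsed.append((name, [s.strip() for s in spec_text.split(",") if s.strip()]))
    return parsed


def _release(version: str) -> Tuple[int, ...]:
    """Numeric release segments only; pre-release and local tags are out of scope."""
    return tuple(int(part) for part in version.split("."))


def _padded(a: Tuple[int, ...], b: Tuple[int, ...]):
    """Right-pad with zeros so that 1.0 and 1.0.0 compare equal, as in PEP 440."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)), b + (0,) * (width - len(b))


def satisfies(version: str, spec: str) -> bool:
    """Evaluate one PEP 440-style specifier against a concrete version."""
    match = _SPEC_RE.match(spec)
    if not match:
        raise ValueError(f"unsupported specifier: {spec!r}")
    op, target = match.groups()
    if op == "~=":                      # compatible release: ~=0.4.1 means >=0.4.1,==0.4.*
        parts = target.split(".")
        if len(parts) < 2 or target.endswith(".*"):
            raise ValueError(f"invalid compatible-release specifier: {spec!r}")
        prefix = ".".join(parts[:-1]) + ".*"
        return satisfies(version, f">={target}") and satisfies(version, f"=={prefix}")
    if target.endswith(".*"):           # prefix match, only meaningful with == / !=
        if op not in ("==", "!="):
            raise ValueError(f"prefix match needs == or !=: {spec!r}")
        prefix_rel = _release(target[:-2])
        hit = _release(version)[: len(prefix_rel)] == prefix_rel
        return hit if op == "==" else not hit
    v, t = _padded(_release(version), _release(target))
    return {"==": v == t, "!=": v != t, "<=": v <= t,
            ">=": v >= t, "<": v < t, ">": v > t}[op]


def resolve(requirements: List[Tuple[str, List[str]]],
            index: Dict[str, Dict[str, List[str]]]) -> Dict[str, str]:
    """Resolve direct and transitive requirements to concrete versions.
    Strategy: accumulate every constraint seen for a package, pick the newest
    indexed version satisfying all of them, merge in that version's own
    dependency constraints, and repeat until the constraint set is stable.
    No backtracking: an empty candidate set is reported as a conflict."""
    constraints: Dict[str, Set[str]] = {}
    for name, specs in requirements:
        constraints.setdefault(name, set()).update(specs)
    chosen: Dict[str, str] = {}
    while True:
        snapshot = {k: frozenset(v) for k, v in constraints.items()}
        for name in list(constraints):
            if name not in index:
                raise LookupError(f"{name}: not found in index")
            candidates = [v for v in index[name]
                          if all(satisfies(v, s) for s in constraints[name])]
            if not candidates:
                raise LookupError(f"{name}: no version satisfies {sorted(constraints[name])}")
            pick = max(candidates, key=_release)
            chosen[name] = pick
            # The picked version's own dependencies become new constraints.
            for dep, dep_specs in parse_requirements("\n".join(index[name][pick])):
                constraints.setdefault(dep, set()).update(dep_specs)
        if {k: frozenset(v) for k, v in constraints.items()} == snapshot:
            return chosen


if __name__ == "__main__":
    picks = resolve(parse_requirements(SAMPLE_REQUIREMENTS), SAMPLE_INDEX)
    for pkg, ver in sorted(picks.items()):
        print(f"{pkg}=={ver}")
```

On the constructed input this pins webapp-lib 1.2.0, httpkit 2.1.0 and jsonutil 0.4.2. The point of the split is that the parse step produces a complete, auditable list of declared constraints from the files alone, while the resolve step is where a registry (here the in-memory index) is consulted; swapping the "latest matching, no backtracking" loop for a real solver such as pip's or pubgrub is exactly the follow-up work the comment describes.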

@pombredanne
Contributor

See also: #3671 (comment)

Some updates that are likely relevant here: https://github.com/nexB/python-inspector is now out and has been designed specifically to be integrated in ort and resolve pip dependencies without having the constraints of running pip. And see aboutcode-org#1 for the working ort integration that we are refining there first before submitting to ort proper.

python-inspector does resolve transitive dependencies.

TG1999 added a commit to aboutcode-org/ort that referenced this issue Aug 12, 2022
…ss-review-toolkit#3671

This PR replaces pipdeptree with python-inspector to resolve
Python package dependencies found in requirement files.
python-inspector can resolve dependencies for any target
Python version and OS (and not only the one running the tool).
In this integration in ORT, it replaces pipdeptree pretty much
in place as python-inspector implements a similar output data
structure by design to ease the integration.

Reference: https://github.com/nexB/python-inspector
Reference: oss-review-toolkit#4637
Reference: oss-review-toolkit#3671
Signed-off-by: Philippe Ombredanne <[email protected]>
Signed-off-by: Tushar Goel <[email protected]>
TG1999 added a commit to aboutcode-org/ort that referenced this issue Aug 16, 2022
TG1999 added a commit to aboutcode-org/ort that referenced this issue Aug 18, 2022
TG1999 added a commit to aboutcode-org/ort that referenced this issue Aug 18, 2022
TG1999 added a commit to aboutcode-org/ort that referenced this issue Aug 22, 2022
TG1999 added a commit to aboutcode-org/ort that referenced this issue Aug 22, 2022
mnonnenmacher pushed a commit that referenced this issue Aug 23, 2022
TG1999 added a commit to aboutcode-org/ort that referenced this issue Aug 23, 2022
TG1999 added a commit to aboutcode-org/ort that referenced this issue Aug 23, 2022
TG1999 added a commit to aboutcode-org/ort that referenced this issue Aug 23, 2022
mnonnenmacher pushed a commit that referenced this issue Aug 24, 2022