Skip to content

Commit

Permalink
feat: introduce new flag to avoid using pip freeze and pip show
Browse files Browse the repository at this point in the history
Signed-off-by: Jude Niroshan <jude.niroshan11@gmail.com>
  • Loading branch information
JudeNiroshan committed May 7, 2024
1 parent 05b9cb6 commit 8244dd6
Show file tree
Hide file tree
Showing 7 changed files with 765 additions and 166 deletions.
5 changes: 5 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -467,6 +467,11 @@ A New setting is introduced - `EXHORT_PYTHON_INSTALL_BEST_EFFORTS` (as both env
1. `EXHORT_PYTHON_INSTALL_BEST_EFFORTS`="false" - install requirements.txt while respecting declared versions for all packages.
2. `EXHORT_PYTHON_INSTALL_BEST_EFFORTS`="true" - install all packages from requirements.txt, not respecting the declared version, but trying to install a version tailored for the used python version, when using this setting,you must set setting `MATCH_MANIFEST_VERSIONS`="false"

##### Using `pipdeptree`
By Default, The API algorithm will use native commands of PIP installer as data source to build the dependency tree.
It's also possible, to use lightweight Python PIP utility [pipdeptree](https://pypi.org/project/pipdeptree/) as data source instead, in order to activate this,
Need to set environment variable/option - `EXHORT_PIP_USE_DEP_TREE` to true.

### Image Support

Generate vulnerability analysis report for container images.
Expand Down
45 changes: 18 additions & 27 deletions src/main/java/com/redhat/exhort/providers/PythonPipProvider.java
Original file line number Diff line number Diff line change
Expand Up @@ -57,11 +57,12 @@ public static void main(String[] args) {
// byte[] bytes = Files.readAllBytes(Path.of("/tmp/exhort_env/requirements.txt"));
// Content content = pythonPipProvider.provideComponent(bytes);
Content content =
pythonPipProvider.provideStack(
Path.of(
"/home/zgrinber/git/exhort-java-api/src/test/resources/tst_manifests/pip/pip_requirements_txt_ignore/requirements.txt"));
pythonPipProvider.provideComponent(
Files.readAllBytes(
Path.of("/Users/jnirosha/backstage/exhort-java-api/requirements.txt")));
String s = new String(content.buffer);
System.out.print(s);
System.out.print("JUDE ADDED===" + s);
System.out.println("====");
} catch (IOException e) {
throw new RuntimeException(e);
}
Expand All @@ -79,11 +80,9 @@ public Content provideStack(Path manifestPath) throws IOException {
printDependenciesTree(dependencies);
Sbom sbom = SbomFactory.newInstance(Sbom.BelongingCondition.PURL, "sensitive");
sbom.addRoot(toPurl(DEFAULT_PIP_ROOT_COMPONENT_NAME, DEFAULT_PIP_ROOT_COMPONENT_VERSION));
dependencies.stream()
.forEach(
(component) -> {
addAllDependencies(sbom.getRoot(), component, sbom);
});
for (Map<String, Object> component : dependencies) {
addAllDependencies(sbom.getRoot(), component, sbom);
}
byte[] requirementsFile = Files.readAllBytes(manifestPath);
handleIgnoredDependencies(new String(requirementsFile), sbom);
return new Content(
Expand All @@ -92,25 +91,17 @@ public Content provideStack(Path manifestPath) throws IOException {

private void addAllDependencies(PackageURL source, Map<String, Object> component, Sbom sbom) {

sbom.addDependency(
source, toPurl((String) component.get("name"), (String) component.get("version")));
List<Map> directDeps = (List<Map>) component.get("dependencies");
if (directDeps != null)
// {
directDeps.stream()
.forEach(
dep -> {
String name = (String) dep.get("name");
String version = (String) dep.get("version");

addAllDependencies(
toPurl((String) component.get("name"), (String) component.get("version")),
dep,
sbom);
});
//
// }
PackageURL packageURL =
toPurl((String) component.get("name"), (String) component.get("version"));
sbom.addDependency(source, packageURL);

List<Map<String, Object>> directDeps =
(List<Map<String, Object>>) component.get("dependencies");
if (directDeps != null) {
for (Map<String, Object> dep : directDeps) {
addAllDependencies(packageURL, dep, sbom);
}
}
}

@Override
Expand Down
Loading

0 comments on commit 8244dd6

Please sign in to comment.