feat: introduce new flag to avoid using pip freeze and pip show (#106)

## Description Improve Python build tree Performance in EXHORT-JAVA-API JIRA: https://issues.redhat.com/browse/APPENG-2154 **Related issue (if any):** fixes #issue_number_goes_here same fix has been done in exhort-javascript-api -> RHEcosystemAppEng/exhort-javascript-api#121 ## Checklist - [x] I have followed this repository's contributing guidelines. - [x] I will adhere to the project's code of conduct. ## Additional information > Anything else? --------- Signed-off-by: Jude Niroshan <jude.niroshan11@gmail.com>
RHEcosystemAppEng · May 16, 2024 · ec7a743 · ec7a743
1 parent 05b9cb6
commit ec7a743
Show file tree

Hide file tree

Showing 7 changed files with 738 additions and 161 deletions.
diff --git a/README.md b/README.md
@@ -467,6 +467,11 @@ A New setting is introduced - `EXHORT_PYTHON_INSTALL_BEST_EFFORTS` (as both env
 1. `EXHORT_PYTHON_INSTALL_BEST_EFFORTS`="false" - install requirements.txt while respecting declared versions for all packages.
 2. `EXHORT_PYTHON_INSTALL_BEST_EFFORTS`="true" - install all packages from requirements.txt, not respecting the declared version, but trying to install a version tailored for the used python version, when using this setting,you must set setting `MATCH_MANIFEST_VERSIONS`="false"
 
+##### Using `pipdeptree`
+By Default, The API algorithm will use native commands of PIP installer as data source to build the dependency tree.
+It's also possible, to use lightweight Python PIP utility [pipdeptree](https://pypi.org/project/pipdeptree/) as data source instead, in order to activate this,
+Need to set environment variable/option - `EXHORT_PIP_USE_DEP_TREE` to true.
+
 ### Image Support 
 
 Generate vulnerability analysis report for container images.

diff --git a/src/main/java/com/redhat/exhort/providers/PythonPipProvider.java b/src/main/java/com/redhat/exhort/providers/PythonPipProvider.java
@@ -79,11 +79,9 @@ public Content provideStack(Path manifestPath) throws IOException {
     printDependenciesTree(dependencies);
     Sbom sbom = SbomFactory.newInstance(Sbom.BelongingCondition.PURL, "sensitive");
     sbom.addRoot(toPurl(DEFAULT_PIP_ROOT_COMPONENT_NAME, DEFAULT_PIP_ROOT_COMPONENT_VERSION));
-    dependencies.stream()
-        .forEach(
-            (component) -> {
-              addAllDependencies(sbom.getRoot(), component, sbom);
-            });
+    for (Map<String, Object> component : dependencies) {
+      addAllDependencies(sbom.getRoot(), component, sbom);
+    }
     byte[] requirementsFile = Files.readAllBytes(manifestPath);
     handleIgnoredDependencies(new String(requirementsFile), sbom);
     return new Content(
@@ -92,25 +90,17 @@ public Content provideStack(Path manifestPath) throws IOException {
 
   private void addAllDependencies(PackageURL source, Map<String, Object> component, Sbom sbom) {
 
-    sbom.addDependency(
-        source, toPurl((String) component.get("name"), (String) component.get("version")));
-    List<Map> directDeps = (List<Map>) component.get("dependencies");
-    if (directDeps != null)
-      //    {
-      directDeps.stream()
-          .forEach(
-              dep -> {
-                String name = (String) dep.get("name");
-                String version = (String) dep.get("version");
-
-                addAllDependencies(
-                    toPurl((String) component.get("name"), (String) component.get("version")),
-                    dep,
-                    sbom);
-              });
-    //
-    //    }
+    PackageURL packageURL =
+        toPurl((String) component.get("name"), (String) component.get("version"));
+    sbom.addDependency(source, packageURL);
 
+    List<Map<String, Object>> directDeps =
+        (List<Map<String, Object>>) component.get("dependencies");
+    if (directDeps != null) {
+      for (Map<String, Object> dep : directDeps) {
+        addAllDependencies(packageURL, dep, sbom);
+      }
+    }
   }
 
   @Override