Coby Allred
When running `go list -m`, the Go CLI detector does not currently take into account any `replace` values specified within the corresponding go.mod file. Example: go.mod ``` replace ( github.com/miekg/dns...
In Python requirements.txt files, the detector currently does not attempt to validate conditional requirements for package inclusion. Example: `numpy==1.16.6; python_version
IPyPiClient when retrieving release information will not add pre-release versions to the list of potential versions [(see IPyPiClient)](https://github.com/microsoft/component-detection/blob/main/src/Microsoft.ComponentDetection.Detectors/pip/IPyPiClient.cs#L205) to match requirements.txt versions to in PythonResolver.cs. This leads to cases where...
With #991 it came to our attention that with the more recent Poetry lock file changes (see https://github.com/python-poetry/poetry/blob/master/CHANGELOG.md#150---2023-05-19) the category field is no longer present. This was being used to...
In `PythonResolver` and `SimplePythonResolver`, as surfaced in #962 there is the potential for multiple package version specifications for the same package present in a .WHL file returned by pypi. `PythonResolver`...
The [Installation Report](https://pip.pypa.io/en/stable/reference/installation-report/) generated by Pip may be sufficient to gather dependency information from Python setup files. May need to be used in conjunction with [pip inspect](https://pip.pypa.io/en/stable/reference/inspect-report/). Originally discussed as...
For our [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/microsoft/component-detection), we are consistently flagged for vulnerabilities in code that does not build but is used in our [verification tests](https://github.com/microsoft/component-detection/tree/main/test/Microsoft.ComponentDetection.VerificationTests/resources). Using the documentation at https://google.github.io/osv-scanner/configuration/ we should...
[PEP 658 – Serve Distribution Metadata in the Simple Repository API](https://peps.python.org/pep-0658/) was made available in May 2021 to help improve dependency resolution across the pip tooling by serving metadata information...
This will incorporate all breaking changes for the next major version of Component Detection, v5, which has changes being tracked at #1135. PRs included in this change: - #1091 to...
A potential improvement for the PipReport detector is to see if `--no-compile` produces any benefit to performance when used in conjunction with the other existing parameters. Validate that the dependency...