
A transitive dependency is not being identified when publishing the build info for a Python project

Open cmoyamoradas opened this issue 1 year ago • 0 comments

Describe the bug

In short, it is a Python project (https://github.com/akawork/jenkins-exporter) that resolves 6 dependencies during the packaging phase, but when publishing the build-info to Artifactory using the JFrog CLI, there is one dependency (certifi-2024.8.30) that is missing from the build-info JSON object. Instead, requests-2.21.0, which is one of the direct dependencies of the project, appears twice.

Current behavior

The build-info object doesn't reflect the transitive dependency certifi-2024.8.30. Instead, the requests-2.21.0 dependency (for which the certifi dependency is transitive) appears twice:

```json
{
  "type": "python",
  "id": "jenkins-exporter:1.0",
  "dependencies": [
    {
      "sha1": "6a578028eeb178e16c3f6796420a08825ac33552",
      "sha256": "1b38b958750f66f208bcd9ab92a633c0c994d8859c831f7abc1f46724fcee490",
      "md5": "07f3a06d16f8d52f5a70220b8e0cb3b2",
      "id": "prometheus_client-0.6.0.tar.gz"
    },
    {
      "sha1": "25e1a4ffa07f36024e3a5722a170f254c3d4d245",
      "sha256": "7bf2a778576d825600030a110f3c0e3e8edc51dfaafe1c146e39a2027784957b",
      "md5": "ed3af234ffcad0b3c1e521e1dfde19be",
      "id": "requests-2.21.0-py2.py3-none-any.whl"
    },
    {
      "sha1": "25e1a4ffa07f36024e3a5722a170f254c3d4d245",
      "sha256": "7bf2a778576d825600030a110f3c0e3e8edc51dfaafe1c146e39a2027784957b",
      "md5": "ed3af234ffcad0b3c1e521e1dfde19be",
      "id": "requests-2.21.0-py2.py3-none-any.whl"
    },
    {
      "sha1": "96faab7de7e9a71b37f22adb64daf2898e967e3e",
      "sha256": "fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691",
      "md5": "0004b00caff7bb543a1d0d0bd0185a03",
      "id": "chardet-3.0.4-py2.py3-none-any.whl"
    },
    {
      "sha1": "428950b762f04cb88c215188c4b60b2d8def8ecd",
      "sha256": "ea8b7f6188e6fa117537c3df7da9fc686d485087abf6ac197f9c46432f7e4a3c",
      "md5": "61392a071e4a3b0f84cd6d71f94f15cc",
      "id": "idna-2.8-py2.py3-none-any.whl"
    },
    {
      "sha1": "100c48475b7db006881b14cbc3b1861ceffe5a3c",
      "sha256": "a637e5fae88995b256e3409dc4d52c2e2e0ba32c42a6365fee8bbd2238de3cfb",
      "md5": "cc3c42f7be135658be6d026d42503bd1",
      "id": "urllib3-1.24.3-py2.py3-none-any.whl"
    }
  ]
}
```

Reproduction steps

After cloning the project, this is the list of tasks I'm running:

  1. Create and activate a virtual environment
  2. Upgrade pip to the latest version 24.2 and install the wheel package
  3. Create a setup.py file that reflects the install_requires dependencies (looking at the requirements.txt file)
  4. Run the following script with all the commands:

```bash
#!/bin/bash
# $1 is the build number passed to the script

echo 'Configuring jf pip'
jf pip-config --repo-resolve=carlosmm-pypi-virtual &&
echo 'Installing'
# Resolve the requirements through Artifactory and record them for the build
jf pip install -r requirements.txt --build-name=jenkins-exporter --build-number="$1" --no-cache-dir --force-reinstall --trusted-host main.jfrog.local &&
echo 'Building'
python setup.py sdist bdist_wheel
echo 'Uploading'
# Upload the built artifacts and attach them to the same build
jf rt u dist/ carlosmm-pypi-virtual/ --build-name=jenkins-exporter --build-number="$1" &&
echo 'Environment info'
jf rt bce jenkins-exporter "$1" &&
echo 'Git info'
jf rt bag jenkins-exporter "$1" &&
echo 'Publishing build info'
jf rt bp jenkins-exporter "$1"
```

Expected behavior

The transitive dependency certifi-2024.8.20 should be listed in the build-info JSON object and the requests-2.21.0 direct dependency should appear just once.

JFrog CLI version

2.67.0

Operating system type and version

Apple M1 Max - Sonoma 14.6.1

JFrog Artifactory version

7.84.12

JFrog Xray version

3.98.5

cmoyamoradas, Sep 13 '24 12:09
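A check that a consumer of such build-info could run before trusting it, added here as an example and not part of the issue or of the JFrog CLI: it flags dependency entries that appear more than once and compares the recorded packages against what pip actually resolved, which surfaces exactly the two defects reported above (a duplicate requests entry and a missing certifi). The build-info fragment and the `pip freeze` output below are constructed sample data modelled on the report, and all function names are assumptions.

```python
import json
import re
from collections import Counter

# Constructed inputs modelled on the report: a build-info fragment (checksum
# fields dropped for brevity) in which requests appears twice and certifi is
# absent, plus the six packages pip actually resolved (as `pip freeze` prints them).
BUILD_INFO_JSON = """{"type": "python", "id": "jenkins-exporter:1.0", "dependencies": [
  {"id": "prometheus_client-0.6.0.tar.gz"}, {"id": "requests-2.21.0-py2.py3-none-any.whl"},
  {"id": "requests-2.21.0-py2.py3-none-any.whl"}, {"id": "chardet-3.0.4-py2.py3-none-any.whl"},
  {"id": "idna-2.8-py2.py3-none-any.whl"}, {"id": "urllib3-1.24.3-py2.py3-none-any.whl"}]}"""
PIP_FREEZE = "certifi==2024.8.30\nchardet==3.0.4\nidna==2.8\nprometheus_client==0.6.0\nrequests==2.21.0\nurllib3==1.24.3\n"


def normalise(name):
    """PEP 503 name normalisation so 'prometheus_client' and 'prometheus-client' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_dep_id(dep_id):
    """Split a wheel or sdist filename into (normalised name, version)."""
    if dep_id.endswith(".whl"):        # name-version-pytag-abi-platform.whl; wheel names never contain '-'
        name, version = dep_id[:-4].split("-")[:2]
    elif dep_id.endswith(".tar.gz"):   # name-version.tar.gz; sdist names may contain '-'
        name, version = dep_id[:-7].rsplit("-", 1)
    else:
        raise ValueError(f"unrecognised artifact name: {dep_id}")
    return normalise(name), version


def parse_freeze(text):
    """Return {normalised name: version} from `pip freeze` output."""
    pins = (line.split("==", 1) for line in text.splitlines() if "==" in line)
    return {normalise(n.strip()): v.strip() for n, v in pins}


def audit_build_info(build_info_json, freeze_text):
    """Report duplicate entries, resolved packages the build-info omits, and mismatches."""
    deps = json.loads(build_info_json)["dependencies"]
    counts = Counter(d["id"] for d in deps)
    recorded = dict(parse_dep_id(d["id"]) for d in deps)
    resolved = parse_freeze(freeze_text)
    return {
        "duplicates": sorted(i for i, n in counts.items() if n > 1),
        "missing": sorted(f"{n}=={v}" for n, v in resolved.items() if n not in recorded),
        "extra": sorted(f"{n}=={v}" for n, v in recorded.items() if n not in resolved),
        "version_mismatch": sorted(n for n in recorded if n in resolved and recorded[n] != resolved[n]),
    }


if __name__ == "__main__":
    print(json.dumps(audit_build_info(BUILD_INFO_JSON, PIP_FREEZE), indent=2))
```

Any non-empty "missing" list means the published build-info (and anything scanned from it) does not cover every package that was actually installed.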