
Investigate usage of pip install report for gathering Python dependencies

Open cobya opened this issue 1 year ago • 3 comments

The Installation Report generated by Pip may be sufficient to gather dependency information from Python setup files. May need to be used in conjunction with pip inspect.

Originally discussed as part of #629 we should investigate whether or not the full dependency graph can be generated for Python ecosystems using this method.

AB#2141027

cobya avatar Jan 19 '24 21:01 cobya

There has now been documentation published on the usage of --report. See https://pip.pypa.io/en/stable/reference/installation-report/

Example dry run commands using the pip command:

  • For requirements.txt: pip install -r .\requirements.txt --dry-run --ignore-installed --quiet --report report-req.json
  • For setup.py: pip install -e . --dry-run --ignore-installed --quiet --report report.json

cobya avatar May 15 '24 20:05 cobya

Note that the report format version declared stable is only available in Pip > v23.0; this should be a conditional check before running this version of detection. We also get transitive dependency detection as part of this report.

cobya avatar May 15 '24 20:05 cobya
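The report format the two comments above rely on, as an added example that is not part of this issue or of the component-detection project: a parser that reads a pip `--report` JSON document, refuses anything other than the stable format version "1", and builds the direct-versus-transitive dependency graph from each package's `requires_dist` metadata. The sample report embedded below is constructed by hand in the shape of the real format, not captured from pip.

```python
import json
import re

# Constructed sample in the shape of pip's installation report (format version "1"),
# not a real report: requests was requested directly, the other four are transitive.
SAMPLE_REPORT = json.dumps({
    "version": "1",
    "pip_version": "24.0",
    "install": [
        {"requested": True, "requested_extras": [],
         "metadata": {"name": "requests", "version": "2.31.0",
                      "requires_dist": ["charset-normalizer<4,>=2", "idna<4,>=2.5",
                                        "urllib3<3,>=1.21.1", "certifi>=2017.4.17",
                                        "PySocks!=1.5.7,>=1.5.6; extra == 'socks'"]}},
        {"requested": False, "metadata": {"name": "charset_normalizer", "version": "3.3.2"}},
        {"requested": False, "metadata": {"name": "idna", "version": "3.6"}},
        {"requested": False, "metadata": {"name": "urllib3", "version": "2.2.1", "requires_dist": []}},
        {"requested": False, "metadata": {"name": "certifi", "version": "2024.2.2"}},
    ],
})

NAME_RE = re.compile(r"^\s*([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)")  # PEP 508 project name
EXTRA_RE = re.compile(r"extra\s*==\s*['\"]([^'\"]+)['\"]")  # "extra == 'x'" marker

def normalize(name):
    """PEP 503 normalisation so 'charset_normalizer' and 'Charset-Normalizer' match."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_report(text):
    """Map each installed package to its version, whether it was directly requested,
    and the installed packages it depends on, from a pip --report JSON document."""
    report = json.loads(text)
    if report.get("version") != "1":  # only the format version declared stable is understood
        raise ValueError(f"unsupported installation report version: {report.get('version')!r}")
    installed = {normalize(i["metadata"]["name"]): i for i in report["install"]}
    graph = {}
    for name, item in installed.items():
        deps = []
        for req in item["metadata"].get("requires_dist", []):
            spec, _, marker = req.partition(";")  # PEP 508: "name specifier; marker"
            extra = EXTRA_RE.search(marker)
            if extra and extra.group(1) not in item.get("requested_extras", []):
                continue  # optional dependency whose extra was not requested
            dep = normalize(NAME_RE.match(spec).group(1))
            if dep in installed:  # edges only to packages pip actually resolved
                deps.append(dep)
        graph[name] = {"version": item["metadata"]["version"],
                       "requested": bool(item.get("requested")), "depends_on": deps}
    return graph
```

Packages with `requested` set are the roots (the entries from requirements.txt or setup.py); everything else reachable through `depends_on` is a transitive dependency.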

@edena-legit since you've been interested in Python detection previously, I'd love to have your input on the new PipReport detector and if you encounter any issues running it.

cobya avatar May 23 '24 17:05 cobya