From what I have seen in #59, #150, anchore/grype#126, it seems that there has been a conscious decision that was made to only capture pinned dependencies (i.e. bound with ==) in setup.py.
I am trying to understand why this decision was made. Could we accept, in a scenario where a dependency is lower-bound (e.g. >=), that it is acceptable to link to the lowest version of the dependency? This seems better to me than not finding the dependency at all.
What would you like to be added:
Add parsing of all dependencies, including those bound with >=, <= etc...
Why is this needed:
Improve consistency of setup.py analyses. It sounds in my opinion better to have a wrongfully-versioned dependency analysis, rather than no dependency at all.
Hi @thomas-bc, your workaround to freeze the dependencies ahead of time is indeed a good approach. We recently improved the requirements.txt cataloger with the capability to "guess unpinned requirements" (#1966) which I believe would solve this problem if it were ported to the setup.py cataloger.
We will add this to our backlog for the future, but if you're interested in helping port the changes over to the setup.py cataloger, let us know and we can help get you started.
Outstanding question: do we need to add another configuration item for setup.py, or can we reuse the "guess-unpinned-requirements" setting?
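The behaviour the issue asks for and that the maintainer's "guess unpinned requirements" port would provide, as an added example that is not syft's code: read `install_requires` from `setup.py` via the AST (no execution), report exact `==` pins as-is, and for `>=` / `~=` ranges record the lowest bound with a `guessed` flag so the package is still catalogued. The function names, the `Dep` record, the guessing rules and the sample `setup.py` are assumptions for illustration, not syft's implementation.

```python
import ast
import re
from dataclasses import dataclass
from typing import List, Optional

# PEP 440 comparison operators, longest first so ">=" is not read as ">" then "=".
SPEC_RE = re.compile(r"(===|==|~=|>=|<=|!=|>|<)\s*([A-Za-z0-9.*+!-]+)")
NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")

@dataclass
class Dep:
    name: str
    version: Optional[str]  # None when no usable version could be derived
    guessed: bool           # True when version is a lower bound, not an exact pin

def guess_version(req: str) -> Dep:
    """Derive a version for one requirement string: an exact pin if present, else the lowest bound."""
    req = req.split(";", 1)[0]  # drop environment markers such as python_version < "3.8"
    name = NAME_RE.match(req).group(1)
    specs = SPEC_RE.findall(req)
    pins = [v for op, v in specs if op in ("==", "===") and not v.endswith("*")]
    if pins:
        return Dep(name, pins[0], guessed=False)
    lows = [v for op, v in specs if op in (">=", "~=")]
    if lows:
        return Dep(name, lows[0], guessed=True)  # lowest version the range allows
    return Dep(name, None, guessed=True)  # only upper bounds/exclusions, or unbounded

def install_requires(setup_py: str) -> List[str]:
    """Read install_requires from setup.py source via the AST, without executing it."""
    for node in ast.walk(ast.parse(setup_py)):
        if not isinstance(node, ast.Call):
            continue
        if "setup" not in (getattr(node.func, "id", None), getattr(node.func, "attr", None)):
            continue
        for kw in node.keywords:
            if kw.arg == "install_requires" and isinstance(kw.value, (ast.List, ast.Tuple)):
                return [e.value for e in kw.value.elts if isinstance(e, ast.Constant)]
    return []
# Constructed sample setup.py, not taken from any real project.
SAMPLE_SETUP_PY = '''
from setuptools import setup
setup(name="demo", install_requires=[
    "requests>=2.25.0,<3", "flask==1.1.2", "numpy~=1.19.0", "pyyaml<6",
    'importlib-metadata>=1.0; python_version < "3.8"',
])
'''

def catalog(setup_py: str = SAMPLE_SETUP_PY) -> List[Dep]:
    return [guess_version(r) for r in install_requires(setup_py)]
```

A downstream consumer (a vulnerability matcher, for instance) can use the `guessed` flag to treat lower-bound matches as less certain than exact pins.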