Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add a setup.py cataloger #150

Merged
merged 3 commits into from
Aug 17, 2020
Merged

Add a setup.py cataloger #150

merged 3 commits into from
Aug 17, 2020

Conversation

alfredodeza
Copy link
Contributor

It will go into setup.py files, but only capture dependencies that are pinned (using the == operator).

Closes #59

@alfredodeza alfredodeza mentioned this pull request Aug 17, 2020
Merged
wagoodman
wagoodman reviewed Aug 17, 2020
View reviewed changes
syft/cataloger/python/parse_setup.go
// integrity check
var _ common.ParserFn = parseSetup

var pinnedDependency = regexp.MustCompile(`['"]\W?(\w+\W?==\W?[\w\.]*)`)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: would be useful to add a few example matches in comments to illustrate to devs what this is trying to match on (similar to

syft/syft/cataloger/java/archive_filename.go

Lines 13 to 16 in ac9141e

// match examples:
// pkg-extra-field-4.3.2-rc1 --> match(name=pkg-extra-field version=4.3.2-rc1)
// pkg-extra-field-4.3-rc1 --> match(name=pkg-extra-field version=4.3-rc1)
// pkg-extra-field-4.3 --> match(name=pkg-extra-field version=4.3)
)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great suggestion, I'll add those

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is now improved!

wagoodman
wagoodman reviewed Aug 17, 2020
View reviewed changes
syft/cataloger/python/parse_setup.go
// integrity check
var _ common.ParserFn = parseSetup

var pinnedDependency = regexp.MustCompile(`['"]\W?(\w+\W?==\W?[\w\.]*)`)
Copy link
Contributor

@wagoodman wagoodman Aug 17, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: there is an opportunity to be more lenient with spaces and capture more environment marker cases with ['"]\s*([\w]+\s*==\s*[\w\.]*)\s*[;'"] which would find ipaddress==1.0 in:

setup(
    ...
    install_requires=[
        'six',
        'humanize',
    ],
    extras_require={
        ':python_version == "2.7"': [
            'ipaddress==1.0',
        ],
    },
)

Not necessary to incorporate in this PR.

wagoodman
wagoodman approved these changes Aug 17, 2020
View reviewed changes
Copy link
Contributor

@wagoodman wagoodman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

solid addition

Alfredo Deza added 2 commits August 17, 2020 16:00
@alfredodeza alfredodeza merged commit ae1d99b into main Aug 17, 2020
@alfredodeza alfredodeza deleted the issue-59 branch August 17, 2020 21:23
@alfredodeza alfredodeza mentioned this pull request Aug 18, 2020
Open
@thomas-bc thomas-bc mentioned this pull request Aug 23, 2023
Open
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024
Merge pull request anchore#150 from anchore/issue-59
97774fa 
Add a `setup.py` cataloger
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wagoodman wagoodman wagoodman approved these changes

@luhring luhring Awaiting requested review from luhring

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add setup.py analyzer
2 participants
@alfredodeza @wagoodman