From 7b6a212abf3deaf6282df82f9a24b7c8bac0816b Mon Sep 17 00:00:00 2001 From: Ryan Link <47920994+ryanlink@users.noreply.github.com> Date: Tue, 23 Jan 2024 09:55:03 -0600 Subject: [PATCH 1/4] Add limitation to pipenv.md --- docs/references/strategies/languages/python/pipenv.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/references/strategies/languages/python/pipenv.md b/docs/references/strategies/languages/python/pipenv.md index ec624cac02..c40abe5cf6 100644 --- a/docs/references/strategies/languages/python/pipenv.md +++ b/docs/references/strategies/languages/python/pipenv.md @@ -25,6 +25,8 @@ dependencies. This will fail unless `pipenv install` has been run in that direct ## Limitations +- Our pipenv strategy currently reports all dependencies as direct. rather than differentiating between direct and transitive. + - Pipfile.lock does not report edges, if `pipenv graph --json-tree` fails, we will not be able to detect the edges between dependencies. From a624c97bb8614c2f63536352eeddaa15b6e497cf Mon Sep 17 00:00:00 2001 From: Ryan Link <47920994+ryanlink@users.noreply.github.com> Date: Tue, 23 Jan 2024 10:04:33 -0600 Subject: [PATCH 2/4] Update python.md --- docs/references/strategies/languages/python/python.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/references/strategies/languages/python/python.md b/docs/references/strategies/languages/python/python.md index 9f207a8219..5c52632342 100644 --- a/docs/references/strategies/languages/python/python.md +++ b/docs/references/strategies/languages/python/python.md 
@@ -5,7 +5,7 @@ The python buildtool ecosystem consists of three major toolchains: setuptools | Strategy | Direct Deps | Transitive Deps | Edges | Container Scanning | | ---------------------------------------------- | ------------------ | ------------------ | ------------------ | ------------------ | -| [pipenv](pipenv.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :x: | +| [pipenv](pipenv.md) | :heavy_check_mark: | :x: | :heavy_check_mark: | :x: | | [pipfile](pipenv.md) | :heavy_check_mark: | :heavy_check_mark: | :x: | :x: | | [requirements.txt & setuptools](setuptools.md) | :heavy_check_mark: | :white_check_mark: | :white_check_mark: | :heavy_check_mark: | | [setup.py & setuptools](setuptools.md) | :heavy_check_mark: | :white_check_mark: | :white_check_mark: | :heavy_check_mark: | From 32b4339b36db9b75071b77d227f29e1cf21ca2cf Mon Sep 17 00:00:00 2001 From: Ryan Link <47920994+ryanlink@users.noreply.github.com> Date: Thu, 25 Jan 2024 14:53:47 -0600 Subject: [PATCH 3/4] Update docs/references/strategies/languages/python/pipenv.md Co-authored-by: Jessica Black --- docs/references/strategies/languages/python/pipenv.md | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/docs/references/strategies/languages/python/pipenv.md b/docs/references/strategies/languages/python/pipenv.md index c40abe5cf6..819b2efd97 100644 --- a/docs/references/strategies/languages/python/pipenv.md +++ b/docs/references/strategies/languages/python/pipenv.md 
@@ -25,10 +25,7 @@ dependencies. This will fail unless `pipenv install` has been run in that direct ## Limitations -- Our pipenv strategy currently reports all dependencies as direct. rather than differentiating between direct and transitive. - -- Pipfile.lock does not report edges, if `pipenv graph --json-tree` fails, we will -not be able to detect the edges between dependencies. +- This strategy does not report edges between dependencies. This means that all dependencies being used in the project are found, but are all reported as direct dependencies of the project. - `pipenv graph --json-tree` relies on `pipenv install` being run in the directory beforehand. If that command was not run (such as in a freshly cloned repo), then the graph command will fail, From e7fa162f1a12f9481a20743bc718a0999a1791c7 Mon Sep 17 00:00:00 2001 From: Ryan Link <47920994+ryanlink@users.noreply.github.com> Date: Thu, 25 Jan 2024 14:54:00 -0600 Subject: [PATCH 4/4] Update docs/references/strategies/languages/python/python.md Co-authored-by: Jessica Black --- docs/references/strategies/languages/python/python.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/references/strategies/languages/python/python.md b/docs/references/strategies/languages/python/python.md index 5c52632342..fd8ffc9190 100644 --- a/docs/references/strategies/languages/python/python.md +++ b/docs/references/strategies/languages/python/python.md 
@@ -5,7 +5,7 @@ The python buildtool ecosystem consists of three major toolchains: setuptools | Strategy | Direct Deps | Transitive Deps | Edges | Container Scanning | | ---------------------------------------------- | ------------------ | ------------------ | ------------------ | ------------------ | -| [pipenv](pipenv.md) | :heavy_check_mark: | :x: | :heavy_check_mark: | :x: | +| [pipenv](pipenv.md) | :heavy_check_mark: | :heavy_check_mark: | :x: | :x: | | [pipfile](pipenv.md) | :heavy_check_mark: | :heavy_check_mark: | :x: | :x: | | [requirements.txt & setuptools](setuptools.md) | :heavy_check_mark: | :white_check_mark: | :white_check_mark: | :heavy_check_mark: | | [setup.py & setuptools](setuptools.md) | :heavy_check_mark: | :white_check_mark: | :white_check_mark: | :heavy_check_mark: |
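Review bot: In [PATCH 1/4], the added bullet in pipenv.md says without qualification that all dependencies are reported as direct, while the unchanged bullet directly below it says edges are lost only if `pipenv graph --json-tree` fails. As written, the Limitations list gives two different answers to whether edges are ever available, so one of the two bullets needs rewording or removal. The added line also has a stray full stop after "direct" ("as direct. rather than differentiating"); it should read "as direct, rather than differentiating between direct and transitive".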
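Review bot: In [PATCH 2/4], the changed pipenv row in python.md flips Transitive Deps to `:x:` but leaves Edges at `:heavy_check_mark:`, which does not match the limitation written in PATCH 1/4 (dependencies are reported, but not differentiated as direct or transitive). A row claiming edges without transitive dependencies is hard to interpret, since an edge is what links a transitive dependency to its parent. If the intent is "everything is found, nothing is linked", the cell to change is Edges, keeping Transitive Deps checked the way the pipfile row below does.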
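Review bot: In [PATCH 3/4], the new bullet states flatly that "This strategy does not report edges between dependencies", yet the retained bullet right after it still explains when `pipenv graph --json-tree` fails, and the removed lines were the only place that tied that command to edge detection. A reader can no longer tell what the graph command is used for or what its failure costs them. Either say in the new bullet that edges are not reported even when the graph command succeeds, or keep a sentence explaining what the graph command contributes. As a style point, the replacement is one long line where the removed text was hard-wrapped; wrap it to match the surrounding bullets.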
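Review bot: In [PATCH 4/4], the pipenv row now shows `:heavy_check_mark:` for both Direct Deps and Transitive Deps, but pipenv.md as changed in PATCH 3/4 says all dependencies "are all reported as direct dependencies of the project". Someone reading only this table will assume the direct/transitive classification in the output can be trusted when deciding which findings they can fix by bumping their own Pipfile entry. Consider a footnote on the Transitive Deps cell pointing to the Limitations section of pipenv.md. After this change the pipenv and pipfile rows also carry identical marks and link to the same page, so a short note on how the two strategies differ would help.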