ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

Adopt a dependency management strategy for utility dependencies #7988

Open rhmdnd opened 2 years ago

rhmdnd commented 2 years ago

Description of problem:

The utils/ directory has a bunch of useful Python scripts for working with CaC content. Some of the scripts rely on libraries outside the Python standard library. To make it easier to use, should we consider adopting a requirements.txt file for utility dependencies?

SCAP Security Guide Version:

Operating System Version:

Steps to Reproduce:

  1. Try running any utility script with a non-standard library dependency
    $ python utils/duplicated_prodtypes.py -h
    Traceback (most recent call last):
      File "/home/lbragstad/Projects/content/utils/duplicated_prodtypes.py", line 8, in <module>
        import ssg
    ModuleNotFoundError: No module named 'ssg'

Actual Results:

Import failures depending on the scripts you're trying to use.

Expected Results:

Tools work as expected after installing requirements.

Additional Information/Debugging Steps:

We could update the documentation to reference requirements.txt during the install process, or use tox to build a virtual environment with all the necessary dependencies for the utility scripts we rely on in CaC.

jharmison-redhat commented 2 years ago

I propose a third alternative which would work well for the use case of the utility scripts: https://github.com/pypa/pipenv

The biggest argument against this, of course, is:

rhmdnd commented 2 years ago

That's a good point. I updated the issue to be more generic about dependency management.

I'm in favor of either approach. In my opinion, I feel like offering something to handle dependencies, even if it does add another tool to the project, makes it easier to use all the utility scripts.

Mab879 commented 1 year ago

#10487 has been merged to help with the Python side.