Open rtfpessoa opened 1 month ago
@cuixq maybe you can help?
@PFCM knows more about this :)
Maybe while I wait for the answer I can provide some details from my side. We are very interested in this support and are currently adding parsing capabilities to osv-scanner to:
- install_requires key in setup.py and setup.cfg

What is the deps.dev source for deps? Does it download the binaries/releases and parse the source with osv-scanner? If yes, @cuixq do you think osv-scanner would accept a PR to add support for this?
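As an added illustration of what that parsing involves (example code written for this thread, not osv-scanner's own implementation): a small Go parser for the install_requires key of setup.cfg. The sample setup.cfg, the type and function names, and the regular expression are constructed for the example; the regex is a simplified form of the PEP 508 requirement grammar, and setup.py is not covered because it needs real Python evaluation. install_requires gives version ranges rather than pinned versions, so the output still has to be resolved to concrete versions before it can be matched against OSV advisories, which is exactly the gap a dependency graph like deps.dev's fills.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Dependency is one install_requires entry: the PEP 503 normalized
// distribution name plus the raw version specifier (possibly empty).
type Dependency struct {
	Name      string
	Specifier string
}

// reqPattern loosely matches "name[extras] specifier"; environment markers are
// removed before matching. Simplified PEP 508 grammar, constructed for this example.
var reqPattern = regexp.MustCompile(`^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*([^;]*)`)

// nameSep collapses runs of "-", "_" and "." when normalizing names.
var nameSep = regexp.MustCompile(`[-_.]+`)

// normalizeName applies PEP 503 normalization so that "PyYAML" and
// "importlib_metadata" match the names advisories are filed under.
func normalizeName(n string) string {
	return strings.ToLower(nameSep.ReplaceAllString(n, "-"))
}

// parseRequirement splits a single requirement line into name and specifier.
func parseRequirement(s string) (Dependency, bool) {
	if i := strings.Index(s, ";"); i >= 0 { // drop environment marker
		s = s[:i]
	}
	m := reqPattern.FindStringSubmatch(strings.TrimSpace(s))
	if m == nil {
		return Dependency{}, false
	}
	return Dependency{Name: normalizeName(m[1]), Specifier: strings.TrimSpace(m[3])}, true
}

// ParseSetupCfgInstallRequires returns the requirements listed under the
// install_requires key of the [options] section. setup.cfg is INI-like:
// a key at column 0 starts a value and indented lines continue it.
func ParseSetupCfgInstallRequires(cfg string) []Dependency {
	var deps []Dependency
	inOptions, inInstallRequires := false, false
	sc := bufio.NewScanner(strings.NewReader(cfg))
	for sc.Scan() {
		raw := sc.Text()
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, ";") {
			continue // blank line or comment
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			inOptions = line == "[options]" // [options.extras_require] etc. are ignored here
			inInstallRequires = false
			continue
		}
		if !inOptions {
			continue
		}
		indented := strings.HasPrefix(raw, " ") || strings.HasPrefix(raw, "\t")
		if !indented {
			// A new key at column 0 ends any running install_requires block.
			key, val, found := strings.Cut(line, "=")
			inInstallRequires = found && strings.TrimSpace(key) == "install_requires"
			if inInstallRequires {
				if d, ok := parseRequirement(val); ok { // single-line form
					deps = append(deps, d)
				}
			}
			continue
		}
		if inInstallRequires {
			if d, ok := parseRequirement(line); ok {
				deps = append(deps, d)
			}
		}
	}
	return deps
}

// sampleSetupCfg is a constructed input exercising the multi-line form,
// extras, an inline comment, an environment marker and an unpinned name.
const sampleSetupCfg = `
[metadata]
name = example-app

[options]
python_requires = >=3.8
install_requires =
    requests>=2.25,<3
    Django[argon2] >= 4.2
    # comment lines inside the block are skipped
    importlib_metadata; python_version < "3.8"
    PyYAML
zip_safe = False
`

func main() {
	for _, d := range ParseSetupCfgInstallRequires(sampleSetupCfg) {
		fmt.Printf("%-20s %q\n", d.Name, d.Specifier)
	}
}
```

Running it lists the four dependencies with normalized names; anything after `zip_safe` is not mistaken for a requirement because a column-0 key closes the block.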
I think deps.dev fetches data from upstream (see https://docs.deps.dev/api/v3/#data) and computes dependency graph based on that.
Contribution is always welcome, so feel free to send the PR to OSV-Scanner!
@cuixq Any idea about the code that does this for python? I tried to look for it but could not find it.
The information, at least in good part, only exists in the sdist binaries on PyPI, not through APIs for these cases.
I don't think the code for Python is open sourced.
Currently the deps.dev UI and APIs show a big percentage of Python versions, maybe 20-30%, which have no known dependencies. For Python specifically, this is mostly due to lack of support for setup.py, setup.cfg and some other dependency lockfiles.
Is there a plan to support these files?