google / osv-scanner

Vulnerability scanner written in Go which uses the data provided by https://osv.dev
https://google.github.io/osv-scanner/
Apache License 2.0

Better support for transitive deps in Python (requirements.txt) #34

Open oliverchang opened 1 year ago

oliverchang commented 1 year ago

Currently requirements.txt parsing does not resolve the full dependency graph.

One option here may be to integrate pip-audit into this tool (though that introduces an external dependency from a different ecosystem).

di commented 1 year ago

Another option would be to require hashes to be specified; this ensures that the requirements file is fully resolved (because all dependencies must have hashes specified), and this dependency resolution is unnecessary.
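As an added example (not osv-scanner's own code) of the check di describes, here is a small Go parser that reports which requirements.txt entries are not exact `==` pins or carry no `--hash`, run over a constructed sample file:

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Requirement is one entry from a requirements.txt file.
type Requirement struct{ Name, Version string; Hashes []string }

// SampleRequirements is constructed input (not from the osv-scanner repo): one fully
// resolved entry, one unpinned version range and one exact pin that carries no hash.
const SampleRequirements = `requests==2.31.0 \
    --hash=sha256:0123abcd \
    --hash=sha256:4567ef00
urllib3>=1.26           # range, not a pin
certifi==2023.7.22      # pinned, but no --hash
`

var pinRe = regexp.MustCompile(`^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;]+)`)
var hashRe = regexp.MustCompile(`--hash[= ]([a-z0-9]+:[0-9a-fA-F]+)`)

// ParseRequirements joins backslash-continued lines, drops comments and option lines
// (-r, --index-url, ...) and reports entries that are not "==" pins or have no --hash.
func ParseRequirements(text string) (reqs []Requirement, problems []string) {
	joined := strings.ReplaceAll(text, "\\\n", " ")
	for _, line := range strings.Split(joined, "\n") {
		line, _, _ = strings.Cut(line, "#") // strip trailing comment
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "-") {
			continue
		}
		m := pinRe.FindStringSubmatch(line)
		if m == nil {
			problems = append(problems, "not pinned with ==: "+line)
			continue
		}
		r := Requirement{Name: strings.ToLower(m[1]), Version: m[2]}
		for _, h := range hashRe.FindAllStringSubmatch(line, -1) {
			r.Hashes = append(r.Hashes, h[1])
		}
		if len(r.Hashes) == 0 {
			problems = append(problems, "no --hash: "+r.Name)
		}
		reqs = append(reqs, r)
	}
	return reqs, problems
}
func main() { fmt.Println(ParseRequirements(SampleRequirements)) }
```

A file that produces an empty problems list is fully resolved in the sense above and can be scanned without resolving the dependency graph.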

h4sh5 commented 1 year ago

Or use pip-compile, which introduces pip-tools as a dependency instead: https://github.com/jazzband/pip-tools @oliverchang

agmond commented 1 year ago

Maybe deps.dev can be used here. @oliverchang

github-actions[bot] commented 1 month ago

This issue has not had any activity for 60 days and will be automatically closed in two weeks

oliverchang commented 1 month ago

> Maybe deps.dev can be used here. @oliverchang

We are planning to leverage deps.dev for this, similar to how we now support transitive resolution for Maven.