microsoft / component-detection

Scans your project to determine what components you use
MIT License

package detector warning #1043

Open zongtaol opened 3 months ago

zongtaol commented 3 months ago

I have two questions about warning notes while running component detection leveraging msft-sbom-tool.

  1. Does the component detection tool support C/C++ based projects?

We noticed component detection isn't capturing any packages and throws the below-mentioned warning. Are C/C++ projects supported? If not, will this be enabled in the future?

[warning]There were no packages detected during the generation workflow.

  2. We noticed a few of the components have been skipped, for example tensorflow and keras. Is this expected behavior, or does something need to be changed in the Python requirement.txt?

[warning]Candidate version ("protobuf 5.26.0 - pip") for "protobuf" already exists in map and the version is NOT valid.

[warning]Specifiers: "!=4.21.0,!=4.21.1,!=4.21.2,!=4.21.3,!=4.21.4,!=4.21.5,<5.0.0dev,>=3.20.3" for package "tensorflow-cpu-aws" caused this.

[warning]Candidate version ("tensorboard 2.15.2 - pip") for "tensorboard" already exists in map and the version is NOT valid.

[warning]Specifiers: "<2.17,>=2.16" for package "tensorflow" caused this.

[warning]Version Resolution for "tensorboard" failed, assuming last valid version is used.

[warning]Candidate version ("keras 2.15.0 - pip") for "keras" already exists in map and the version is NOT valid.

[warning]Specifiers: ">=3.0.0" for package "tensorflow" caused this.

[warning]Components skipped for "Pip" detector:

[warning]- "abi-pytestfixture-integration"

[warning]- "abi-core"

[warning]- "abi-package"

[warning]- "abi-vault"

[warning]- "numpy=1.26.4"

And I specified PIP_EXTRA_INDEX_URL as an internal link in the system environment as well as in requirement.txt, but all the packages are still not found in component detection. Do you know how we can resolve this warning message?

[warning]Received NotFound "Not Found" from https://pypi.org/pypi/abi-core/json

[warning]Root dependency "abi-core" not found on pypi. Skipping package.

[warning]Received NotFound "Not Found" from https://pypi.org/pypi/abi-package/json

[warning]Root dependency "abi-package" not found on pypi. Skipping package.

[warning]Received NotFound "Not Found" from https://pypi.org/pypi/abi-vault/json

[warning]Root dependency "abi-vault" not found on pypi. Skipping package.

Thank you.

cobya commented 2 months ago

Our support of C++ projects comes via the VCPKG detector. How are you registering the dependencies for your project?

For the second question about Python feed configuration, we have an open issue #415 for allowing internal feed configuration in the Pip detectors but we haven't had a chance to prioritize this recently. If you are interested in making the contribution I would be happy to help out how I can.
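
The warnings quoted in this issue can be triaged mechanically so that gaps in the detected component list are visible before an SBOM is relied on. The following is an added example, not part of the thread or of the component-detection project; the function name `triage`, the report layout, and the assumption that each "Specifiers" line belongs to the preceding "Candidate version" line are mine, and the sample log is a subset of the lines posted above.

```python
import re
from collections import defaultdict

# Sample input: warning lines copied from the issue text above (subset).
SAMPLE_LOG = '''\
[warning]Candidate version ("tensorboard 2.15.2 - pip") for "tensorboard" already exists in map and the version is NOT valid.
[warning]Specifiers: "<2.17,>=2.16" for package "tensorflow" caused this.
[warning]Version Resolution for "tensorboard" failed, assuming last valid version is used.
[warning]Candidate version ("keras 2.15.0 - pip") for "keras" already exists in map and the version is NOT valid.
[warning]Specifiers: ">=3.0.0" for package "tensorflow" caused this.
[warning]Components skipped for "Pip" detector:
[warning]- "abi-core"
[warning]- "numpy=1.26.4"
[warning]Received NotFound "Not Found" from https://pypi.org/pypi/abi-core/json
[warning]Root dependency "abi-core" not found on pypi. Skipping package.
'''

CANDIDATE = re.compile(r'Candidate version \("(\S+) (\S+) - pip"\) for "([^"]+)" .*NOT valid')
SPECIFIER = re.compile(r'Specifiers: "([^"]*)" for package "([^"]+)" caused this')
SKIP_HEAD = re.compile(r'Components skipped for "([^"]+)" detector:')
SKIP_ITEM = re.compile(r'^- "([^"]+)"$')
NOT_FOUND = re.compile(r'Root dependency "([^"]+)" not found on pypi')

def triage(log_text):
    """Group warnings into version conflicts, skipped components and
    root dependencies that pypi.org does not know about."""
    report = {"conflicts": [], "skipped": defaultdict(list), "not_on_pypi": []}
    pending = None    # invalid candidate waiting for its Specifiers line
    detector = None   # detector whose skip list we are currently inside
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line.startswith("[warning]"):
            continue  # blank lines and other levels are ignored
        msg = line[len("[warning]"):]
        if detector and (m := SKIP_ITEM.match(msg)):
            report["skipped"][detector].append(m.group(1))
            continue
        detector = None  # any other warning ends the skip list
        if m := CANDIDATE.search(msg):
            pending = {"package": m.group(3), "candidate": m.group(2)}
        elif pending and (m := SPECIFIER.search(msg)):
            report["conflicts"].append(
                {**pending, "required": m.group(1), "required_by": m.group(2)})
            pending = None
        elif m := SKIP_HEAD.search(msg):
            detector = m.group(1)
        elif m := NOT_FOUND.search(msg):
            report["not_on_pypi"].append(m.group(1))
    return report
```

Names that appear under `not_on_pypi` are the ones the Pip detector looked up on pypi.org and skipped, which is the case the internal-feed question in this thread is about.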