microsoft / component-detection

Scans your project to determine what components you use
MIT License
412 stars 87 forks

Investigate usage of pip install report for gathering Python dependencies #980

Open cobya opened 7 months ago

cobya commented 7 months ago

The Installation Report generated by Pip may be sufficient to gather dependency information from Python setup files. May need to be used in conjunction with pip inspect.

Originally discussed as part of #629, we should investigate whether or not the full dependency graph can be generated for Python ecosystems using this method.

AB#2141027

cobya commented 3 months ago

There has now been documentation published on the usage of --report. See https://pip.pypa.io/en/stable/reference/installation-report/

Example dry run commands using the pip command:

cobya commented 3 months ago

Note that the report format version declared stable is only available in Pip > v23.0; this should be a conditional check before running this version of detection. We also get transitive dependency detection as part of this report.
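
As an added illustration (not component-detection code or anything posted in this thread), the following script shows what a detector built on the installation report would do: refuse any report whose `version` field is not the stable "1", split the resolved packages into requested (direct) and transitive ones, build the dependency edges from each package's `requires_dist`, and surface yanked releases. The sample report is constructed to mirror the layout documented at the link above; its `is_yanked: true` entry is set deliberately to exercise that check.

```python
"""Parse a pip installation report (`pip install --dry-run --report FILE`) into a dependency
graph. Added example, not component-detection code; SAMPLE_REPORT below is constructed."""
import json
import re

SAMPLE_REPORT = json.dumps({
    "version": "1", "pip_version": "23.0.1",
    "install": [
        {"requested": True, "is_yanked": False, "metadata": {
            "name": "requests", "version": "2.31.0", "requires_dist": [
                "charset-normalizer<4,>=2", "idna<4,>=2.5", "urllib3<3,>=1.21.1",
                "PySocks!=1.5.7,>=1.5.6; extra == 'socks'"]}},
        {"requested": False, "is_yanked": False, "metadata": {"name": "urllib3", "version": "2.0.7"}},
        {"requested": False, "is_yanked": False, "metadata": {"name": "idna", "version": "3.4"}},
        {"requested": False, "is_yanked": True,
         "metadata": {"name": "charset_normalizer", "version": "3.3.0"}},
    ],
})
REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")  # name at the front of a PEP 508 string

def normalize(name):
    """PEP 503 normalisation so 'charset_normalizer' and 'charset-normalizer' match."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_report(report_text):
    """Return (installed, graph): normalised name -> details, and name -> resolved deps."""
    report = json.loads(report_text)
    if report.get("version") != "1":  # only format version 1 is declared stable
        raise ValueError(f"unsupported installation report version {report.get('version')!r}")
    installed = {}
    for item in report["install"]:
        meta = item["metadata"]
        installed[normalize(meta["name"])] = {
            "version": meta["version"], "requested": item.get("requested", False),
            "yanked": item.get("is_yanked", False), "requires": meta.get("requires_dist") or []}
    graph = {}
    for key, info in installed.items():
        deps = [normalize(m.group(1)) for m in map(REQ_NAME.match, info["requires"]) if m]
        # Keep only edges to packages pip resolved; unselected extras ('socks' here) are absent.
        graph[key] = [d for d in deps if d in installed]
    return installed, graph

def classify(report_text):
    """Split resolved packages into requested (direct), transitive and yanked lists."""
    installed, graph = parse_report(report_text)
    direct = sorted(k for k, v in installed.items() if v["requested"])
    transitive = sorted(k for k, v in installed.items() if not v["requested"])
    yanked = sorted(k for k, v in installed.items() if v["yanked"])
    return direct, transitive, yanked, graph
```

Because the report only lists what pip actually resolved, a requirement behind an extra that was not requested (the `socks` extra above) produces no edge, which is the behaviour a detector reading this format should expect.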

cobya commented 3 months ago

@edena-legit since you've been interested in Python detection previously, I'd love to have your input on the new PipReport detector and if you encounter any issues running it.