[FEATURE] Scan dependencies determined by a requirements file without installing them

sonatype-nexus-community / jake

Check your Python environments for vulnerable Open Source packages with OSS Index or Sonatype Nexus Lifecycle.

https://jake.readthedocs.io/

Apache License 2.0

114 stars 24 forks source link

[FEATURE] Scan dependencies determined by a requirements file without installing them #96

Open blackstream-x opened 2 years ago

blackstream-x commented 2 years ago

What are you trying to do? Scan dependencies determined by a requirements file without having to actually having these dependencies installed
What feature or behavior is this required for? The jake installation itself has its own dependencies, and in certain cases these dependencies conflict with the dependencies of the scanned project (see https://gitlab.com/j2c-bce/helloworld-fastapi/-/jobs/2033667516 for an example situation. I solved it by upgrading the project dependencies in this case, but there might exist situation where that is not an option)
How could we solve this issue? (Not knowing is okay!) Idk, maybe generate a SBOM from the requirements file and use that to look for vulnerabilities?
Anything else?

cc @bhamail / @DarthHater

madpah commented 2 years ago

Hi @blackstream-x,

Thanks for the request.

Can you let us know:

What version of jake you are using?
What command you are invoking?

jake (should) already support passing a requirements.txt file in, so if you can let us know the above we can dig a little deeper.

Thansk!

blackstream-x commented 2 years ago

Hi @madpah ,

I was using jake==1.1.5 in a python:3.6-slim container.
I invoked jake ddt which seems to scan the installed packages only. This subcommand does not support the -i option as jake sbom does. and it does not seem to process standard input as well.

My intention was to scan project dependencies for vulnerabilities, but these dependencies caused a conflict with jake`s own dependencies:

ERROR: Cannot install -r requirements.txt (line 2) and jake==1.1.5 because these package versions have conflicting dependencies.
The conflict is caused by:
    jake 1.1.5 depends on click<9.0.0 and >=8.0.1
    uvicorn 0.13.4 depends on click==7.*
To fix this you could try to:
(...)

So my idea was to resolve the dependencies using e.g. pip-compile (from pip-tools) and pass the compiled dependencies to jake ddt

awkmon commented 2 years ago

I, too, was looking for a similar enhancement. I used -r requirements.txt and standard input to jake ddt -c in 0.2.77 (last Summer version). This all breaks as of 1.x, it seems. I need to check multiple versions for compliance.

waiyujack commented 2 years ago

Hi @blackstream-x,

Thanks for the request.

Can you let us know:

What version of jake you are using?

What command you are invoking?

jake (should) already support passing a requirements.txt file , so if you can let us know the above we can dig a little deeper.

Thansk!

@madpah

You mentioned that jake already supports passing requirements.txt.

Do you have an example code for checking requirements.txt using OSS Index without installing the requirements file to the environment?

Say for example, I have generated a few conda requirements.txt using conda list -e > requirements.txt

robjerdonek commented 2 years ago

I am seeing the same problem. The latest version of jake (v2.1.1) does not support the command line option -r requirements.txt , which was supported in previous versions such as 0.2.77

blackstream-x commented 2 years ago

This issue seems to be a part of the feature request https://github.com/sonatype-nexus-community/jake/issues/104