sw360 / capycli

CaPyCLI - Python scripts for software license compliance automation with SW360

Python scanner for poetry.lock doesn't exclude dev dependencies for Poetry >= 1.5.0 #61

Closed slayo11 closed 3 weeks ago

slayo11 commented 7 months ago

Hello,

Starting from poetry 1.5.0 (ref), the "category" field, based on which capycli skips dev dependencies, is no longer part of the poetry.lock file. #7637

This causes capycli to list all the dependencies, including dev ones, and, in our projects, to also load those into SW360.

I'm not so acquainted with poetry internals, but I guess that a solution would require reading the main dependencies from the pyproject.toml file and resolving the transitive dependencies of the main dependencies from the poetry.lock, as looking only at the lock file isn't enough to exclude dev dependencies.

tngraf commented 7 months ago

This is bad. I even added support for the dev flag to the CycloneDX tool.
But we have to accept their justification: at the end the lock file format is not officially documented and they are free to change it.
We could try to use poetry show --without dev ... but this is again a proprietary format, or maybe use poetry export -f requirements.txt --output requirements.txt --without-hashes. As far as I can see, --without dev has no effect on the requirements file.

slayo11 commented 7 months ago

--without dev has no effect because it's the default behaviour of the poetry export plugin to not include group dev dependencies (ref).

If you try poetry export -f requirements.txt --with dev -o requirements.txt --without-hashes then we'll obtain a requirements.txt with both main and dev dependencies.

So if going with the export plugin is the way, I think poetry export -f requirements.txt --output requirements.txt --without-hashes is the right command.

tngraf commented 1 month ago

cyclonedx-python 5.1.0 still manages to exclude dev dependencies. Their trick seems to be that they also load pyproject.toml and evaluate this file to determine the final list of dependencies.
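The approach slayo11 sketches in the first comment and tngraf observes in cyclonedx-python (take the main dependencies from pyproject.toml, then walk their transitive closure through poetry.lock) as an added Python example; this is not CaPyCLI's or Poetry's own code, and the two embedded files are constructed samples in the Poetry >= 1.5 layout.

```python
try:
    import tomllib  # Python 3.11+
except ImportError:
    import tomli as tomllib
# Constructed sample files in the Poetry >= 1.5 layout: no "category" field anywhere.
PYPROJECT = """
[tool.poetry.dependencies]
python = "^3.11"
requests = "^2.31"
[tool.poetry.group.dev.dependencies]
pytest = "^8.0"
"""
POETRY_LOCK = """
[[package]]
name = "requests"
version = "2.31.0"
[package.dependencies]
certifi = ">=2017.4.17"
PySocks = {version = ">=1.5.6", optional = true}
[[package]]
name = "certifi"
version = "2024.2.2"
[[package]]
name = "pytest"
version = "8.1.1"
[package.dependencies]
pluggy = ">=1.4,<2.0"
[[package]]
name = "pluggy"
version = "1.4.0"
"""
def norm(name: str) -> str:
    # Poetry-style name normalisation so "PySocks" and "pysocks" compare equal
    return name.lower().replace("_", "-").replace(".", "-")
def main_dependencies(pyproject_text: str, lock_text: str) -> dict:
    """Return {name: version} for the main dependencies plus their transitive closure only."""
    roots = tomllib.loads(pyproject_text)["tool"]["poetry"]["dependencies"]
    lock = {norm(p["name"]): p for p in tomllib.loads(lock_text).get("package", [])}
    todo = [norm(n) for n in roots if n != "python"]  # "python" is a constraint, not a package
    resolved = {}
    while todo:
        name = todo.pop()
        if name in resolved or name not in lock:  # seen already, or not locked (marker-excluded)
            continue
        resolved[name] = lock[name]["version"]
        for dep, spec in lock[name].get("dependencies", {}).items():
            if isinstance(spec, dict) and spec.get("optional"):  # belongs to an extra not requested
                continue
            todo.append(norm(dep))
    return resolved
```

Packages reachable only from a dev group (pytest and its pluggy dependency here) never enter the result, which is the set a scanner would hand on to SW360.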