tern-tools / tern

Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more.
BSD 2-Clause "Simplified" License

Debian-inspector conflict while using scancode and tern #1185

Closed Jeeppler closed 1 year ago

Jeeppler commented 2 years ago

Describe the bug

Installing Scancode-toolkit 31.1.1 and Tern 2.10.1 together results in a package conflict, because both rely on a different version of the debian-inspector package.

To Reproduce

Try to install Scancode-toolkit 31.1.1 and Tern 2.10.1 together.

packages.txt

tern==2.10.1
scancode-toolkit[full]==31.1.1

Error in terminal

ERROR: Cannot install -r packages.txt (line 1), -r /packages.txt (line 2) and scancode-toolkit[full]==31.1.1 because these package versions have conflicting dependencies.

The conflict is caused by:
    scancode-toolkit[full] 31.1.1 depends on debian-inspector>=31.0.0
    scancode-toolkit 31.1.1 depends on debian-inspector>=31.0.0
    tern 2.10.1 depends on debian-inspector==30.0.0

Expected behavior

Scancode-toolkit and Tern use the same debian-inspector version.

Environment you are running Tern on

vargenau commented 1 year ago

See also #1195

rnjudge commented 1 year ago

Thanks for the issue @Jeeppler! I apologize for the delay. I have been on maternity leave. I will get the debian-inspector dependency updated for Tern. There will be a new release before the holidays.

Jeeppler commented 1 year ago

@rnjudge thanks for your reply. I am looking forward to the release.

rnjudge commented 1 year ago

I'm not sure why pip thinks Tern depends on debian-inspector==30.0.0 when requirements.txt says debian-inspector>=30.0, but nevertheless it will be fixed in the upcoming release.
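
Added example, not part of the thread or of Tern's code: pip resolves against the Requires-Dist entries in each published distribution's metadata, so this sketch compares such entries across distributions and reports a shared dependency that no candidate version can satisfy. The function names, the sample strings (built from the pins quoted in this issue) and the candidate version list are constructed for illustration; only plain numeric versions are handled and environment markers are ignored.

```python
import re
from collections import defaultdict
from importlib import metadata

REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*\(?([^;)]*)\)?\s*(?:;.*)?$")
CLAUSE = re.compile(r"^(==|>=|<=|!=|>|<)\s*(\d+(?:\.\d+)*)$")
OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
       ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b}

def ver(text):
    """Numeric dotted versions only; trailing zeros dropped so 30.0 == 30.0.0."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def parse(req):
    """Split a Requires-Dist string into (normalized name, [(op, version)])."""
    m = REQ.match(req)
    if not m:
        raise ValueError(f"unparsed requirement: {req!r}")
    clauses = []
    for part in filter(None, (p.strip() for p in m.group(2).split(","))):
        c = CLAUSE.match(part)
        if not c:
            raise ValueError(f"unsupported specifier: {part!r}")
        clauses.append((c.group(1), ver(c.group(2))))
    return re.sub(r"[-_.]+", "-", m.group(1)).lower(), clauses

def installed_requires(names):
    """Requires-Dist as recorded in each installed distribution's metadata."""
    return {n: metadata.requires(n) or [] for n in names}

def find_conflicts(requires_by_dist, candidates):
    """Return {dependency: [dists]} where no candidate version satisfies all dists."""
    wanted = defaultdict(list)
    for dist, reqs in requires_by_dist.items():
        for req in reqs:
            name, clauses = parse(req)
            wanted[name].append((dist, clauses))
    conflicts = {}
    for dep, versions in candidates.items():
        users = wanted.get(dep, [])
        ok = [v for v in versions
              if all(OPS[op](ver(v), bound) for _, cl in users for op, bound in cl)]
        if users and not ok:
            conflicts[dep] = sorted(d for d, _ in users)
    return conflicts

# Constructed inputs: pins as pip reported them vs. what requirements.txt is said to contain.
PUBLISHED = {"tern": ["debian-inspector (==30.0.0)"], "scancode-toolkit": ["debian-inspector>=31.0.0"]}
REPO = {"tern": ["debian-inspector>=30.0"], "scancode-toolkit": ["debian-inspector>=31.0.0"]}
CANDIDATES = {"debian-inspector": ["30.0.0", "31.0.0"]}  # constructed candidate list
```

On an environment where the packages are installed, `find_conflicts(installed_requires(["tern", "scancode-toolkit"]), CANDIDATES)` runs the same check against the real metadata.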

Jeeppler commented 1 year ago

@rnjudge thanks for fixing it.