oss/syft
2
0
Fork 0
mirror of https://github.com/anchore/syft.git synced 2026-02-12 10:36:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: requirements.txt - return unicode only letter/num for version (#1361)

Browse Source
This commit is contained in:
Christopher Angelo Phillips 2022-11-22 10:43:05 -05:00 committed by GitHub
parent 74967a28ea
commit bcfe38c009
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 37 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
syft/pkg/cataloger/python/parse_requirements.go
View File

@ -4,6 +4,7 @@ import (
"bufio" "bufio"
"fmt" "fmt"
"strings" "strings"
"unicode"
"github.com/anchore/syft/internal/log" "github.com/anchore/syft/internal/log"
"github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/artifact"
@ -47,8 +48,14 @@ func parseRequirementsTxt(_ source.FileResolver, _ *generic.Environment, reader
log.WithFields("path", reader.RealPath).Warnf("unable to parse requirements.txt line: %q", line) log.WithFields("path", reader.RealPath).Warnf("unable to parse requirements.txt line: %q", line)
continue continue
} }
// check if the version contains hash declarations on the same line
version, _ := parseVersionAndHashes(parts[1])
name := strings.TrimSpace(parts[0]) name := strings.TrimSpace(parts[0])
version := strings.TrimSpace(parts[1]) version = strings.TrimFunc(version, func(r rune) bool {
return !unicode.IsLetter(r) && !unicode.IsNumber(r)
})
packages = append(packages, newPackageForIndex(name, version, reader.Location)) packages = append(packages, newPackageForIndex(name, version, reader.Location))
} }
@ -59,6 +66,15 @@ func parseRequirementsTxt(_ source.FileResolver, _ *generic.Environment, reader
return packages, nil, nil return packages, nil, nil
} }
func parseVersionAndHashes(version string) (string, []string) {
parts := strings.Split(version, "--hash=")
if len(parts) < 2 {
return version, nil
}
return parts[0], parts[1:]
}
// trimRequirementsTxtLine removes content from the given requirements.txt line // trimRequirementsTxtLine removes content from the given requirements.txt line
// that should not be considered for parsing. // that should not be considered for parsing.
func trimRequirementsTxtLine(line string) string { func trimRequirementsTxtLine(line string) string {

16
syft/pkg/cataloger/python/parse_requirements_test.go
View File

@ -37,6 +37,22 @@ func TestParseRequirementsTxt(t *testing.T) {
Language: pkg.Python, Language: pkg.Python,
Type: pkg.PythonPkg, Type: pkg.PythonPkg,
}, },
{
Name: "argh",
Version: "0.26.2",
PURL: "pkg:pypi/argh@0.26.2",
Locations: locations,
Language: pkg.Python,
Type: pkg.PythonPkg,
},
{
Name: "argh",
Version: "0.26.3",
PURL: "pkg:pypi/argh@0.26.3",
Locations: locations,
Language: pkg.Python,
Type: pkg.PythonPkg,
},
} }
var expectedRelationships []artifact.Relationship var expectedRelationships []artifact.Relationship

4
syft/pkg/cataloger/python/test-fixtures/requires/requirements.txt
View File

@ -10,3 +10,7 @@ coverage != 3.5 # Version Exclusion. Anything except version 3.5
numpyNew; sys_platform == 'win32' numpyNew; sys_platform == 'win32'
numpy >= 3.4.1; sys_platform == 'win32' numpy >= 3.4.1; sys_platform == 'win32'
Mopidy-Dirble ~= 1.1 # Compatible release. Same as >= 1.1, == 1.* Mopidy-Dirble ~= 1.1 # Compatible release. Same as >= 1.1, == 1.*
argh==0.26.2 \
--hash=sha256:a9b3aaa1904eeb78e32394cd46c6f37ac0fb4af6dc488daa58971bdc7d7fcaf3 \
--hash=sha256:e9535b8c84dc9571a48999094fda7f33e63c3f1b74f3e5f3ac0105a58405bb65
argh==0.26.3 --hash=sha256:a9b3aaa1904eeb78e32394cd46c6f37ac0fb4af6dc488daa58971bdc7d7fcaf3 --hash=sha256:e9535b8c84dc9571a48999094fda7f33e63c3f1b74f3e5f3ac0105a58405bb65