[BUG] multi-declare (optional) dependencies are treated as root dependencies #840
Comments
@rocketrose99, thank you for the report. Are you interested in providing a fix for the bug?
I will work on a fix soon
I tried to reproduce, and saw the following behavior:
[tool.poetry.dependencies]
python = "^3.8"
cyclonedx-python-lib = {version = ">=8,<9", optional = true}
py-serializable = [
{version = "*", optional = true}
]
[tool.poetry.extras]
# no extras - see https://github.com/CycloneDX/cyclonedx-python/issues/840
debug output:
remarks:
the bug was not that optional were not detected, but that multi-constraint handling (multiple version/instruction/constraint declaration for one and the same dependency) was poorly implemented.
this was fixed via https://github.com/CycloneDX/cyclonedx-python/releases/tag/v5.1.2
Thank you so much! Sorry for going silent, my husband had surgery over the weekend, so I appreciate you taking care of this!
Describe the bug
Optional dependencies are treated as root dependencies when surrounded by brackets.
In other words, there is no way to ignore them when generating the SBOM.
For example, defining a dependency like this:
vs like this:
yields different results in the sbom generated via cyclonedx-py poetry -o sbom.json --of json --sv 1.4. The former case includes numpy whereas the latter does not. Neither should, since no extras were specified.
To Reproduce
Using this example pyproject.toml, notice how the numpy dep is optional but in a bracket:
1. run poetry lock
2. run cyclonedx-py poetry -o sbom.json --of json --sv 1.4
Expected behavior
The contents of sbom.json to not include numpy. E.g., the expected output below was generated by defining the numpy dependency like so:
numpy = { version = "*", optional = true }
Screenshots or output-paste
What's actually happening is numpy is added to the sbom even though I didn't specify any extras that include it (full output here):
Environment
Additional context
I used numpy to simplify the example here, but this becomes a real issue for more complex cases like torch. torch(cpu) and torch(cuda) have different dependencies, and the way you'd allow a user to select either or would use those brackets, something like this:
When generating an sbom on something like this, even when just the cpu extra is given, all the cuda/nvidia dependencies are included too (and they should not be since torch 2.2.0+cpu does not depend on any nvidia stuff).