OfekShimko
Contributor

This change allows cdxgen to correctly identify root packages and preserve their relationship to the parent component, for requirements.txt files, resulting in a more accurate dependency graph.

@OfekShimko OfekShimko requested a review from prabhu as a code owner July 6, 2025 15:27
@OfekShimko OfekShimko force-pushed the improve_requirements_root_detection branch from d49cdbc to 75f17f7 Compare July 6, 2025 15:31
@malice00
Collaborator

malice00 commented Jul 7, 2025

Can you please run the linter (pnpm run lint) to fix the biome problem?

@OfekShimko
Contributor Author

Thank you @malice00

@prabhu
Collaborator

prabhu commented Jul 8, 2025

@bandhan-majumder could you work with @OfekShimko and test this PR by creating a series of before and after SBOMs for comparison with custom-json-diff? It won't be easy since Python repos are a PITA to build correctly, requiring multiple container images.

@bandhan-majumder
Collaborator

bandhan-majumder commented Jul 8, 2025

That's true. I will work to test this PR with before and after SBOMs diff.

@malice00
Collaborator

malice00 commented Jul 8, 2025

Probably doesn't need mentioning, but I'd rather be safe than sorry -- @bandhan-majumder add those SBOMs in the project as well (at least the after ones, although failure-tests are also a good thing) and add them to our test suite!

@OfekShimko
Contributor Author

Thank you! Let me know if I can assist in any way

@prabhu
Collaborator

prabhu commented Jul 16, 2025

We are blocked since custom-json-diff is reporting too many differences. For some reason, the html export isn't working. Give us some more time.

@prabhu
Collaborator

prabhu commented Jul 18, 2025

@OfekShimko Apologies. Could you kindly rebase from master and resolve the conflicts?

Shimko added 3 commits July 20, 2025 10:29
Signed-off-by: Shimko <oshimko@paloaltonetworks.com>
Signed-off-by: Shimko <oshimko@paloaltonetworks.com>
Signed-off-by: Shimko <oshimko@paloaltonetworks.com>
@OfekShimko OfekShimko force-pushed the improve_requirements_root_detection branch from 82d9afe to 4e58737 Compare July 20, 2025 07:31
@OfekShimko
Contributor Author

@prabhu sure, done :)

@prabhu
Collaborator

prabhu commented Jul 20, 2025

@OfekShimko It is still showing conflicts for some reason. Any ideas?

@OfekShimko
Contributor Author

@prabhu now it should be OK 👍🏽

Collaborator

@prabhu prabhu left a comment

Thank you so much for this PR! Will merge and test this directly in master due to need for multiple container images.

@prabhu prabhu merged commit 2c26754 into CycloneDX:master Jul 21, 2025
80 checks passed
4 participants