Fix Python package dependency detection #3965
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Previously a dependency relationship between two Python packages was not detected if there were no parentheses around the version specifier in the wheel metadata of the parent package. This commit allows detection of such relationships. Signed-off-by: Christoph Blessing <chris24.blessing@gmail.com>
wagoodman
approved these changes
Jun 6, 2025
spiffcs
added a commit
that referenced
this pull request
Jun 9, 2025
* main: (31 commits) remove benchmark utils (#3982) fix: exclude packages with SPDX GENERATED_FROM source package indication (#3981) chore(deps): bump modernc.org/sqlite from 1.37.1 to 1.38.0 (#3979) chore(deps): bump github.com/go-git/go-git/v5 from 5.16.1 to 5.16.2 (#3978) chore(deps): update tools to latest versions (#3977) chore(deps): update CPE dictionary index (#3976) chore(deps): bump golang.org/x/net from 0.40.0 to 0.41.0 (#3970) chore(deps): bump github.com/sergi/go-diff (#3971) Fix Python package dependency detection (#3965) fix: Remove three Rust crate false positive CPE matches (#3967) Harden Container Runtime with Non-Root User (#3941) fix: Remove two Rust crate false positive CPE matches (#3962) chore(deps): bump golang.org/x/mod from 0.24.0 to 0.25.0 (#3963) chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.12 to 0.5.13 (#3964) fix: bump stereoscope to fix symlink performance issue (#3953) chore(deps): bump github.com/go-git/go-git/v5 from 5.16.0 to 5.16.1 (#3960) chore(deps): bump github/codeql-action from 3.28.18 to 3.28.19 (#3952) feat: add syft schema version to version command (#3949) chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.11 to 0.5.12 (#3943) chore(deps): update tools to latest versions (#3945) ... Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Previously a dependency relationship between two Python packages was not detected if there were no parentheses around the version specifier in the wheel metadata of the parent package. This pull request allows detection of such relationships.
Type of change
Checklist: