Python Application Analysis


The Python coordinate based matching feature provides the ability to scan and evaluate Python dependencies found in a requirements.txt file.

What is supported

Files named requirements.txt will be analyzed. Only requirements that use the "==" operator with a version that contains no wildcards will be considered. One requirement can be matched to multiple Python packages.

Steps to analyze using the CLI

Create requirements

Run pip freeze

pip freeze > requirements.txt

Example file content


altgraph==0.10.2
backports-abc==0.5
backports.ssl-match-hostname==3.5.0.1
bdist-mpkg==0.5.0
certifi==2018.1.18
chardet==3.0.4
click==6.7
confire==0.2.0
Django==1.6
django-countries==3.3
django-make-app==0.1.3
docopt==0.6.2
enum34==1.1.6


Add environment markers (optional)

Adding environment markers can simplify the results by filtering out components that are not relevant to your deployment platform. Only the sys_platform environment marker is supported at the moment.

Add the environment marker next to the component(s) in the requirements.txt.

e.g.  

Django==1.6; sys_platform == 'win32'
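The filtering rules above (exact "==" pins only, no wildcard versions, optional sys_platform marker) as an added Python example; this is not Sonatype's code, and it assumes that a line carrying any other environment marker is skipped rather than evaluated.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# name, operator, version, then an optional "; sys_platform == '...'" marker.
# Treating any other marker as unsupported (line skipped) is an assumption here.
_REQ_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*"
    r"(?P<op>===?|~=|!=|<=|>=|<|>)\s*"
    r"(?P<version>[^\s;#]+)"
    r"(?:\s*;\s*sys_platform\s*==\s*['\"](?P<platform>[^'\"]+)['\"])?"
    r"\s*(?:#.*)?$"
)

@dataclass(frozen=True)
class Requirement:
    name: str
    version: str
    platform: Optional[str]  # None when the line carries no sys_platform marker

def parse_requirements(text: str, target_platform: Optional[str] = None) -> List[Requirement]:
    """Return the entries the scan would evaluate, in file order.

    Dropped: blank and comment lines, operators other than '==', versions
    containing a wildcard, and entries whose sys_platform marker does not
    match target_platform (when a target platform is given).
    """
    kept: List[Requirement] = []
    for line in text.splitlines():
        m = _REQ_RE.match(line)
        if not m or m.group("op") != "==":
            continue  # comment, blank, unparsable, or not an exact pin
        if "*" in m.group("version"):
            continue  # e.g. 1.6.* cannot be matched to one coordinate
        platform = m.group("platform")
        if target_platform and platform and platform != target_platform:
            continue  # filtered out by the environment marker
        kept.append(Requirement(m.group("name"), m.group("version"), platform))
    return kept

# Constructed sample input (not the page's own requirements.txt).
SAMPLE = """\
altgraph==0.10.2
Django==1.6; sys_platform == 'win32'
pywin32==223; sys_platform == 'win32'
certifi>=2018.1.18   # a range, not an exact pin
chardet==3.0.*       # wildcard version
click==6.7
"""
```

Calling `parse_requirements(SAMPLE, target_platform="linux")` keeps only altgraph and click; without a target platform the two win32-marked entries are kept as well.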


Run a scan

Invoke a CLI scan of the directory containing requirements.txt. Instructions on how to do this can be found at https://help.sonatype.com/integrations/nexus-iq-cli.

The output from the CLI


Dashboard results


Report results