Python Application Analysis
The Python coordinate-based matching feature provides the ability to scan and evaluate Python dependencies found in a requirements.txt file.
What is supported
Files named requirements.txt (generated using a pip command) will be analyzed.
What do we parse from the file?
Requirements using the "==" operator with a version that contains no wildcards will be considered. One requirement could be matched to multiple distributions of the same Python package. However, using the "sys_platform" marker makes the dependency more specific. For example:
pywin32 ==1.0 ; sys_platform == 'win32'
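As an added illustration of the parsing rules above (example code, not Sonatype's own parser), the following Python snippet applies them to a requirements.txt: it keeps only "==" pins whose version has no wildcard, skips other specifiers, and records the sys_platform marker when one is present. The sample file content is constructed.

```python
# Added example (not Sonatype's code): applies the rules described on this
# page to a requirements.txt produced by `pip freeze`.
import re
from typing import List, NamedTuple, Optional

class PinnedRequirement(NamedTuple):
    name: str
    version: str
    sys_platform: Optional[str]  # None when no marker is given

# Matches "<name> == <version>" with an optional trailing "; <markers>" part.
_LINE_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*(?P<version>[^\s;]+)"
    r"\s*(?:;\s*(?P<markers>.+))?\s*$"
)
# Extracts the value of a sys_platform == '...' marker, if present.
_PLATFORM_RE = re.compile(r"""sys_platform\s*==\s*['"](?P<value>[^'"]+)['"]""")

def parse_requirements(text: str) -> List[PinnedRequirement]:
    """Return the requirements the scan would consider, in file order."""
    found = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _LINE_RE.match(line)
        if m is None:  # e.g. ">=", "~=", editable "-e" installs, URLs
            continue
        version = m.group("version")
        if "*" in version:  # wildcard versions such as 1.* are not matched
            continue
        platform = None
        if m.group("markers"):
            pm = _PLATFORM_RE.search(m.group("markers"))
            if pm:
                platform = pm.group("value")
        found.append(PinnedRequirement(m.group("name"), version, platform))
    return found

# Constructed sample input, in the shape `pip freeze` emits.
SAMPLE = """\
# constructed requirements.txt
Django==1.6; sys_platform == 'win32'
pywin32 ==1.0 ; sys_platform == 'win32'
requests>=2.20
six==1.*
urllib3==1.26.5
"""
```

Running `parse_requirements(SAMPLE)` yields the two win32-marked pins and urllib3; the ">=" requirement and the wildcard pin are dropped.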
Integrations with Python scanning support
- CLI from version 58
- Jenkins from version 3.4.20190116-104331.e820fec
- Bamboo from version 1.10.0
- Maven from version 2.10.0
Steps to analyze using the CLI
Run pip freeze
pip freeze > requirements.txt
The requirements.txt file must be encoded as UTF-8. Note for Microsoft Windows users: the cmd.exe encoding may need to be changed to UTF-8; please refer to the Microsoft documentation on how to do this.
Example file content
Add environment markers (optional)
Adding environment markers can simplify the results by filtering out components that are not relevant to your deployment platform. Only the sys_platform environment marker is supported at the moment.
Add the environment marker next to the component(s) in the requirements.txt.
Django==1.6; sys_platform == 'win32'
Run a scan
Invoke a CLI scan of the directory containing requirements.txt. Instructions on how to do this can be found at https://help.sonatype.com/integrations/nexus-iq-cli.