Python Application Analysis

The Python coordinate-based matching feature scans and evaluates the Python dependencies listed in a requirements.txt file.

What is supported

Files named requirements.txt (generated using a pip command) will be analyzed.

What do we parse from the file?

Only requirements that use the "==" operator with a version containing no wildcards are considered. One requirement can match multiple distributions of the same Python package; adding the "sys_platform" environment marker makes the dependency more specific. For example:

altgraph==0.10.2
pywin32 ==1.0 ; sys_platform == 'win32'

Integrations with Python scanning support

  • CLI from version 58
  • Jenkins from version 3.4.20190116-104331.e820fec
  • Bamboo from version 1.10.0
  • Maven from version 2.10.0

Steps to analyze using the CLI

Create requirements

Run pip freeze

pip freeze > requirements.txt

The requirements.txt file must be UTF-8 encoded. Note for Microsoft Windows users: the cmd.exe encoding may need to be changed to UTF-8; refer to the Microsoft documentation for how to do this.

Example file content

altgraph==0.10.2
backports-abc==0.5
backports.ssl-match-hostname==3.5.0.1
bdist-mpkg==0.5.0
certifi==2018.1.18
chardet==3.0.4
click==6.7
confire==0.2.0
Django==1.6
django-countries==3.3
django-make-app==0.1.3
docopt==0.6.2
enum34==1.1.6

Add environment markers (optional)

Adding environment markers can simplify the results by filtering out components that are not relevant to your deployment platform. Only the sys_platform environment marker is currently supported.

Add the environment marker after the component(s) in requirements.txt, for example:

Django==1.6; sys_platform == 'win32'
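
The parsing rules given above (only "==" pins without wildcards are considered, and an optional sys_platform marker narrows a requirement to one platform) can be made concrete with the following Python example. It is added here for illustration and is not code from this page or from Sonatype's scanner; the sample requirements text, the function names and the Coordinate type are constructed for the example, and the PEP 503 name normalisation is a standard Python packaging convention rather than anything the page documents about the scanner's own matching.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input (not from the page): pip-freeze-style output with a
# few deliberately unsupported lines mixed in (range operator, wildcard, comment).
SAMPLE_REQUIREMENTS = """\
altgraph==0.10.2
backports.ssl-match-hostname==3.5.0.1
pywin32 ==1.0 ; sys_platform == 'win32'
Django==1.6; sys_platform == 'win32'
requests>=2.0
numpy==1.*
# pinned later
click==6.7 ; sys_platform == "linux"
"""

# One pinned requirement: name, "==", version, and an optional sys_platform
# marker (assumed to be the only marker honoured, as the page states).
_PINNED = re.compile(
    r"""^
    (?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)
    \s*==\s*
    (?P<version>[A-Za-z0-9.!+*-]+)
    \s*
    (?:;\s*sys_platform\s*==\s*['"](?P<platform>[^'"]+)['"]\s*)?
    $""",
    re.VERBOSE,
)


@dataclass(frozen=True)
class Coordinate:
    name: str
    version: str
    sys_platform: Optional[str]  # None means "applies on every platform"


def canonical_name(name: str) -> str:
    """PEP 503 normalisation so 'Backports.SSL_Match-Hostname' and
    'backports-ssl-match-hostname' compare equal when matching distributions."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_line(line: str) -> Optional[Coordinate]:
    """Return a Coordinate for a supported line, or None for a line that is skipped."""
    # pip comment rule: '#' at line start or after whitespace starts a comment.
    stripped = re.sub(r"(^|\s)#.*$", "", line).strip()
    if not stripped:
        return None
    match = _PINNED.match(stripped)
    if match is None:  # not "==" (e.g. ">=", "==="), or an unsupported marker
        return None
    if "*" in match.group("version"):  # wildcard versions are not considered
        return None
    return Coordinate(match.group("name"), match.group("version"), match.group("platform"))


def parse_requirements(text: str) -> List[Coordinate]:
    """All coordinates a requirements.txt would contribute, in file order."""
    coords = []
    for line in text.splitlines():
        coord = parse_line(line)
        if coord is not None:
            coords.append(coord)
    return coords


def applies_to(coord: Coordinate, platform: str) -> bool:
    """A coordinate with no marker applies everywhere; otherwise the marker must match."""
    return coord.sys_platform is None or coord.sys_platform == platform


def coordinates_for_platform(text: str, platform: str) -> List[Coordinate]:
    """Coordinates relevant to a deployment on `platform` ('win32', 'linux',
    'darwin', ... the values Python reports in sys.platform)."""
    return [c for c in parse_requirements(text) if applies_to(c, platform)]


if __name__ == "__main__":
    for platform in ("win32", "linux"):
        print(platform)
        for c in coordinates_for_platform(SAMPLE_REQUIREMENTS, platform):
            print(f"  {canonical_name(c.name)}=={c.version}")
```

Running the block on the constructed sample keeps the five "==" pins and drops the ">=" range, the "1.*" wildcard and the comment; filtering for win32 then removes the click line and filtering for linux removes pywin32 and Django, which is the reduction in results the marker section describes.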


Run a scan

Invoke a CLI scan of the directory containing requirements.txt. Instructions can be found at https://help.sonatype.com/integrations/nexus-iq-cli.

The output from the CLI

Dashboard results

Report results