
Some package entries have wrong package metadata #20

Open
dlebelcimmi opened this issue Sep 4, 2024 · 1 comment
@dlebelcimmi

We use sbom4python to construct an SBOM for our product. Our environment was built around Python 3.9 and the SBOM generation seemed correct. Now that we have upgraded our environment to Python 3.12, we have noticed an issue with some packages, especially numpy and scipy.

The SBOM entries for these packages are replaced by other packages when running sbom4python in Python 3.12:

numpy becomes GCC runtime library
scipy becomes libquadmath

In fact, these are sub-dependencies of the related packages. The output of "pip show numpy" displays different metadata attributes of the package (Name:, Version:, etc.). But for these big packages, pip show also outputs some information about sub-dependencies.

In Python 3.9, the sub-dependency metadata output was indented. But in Python 3.12, the metadata is no longer indented and is therefore mingled at the same level. For example, let's compare the output of this command using different versions of Python:

(python 3.9)

> pip show scipy | findstr Name:

Name: scipy
        Name: OpenBLAS
        Name: LAPACK
        Name: GCC runtime library
        Name: libquadmath

(python 3.12)

> pip show scipy | findstr Name:

Name: scipy
Name: OpenBLAS
Name: LAPACK
Name: GCC runtime library
Name: libquadmath

sbom4python uses pip show to recover package metadata and builds a metadata dictionary by parsing the output of pip show:

out = self.run_program(f"pip show {module}")

if (len(entry) == 2) and (entry[1] and not (entry[1].isspace())):

Since the entries for the displayed package and the sub-package are at the same level in Python 3.12, all entries of a sub-package that is already in the dictionary end up overwriting the current package entry. The last sub-package described by pip show takes precedence and replaces the actual package description. Furthermore, some metadata attributes are mingled in the final metadata.

For these reasons, I would urge you to replace the recovery of metadata by a more structured and robust approach (#17).
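To make the failure mode concrete, here is an added example (not sbom4python's code) that parses `pip show` output in two ways: a naive one-dictionary parser that mirrors the overwrite described above, and a record-based parser that starts a new record at every `Name:` line, indented or not, so the queried package keeps its own metadata. The two sample outputs are constructed to follow the Python 3.9 (indented) and Python 3.12 (flat) shapes shown in the issue; the version strings are illustrative.

```python
# Constructed sample: component records indented, as on Python 3.9.
PIP_SHOW_INDENTED = """\
Name: scipy
Version: 1.13.1
        Name: OpenBLAS
        Version: 0.3.27
        Name: libquadmath
        Version: 1.0
"""

# Constructed sample: same records flattened to column 0, as on Python 3.12.
PIP_SHOW_FLAT = """\
Name: scipy
Version: 1.13.1
Name: OpenBLAS
Version: 0.3.27
Name: libquadmath
Version: 1.0
"""

def parse_naive(out: str) -> dict[str, str]:
    """Mirrors the flaw in the issue: every 'key: value' line lands in one dict,
    so when component lines are at column 0 a later 'Name:' overwrites the real one."""
    metadata: dict[str, str] = {}
    for line in out.splitlines():
        entry = line.split(":", 1)
        if len(entry) == 2 and entry[1] and not entry[1].isspace():
            # Keyed on the raw field name: an indented "Name" is a distinct key,
            # which is why the indented (3.9) layout happened to work.
            metadata[entry[0]] = entry[1].strip()
    return metadata

def parse_records(out: str) -> list[dict[str, str]]:
    """Split the output into records: a new record starts at every 'Name:' line,
    whether or not it is indented. Record 0 is the queried package; the rest are
    the bundled components that pip show lists after it."""
    records: list[dict[str, str]] = []
    for line in out.splitlines():
        entry = line.split(":", 1)
        if len(entry) != 2 or not entry[1].strip():
            continue
        key, value = entry[0].strip(), entry[1].strip()
        if key == "Name" or not records:
            records.append({})
        records[-1][key] = value
    return records

def package_metadata(out: str) -> dict[str, str]:
    """Metadata the SBOM entry should describe: only the first (top-level) record."""
    records = parse_records(out)
    return records[0] if records else {}
```

The component records are still available from `parse_records` if the SBOM should list them as separate components rather than drop them.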

@anthonyharrison
Owner

I am currently working on addressing #17.
