Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bug(python): Trivy doesn't skip dev deps for some versions of poetry #8096

Open
nikpivkin opened this issue Dec 13, 2024 · 0 comments · May be fixed by #8106
Open

bug(python): Trivy doesn't skip dev deps for some versions of poetry #8096

nikpivkin opened this issue Dec 13, 2024 · 0 comments · May be fixed by #8106
Assignees
@nikpivkin
Labels
kind/bug Categorizes issue or PR as related to a bug.
Milestone
v0.58.1

Comments

@nikpivkin
Copy link
Contributor

The documentation says that dev dependencies for poetry are excluded. I did some tests with poetry (1.8.5). I added a dev dependency poetry add pytest --dev which added to the dev group:

[tool.poetry.group.dev.dependencies]
pytest = "^8.3.4"

But Trivy didn't skip it because now the package in the lockfile doesn't contain the category field as before, based on which Trivy determines the dev dependencies. This is unusual because the lock version remains unchanged and matches the one used in our tests: lock-version = '2.0'.

❯ trivy fs . -f json --list-all-pkgs | grep pytest
2024-12-12-12T17:03:28+06:00 INFO [vuln] Vulnerability scanning is enabled
2024-12-12-12T17:03:28+06:00 INFO [secret] Secret scanning is enabled
2024-12-12-12T17:03:28+06:00 INFO [secret] INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-12-12T17:03:28+06:00 INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.58/docs/scanner/secret#recommendation for faster secret detection
2024-12-12-12T17:03:03:28+06:00 INFO Number of language-specific files num=1
2024-12-12-12T17:03:28+06:00 INFO [poetry] Detecting vulnerabilities...
          “ID": ‘[email protected]’,
          “Name": ‘pytest’,
            “PURL": ‘pkg:pypi/[email protected]’,
```
@nikpivkin nikpivkin added the kind/bug Categorizes issue or PR as related to a bug. label Dec 13, 2024
@nikpivkin nikpivkin mentioned this issue Dec 13, 2024
Merged
6 tasks
@knqyf263 knqyf263 added this to the v0.58.1 milestone Dec 15, 2024
@nikpivkin nikpivkin linked a pull request Dec 16, 2024 that will close this issue
Open
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@nikpivkin nikpivkin

Labels
kind/bug Categorizes issue or PR as related to a bug.
Projects
Trivy Roadmap
Status: No status
Milestone
v0.58.1
Development

Successfully merging a pull request may close this issue.

fix(python): skip dev group's deps for poetry nikpivkin/trivy
2 participants
@knqyf263 @nikpivkin