While scanning, I have come across a requirements.txt from a templating engine which is being used to generate the final requirements.txt file.

For example, this is a line from the above-mentioned requirements.txt file: `... %ifcookiecutter.command_line_interface|lower=='click'-%} ...`

Since we scan all requirements.txt files while doing a file system scan, we would be splitting the line by `==` to get the package name and version (as per the logic here). As we can see, this result is not intended. I'm wondering if we can add some validation and skip these kinds of lines which lead to incorrect/invalid packages (not just in the pip parser but in other languages as well).

Below is an example of the packages being generated as part of the output of a trivy scan when we do a file system scan in the above-mentioned scenario.

```json
{
  "Target": "opt/conda/pkgs/cookiecutter-2.6.0-py311h06a4308_0/info/test/tests/test-templates/include/{{cookiecutter.project_slug}}/requirements.txt",
  "Class": "lang-pkgs",
  "Type": "pip",
  "Packages": [
    {
      "Name": "{%ifcookiecutter.command_line_interface|lower",
      "Identifier": {
        "PURL": "pkg:pypi/%7B%25ifcookiecutter.command-line-interface%7Clower@%27click%27-%25%7D"
      },
      "Version": "'click'-%}",
      "Layer": {}
    },
    {
      "Name": "{%ifcookiecutter.use_pytest",
      "Identifier": {
        "PURL": "pkg:pypi/%7B%25ifcookiecutter.use-pytest@%27y%27-%25%7D"
      },
      "Version": "'y'-%}",
      "Layer": {}
    }
  ]
}
```
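The validation step the issue asks for, as an added example in Go (Trivy's language). This is not Trivy's own pip parser; it mirrors the split-on-`==` behaviour described above and then rejects any line whose name or version does not look like a PEP 508 name or a PEP 440 version, so Jinja control lines such as `{%- if ... -%}` are reported as skipped instead of becoming packages and PURLs. The two regexes are deliberately approximate (an assumption of this example, not a normative check), and the requirements content is constructed here, modelled on the cookiecutter test template in the scan output.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Package is one pinned requirement recovered from a requirements.txt line.
type Package struct {
	Name    string
	Version string
}

// PEP 508 project name: ASCII letters/digits with single '.', '-' or '_'
// separators, case-insensitive. Jinja tokens such as "{%" or "|" never match.
// (Assumption: an approximation chosen for this example.)
var nameRe = regexp.MustCompile(`(?i)^[a-z0-9]([a-z0-9._-]*[a-z0-9])?$`)

// Loose PEP 440 version shape: digits, letters, '.', '!', '+', '*' and '-'.
// Quotes, spaces and braces (as in "'click' -%}") are rejected.
var versionRe = regexp.MustCompile(`(?i)^[0-9a-z.!+*-]+$`)

// ParseRequirements splits each line on "==" as the issue describes, but keeps
// an entry only when both halves pass the shape checks above. Rejected lines
// are returned so a scanner can log them instead of emitting bogus packages.
func ParseRequirements(content string) (pkgs []Package, skipped []string) {
	for _, raw := range strings.Split(content, "\n") {
		line := strings.TrimSpace(raw)
		if i := strings.Index(line, "#"); i >= 0 { // drop trailing comments
			line = strings.TrimSpace(line[:i])
		}
		if line == "" {
			continue
		}
		name, rest, found := strings.Cut(line, "==")
		if !found { // unpinned spec, "-r other.txt", or a tag like "{%- endif %}"
			skipped = append(skipped, raw)
			continue
		}
		version := strings.TrimSpace(rest)
		if i := strings.Index(version, ";"); i >= 0 { // strip environment markers
			version = strings.TrimSpace(version[:i])
		}
		name = strings.TrimSpace(name)
		if !nameRe.MatchString(name) || !versionRe.MatchString(version) {
			skipped = append(skipped, raw)
			continue
		}
		pkgs = append(pkgs, Package{Name: name, Version: version})
	}
	return pkgs, skipped
}

// Constructed sample (not the real cookiecutter file): Jinja control lines
// interleaved with genuine pins, the situation the issue describes.
var sampleRequirements = strings.Join([]string{
	"# constructed sample for this example",
	"{%- if cookiecutter.command_line_interface|lower == 'click' -%}",
	"click==8.1.7",
	"{%- endif %}",
	"{%- if cookiecutter.use_pytest == 'y' -%}",
	"pytest==7.4.0",
	"{%- endif %}",
	"requests==2.31.0  # pinned for the demo",
	"importlib-metadata==6.8.0; python_version < \"3.8\"",
}, "\n")

func main() {
	pkgs, skipped := ParseRequirements(sampleRequirements)
	for _, p := range pkgs {
		fmt.Printf("keep  %s %s\n", p.Name, p.Version)
	}
	for _, s := range skipped {
		fmt.Printf("skip  %q\n", s)
	}
}
```

Running it keeps the four real pins (click, pytest, requests, importlib-metadata) and reports the four Jinja lines as skipped. Surfacing the skipped lines matters as much as dropping them: a silently ignored line is how a real dependency goes unscanned, so a parser change along these lines should log what it discarded.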