A transitive dependency is not being identified when publishing the build info for a Python project #2694

Open
cmoyamoradas opened this issue Sep 13, 2024 · 0 comments
Labels
bug Something isn't working

Describe the bug

In short, it is a Python project (https://github.com/akawork/jenkins-exporter) that resolves 6 dependencies during the packaging phase, but when publishing the build-info in Artifactory using the JFrog CLI, one dependency (certifi-2024.8.30) is missing from the build-info JSON object. Instead, requests-2.21.0, which is one of the direct dependencies of the project, appears twice.

Current behavior

The build-info object doesn't reflect the transitive dependency certifi-2024-8-30. Instead, the requests-2.21.0 dependency (for which the certifi dependency is transitive) appears twice:
{
  "type": "python",
  "id": "jenkins-exporter:1.0",
  "dependencies": [
    {
      "sha1": "6a578028eeb178e16c3f6796420a08825ac33552",
      "sha256": "1b38b958750f66f208bcd9ab92a633c0c994d8859c831f7abc1f46724fcee490",
      "md5": "07f3a06d16f8d52f5a70220b8e0cb3b2",
      "id": "prometheus_client-0.6.0.tar.gz"
    },
    {
      "sha1": "25e1a4ffa07f36024e3a5722a170f254c3d4d245",
      "sha256": "7bf2a778576d825600030a110f3c0e3e8edc51dfaafe1c146e39a2027784957b",
      "md5": "ed3af234ffcad0b3c1e521e1dfde19be",
      "id": "requests-2.21.0-py2.py3-none-any.whl"
    },
    {
      "sha1": "25e1a4ffa07f36024e3a5722a170f254c3d4d245",
      "sha256": "7bf2a778576d825600030a110f3c0e3e8edc51dfaafe1c146e39a2027784957b",
      "md5": "ed3af234ffcad0b3c1e521e1dfde19be",
      "id": "requests-2.21.0-py2.py3-none-any.whl"
    },
    {
      "sha1": "96faab7de7e9a71b37f22adb64daf2898e967e3e",
      "sha256": "fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691",
      "md5": "0004b00caff7bb543a1d0d0bd0185a03",
      "id": "chardet-3.0.4-py2.py3-none-any.whl"
    },
    {
      "sha1": "428950b762f04cb88c215188c4b60b2d8def8ecd",
      "sha256": "ea8b7f6188e6fa117537c3df7da9fc686d485087abf6ac197f9c46432f7e4a3c",
      "md5": "61392a071e4a3b0f84cd6d71f94f15cc",
      "id": "idna-2.8-py2.py3-none-any.whl"
    },
    {
      "sha1": "100c48475b7db006881b14cbc3b1861ceffe5a3c",
      "sha256": "a637e5fae88995b256e3409dc4d52c2e2e0ba32c42a6365fee8bbd2238de3cfb",
      "md5": "cc3c42f7be135658be6d026d42503bd1",
      "id": "urllib3-1.24.3-py2.py3-none-any.whl"
    }
  ]
}

Reproduction steps

After cloning the project, this is the list of tasks I'm running:

  1. Create and activate a virtual environment
  2. Upgrade pip to the latest version 24.2 and install the wheel package
  3. Create a setup.py file that reflects the installed_required dependencies (looking at the requirements.txt file)
  4. Run the following script with all the commands:

#!/bin/bash
echo 'Configuring jf pip'
jf pip-config --repo-resolve=carlosmm-pypi-virtual &&
echo 'Installing'
jf pip install -r requirements.txt --build-name=jenkins-exporter --build-number=$1 --no-cache-dir --force-reinstall --trusted-host main.jfrog.local &&
echo 'Building'
python setup.py sdist bdist_wheel
echo 'Uploading'
jf rt u dist/ carlosmm-pypi-virtual/ --build-name=jenkins-exporter --build-number=$1 &&
echo 'Environment info'
jf rt bce jenkins-exporter $1 &&
echo 'Git info'
jf rt bag jenkins-exporter $1 &&
echo 'Publishing build info'
jf rt bp jenkins-exporter $1

Expected behavior

The transitive dependency certifi-2024.8.20 should be listed in the build-info JSON object and the requests-2.21.0 direct dependency should appear just once.

JFrog CLI version

2.67.0

Operating system type and version

Apple M1 Max - Sonoma 14.6.1

JFrog Artifactory version

7.84.12

JFrog Xray version

3.98.5

@cmoyamoradas cmoyamoradas added the bug Something isn't working label Sep 13, 2024
@cmoyamoradas cmoyamoradas changed the title A transitive dependency is not being identify when publishing the build info for a Python project A transitive dependency is not being identified when publishing the build info for a Python project Sep 13, 2024
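
A check for the two symptoms reported above (a duplicated entry and a resolved package absent from the build-info), added here as an example; it is not code from the issue or from JFrog CLI. The helpers `parse_artifact` and `audit_module` and the `EXPECTED` set are assumptions made for illustration, with the expected packages taken from the report's description and the checksums omitted from the sample module.

```python
import json
import re
from collections import Counter

# Module from the issue's build-info, reduced to artifact ids (checksums omitted).
MODULE = json.loads("""
{"type": "python", "id": "jenkins-exporter:1.0", "dependencies": [
  {"id": "prometheus_client-0.6.0.tar.gz"},
  {"id": "requests-2.21.0-py2.py3-none-any.whl"},
  {"id": "requests-2.21.0-py2.py3-none-any.whl"},
  {"id": "chardet-3.0.4-py2.py3-none-any.whl"},
  {"id": "idna-2.8-py2.py3-none-any.whl"},
  {"id": "urllib3-1.24.3-py2.py3-none-any.whl"}
]}
""")

# Constructed expectation: the six packages the report says were resolved.
# In a live virtual environment this set could instead be built from
# importlib.metadata.distributions().
EXPECTED = {
    ("prometheus-client", "0.6.0"), ("requests", "2.21.0"),
    ("chardet", "3.0.4"), ("idna", "2.8"),
    ("urllib3", "1.24.3"), ("certifi", "2024.8.30"),
}


def parse_artifact(artifact_id):
    """Return (normalized name, version) for a wheel or sdist filename."""
    if artifact_id.endswith(".whl"):
        # Wheel: name-version-pytag-abitag-platform.whl, name has no hyphens.
        name, version = artifact_id[:-4].split("-")[:2]
    else:
        # Sdist: name-version.<ext>; the name itself may contain hyphens.
        stem = re.sub(r"\.(tar\.gz|tar\.bz2|zip)$", "", artifact_id)
        name, version = stem.rsplit("-", 1)
    # PEP 503 normalization so prometheus_client == prometheus-client.
    return re.sub(r"[-_.]+", "-", name).lower(), version


def audit_module(module, expected):
    """Compare a build-info module's dependencies with the expected set."""
    ids = [dep["id"] for dep in module["dependencies"]]
    recorded = {parse_artifact(i) for i in ids}
    return {
        "duplicates": sorted(i for i, n in Counter(ids).items() if n > 1),
        "missing": sorted(expected - recorded),
        "unexpected": sorted(recorded - expected),
    }


if __name__ == "__main__":
    print(json.dumps(audit_module(MODULE, EXPECTED), indent=2))
```

A non-empty `missing` list means a package that was installed into the build is not recorded in the build-info, so any scan or policy that works from the build-info would not cover it.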