[BUG] Error while reading version specifier in poetry.lock #702
Comments
tried to reproduce:
$ cd /tmp/.....
$ poetry init
$ # same version as in the issue description
$ poetry add ray==2.10.0
Package operations: 19 installs, 0 updates, 0 removals
- Installing attrs (23.2.0)
- Installing rpds-py (0.18.0)
- Installing referencing (0.34.0)
- Installing certifi (2024.2.2)
- Installing charset-normalizer (3.3.2)
- Installing frozenlist (1.4.1)
- Installing idna (3.6)
- Installing jsonschema-specifications (2023.12.1)
- Installing urllib3 (2.2.1)
- Installing aiosignal (1.3.1)
- Installing click (8.1.7)
- Installing filelock (3.13.3)
- Installing jsonschema (4.21.1)
- Installing msgpack (1.0.8)
- Installing packaging (24.0)
- Installing protobuf (5.26.1)
- Installing pyyaml (6.0.1)
- Installing requests (2.31.0)
- Installing ray (2.10.0)
Writing lock file
$ # same version as in the issue description
$ poetry add --dev cyclonedx-bom==4.1.3
$ # same command as in the issue description but with debug output
$ poetry run cyclonedx-py poetry --no-dev --validate --output-format XML --outfile sbom.xml -vvv
DEBUG | CDX > args: {'command': 'poetry', 'groups_without': [], 'groups_with': [], 'groups_only': [], 'no_dev': True, 'extras': [], 'all_extras': False, 'mc_type': <ComponentType.APPLICATION: 'application'>, 'project_directory': '.', 'short_purls': False, 'outfile': <_io.TextIOWrapper name='sbom.xml' mode='wt' encoding='utf8'>, 'schema_version': <SchemaVersion.V1_5: (1, 5)>, 'output_format': <OutputFormat.XML: 2>, 'output_reproducible': False, 'should_validate': True, '_bbc': <class 'cyclonedx_py._internal.poetry.PoetryBB'>}
INFO | CDX > Generating SBOM ...
DEBUG | CDX.PoetryBB > use_groups: frozenset({'main'})
DEBUG | CDX.PoetryBB > use_extras: frozenset()
DEBUG | CDX.PoetryBB > root-component: <Component bom-ref=<BomRef 'testing-issue702' id=140308289511120>, group=None, name=testing-issue702, version=0.1.0, type=ComponentType.APPLICATION>
DEBUG | CDX.PoetryBB > lock_version: (2, 0)
DEBUG | CDX.PoetryBB > root-component depends on python
DEBUG | CDX.PoetryBB > root-component depends on ray
INFO | CDX.PoetryBB > add component for package 'ray'
DEBUG | CDX.PoetryBB > add component: <Component bom-ref=<BomRef 'ray@2.10.0' id=140308284713040>, group=None, name=ray, version=2.10.0, type=ComponentType.LIBRARY>
INFO | CDX.PoetryBB > add component for package 'aiosignal'
DEBUG | CDX.PoetryBB > add component: <Component bom-ref=<BomRef 'aiosignal@1.3.1' id=140308289517520>, group=None, name=aiosignal, version=1.3.1, type=ComponentType.LIBRARY>
INFO | CDX.PoetryBB > add component for package 'frozenlist'
DEBUG | CDX.PoetryBB > add component: <Component bom-ref=<BomRef 'frozenlist@1.4.1' id=140308286104400>, group=None, name=frozenlist, version=1.4.1, type=ComponentType.LIBRARY>
INFO | CDX.PoetryBB > add component for package 'click'
DEBUG | CDX.PoetryBB > add component: <Component bom-ref=<BomRef 'click@8.1.7' id=140308286056528>, group=None, name=click, version=8.1.7, type=ComponentType.LIBRARY>
INFO | CDX.PoetryBB > add component for package 'colorama'
DEBUG | CDX.PoetryBB > add component: <Component bom-ref=<BomRef 'colorama@0.4.6' id=140308286063440>, group=None, name=colorama, version=0.4.6, type=ComponentType.LIBRARY>
INFO | CDX.PoetryBB > add component for package 'filelock'
DEBUG | CDX.PoetryBB > add component: <Component bom-ref=<BomRef 'filelock@3.13.3' id=140308286090704>, group=None, name=filelock, version=3.13.3, type=ComponentType.LIBRARY>
DEBUG | CDX.PoetryBB > existing component: <Component bom-ref=<BomRef 'frozenlist@1.4.1' id=140308286104400>, group=None, name=frozenlist, version=1.4.1, type=ComponentType.LIBRARY>
INFO | CDX.PoetryBB > add component for package 'jsonschema'
DEBUG | CDX.PoetryBB > add component: <Component bom-ref=<BomRef 'jsonschema@4.21.1' id=140308286326480>, group=None, name=jsonschema, version=4.21.1, type=ComponentType.LIBRARY>
INFO | CDX.PoetryBB > add component for package 'attrs'
DEBUG | CDX.PoetryBB > add component: <Component bom-ref=<BomRef 'attrs@23.2.0' id=140308285812048>, group=None, name=attrs, version=23.2.0, type=ComponentType.LIBRARY>
INFO | CDX.PoetryBB > add component for package 'jsonschema-specifications'
DEBUG | CDX.PoetryBB > add component: <Component bom-ref=<BomRef 'jsonschema-specifications@2023.12.1' id=140308286333968>, group=None, name=jsonschema-specifications, version=2023.12.1, type=ComponentType.LIBRARY>
INFO | CDX.PoetryBB > add component for package 'referencing'
DEBUG | CDX.PoetryBB > add component: <Component bom-ref=<BomRef 'referencing@0.34.0' id=140308284756944>, group=None, name=referencing, version=0.34.0, type=ComponentType.LIBRARY>
DEBUG | CDX.PoetryBB > existing component: <Component bom-ref=<BomRef 'attrs@23.2.0' id=140308285812048>, group=None, name=attrs, version=23.2.0, type=ComponentType.LIBRARY>
INFO | CDX.PoetryBB > add component for package 'rpds-py'
DEBUG | CDX.PoetryBB > add component: <Component bom-ref=<BomRef 'rpds-py@0.18.0' id=140308284800976>, group=None, name=rpds-py, version=0.18.0, type=ComponentType.LIBRARY>
DEBUG | CDX.PoetryBB > existing component: <Component bom-ref=<BomRef 'referencing@0.34.0' id=140308284756944>, group=None, name=referencing, version=0.34.0, type=ComponentType.LIBRARY>
DEBUG | CDX.PoetryBB > existing component: <Component bom-ref=<BomRef 'rpds-py@0.18.0' id=140308284800976>, group=None, name=rpds-py, version=0.18.0, type=ComponentType.LIBRARY>
INFO | CDX.PoetryBB > add component for package 'msgpack'
DEBUG | CDX.PoetryBB > add component: <Component bom-ref=<BomRef 'msgpack@1.0.8' id=140308286500304>, group=None, name=msgpack, version=1.0.8, type=ComponentType.LIBRARY>
INFO | CDX.PoetryBB > add component for package 'packaging'
DEBUG | CDX.PoetryBB > add component: <Component bom-ref=<BomRef 'packaging@23.2' id=140308286603536>, group=None, name=packaging, version=23.2, type=ComponentType.LIBRARY>
INFO | CDX.PoetryBB > add component for package 'protobuf'
DEBUG | CDX.PoetryBB > add component: <Component bom-ref=<BomRef 'protobuf@5.26.1' id=140308286617232>, group=None, name=protobuf, version=5.26.1, type=ComponentType.LIBRARY>
INFO | CDX.PoetryBB > add component for package 'pyyaml'
DEBUG | CDX.PoetryBB > add component: <Component bom-ref=<BomRef 'pyyaml@6.0.1' id=140308284589456>, group=None, name=pyyaml, version=6.0.1, type=ComponentType.LIBRARY>
INFO | CDX.PoetryBB > add component for package 'requests'
DEBUG | CDX.PoetryBB > add component: <Component bom-ref=<BomRef 'requests@2.31.0' id=140308284763920>, group=None, name=requests, version=2.31.0, type=ComponentType.LIBRARY>
INFO | CDX.PoetryBB > add component for package 'certifi'
DEBUG | CDX.PoetryBB > add component: <Component bom-ref=<BomRef 'certifi@2024.2.2' id=140308285858896>, group=None, name=certifi, version=2024.2.2, type=ComponentType.LIBRARY>
INFO | CDX.PoetryBB > add component for package 'charset-normalizer'
DEBUG | CDX.PoetryBB > add component: <Component bom-ref=<BomRef 'charset-normalizer@3.3.2' id=140308285872336>, group=None, name=charset-normalizer, version=3.3.2, type=ComponentType.LIBRARY>
INFO | CDX.PoetryBB > add component for package 'idna'
DEBUG | CDX.PoetryBB > add component: <Component bom-ref=<BomRef 'idna@3.6' id=140308286273296>, group=None, name=idna, version=3.6, type=ComponentType.LIBRARY>
INFO | CDX.PoetryBB > add component for package 'urllib3'
DEBUG | CDX.PoetryBB > add component: <Component bom-ref=<BomRef 'urllib3@2.2.1' id=140308285039696>, group=None, name=urllib3, version=2.2.1, type=ComponentType.LIBRARY>
INFO | CDX > Serializing SBOM: 1.5/XML
INFO | CDX > Validating result to schema: 1.5/XML
DEBUG | CDX > result is schema-valid
INFO | CDX > Writing to: sbom.xml
DEBUG | CDX > Wrote 167979 bytes to sbom.xml
work data and the resulting SBOM xml file: issues702.zip
conclusion: could not reproduce.
@Neplex I was unable to reproduce the event.
Hi @jkowalleck, thanks for your quick reply. I forgot an extra in my description. Could you try again with ray[serve]@2.10.0? Here is the complete debug log
re: #702 (comment)
issue seems to be caused when running cyclonedx-python/cyclonedx_py/_internal/poetry.py Lines 326 to 328 in 7ae2145
which is a map calling the constructor of
research showed that the version constraint poetry does at this point is no longer the original one (other examples for version rework are:
anyway, the poetry versions are not working as expected. possible solution: remove
@Neplex, thank you for the report. I was able to reproduce and isolate the issue.
@jkowalleck Happy to help, and thanks for your time. Hope to see the fix soon
Possible solution: |
Is it necessary to parse these fields? Given the built BOM, only the version and the package name seem required. And for the dependency graph the same thing applies, we just need to know that
this issue occurred when parsing the extras of a given package, to sort out which optional dependencies were actually used. At this very point of determination, the version of a package does not matter (since it is stated in a whole other area), but we care for the name of the optional dependency, and a possible extra of that optional dependency. PS: no worries. Thanks to your help, I will be able to craft a test bed for proper (regression/unit/integration) testing of the needed fix.
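An added example, not code from cyclonedx-python or from anyone in this thread, illustrating the approach the two comments above converge on: when walking a package's `[package.extras]` entries in poetry.lock, read only the dependency name and its own `[extras]` list and leave the version-constraint tail alone, because Poetry rewrites constraints in its own syntax (the `||` "or" operator, for instance) that a strict PEP 440/508 parser rejects. The function names, the sample extras table and its constraints are all constructed for this illustration, not taken from the real ray lock entry or from the fix that shipped.

```python
import re
from typing import Dict, FrozenSet, Iterable, Mapping, NamedTuple, Sequence, Set

# Head of a requirement string as Poetry writes it in a lock file's
# `[package.extras]` table: a distribution name, an optional "[extra,...]"
# list, then a tail (version constraint in parentheses and/or an environment
# marker after ";"). The tail is captured but never interpreted: Poetry's
# rewritten constraints (e.g. "||") are not valid PEP 440 specifiers.
_REQ_HEAD = re.compile(
    r"""^\s*
        (?P<name>[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)
        \s*
        (?:\[(?P<extras>[^\]]*)\])?
        (?P<rest>.*)$""",
    re.VERBOSE | re.DOTALL,
)


def normalize_name(name: str) -> str:
    """PEP 503 name normalisation: lower-case, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name.strip()).lower()


class OptionalDep(NamedTuple):
    name: str               # normalised distribution name
    extras: FrozenSet[str]  # normalised extras requested of that dependency


def parse_extra_requirement(req: str) -> OptionalDep:
    """Extract only (name, extras) from one `[package.extras]` entry.

    Everything after the name/extras head is ignored on purpose: here we only
    need to know *which* optional dependency is pulled in and with which of its
    extras; the resolved version lives in that dependency's own lock entry.
    """
    m = _REQ_HEAD.match(req)
    if m is None:
        raise ValueError(f"cannot read a dependency name from {req!r}")
    raw_extras = m.group("extras") or ""
    extras = frozenset(normalize_name(e) for e in raw_extras.split(",") if e.strip())
    return OptionalDep(normalize_name(m.group("name")), extras)


def used_optional_dependencies(
    package_extras: Mapping[str, Sequence[str]],
    requested_extras: Iterable[str],
) -> Dict[str, FrozenSet[str]]:
    """Resolve the extras requested of a package to the optional deps they use.

    Returns {dependency name: union of extras requested of that dependency}.
    An extra the package does not declare raises instead of being silently
    skipped, so a typo such as ray[sevre] cannot yield a quietly incomplete SBOM.
    """
    available = {normalize_name(k): v for k, v in package_extras.items()}
    used: Dict[str, Set[str]] = {}
    for extra in requested_extras:
        key = normalize_name(extra)
        if key not in available:
            raise ValueError(f"package declares no extra named {extra!r}")
        for req in available[key]:
            dep = parse_extra_requirement(req)
            used.setdefault(dep.name, set()).update(dep.extras)
    return {name: frozenset(ex) for name, ex in sorted(used.items())}


# Constructed sample in the shape of a `[package.extras]` table (lock-file
# format 2.0). Names and constraints are illustrative only.
SAMPLE_PACKAGE_EXTRAS: Dict[str, Sequence[str]] = {
    "serve": [
        "aiohttp (>=3.7)",
        "fastapi",
        "pydantic (<2.0.0 || >=2.5.0)",  # Poetry's "||" is not PEP 440 syntax
        "uvicorn[standard] (>=0.20)",     # dependency pulled in with its own extra
        "starlette",
    ],
    "data": [
        "pyarrow (>=6.0.1)",
        "numpy (>=1.20)",
    ],
    "default": [
        "aiohttp (>=3.7)",
        "Grpc_IO (!=1.56.0)",             # odd casing to exercise normalisation
        'colorama (>=0.4) ; platform_system == "Windows"',
    ],
}


if __name__ == "__main__":
    for dep_name, dep_extras in used_optional_dependencies(SAMPLE_PACKAGE_EXTRAS, ["serve"]).items():
        print(dep_name, sorted(dep_extras))
```

The regex deliberately validates nothing past the name and the bracketed extras; if a later stage does need the constraint, parse that tail separately and expect Poetry-specific operators in it rather than feeding the raw string to a PEP 508 parser.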
fix was released via https://github.com/CycloneDX/cyclonedx-python/releases/tag/v4.1.4 |
Describe the bug
Hi, I use cyclonedx to generate a BOM from my Poetry dependencies. I recently upgraded a Python dependency and regenerated my poetry.lock file.
While generating the BOM I now have the following error:
To Reproduce
You can generate the Poetry lockfile with ray[serve]@2.10.0 as dependency
Expected behavior
It should not have an issue with the given syntax, as Poetry has no issue with it
Screenshots or output-paste
Environment
Additional context