docs: generate requirement text for ketryx #349
Base branch: main
Conversation
Codecov Report: ✅ All modified and coverable lines are covered by tests.
Force-pushed: 7ca1dee to 80ee800 (Compare)
    # via jsonschema
websockets==15.0.1
    # via uvicorn
wrapt==2.0.1
    # via smart-open
wsidicom==0.29.0
    # via aignostics (pyproject.toml)
wsproto==1.3.2
    # via simple-websocket
yarl==1.22.0
    # via aiohttp
Bug: The requirements.txt is generated without the --universal flag, omitting Windows-specific dependencies like pywin32 from the SBOM for this multi-platform project.
Severity: MEDIUM | Confidence: High
🔍 Detailed Analysis
The requirements.txt file, intended for a Software Bill of Materials (SBOM) scan, is generated on a Linux environment without the --universal flag. According to uv documentation, this results in a platform-specific file that omits dependencies for other supported operating systems. Specifically, the pywin32 dependency, required for Windows as defined in pyproject.toml, is absent from the generated file. This creates an incomplete and misleading SBOM for a project that explicitly supports multiple platforms (Linux, macOS, and Windows), as it fails to account for the full dependency set required for a Windows environment.
💡 Suggested Fix
Regenerate the requirements file using the command uv pip compile --universal pyproject.toml -o requirements.txt. The --universal flag ensures that dependencies for all supported platforms, as defined by environment markers in pyproject.toml, are included in the output file.
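An added check, not part of this PR or the project's own code, that catches the failure mode the review comment describes: it parses a compiled requirements.txt and reports every declared dependency the file omits, including marker-guarded ones such as pywin32, which is exactly what a compile without --universal drops. The declared list, package versions and file contents below are constructed samples; in practice the declared list is read from [project].dependencies in pyproject.toml.

```python
import re

# Regex for one PEP 508 requirement line: name, optional extras, version spec,
# optional ';' environment marker, optional trailing comment.
_REQ = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*([^;#]*?)\s*(?:;\s*([^#]*?))?\s*(?:#.*)?$"
)

def normalize(name):
    """PEP 503 normalisation so 'PyWin32' and 'pywin32' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirement(line):
    """Return (normalized name, marker) or None for blank, comment and option lines."""
    line = line.strip()
    if not line or line[0] in "#-":
        return None
    m = _REQ.match(line)
    return (normalize(m.group(1)), (m.group(4) or "").strip()) if m else None

def compiled_names(requirements_text):
    """Package names listed in a compiled requirements.txt (uv / pip-compile output)."""
    return {p[0] for p in map(parse_requirement, requirements_text.splitlines()) if p}

def missing_declared_deps(declared, requirements_text):
    """Declared deps (PEP 508 strings, as in [project].dependencies of pyproject.toml)
    that the compiled file omits, with their markers. A marker-guarded entry showing
    up here is the signature of a compile run without --universal."""
    present = compiled_names(requirements_text)
    parsed = (parse_requirement(d) for d in declared)
    return [p for p in parsed if p and p[0] not in present]

# Constructed sample modelled on the page: pywin32 is declared for Windows only.
DECLARED = ["aiohttp>=3.12", "websockets>=15", "pywin32>=306; sys_platform == 'win32'"]

# Constructed sample: tail of a Linux-only compile in uv's output shape, no pywin32.
LINUX_ONLY = """# This file was autogenerated by uv (constructed sample)
aiohttp==3.13.0
websockets==15.0.1
    # via uvicorn
yarl==1.22.0
    # via aiohttp
"""
# With --universal the marker-guarded package survives, carrying its marker.
UNIVERSAL = LINUX_ONLY + "pywin32==311 ; sys_platform == 'win32'\n"

if __name__ == "__main__":
    for label, text in (("linux-only", LINUX_ONLY), ("universal", UNIVERSAL)):
        print(label, "missing:", missing_declared_deps(DECLARED, text))
```

Running the check in CI against the committed requirements.txt and pyproject.toml turns a silently incomplete SBOM input into a failing build.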



Add requirements.txt for Ketryx dependencies scan; it seems like Ketryx does not support the uv.lock file and therefore we need to manually generate the requirements.txt, which can be scanned by Ketryx SBOM.