Python support relies on the presence of one of the following:

- A `requirements.txt` file.
- `pip`, in order to retrieve a list of installed dependencies.
- Pipenv, used to manage a project's environment and dependencies.
Run `fossa init` to detect all Python directories that contain `requirements.txt` or `setup.py`.

Add a module with `type: pip`, and `target` and `dir` set to the root of the Python project.

See the options table below for an in-depth look at all of the available options for a Python module.
```yaml
analyze:
  modules:
    - name: github.com/fossas/fossa-cli/cmd/fossa
      type: pip
      target: python/project
      dir: python/project
      options:
        strategy: pipenv
```

| Option | Type | Name | Common Use Case |
|---|---|---|---|
| `strategy` | string | Strategy | Specify a Python analysis strategy. |
| `requirements` | string | Requirements Path | Specify a custom `requirements.txt` file. |
The `strategy` option manually specifies the Python analysis strategy to be used. Supported values:

- `requirements`: Parse `requirements.txt` to find all dependencies used.
- `pip`: Run `pip list --format=json` to find all dependencies in the current environment. `pip` will over-report dependencies if the environment is used to build multiple Python projects.
- `deptree`: Run a custom Python script to retrieve the dependency tree from pip. This provides similar information to `pip`, with enough resolution to build a dependency tree.
- `pipenv`: Run `pipenv graph --json-tree`, which returns the dependency graph of a project managed by Pipenv.

Default: `requirements`
The `requirements` option specifies the location of a `requirements.txt` file that sits outside the project's root directory, or one with a custom name.

Example:

```yaml
requirements: config/myrequirements.txt
```

The analysis strategy selected determines how the Python analyzer completes analysis. By default fossa-cli analyzes a `requirements.txt` file to determine dependencies. Benefits and limitations of each strategy are listed below.
- `requirements`: This strategy is the most basic but gives an accurate representation of every dependency listed in `requirements.txt`. Its limitation is that transitive dependencies are not picked up unless they are explicitly added to the file, so the report can under-count what is actually installed.
- `pip` & `deptree`: These strategies can accurately provide a dependency graph, but they analyze every package managed by pip in the environment, not just those belonging to the project. If your project is built in a CI environment where every pip-installed package is used by the build, these strategies are effective. On a local development machine, or in any environment shared between projects, they can over-report dependencies.
- `pipenv`: This is the most reliable analysis strategy but requires the project to use Pipenv as its environment and package manager.
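The following script is an added example, not fossa-cli's analyzer, that makes the three trade-offs above concrete on constructed input: it parses a `requirements.txt` the way the `requirements` strategy sees it (direct dependencies only), reads a `pip list --format=json` dump the way the `pip` strategy does (everything in the environment, project or not), and flattens a dependency tree in the pipdeptree-style JSON layout that `pipenv graph` emits. The `requirements.txt` text, the pip listing and the tree are all constructed here, and the field names in the tree (`key`, `package_name`, `installed_version`, `dependencies`) are an assumption about that layout to check against a real `pipenv graph --json-tree` run.

```python
"""Added example: what the requirements, pip and pipenv strategies each see."""
import json
import re

# Constructed requirements.txt (not from a real project): a pin, a range,
# an environment marker, a nested include and an index option.
REQUIREMENTS_TXT = """\
# web stack
requests==2.31.0
flask>=2.3,<3            # version range
pyyaml ; python_version >= "3.8"
-r dev-requirements.txt
--index-url https://pypi.example.invalid/simple
"""

# Constructed `pip list --format=json` output from a shared virtualenv.
PIP_LIST_JSON = """[
 {"name": "requests", "version": "2.31.0"},
 {"name": "urllib3", "version": "2.2.1"},
 {"name": "certifi", "version": "2024.2.2"},
 {"name": "Flask", "version": "2.3.3"},
 {"name": "Werkzeug", "version": "2.3.8"},
 {"name": "PyYAML", "version": "6.0.1"},
 {"name": "boto3", "version": "1.34.0"},
 {"name": "pip", "version": "24.0"}
]"""

# Constructed tree in the pipdeptree-style layout that `pipenv graph`
# emits (assumption: field names follow that layout).
PIPENV_GRAPH_JSON = """[
 {"package_name": "requests", "key": "requests", "installed_version": "2.31.0",
  "dependencies": [
   {"package_name": "urllib3", "key": "urllib3", "installed_version": "2.2.1",
    "required_version": ">=1.21.1,<3", "dependencies": []},
   {"package_name": "certifi", "key": "certifi", "installed_version": "2024.2.2",
    "required_version": ">=2017.4.17", "dependencies": []}]},
 {"package_name": "Flask", "key": "flask", "installed_version": "2.3.3",
  "dependencies": [
   {"package_name": "Werkzeug", "key": "werkzeug", "installed_version": "2.3.8",
    "required_version": ">=2.3.7", "dependencies": []}]}
]"""

# name, optional [extras], optional version specifier
_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*([<>=!~]=?[^\s]*)?")


def canonical(name):
    """PEP 503 name normalisation so 'PyYAML' and 'pyyaml' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """`requirements` strategy: {name: specifier or None} for direct deps only.
    Comments, blank lines, -r includes and --options are skipped; the
    environment marker after ';' is dropped. Transitive deps never appear."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = _REQ_RE.match(line)
        if m:
            deps[canonical(m.group(1))] = m.group(3) or None
    return deps


def parse_pip_list(text):
    """`pip` strategy: every package in the environment, project or not."""
    return {canonical(e["name"]): e["version"] for e in json.loads(text)}


def flatten_tree(text):
    """`pipenv` strategy: (set of top-level packages, sorted (parent, child) edges)."""
    edges = []

    def walk(node):
        for child in node.get("dependencies", []):
            edges.append((canonical(node["key"]), canonical(child["key"])))
            walk(child)

    roots = json.loads(text)
    for root in roots:
        walk(root)
    return {canonical(r["key"]) for r in roots}, sorted(edges)


def compare(declared, installed):
    """Packages pip sees that requirements.txt never names. Without a tree
    this mixes real transitive deps (urllib3, certifi, werkzeug) with
    unrelated packages from the shared environment (boto3, pip)."""
    return sorted(set(installed) - set(declared))


if __name__ == "__main__":
    declared = parse_requirements(REQUIREMENTS_TXT)
    direct, edges = flatten_tree(PIPENV_GRAPH_JSON)
    print("requirements strategy:", sorted(declared))
    print("pip strategy extras  :", compare(declared, parse_pip_list(PIP_LIST_JSON)))
    print("pipenv direct        :", sorted(direct))
    print("pipenv edges         :", edges)
```

Running it shows the gap each strategy leaves: `requirements` reports only `flask`, `pyyaml` and `requests`; the `pip` listing adds five packages it cannot tell apart (three transitive, two unrelated); only the tree separates direct packages from their edges, which is why `pipenv` is the strategy to prefer when the project can use it.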