bug(python): Trivy doesn't skip dev deps for some versions of poetry #8096

Closed
nikpivkin opened this issue Dec 13, 2024 · 0 comments · Fixed by #8106
Label: kind/bug

Comments

@nikpivkin (Contributor)

The documentation says that dev dependencies for poetry are excluded. I did some tests with poetry (1.8.5). I added a dev dependency with `poetry add pytest --dev`, which added it to the dev group:

```toml
[tool.poetry.group.dev.dependencies]
pytest = "^8.3.4"
```

But Trivy didn't skip it, because now the package in the lockfile doesn't contain the `category` field as before, which is what Trivy uses to determine the dev dependencies. This is unusual because the lock version remains unchanged and matches the one used in our tests: `lock-version = "2.0"`.

```console
❯ trivy fs . -f json --list-all-pkgs | grep pytest
2024-12-12T17:03:28+06:00 INFO [vuln] Vulnerability scanning is enabled
2024-12-12T17:03:28+06:00 INFO [secret] Secret scanning is enabled
2024-12-12T17:03:28+06:00 INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-12T17:03:28+06:00 INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.58/docs/scanner/secret#recommendation for faster secret detection
2024-12-12T17:03:28+06:00 INFO Number of language-specific files num=1
2024-12-12T17:03:28+06:00 INFO [poetry] Detecting vulnerabilities...
          "ID": "pytest@8.3.4",
          "Name": "pytest",
          "PURL": "pkg:pypi/pytest@8.3.4",
```
@nikpivkin nikpivkin added the kind/bug Categorizes issue or PR as related to a bug. label Dec 13, 2024
@knqyf263 knqyf263 added this to the v0.58.1 milestone Dec 15, 2024