Fixes duplicate & incorrect version in requirements.txt & empty Upgrade To Version Suggestion #401

Sahilb315 · 2025-03-18T16:00:46Z

Fixes #343 #344

github-actions · 2025-03-18T16:01:11Z

vet Summary Report

This report is generated by vet

Policy Checks

✅ Vulnerability
✅ Malware
✅ License
✅ Popularity
✅ Maintenance
✅ Security Posture
✅ Threats

Malicious Package Analysis

Malicious package analysis is performed using SafeDep Cloud API.

Malicious Package Analysis Report

Ecosystem	Package	Version	Status	Report

ℹ️ 0 packages have been actively analyzed for malicious behaviour.
✅ No malicious packages found.

abhisek · 2025-03-18T16:29:00Z

pkg/readers/lockfile_reader.go

@@ -47,6 +48,16 @@ func (p *lockfileReader) EnumManifests(handler func(*models.PackageManifest,
 		if err != nil {
 			return err
 		}
+		var updatedPkgs []*models.Package
+		for _, pkg := range manifest.Packages {
+			if pkg.PackageDetails.Version != "0.0.0" && pkg.PackageDetails.Version != "" {


This seems like a hack. Whats the rationale behind this check? It seems to me we are working around a problem with a different root cause, probably related to parser. I think it makes sense to do some analysis and identify the root cause on why version will be empty or 0.0.0

I checked the parser & the issue exists in the osv-scanner lib we are using for parsing the file
https://github.com/google/osv-scanner/blob/v1/pkg/lockfile/parse-requirements-txt.go#L182

It parses the pkg with default version as 0.0.0 whenever there is no version given for a pkg

abhisek · 2025-03-18T16:29:46Z

pkg/reporter/markdown_summary.go

@@ -474,8 +474,10 @@ func (r *markdownSummaryReporter) getCheckIconForThreats(internalModel *vetResul
 func (r *markdownSummaryReporter) getAdviceSummary(adv *jsonreportspec.RemediationAdvice) (string, error) {
 	switch adv.Type {
 	case jsonreportspec.RemediationAdviceType_UpgradePackage:
-		return fmt.Sprintf("Upgrade to %s@%s", adv.GetTargetPackageName(),
-			adv.GetTargetPackageVersion()), nil
+		if adv.GetTargetPackageVersion() != "" {


I think we should do some analysis on why GetTargetPackageVersion() return empty version. May be we will discover a much more fundamental problem.

Its probably a issue in the backend right?

Sahilb315 added 2 commits March 18, 2025 10:21

fixes #344

740718d

fixed duplicate & incorrect version for requirements.txt

332320b

fix return err if lfParser.Parse fails

79e4b02

Sahilb315 requested a review from abhisek March 18, 2025 16:17

abhisek reviewed Mar 18, 2025

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fixes duplicate & incorrect version in requirements.txt & empty Upgrade To Version Suggestion #401

Fixes duplicate & incorrect version in requirements.txt & empty Upgrade To Version Suggestion #401

Sahilb315 commented Mar 18, 2025

github-actions bot commented Mar 18, 2025

abhisek Mar 18, 2025

Sahilb315 Mar 18, 2025

Sahilb315 Mar 18, 2025

abhisek Mar 18, 2025

Sahilb315 Mar 18, 2025

Fixes duplicate & incorrect version in requirements.txt & empty Upgrade To Version Suggestion #401

Are you sure you want to change the base?

Fixes duplicate & incorrect version in requirements.txt & empty Upgrade To Version Suggestion #401

Conversation

Sahilb315 commented Mar 18, 2025

github-actions bot commented Mar 18, 2025

vet Summary Report

Policy Checks

Malicious Package Analysis

abhisek Mar 18, 2025

Choose a reason for hiding this comment

Sahilb315 Mar 18, 2025

Choose a reason for hiding this comment

Sahilb315 Mar 18, 2025

Choose a reason for hiding this comment

abhisek Mar 18, 2025

Choose a reason for hiding this comment

Sahilb315 Mar 18, 2025

Choose a reason for hiding this comment