[ANE-1400] Fix pipenv transitive dependencies being reported as direct #1502
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Removed unused isTransitive parameter from mkEdgesRec function while maintaining the correct behavior of marking only top-level dependencies as direct.
Applied fourmolu formatting suggestions: - Adjusted indentation for PipfileLock record - Fixed alignment of record fields and list items - Removed trailing whitespace - Added proper line spacing
Added three helper functions to PipenvSpec: - mkPkg: Creates PipPkg from name and version - graphContains: Checks if package exists in graph - graphContainsDirect: Checks if package exists as direct dependency
- Added missing imports for Text, Graphing, and other required modules - Fixed record formatting according to fourmolu style - Properly indented record fields and expressions
- Fixed import ordering according to fourmolu style - Added explicit imports for PipPkg and other types from Pipenv module - Fixed graphContainsDirect to use correct Graphing functions - Properly formatted imports
Added PipPkg (..) to module exports to make it accessible in test files
Updated import formatting for Strategy.Python.Pipenv according to fourmolu style
Restored correct module header in Pipenv.hs after accidental commit message insertion
- Added missing imports for PipfileSource and related functions - Fixed graphContainsDirect to use correct Graphing.direct function - Simplified implementation by reusing toDependency function
Remove additional unit tests from PipenvSpec.hs as the core bug fix is sufficient
- Remove direct marking from buildNodes to avoid marking all deps as direct - Modify buildGraph to only mark top-level dependencies from Pipfile as direct - Add recursive edge building to properly represent dependency tree
- Replace vertex with addNode from Effect.Grapher - Fix fourmolu formatting in buildNodes function
- Remove non-existent addNode import - Use edge pkg pkg to add nodes to graph without marking as direct
- Remove self-edges and isDirect parameter - Mark all dependencies from Pipfile.lock as direct to match expected test behavior - Clean up code and improve comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overview
The
pipenvstrategy in fossa-cli is currently reporting all dependencies frompipenv graphas direct dependencies, even when they are actually transitive dependencies. This causes incorrect dependency trees in FOSSA, where transitive dependencies appear at the top level.For example, if a project has:
requestsurllib3(required byrequests)The current implementation shows both
requestsandurllib3as direct dependencies, which is incorrect.Changes
buildEdgesinPipenv.hsto only mark top-level dependencies frompipenv graphas direct dependenciesmkEdgesRecthat properly handles the dependency tree structurePipenvSpec.hsto verify correct handling of transitive dependenciesTesting
Acceptance criteria
pipenvtransitive dependencies should no longer be reported as direct dependencies.Testing plan
git clone https://github.com/gooddata/gooddata-python-sdk.git cd gooddata-python-sdk/gooddata-pandas pipenv install -r requirements.txt fossa analyzeRisks
Highlight any areas that you're unsure of, want feedback on, or want reviewers to pay particular attention to.
Example: I'm not sure I did X correctly, can reviewers please double-check that for me?
Metrics
Is this change something that can or should be tracked? If so, can we do it today? And how? If its easy, do it
References
ANE-1400
Support tickets:
TKT-9347
TKT-9567
TKT-10407
Checklist
docs/.docs/README.msand gave consideration to how discoverable or not my documentation is.Changelog.md. If this PR did not mark a release, I added my changes into an## Unreleasedsection at the top..fossa.ymlorfossa-deps.{json.yml}, I updateddocs/references/files/*.schema.jsonAND I have updated example files used byfossa initcommand. You may also need to update these if you have added/removed new dependency type (e.g.pip) or analysis target type (e.g.poetry).docs/references/subcommands/<subcommand>.md.