
Syft: The dependency graph does not include all Requires-Dist relationships defined in the package’s METADATA file #4401

@Mohannadcse

Description

What happened:
When generating a CycloneDX SBOM for Python packages using Syft (1.38.0), the dependency graph does not include all Requires-Dist relationships from the package’s METADATA file.
Example: For Flask 1.1.2, Syft only reports two dependencies (click, itsdangerous) but omits others (Jinja2, Werkzeug), even though all four are declared in the METADATA and installed in the environment.
Snippet from the SBOM:

"dependencies": [
  {
    "ref": "pkg:pypi/[email protected]?package-id=7c9599e2d82779f5",
    "dependsOn": [
      "pkg:pypi/[email protected]?package-id=f5afd6ba55e9b798",
      "pkg:pypi/[email protected]?package-id=1b2e20a8cd0be3ca"
    ]
  },
  {
    "ref": "pkg:pypi/[email protected]?package-id=587e5d030197d8be"
  }
]

Only 2 dependencies are listed for Flask instead of 4.

What you expected to happen:
Syft should include all dependencies declared in the METADATA file for Flask:

Requires-Dist: Werkzeug (>=0.15)
Requires-Dist: Jinja2 (>=2.10.1)
Requires-Dist: itsdangerous (>=0.24)
Requires-Dist: click (>=5.1)

Steps to reproduce the issue:

# Start a Python 3.11 container
docker run -it --name py-env python:3.11 bash

# Install Syft
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin

# Create an app directory and requirements file
mkdir app && cd app
echo -e "Flask==1.1.2\nJinja2==2.11.3" > requirements.txt

# Create virtual environment and install dependencies
python3.11 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt

# Generate SBOM
syft dir:.venv -o cyclonedx-json > sbom.json

Anything else we need to know?:
Motivation: Missing dependencies lead to false negatives in vulnerability detection.
Example: Grype reports three vulnerabilities for Jinja2, including:
GHSA-h75v-3vvj-5mfj (HTML attribute injection)
CVE-2024-34064 (XSS risk)

If Syft omits Jinja2 from Flask’s dependency graph, these vulnerabilities will not be associated with Flask in SBOM-based scans.

Impact: SBOM consumers relying on Syft for Python dependency graphs may miss critical transitive dependencies, affecting vulnerability scanning and compliance checks.
Although this version is old, it is necessary to capture this relation; this will help researchers and tools that aim to reproduce CVEs and vulnerabilities.

Even open-source dependency projects such as deps.dev can capture this dependency (though the version is wrong).


sbom_venv_new_syft.json
vulns.json
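The check below is an added example, not Syft code and not posted by the issue author. It reads the Requires-Dist headers from each installed package's METADATA, normalizes names per PEP 503, and reports every declared requirement that is present as a component in the CycloneDX SBOM but missing from that package's dependsOn list. The METADATA text and the SBOM document are constructed inline (the four Requires-Dist lines quoted above plus an extras-only line; versionless purls for the packages whose versions the issue does not state) so it runs offline; the function names and the command-line interface are this example's own. It goes slightly beyond the issue by skipping requirements that only apply to an extra, since a plain pip install does not bring those in.

```python
"""Cross-check a CycloneDX SBOM's Python dependency graph against the
Requires-Dist headers of each installed package's METADATA file.

Added example: not Syft code and not from the issue author. The METADATA text
and the SBOM below are constructed so the script runs offline; pass a
site-packages directory and an sbom.json to check a real environment.
"""
from __future__ import annotations

import json
import re
import sys
from email.parser import HeaderParser
from pathlib import Path
from urllib.parse import unquote


def normalize(name: str) -> str:
    """PEP 503 name normalization: 'Jinja2', 'jinja2' and 'JINJA_2' all match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def declared_requirements(metadata_text: str, include_extras: bool = False) -> set[str]:
    """Normalized names from every Requires-Dist header of a METADATA file.

    Values look like 'Werkzeug (>=0.15)' or "pytest ; extra == 'dev'". Extras-only
    requirements are skipped by default: a plain 'pip install' does not install
    them, so they are not expected in the environment's graph.
    """
    headers = HeaderParser().parsestr(metadata_text)  # METADATA is RFC 822 style
    names: set[str] = set()
    for value in headers.get_all("Requires-Dist", []):
        req, _, marker = value.partition(";")
        if not include_extras and re.search(r"\bextra\s*==", marker):
            continue
        match = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", req)  # name precedes spec
        if match:
            names.add(normalize(match.group(1)))
    return names


def purl_name(purl: str) -> str | None:
    """Normalized package name from a pkg:pypi purl; qualifiers such as the
    '?package-id=' that Syft appends are ignored. Non-PyPI purls yield None."""
    match = re.match(r"pkg:pypi/([^@?#]+)", purl)
    return normalize(unquote(match.group(1))) if match else None


def missing_edges(sbom: dict, metadata_by_name: dict[str, str]) -> dict[str, set[str]]:
    """For each component with known METADATA: declared requirements that exist
    as SBOM components but are absent from the component's dependsOn list."""
    ref_to_name: dict[str, str] = {}
    for comp in sbom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("purl")
        name = purl_name(comp.get("purl", ""))
        if ref and name:
            ref_to_name[ref] = name
    present = set(ref_to_name.values())
    edges = {
        dep["ref"]: {ref_to_name.get(r) for r in dep.get("dependsOn", [])}
        for dep in sbom.get("dependencies", [])
    }
    gaps: dict[str, set[str]] = {}
    for ref, name in ref_to_name.items():
        if name in metadata_by_name:
            declared = declared_requirements(metadata_by_name[name]) & present
            gap = declared - edges.get(ref, set())
            if gap:
                gaps[name] = gap
    return gaps


def collect_metadata(site_packages: Path) -> dict[str, str]:
    """Map normalized name -> METADATA text for every *.dist-info in site-packages."""
    found: dict[str, str] = {}
    for meta in site_packages.glob("*.dist-info/METADATA"):
        text = meta.read_text(encoding="utf-8", errors="replace")
        name = HeaderParser().parsestr(text).get("Name")
        if name:
            found[normalize(name)] = text
    return found


# Constructed sample: the four Requires-Dist lines quoted in the issue plus one
# extras-only line of the kind a 'dev' extra adds (not copied from a real file).
FLASK_METADATA = """\
Metadata-Version: 2.1
Name: Flask
Version: 1.1.2
Requires-Dist: Werkzeug (>=0.15)
Requires-Dist: Jinja2 (>=2.10.1)
Requires-Dist: itsdangerous (>=0.24)
Requires-Dist: click (>=5.1)
Requires-Dist: pytest ; extra == 'dev'

A simple framework for building complex web applications.
"""

# Constructed SBOM shaped like the issue's snippet: Flask depends only on click
# and itsdangerous although all four requirements are present as components.
SAMPLE_SBOM = {
    "components": [
        {"bom-ref": "pkg:pypi/flask@1.1.2", "purl": "pkg:pypi/flask@1.1.2"},
        {"bom-ref": "pkg:pypi/click", "purl": "pkg:pypi/click"},
        {"bom-ref": "pkg:pypi/itsdangerous", "purl": "pkg:pypi/itsdangerous"},
        {"bom-ref": "pkg:pypi/jinja2@2.11.3", "purl": "pkg:pypi/jinja2@2.11.3"},
        {"bom-ref": "pkg:pypi/werkzeug", "purl": "pkg:pypi/werkzeug"},
    ],
    "dependencies": [
        {"ref": "pkg:pypi/flask@1.1.2",
         "dependsOn": ["pkg:pypi/click", "pkg:pypi/itsdangerous"]},
    ],
}

if __name__ == "__main__":
    if len(sys.argv) == 3:  # e.g. .venv/lib/python3.11/site-packages sbom.json
        metadata = collect_metadata(Path(sys.argv[1]))
        sbom = json.loads(Path(sys.argv[2]).read_text(encoding="utf-8"))
    else:
        metadata, sbom = {"flask": FLASK_METADATA}, SAMPLE_SBOM
    for pkg, gap in sorted(missing_edges(sbom, metadata).items()):
        print(f"{pkg}: declared and installed but missing from dependsOn: {sorted(gap)}")
```

Run against the reproduction environment with `python check_edges.py .venv/lib/python3.11/site-packages sbom.json`; on the constructed sample it reports flask missing jinja2 and werkzeug. The intersection with `present` is deliberate: a requirement that pip never installed (an unsatisfied marker, say) is not an edge Syft could have recorded, so only declared-and-installed names count as gaps.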

Labels: bug (Something isn't working)
Status: Done
Milestone: none