Conversation

@willmurphyscode
Contributor

Because package names in METADATA files may have upper case like Werkzeug or Jinja2, but Syft artifacts have normalized names and are lower case, like werkzeug or jinja2, Syft would miss emitting dependency relationships. Therefore, normalize dependency names before comparing with existing artifacts.

Description

Syft's cataloging of venv/site-packages uses a dependency resolving post processor to compare the requires statements from the METADATA file to other python artifacts emitted and create relationships between them. However, the name comparison between the requires statements from the METADATA files was normalized via a different codepath than the artifact names, so there were missed relationships because, for example "Werkzeug" != "werkzeug".

Therefore, normalize the dependency names via the same normalization used for artifact names before building the relationships.

Fixes #4401

Type of change

  • Bug fix (non-breaking change which fixes an issue)

Checklist:

  • I have added unit tests that cover changed behavior
  • I have tested my code in common scenarios and confirmed there are no regressions
  • I have added comments to my code, particularly in hard-to-understand sections

Because package names in METADATA files may have upper case like
Werkzeug or Jinja2, but Syft artifacts have normalized names and are
lower case, like werkzeug or jinja2, Syft would miss emitting dependency
relationships. Therefore, normalize dependency names before comparing
with existing artifacts.

Signed-off-by: Will Murphy <[email protected]>
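The bug the description above reports is easy to reproduce outside Syft: the `Requires-Dist` side of the comparison carried the author's casing from METADATA, while the artifact side had already been normalized. The Go program below is an added example and is not Syft's code; it assumes PEP 503 project-name normalization (lower-case, runs of `-`, `_` and `.` collapsed to a single `-`) as a stand-in for whatever helper Syft applies to artifact names, and the METADATA text and installed-artifact list are constructed sample input. Running the resolver with and without normalization of the dependency names shows the relationships that are silently dropped when only one side is normalized.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// flaskMetadata is a constructed, abbreviated dist-info METADATA file used as
// sample input; it is not a real file from any package.
const flaskMetadata = `Metadata-Version: 2.1
Name: Flask
Version: 3.0.0
Requires-Dist: Werkzeug>=3.0.0
Requires-Dist: Jinja2>=3.1.2
Requires-Dist: itsdangerous>=2.1.2
Requires-Dist: click>=8.1.3
Requires-Dist: blinker>=1.6.2
Requires-Dist: importlib-metadata>=3.6.0; python_version < "3.10"
Requires-Dist: python-dotenv>=0.19; extra == "dotenv"
`

// installedArtifacts are constructed package names a cataloger has already
// emitted for the same site-packages directory. They are lower-case because
// the cataloger normalizes names on emission, as the PR describes.
var installedArtifacts = []string{
	"flask", "werkzeug", "jinja2", "markupsafe", "itsdangerous",
	"click", "blinker", "importlib-metadata",
}

// nameSeparators matches any run of the characters PEP 503 folds into '-'.
var nameSeparators = regexp.MustCompile(`[-_.]+`)

// normalizeName applies PEP 503 project-name normalization. This is an
// assumption standing in for Syft's own helper, which the PR page does not show.
func normalizeName(name string) string {
	return strings.ToLower(nameSeparators.ReplaceAllString(strings.TrimSpace(name), "-"))
}

// parseRequiresDist returns the raw value of every Requires-Dist header.
func parseRequiresDist(metadata string) []string {
	var out []string
	sc := bufio.NewScanner(strings.NewReader(metadata))
	for sc.Scan() {
		line := sc.Text()
		if strings.HasPrefix(line, "Requires-Dist:") {
			out = append(out, strings.TrimSpace(strings.TrimPrefix(line, "Requires-Dist:")))
		}
	}
	return out
}

// dependencyName strips extras, version specifiers and environment markers
// from a Requires-Dist value, leaving only the project name. PEP 508 names
// contain only ASCII letters, digits, '-', '_' and '.', so the name ends at
// the first character outside that set.
func dependencyName(spec string) string {
	spec = strings.TrimSpace(spec)
	end := len(spec)
	for i, r := range spec {
		isNameChar := r == '-' || r == '_' || r == '.' ||
			(r >= '0' && r <= '9') || (r >= 'A' && r <= 'Z') || (r >= 'a' && r <= 'z')
		if !isNameChar {
			end = i
			break
		}
	}
	return spec[:end]
}

// artifactIndex maps a normalized name to the artifact name as emitted.
type artifactIndex map[string]string

func newArtifactIndex(names []string) artifactIndex {
	idx := make(artifactIndex, len(names))
	for _, n := range names {
		idx[normalizeName(n)] = n // idempotent on already-normalized names
	}
	return idx
}

// resolveRelationships resolves each Requires-Dist entry against the index.
// With normalize=false the raw METADATA name is looked up, reproducing the
// "Werkzeug" != "werkzeug" misses the PR describes; with normalize=true both
// sides of the comparison have gone through the same normalization.
func resolveRelationships(idx artifactIndex, requires []string, normalize bool) (found, missing []string) {
	for _, spec := range requires {
		name := dependencyName(spec)
		key := name
		if normalize {
			key = normalizeName(name)
		}
		if artifact, ok := idx[key]; ok {
			found = append(found, artifact)
		} else {
			missing = append(missing, name)
		}
	}
	return found, missing
}

func main() {
	idx := newArtifactIndex(installedArtifacts)
	requires := parseRequiresDist(flaskMetadata)
	for _, normalize := range []bool{false, true} {
		found, missing := resolveRelationships(idx, requires, normalize)
		fmt.Printf("normalize=%v: %d relationships, unresolved=%v\n", normalize, len(found), missing)
	}
}
```

Without normalization the run resolves only four of the seven requirements and reports `Werkzeug` and `Jinja2` as unresolved alongside the genuinely absent `python-dotenv`; with normalization only `python-dotenv` (an optional extra that is not installed) remains unresolved, which is the behaviour the fix restores. Note that the index normalizes the artifact side as well, so the comparison stays correct even if a cataloger ever emits a name that was not already lower-case.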
@spiffcs spiffcs (Contributor) left a comment

I couldn't think of any other cases to add - the tests are great and thanks for the quick fix to a triage bug 😄

@spiffcs spiffcs merged commit c958932 into main Nov 25, 2025
12 checks passed
@spiffcs spiffcs deleted the fix-normalize-python-dep-names branch November 25, 2025 15:20

Development

Successfully merging this pull request may close these issues.

Syft: The dependency graph does not include all Requires-Dist relationships defined in the package’s METADATA file