Feature/803 include other dependencies in vulnerability report#806

Draft
ArBridgeman wants to merge 10 commits into main from feature/803_include_other_dependencies_in_reports
Conversation

@ArBridgeman
Collaborator

@ArBridgeman ArBridgeman commented Apr 24, 2026

closes #803

Checklist

Note: If any of the items in the checklist are not relevant to your PR, just check the box.

For any Pull Request

Is the following correct:

  • the title of the Pull Request?
  • the title of the corresponding issue?
  • there are no other open Pull Requests for the same update/change?
  • that the issue which this Pull Request fixes ("Fixes...") is mentioned?

When Changes Were Made

Did you:

  • update the changelog?
  • update the cookiecutter-template?
  • update the implementation?
  • check coverage and add tests: unit tests and, if relevant, integration tests?
  • update the User Guide & other documentation?
  • resolve any failing CI criteria (incl. Sonar quality gate)?

When Preparing a Release

Have you:

  • thought about version number (major, minor, patch)?
  • checked Exasol packages for updates and resolved open vulnerabilities, if easily possible?

@ArBridgeman ArBridgeman deployed to manual-approval April 27, 2026 06:47 — with GitHub Actions Active
@ArBridgeman ArBridgeman changed the title Feature/803 include other dependencies in reports Feature/803 include other dependencies in vulnerability report Apr 27, 2026
# Poetry Group Dependencies
Collaborator Author

If we think it's worthwhile to differentiate main and optional dependency groups, then we will need to make an issue for it.

While we could add a snippet to capture optional-dependency groups in this property (PoetryToml.groups), this would be problematic when the groups are then used in PoetryDependencies.direct_dependencies, as the command to extract which groups go with which dependencies will not work:

[
    "poetry",
    "show",
    "--top-level",
    f"--only={group.name}",
    "--no-truncate",
]

In fact, there is not a way to differentiate between main and optional-dependencies from this command, which means current optional-dependencies (when they exist in a project) are already under main. Additionally, as the PEP-compliance of poetry continues to evolve, it might be foolhardy for us to try to extract this ourselves from the pyproject.toml, and in the poetry.lock, the markings overlap, meaning one cannot say it is directly from main, transitive, etc.

So it would need to be thought about how one could approach this with minimal effort.

Collaborator Author

See https://github.com/exasol/python-toolbox/pull/806/changes#r3145359536 for a reference of what I described above with optional dependencies being reported in main.

assert poetry_dep.direct_dependencies == {
    "main": {
        "pylint": Package(name="pylint", version=sample_versions.pylint),
        "ruff": Package(name="ruff", version=sample_versions.ruff),
Collaborator Author

Reference point to point out that "ruff", an optional dependency, is reported already but in the main ones.

@ArBridgeman ArBridgeman force-pushed the feature/803_include_other_dependencies_in_reports branch from 131a3ff to 3d414bd Compare April 27, 2026 07:00
@ArBridgeman ArBridgeman force-pushed the feature/803_include_other_dependencies_in_reports branch from 3d414bd to fe98ea4 Compare April 27, 2026 07:30
@ArBridgeman ArBridgeman force-pushed the feature/803_include_other_dependencies_in_reports branch from fe98ea4 to b3e4066 Compare April 27, 2026 07:40
Development

Successfully merging this pull request may close these issues.

Include dev dependencies in vulnerability report

1 participant