feat: test handling of ~= in requirements.txt and add it to docs (intel#3610)

Co-authored-by: Terri Oda <[email protected]>
ayushthe1 and terriko authored Jan 9, 2024
1 parent d153456 commit 6d4df4a
Showing 3 changed files with 6 additions and 7 deletions.
4 changes: 4 additions & 0 deletions doc/MANUAL.md
@@ -1335,6 +1335,10 @@ The scanner examines the `Package.resolved` file which is created by the package
The scanner examines the `PKG-INFO` and `METADATA` files for an installed Python package to extract the component name and version which
are used to search the database for vulnerabilities.
Support for scanning the `requirements.txt` file generated by pip is also present.
#### Support for Version Range (`~=`) in `requirements.txt`
The CVE binary tool supports version ranges specified with `~=` in your `requirements.txt` file. This allows you to define a compatible version range for your Python project.
The CVE binary tool utilizes `pip install --dry-run` to seamlessly handle and interpret version ranges specified with `~=`. This ensures effective analysis of potential updates without the need for manual parsing of `~=`.
Note that `--dry-run` will give "what you get if you installed this requirements list today" so that's what the scan results will show. We do not attempt to retrieve CVEs for all possible versions in that range. If you want to check a specific version within that range (such as the very first allowed one) you would need to use a separate requirements.txt file with that version frozen.

The tool supports the scanning of the contents of any Wheel package files (indicated with a file extension of .whl) and egg package files (indicated with a file extension of .egg).

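Review bot: the paragraph starting "The CVE binary tool utilizes `pip install --dry-run`" should spell out what that means for the scan environment: resolving the range means pip has to reach a package index, so the scan needs network access (or a configured local index), and the version reported is whatever that index offers at scan time, which the "what you get if you installed this requirements list today" note only implies. It is also worth stating that handing a requirements file to pip's resolver is not a passive parse: for packages that only ship as source distributions pip may need to build package metadata, so a requirements.txt from an untrusted source should not be scanned on a machine where that side effect matters. A one-line caveat after the "Note that `--dry-run`" paragraph would cover both points.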
6 changes: 1 addition & 5 deletions test/test_package_list_parser.py
@@ -35,10 +35,6 @@ class TestPackageListParser:
"default": {"remarks": Remarks.NewFound, "comments": "", "severity": ""},
"paths": {""},
},
ProductInfo(vendor="html5lib*", product="html5lib", version="0.999999999"): {
"default": {"remarks": Remarks.NewFound, "comments": "", "severity": ""},
"paths": {""},
},
}

# Find the versions of the ubuntu packages
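Review bot: this hunk drops the `html5lib` expectation entirely instead of carrying it through the new `~=` handling, so the parser test now covers one package fewer, and the commit title ("test handling of ~= in requirements.txt") does not say why `html5lib==0.999999999` left the fixture. If it was removed because that version no longer installs cleanly, say so in the commit message; otherwise keeping it pinned next to the `~=` entry for `requests` would exercise both an exact and a compatible-release specifier in the same run.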
@@ -124,7 +120,7 @@ def test_valid_requirements(self, filepath, parsed_data):
package_list = PackageListParser(filepath, error_mode=ErrorMode.FullTrace)
assert package_list.parse_list() == parsed_data
# Update the packages back to latest
subprocess.run(["pip", "install", "httplib2", "requests", "html5lib", "-U"])
subprocess.run(["pip", "install", "httplib2", "requests", "-U"])

@pytest.mark.skipif(
distro.id() not in SUPPORTED_DISTROS,
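Review bot: `subprocess.run(["pip", "install", "httplib2", "requests", "-U"])` still ignores the exit status and runs whichever `pip` is first on PATH, which need not belong to the interpreter running pytest; now that the `~=` case is resolved through pip, the state this restore leaves behind matters more. Prefer `subprocess.run([sys.executable, "-m", "pip", "install", "httplib2", "requests", "-U"], check=True)` so a failed restore is reported instead of silently leaving the next test with the pinned versions.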
3 changes: 1 addition & 2 deletions test/txt/test_requirements.txt
@@ -1,3 +1,2 @@
html5lib==0.999999999
httplib2==0.18.1
requests==2.25.1
requests~=2.25.1

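Review bot: `requests~=2.25.1` only keeps `parsed_data` stable because, under the semantics documented in MANUAL.md in this commit, `--dry-run` picks the newest release in the 2.25.x series; the moment a 2.25.2 appears on the index the resolved version changes and `test_valid_requirements` fails with no change to this repository. Either make the test accept any 2.25.x version, or add a `#` comment line to the fixture (pip accepts those) saying the assertion depends on the index state, so the next person to hit the failure knows why.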
0 comments on commit 6d4df4a